ci: fix dep-audit grep pattern + add sigstore-models to license skip list

- dep-audit: grep -iv '^aiir' to match both 'aiir==1.1.0' and
  'aiir @ file://...' forms from pip freeze
- license-check: add sigstore-models to SKIP_PACKAGES (metadata
  reports UNKNOWN but package is actually Apache-2.0)

Author: InvariantSystems

.github/workflows/security.yml

@@ -150,8 +150,9 @@ jobs:
           # --strict = fail on ANY known vulnerability
           # --desc   = include vulnerability descriptions in output
           # Generate a requirements file of all installed packages,
-          # excluding aiir itself (not on PyPI, would cause --strict error)
-          pip freeze | grep -iv '^aiir==' > _audit_reqs.txt
+          # excluding aiir itself (not on PyPI, would cause --strict error).
+          # pip freeze may emit 'aiir==1.1.0' or 'aiir @ file://...' forms.
+          pip freeze | grep -iv '^aiir' > _audit_reqs.txt
           pip-audit --strict --desc -r _audit_reqs.txt --format json --output pip-audit-report.json || true
           pip-audit --strict --desc -r _audit_reqs.txt
       - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0

scripts/check_licenses.py

@@ -29,8 +29,9 @@
     "HPND",  # Historical Permission Notice and Disclaimer
 ]
 
-# Packages to skip (e.g. the project itself, installed as editable)
-SKIP_PACKAGES: set[str] = {"aiir"}
+# Packages to skip (e.g. the project itself, or packages whose metadata
+# reports UNKNOWN but are verified Apache-2.0 / MIT upstream)
+SKIP_PACKAGES: set[str] = {"aiir", "sigstore-models"}
 
 
 def main() -> int: