[tests] Use larger app partition for esp32-c6-idf component builds

The default IDF partition leaves only 1.75MB for the app which is too small for
grouped tests (bluetooth_proxy currently overflows). Match esp32-idf, esp32-c2-idf,
esp32-c3-idf and esp32-s3-idf by switching the c6 base config to partitions_testing.csv.

.clang-tidy.hash

@@ -0,0 +1 @@
+27aaab4e0ebfc10491720345aa746fc2dffa6a3985f73ec111b12dd99078d46f

.claude/skills/pr-workflow/SKILL.md

@@ -29,7 +29,7 @@ Required fields:
 - **What does this implement/fix?**: Brief description of changes
 - **Types of changes**: Check ONE appropriate box (Bugfix, New feature, Breaking change, etc.)
 - **Related issue**: Use `fixes <link>` syntax if applicable
-- **Pull request in esphome.io**: Link if docs are needed
+- **Pull request in esphome-docs**: Link if docs are needed
 - **Test Environment**: Check platforms you tested on
 - **Example config.yaml**: Include working example YAML
 - **Checklist**: Verify code is tested and tests added
@@ -54,9 +54,9 @@ Required fields:
 
 - fixes https://github.com/esphome/esphome/issues/XXX
 
-**Pull request in [esphome.io](https://github.com/esphome/esphome.io) with documentation (if applicable):**
+**Pull request in [esphome-docs](https://github.com/esphome/esphome-docs) with documentation (if applicable):**
 
-- esphome/esphome.io#XXX
+- esphome/esphome-docs#XXX
 
 ## Test Environment
 
@@ -83,7 +83,7 @@ component_name:
   - [x] Tests have been added to verify that the new code works (under `tests/` folder).
 
 If user exposed functionality or configuration variables are added/changed:
-  - [ ] Documentation added/updated in [esphome.io](https://github.com/esphome/esphome.io).
+  - [ ] Documentation added/updated in [esphome-docs](https://github.com/esphome/esphome-docs).
 ```
 
 ## 5. Push and Create PR

.github/ISSUE_TEMPLATE/config.yml

@@ -2,7 +2,7 @@
 blank_issues_enabled: false
 contact_links:
   - name: Report an issue with the ESPHome documentation
-    url: https://github.com/esphome/esphome.io/issues/new/choose
+    url: https://github.com/esphome/esphome-docs/issues/new/choose
     about: Report an issue with the ESPHome documentation.
   - name: Report an issue with the ESPHome web server
     url: https://github.com/esphome/esphome-webserver/issues/new/choose

.github/PULL_REQUEST_TEMPLATE.md

@@ -16,9 +16,9 @@
 
 - fixes <link to issue>
 
-**Pull request in [esphome.io](https://github.com/esphome/esphome.io) with documentation (if applicable):**
+**Pull request in [esphome-docs](https://github.com/esphome/esphome-docs) with documentation (if applicable):**
 
-- esphome/esphome.io#<esphome.io PR number goes here>
+- esphome/esphome-docs#<esphome-docs PR number goes here>
 
 ## Test Environment
 
@@ -43,4 +43,4 @@
   - [ ] Tests have been added to verify that the new code works (under `tests/` folder).
 
 If user exposed functionality or configuration variables are added/changed:
-  - [ ] Documentation added/updated in [esphome.io](https://github.com/esphome/esphome.io).
+  - [ ] Documentation added/updated in [esphome-docs](https://github.com/esphome/esphome-docs).

.github/actions/build-image/action.yaml

@@ -15,6 +15,11 @@ inputs:
     description: "Version to build"
     required: true
     example: "2023.12.0"
+  base_os:
+    description: "Base OS to use"
+    required: false
+    default: "debian"
+    example: "debian"
 runs:
   using: "composite"
   steps:
@@ -55,6 +60,7 @@ runs:
         build-args: |
           BUILD_TYPE=${{ inputs.build_type }}
           BUILD_VERSION=${{ inputs.version }}
+          BUILD_OS=${{ inputs.base_os }}
         outputs: |
           type=image,name=ghcr.io/${{ steps.tags.outputs.image_name }},push-by-digest=true,name-canonical=true,push=true
 
@@ -80,6 +86,7 @@ runs:
         build-args: |
           BUILD_TYPE=${{ inputs.build_type }}
           BUILD_VERSION=${{ inputs.version }}
+          BUILD_OS=${{ inputs.base_os }}
         outputs: |
           type=image,name=docker.io/${{ steps.tags.outputs.image_name }},push-by-digest=true,name-canonical=true,push=true
 

.github/actions/cache-esp-idf/action.yml

@@ -1,52 +0,0 @@
-name: Cache ESP-IDF
-description: >
-  Resolve the pinned ESP-IDF version and cache the native ESP-IDF install
-  (toolchains + source) at ~/.esphome-idf. Every job that installs ESP-IDF
-  natively (clang-tidy for IDF/Arduino and the component test batches) shares
-  one cache, since the install is identical (ESPHOME_IDF_DEFAULT_TARGETS
-  defaults to "all", so all toolchains are present regardless of the chip).
-  Callers must set env ESPHOME_ESP_IDF_PREFIX: ~/.esphome-idf and have the
-  Python venv already restored.
-inputs:
-  framework:
-    description: 'Which pinned IDF version to key on: "espidf" (recommended) or "arduino".'
-    default: espidf
-  restore-only:
-    description: >
-      When "true", only restore -- never save the cache, even on dev. Use from
-      jobs that may not produce an ESP-IDF install (e.g. a component batch with
-      no esp32 target), so a partial/empty install is never written to the key.
-    default: "false"
-runs:
-  using: composite
-  steps:
-    - name: Resolve ESP-IDF version for cache key
-      # The native-IDF version is pinned in code, not in any file that feeds the
-      # other cache keys, so resolve it explicitly. Keying on it means the cache
-      # invalidates on a version bump (actions/cache never overwrites a key).
-      id: version
-      shell: bash
-      run: |
-        . venv/bin/activate
-        if [ "${{ inputs.framework }}" = "arduino" ]; then
-          version=$(python -c 'from esphome.components.esp32 import ARDUINO_FRAMEWORK_VERSION_LOOKUP as A, ARDUINO_IDF_VERSION_LOOKUP as L; print(L[A["recommended"]])')
-        else
-          version=$(python -c 'from esphome.components.esp32 import ESP_IDF_FRAMEWORK_VERSION_LOOKUP as L; print(L["recommended"])')
-        fi
-        echo "version=$version" >> "$GITHUB_OUTPUT"
-    # Mirror the adjacent PlatformIO cache: only dev-branch runs write the
-    # shared cache (so it lives in the default-branch scope readable by all
-    # PRs), and PRs are restore-only -- they never push multi-GB artifacts into
-    # their own scope / the repo quota (e.g. on a version-bump PR).
-    - name: Cache ESP-IDF install (write on dev)
-      if: github.ref == 'refs/heads/dev' && inputs.restore-only != 'true'
-      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-      with:
-        path: ~/.esphome-idf
-        key: ${{ runner.os }}-esphome-idf-${{ steps.version.outputs.version }}
-    - name: Cache ESP-IDF install (restore-only off dev)
-      if: github.ref != 'refs/heads/dev' || inputs.restore-only == 'true'
-      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-      with:
-        path: ~/.esphome-idf
-        key: ${{ runner.os }}-esphome-idf-${{ steps.version.outputs.version }}

.github/actions/restore-python/action.yml

@@ -32,7 +32,7 @@ runs:
       # detects the activated venv via ``VIRTUAL_ENV`` so the venv layout
       # downstream jobs rely on is preserved.
       if: steps.cache-venv.outputs.cache-hit != 'true'
-      uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+      uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
       with:
         enable-cache: true
         # Pin uv version so the action does not have to fetch the

.github/dependabot.yml

@@ -5,7 +5,6 @@ updates:
     directory: "/"
     schedule:
       interval: daily
-    open-pull-requests-limit: 10
     ignore:
       # Hypotehsis is only used for testing and is updated quite often
       - dependency-name: hypothesis

.github/scripts/auto-label-pr/constants.js

@@ -35,9 +35,6 @@ module.exports = {
   ],
 
   DOCS_PR_PATTERNS: [
-    /https:\/\/github\.com\/esphome\/esphome\.io\/pull\/\d+/,
-    /esphome\/esphome\.io#\d+/,
-    // Keep matching the old esphome-docs name during the transition period
     /https:\/\/github\.com\/esphome\/esphome-docs\/pull\/\d+/,
     /esphome\/esphome-docs#\d+/
   ]

.github/scripts/auto-label-pr/detectors.js

@@ -107,8 +107,6 @@ async function detectNewPlatforms(github, context, prFiles, apiData) {
     /^esphome\/components\/([^\/]+)\/([^\/]+)\/__init__\.py$/,
   ];
 
-  const removedFiles = new Set(prFiles.filter(file => file.status === 'removed').map(file => file.filename));
-
   for (const file of addedFiles) {
     for (const re of platformPathPatterns) {
       const match = file.match(re);
@@ -116,12 +114,6 @@ async function detectNewPlatforms(github, context, prFiles, apiData) {
       const platform = match[2];
       if (!apiData.platformComponents.includes(platform)) break;
 
-      // Skip if this is a restructure between flat and subdirectory forms (either direction):
-      //   <component>/<platform>.py  <->  <component>/<platform>/__init__.py
-      const flatEquivalent = `esphome/components/${match[1]}/${platform}.py`;
-      const subdirEquivalent = `esphome/components/${match[1]}/${platform}/__init__.py`;
-      if (removedFiles.has(flatEquivalent) || removedFiles.has(subdirEquivalent)) break;
-
       labels.add('new-platform');
       const content = await fetchPrFileContent(github, context, file);
       if (content === null) {

.github/scripts/auto-label-pr/package.json

@@ -1,7 +0,0 @@
-{
-  "name": "auto-label-pr",
-  "private": true,
-  "scripts": {
-    "test": "node --test tests/*.test.js"
-  }
-}

.github/scripts/auto-label-pr/tests/detectors.test.js

@@ -1,147 +0,0 @@
-const { describe, it } = require('node:test');
-const assert = require('node:assert/strict');
-const { detectNewPlatforms, detectNewComponents } = require('../detectors');
-
-// Minimal GitHub API mock — only repos.getContent is called by detectNewPlatforms/detectNewComponents
-// to check for CONFIG_SCHEMA in newly added files.
-function makeGithub(content = '') {
-  return {
-    rest: {
-      repos: {
-        getContent: async () => ({
-          data: { content: Buffer.from(content).toString('base64') }
-        })
-      }
-    }
-  };
-}
-
-const CONTEXT = {
-  repo: { owner: 'esphome', repo: 'esphome' },
-  payload: { pull_request: { head: { sha: 'abc123' }, base: { ref: 'dev' } } }
-};
-
-const API_DATA = {
-  targetPlatforms: ['esp32', 'esp8266', 'rp2040'],
-  platformComponents: ['cover', 'sensor', 'binary_sensor', 'switch', 'light', 'fan', 'climate', 'valve']
-};
-
-const WITH_SCHEMA = 'CONFIG_SCHEMA = cv.Schema({})';
-const WITHOUT_SCHEMA = 'CODEOWNERS = ["@esphome/core"]';
-
-// ---------------------------------------------------------------------------
-// detectNewPlatforms
-// ---------------------------------------------------------------------------
-
-describe('detectNewPlatforms', () => {
-  describe('restructure detection (no false positives)', () => {
-    it('flat .py -> subdir __init__.py is not a new platform', async () => {
-      const prFiles = [
-        { filename: 'esphome/components/endstop/cover.py', status: 'removed' },
-        { filename: 'esphome/components/endstop/cover/__init__.py', status: 'added' },
-      ];
-      const result = await detectNewPlatforms(makeGithub(WITH_SCHEMA), CONTEXT, prFiles, API_DATA);
-      assert.equal(result.labels.size, 0);
-      assert.equal(result.hasYamlLoadable, false);
-    });
-
-    it('subdir __init__.py -> flat .py is not a new platform', async () => {
-      const prFiles = [
-        { filename: 'esphome/components/endstop/cover/__init__.py', status: 'removed' },
-        { filename: 'esphome/components/endstop/cover.py', status: 'added' },
-      ];
-      const result = await detectNewPlatforms(makeGithub(WITH_SCHEMA), CONTEXT, prFiles, API_DATA);
-      assert.equal(result.labels.size, 0);
-      assert.equal(result.hasYamlLoadable, false);
-    });
-  });
-
-  describe('genuine new platforms', () => {
-    it('new subdir platform with CONFIG_SCHEMA sets new-platform and hasYamlLoadable', async () => {
-      const prFiles = [
-        { filename: 'esphome/components/my_sensor/cover/__init__.py', status: 'added' },
-      ];
-      const result = await detectNewPlatforms(makeGithub(WITH_SCHEMA), CONTEXT, prFiles, API_DATA);
-      assert.ok(result.labels.has('new-platform'));
-      assert.equal(result.hasYamlLoadable, true);
-    });
-
-    it('new flat platform with CONFIG_SCHEMA sets new-platform and hasYamlLoadable', async () => {
-      const prFiles = [
-        { filename: 'esphome/components/my_sensor/cover.py', status: 'added' },
-      ];
-      const result = await detectNewPlatforms(makeGithub(WITH_SCHEMA), CONTEXT, prFiles, API_DATA);
-      assert.ok(result.labels.has('new-platform'));
-      assert.equal(result.hasYamlLoadable, true);
-    });
-
-    it('new platform without CONFIG_SCHEMA sets new-platform but not hasYamlLoadable', async () => {
-      const prFiles = [
-        { filename: 'esphome/components/my_sensor/cover.py', status: 'added' },
-      ];
-      const result = await detectNewPlatforms(makeGithub(WITHOUT_SCHEMA), CONTEXT, prFiles, API_DATA);
-      assert.ok(result.labels.has('new-platform'));
-      assert.equal(result.hasYamlLoadable, false);
-    });
-
-    it('non-platform file addition produces no labels', async () => {
-      const prFiles = [
-        { filename: 'esphome/components/my_sensor/sensor.py', status: 'added' },
-      ];
-      // Override platformComponents so 'sensor' is not a recognized platform -> no label expected.
-      const nonPlatformApiData = { ...API_DATA, platformComponents: ['cover'] };
-      const result = await detectNewPlatforms(makeGithub(WITH_SCHEMA), CONTEXT, prFiles, nonPlatformApiData);
-      assert.equal(result.labels.size, 0);
-      assert.equal(result.hasYamlLoadable, false);
-    });
-  });
-});
-
-// ---------------------------------------------------------------------------
-// detectNewComponents
-// ---------------------------------------------------------------------------
-
-describe('detectNewComponents', () => {
-  it('new top-level __init__.py sets new-component', async () => {
-    const prFiles = [
-      { filename: 'esphome/components/actuator/__init__.py', status: 'added', },
-    ];
-    const result = await detectNewComponents(makeGithub(WITHOUT_SCHEMA), CONTEXT, prFiles);
-    assert.ok(result.labels.has('new-component'));
-    assert.equal(result.hasYamlLoadable, false);
-  });
-
-  it('new top-level __init__.py with CONFIG_SCHEMA sets hasYamlLoadable', async () => {
-    const prFiles = [
-      { filename: 'esphome/components/my_component/__init__.py', status: 'added' },
-    ];
-    const result = await detectNewComponents(makeGithub(WITH_SCHEMA), CONTEXT, prFiles);
-    assert.ok(result.labels.has('new-component'));
-    assert.equal(result.hasYamlLoadable, true);
-  });
-
-  it('new top-level __init__.py with IS_TARGET_PLATFORM sets new-target-platform', async () => {
-    const prFiles = [
-      { filename: 'esphome/components/my_platform/__init__.py', status: 'added' },
-    ];
-    const result = await detectNewComponents(makeGithub('IS_TARGET_PLATFORM = True'), CONTEXT, prFiles);
-    assert.ok(result.labels.has('new-component'));
-    assert.ok(result.labels.has('new-target-platform'));
-  });
-
-  it('modified __init__.py does not set new-component', async () => {
-    const prFiles = [
-      { filename: 'esphome/components/existing/__init__.py', status: 'modified' },
-    ];
-    const result = await detectNewComponents(makeGithub(WITH_SCHEMA), CONTEXT, prFiles);
-    assert.equal(result.labels.size, 0);
-  });
-
-  it('nested __init__.py does not set new-component', async () => {
-    const prFiles = [
-      { filename: 'esphome/components/endstop/cover/__init__.py', status: 'added' },
-    ];
-    const result = await detectNewComponents(makeGithub(WITH_SCHEMA), CONTEXT, prFiles);
-    assert.equal(result.labels.size, 0);
-  });
-});

.github/scripts/detect-tags.js

@@ -41,6 +41,7 @@ function hasCoreChanges(changedFiles) {
  */
 function hasDashboardChanges(changedFiles) {
   return changedFiles.some(file =>
+    file.startsWith('esphome/dashboard/') ||
     file.startsWith('esphome/components/dashboard_import/')
   );
 }

.github/workflows/auto-label-pr.yml

@@ -24,7 +24,7 @@ jobs:
     if: github.event.pull_request.state == 'open' && (github.event.action != 'labeled' || github.event.sender.type != 'Bot')
     steps:
       - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Generate a token
         id: generate-token

.github/workflows/ci-api-proto.yml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
@@ -29,7 +29,7 @@ jobs:
       - name: Set up uv
         # ``--system`` (below) installs into the setup-python interpreter;
         # no venv is created or restored by this workflow.
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           enable-cache: true
           # Pin uv version so the action does not have to fetch the

.github/workflows/ci-clang-tidy-hash.yml

@@ -0,0 +1,76 @@
+name: Clang-tidy Hash CI
+
+on:
+  pull_request:
+    paths:
+      - ".clang-tidy"
+      - "platformio.ini"
+      - "requirements_dev.txt"
+      - "sdkconfig.defaults"
+      - ".clang-tidy.hash"
+      - "script/clang_tidy_hash.py"
+      - ".github/workflows/ci-clang-tidy-hash.yml"
+
+permissions:
+  contents: read        # actions/checkout for the PR head
+  pull-requests: write  # pulls.createReview / listReviews / dismissReview when the clang-tidy hash is out of date
+
+jobs:
+  verify-hash:
+    name: Verify clang-tidy hash
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.11"
+
+      - name: Verify hash
+        run: |
+          python script/clang_tidy_hash.py --verify
+
+      - if: failure()
+        name: Show hash details
+        run: |
+          python script/clang_tidy_hash.py
+          echo "## Job Failed" | tee -a $GITHUB_STEP_SUMMARY
+          echo "You have modified clang-tidy configuration but have not updated the hash." | tee -a $GITHUB_STEP_SUMMARY
+          echo "Please run 'script/clang_tidy_hash.py --update' and commit the changes." | tee -a $GITHUB_STEP_SUMMARY
+
+      - if: failure() && github.event.pull_request.head.repo.full_name == github.repository
+        name: Request changes
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            await github.rest.pulls.createReview({
+              pull_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              event: 'REQUEST_CHANGES',
+              body: 'You have modified clang-tidy configuration but have not updated the hash.\nPlease run `script/clang_tidy_hash.py --update` and commit the changes.'
+            })
+
+      - if: success() && github.event.pull_request.head.repo.full_name == github.repository
+        name: Dismiss review
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            let reviews = await github.rest.pulls.listReviews({
+              pull_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo
+            });
+            for (let review of reviews.data) {
+              if (review.user.login === 'github-actions[bot]' && review.state === 'CHANGES_REQUESTED') {
+                await github.rest.pulls.dismissReview({
+                  pull_number: context.issue.number,
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  review_id: review.id,
+                  message: 'Clang-tidy hash now matches configuration.'
+                });
+              }
+            }

.github/workflows/ci-docker.yml

@@ -1,41 +1,28 @@
 ---
 name: CI for docker images
 
-# Only run on PRs that touch the docker image, its build inputs, or any code
-# whose toolchain the compile smoke test exercises (core + target platforms).
+# Only run when docker paths change
 
 on:
-  pull_request:
+  push:
+    branches: [dev, beta, release]
+    paths:
+      - "docker/**"
+      - ".github/workflows/ci-docker.yml"
+      - "requirements*.txt"
+      - "platformio.ini"
+      - "script/platformio_install_deps.py"
+
+  pull_request:
     paths:
-      # Docker image and its build inputs.
       - "docker/**"
       - ".github/workflows/ci-docker.yml"
       - "requirements*.txt"
-      - "pyproject.toml"
       - "platformio.ini"
-      - "esphome/idf_component.yml"
       - "script/platformio_install_deps.py"
-      # Core, build pipeline, toolchain, and target-platform changes can change
-      # how a toolchain is set up or built, so re-run the per-toolchain compile
-      # smoke test when they change.
-      - "esphome/core/**"
-      - "esphome/writer.py"
-      - "esphome/build_gen/**"
-      - "esphome/espidf/**"
-      - "esphome/platformio/**"
-      - "esphome/components/bk72xx/**"
-      - "esphome/components/esp32/**"
-      - "esphome/components/esp8266/**"
-      - "esphome/components/host/**"
-      - "esphome/components/libretiny/**"
-      - "esphome/components/ln882x/**"
-      - "esphome/components/nrf52/**"
-      - "esphome/components/rp2040/**"
-      - "esphome/components/rtl87xx/**"
-      - "esphome/components/zephyr/**"
 
 permissions:
-  contents: read  # actions/checkout only
+  contents: read  # actions/checkout only; the build does not push images
 
 concurrency:
   # yamllint disable-line rule:line-length
@@ -46,9 +33,6 @@ jobs:
   check-docker:
     name: Build docker containers
     runs-on: ${{ matrix.os }}
-    permissions:
-      contents: read   # actions/checkout to load Dockerfile and build context
-      packages: write  # push branch-tagged images to ghcr.io for local testing
     strategy:
       fail-fast: false
       matrix:
@@ -57,11 +41,8 @@ jobs:
           - "ha-addon"
           - "docker"
           # - "lint"
-    outputs:
-      tag: ${{ steps.tag.outputs.tag }}
-      push: ${{ steps.tag.outputs.push }}
     steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
@@ -69,149 +50,14 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
-      - name: Determine tag and whether to push
-        id: tag
+      - name: Set TAG
         run: |
-          # Sanitize the branch name into a valid docker tag: replace invalid
-          # characters, ensure the first character is valid (tags must start
-          # with [A-Za-z0-9_]), and cap the length at 128 characters.
-          branch="${{ github.head_ref || github.ref_name }}"
-          tag="${branch//[^a-zA-Z0-9_.-]/-}"
-          case "$tag" in
-            [a-zA-Z0-9_]*) ;;
-            *) tag="pr-${tag}" ;;
-          esac
-          tag="${tag:0:128}"
-          echo "tag=${tag}" >> "$GITHUB_OUTPUT"
-          # Only push branch images for same-repo pull requests. Push events
-          # only fire for dev/beta/release, whose images are owned by the
-          # release pipeline -- never overwrite those from here.
-          if [ "${{ github.event_name }}" = "pull_request" ] \
-            && [ "${{ github.repository }}" = "esphome/esphome" ] \
-            && [ "${{ github.event.pull_request.head.repo.full_name }}" = "esphome/esphome" ]; then
-            echo "push=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "push=false" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Log in to the GitHub container registry
-        if: steps.tag.outputs.push == 'true'
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          echo "TAG=check" >> $GITHUB_ENV
 
       - name: Run build
         run: |
           docker/build.py \
-            --tag "${{ steps.tag.outputs.tag }}" \
+            --tag "${TAG}" \
             --arch "${{ matrix.os == 'ubuntu-24.04-arm' && 'aarch64' || 'amd64' }}" \
             --build-type "${{ matrix.build_type }}" \
-            --registry ghcr \
-            build ${{ steps.tag.outputs.push == 'true' && '--push --no-cache-to' || '' }} ${{ (matrix.os == 'ubuntu-24.04' && matrix.build_type == 'docker') && '--load' || '' }}
-
-      # The amd64 "docker" image is also loaded locally (above) and handed to
-      # compile-test as an artifact, so the smoke test reuses this build instead
-      # of building the image a second time. Using an artifact (rather than the
-      # pushed image) keeps it working for fork PRs, which never push to ghcr.io.
-      - name: Export image for compile-test
-        if: matrix.os == 'ubuntu-24.04' && matrix.build_type == 'docker'
-        run: docker save "ghcr.io/esphome/esphome-amd64:${{ steps.tag.outputs.tag }}" | gzip > compile-test-image.tar.gz
-
-      - name: Upload compile-test image artifact
-        if: matrix.os == 'ubuntu-24.04' && matrix.build_type == 'docker'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          # The tar is already gzipped, so upload it as-is. archive: false skips
-          # the redundant zip and makes the file name the artifact name (the
-          # `name` input is ignored in that mode).
-          path: compile-test-image.tar.gz
-          retention-days: 1
-          archive: false
-
-  manifest:
-    name: Push ${{ matrix.build_type }} manifest to ghcr.io
-    needs: [check-docker]
-    if: needs.check-docker.outputs.push == 'true'
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read   # actions/checkout to run docker/build.py
-      packages: write  # buildx imagetools writes the multi-arch tag to ghcr.io
-    strategy:
-      fail-fast: false
-      matrix:
-        build_type:
-          - "ha-addon"
-          - "docker"
-    steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.11"
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
-
-      - name: Log in to the GitHub container registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Create and push manifest
-        run: |
-          docker/build.py \
-            --tag "${{ needs.check-docker.outputs.tag }}" \
-            --build-type "${{ matrix.build_type }}" \
-            --registry ghcr \
-            manifest
-
-  # Smoke-test the built image by compiling one minimal config per target
-  # platform / toolchain. This catches missing system dependencies in the image
-  # that only surface when a given toolchain is downloaded and run. The image is
-  # the amd64 "docker" build produced by check-docker (shared as an artifact).
-  compile-test:
-    name: Compile ${{ matrix.id }}
-    needs: check-docker
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read  # actions/checkout to load the test configs
-    strategy:
-      fail-fast: false
-      # Cap concurrency so this smoke test doesn't hog all the shared runners.
-      max-parallel: 2
-      matrix:
-        # One entry per distinct toolchain. ESP32 variants (c3/c6/s2/s3/p4)
-        # share a toolchain bundle, so esp32 is exercised on the base variant
-        # across the full framework x toolchain cross-product (arduino/esp-idf
-        # framework, each built with the platformio and native esp-idf
-        # toolchains) so both toolchains stay covered regardless of which one is
-        # the default.
-        id:
-          - esp8266-arduino
-          - esp32-arduino-platformio
-          - esp32-arduino-esp-idf
-          - esp32-idf-platformio
-          - esp32-idf-esp-idf
-          - rp2040-arduino
-          - bk72xx-arduino
-          - rtl87xx-arduino
-          - ln882x-arduino
-          - nrf52
-          - host
-    steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
-      - name: Download image artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: compile-test-image.tar.gz
-      - name: Load image
-        run: docker load --input compile-test-image.tar.gz
-      - name: Compile ${{ matrix.id }}
-        run: |
-          docker run --rm \
-            -v "${{ github.workspace }}/docker/test_configs:/config" \
-            "ghcr.io/esphome/esphome-amd64:${{ needs.check-docker.outputs.tag }}" \
-            compile "${{ matrix.id }}.yaml"
+            build

.github/workflows/ci-github-scripts.yml

@@ -1,27 +0,0 @@
-name: CI - GitHub Scripts
-
-on:
-  push:
-    branches: [dev, beta, release]
-    paths:
-      - ".github/scripts/**"
-      - ".github/workflows/ci-github-scripts.yml"
-  pull_request:
-    paths:
-      - ".github/scripts/**"
-      - ".github/workflows/ci-github-scripts.yml"
-
-permissions:
-  contents: read
-
-jobs:
-  test-auto-label-pr:
-    name: Test auto-label-pr scripts
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
-
-      - name: Run tests
-        working-directory: .github/scripts/auto-label-pr
-        run: npm test

.github/workflows/ci-memory-impact-comment.yml

@@ -49,7 +49,7 @@ jobs:
 
       - name: Check out code from base repository
         if: steps.pr.outputs.skip != 'true'
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # Always check out from the base repository (esphome/esphome), never from forks
           # Use the PR's target branch to ensure we run trusted code from the main repo

.github/workflows/ci.yml

@@ -28,7 +28,7 @@ jobs:
       cache-key: ${{ steps.cache-key.outputs.key }}
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Generate cache-key
         id: cache-key
         run: echo key="${{ hashFiles('requirements.txt', 'requirements_dev.txt', 'requirements_test.txt', '.pre-commit-config.yaml') }}" >> $GITHUB_OUTPUT
@@ -49,7 +49,7 @@ jobs:
         # detects the activated venv via ``VIRTUAL_ENV`` so downstream jobs
         # that ``. venv/bin/activate`` see an identical layout.
         if: steps.cache-venv.outputs.cache-hit != 'true'
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           enable-cache: true
           # Pin uv version so the action does not have to fetch the
@@ -74,7 +74,7 @@ jobs:
     if: needs.determine-jobs.outputs.python-linters == 'true'
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Restore Python
         uses: ./.github/actions/restore-python
         with:
@@ -97,7 +97,7 @@ jobs:
     if: needs.determine-jobs.outputs.core-ci == 'true'
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Restore Python
         uses: ./.github/actions/restore-python
         with:
@@ -113,7 +113,6 @@ jobs:
           script/build_language_schema.py --check
           script/generate-esp32-boards.py --check
           script/generate-rp2040-boards.py --check
-          script/ci_check_duplicate_test_ids.py
 
   import-time:
     name: Check import esphome.__main__ time
@@ -124,7 +123,7 @@ jobs:
     if: needs.determine-jobs.outputs.import-time == 'true'
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Restore Python
         uses: ./.github/actions/restore-python
         with:
@@ -152,11 +151,11 @@ jobs:
     if: needs.determine-jobs.outputs.device-builder == 'true'
     steps:
       - name: Check out esphome (this PR)
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           path: esphome
       - name: Check out esphome/device-builder
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: esphome/device-builder
           ref: main
@@ -171,7 +170,7 @@ jobs:
         # install step (order-of-magnitude faster on cold boots,
         # with its own wheel cache). actions/setup-python still
         # provides the interpreter.
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           enable-cache: true
           # Pin uv version so the action does not have to fetch the
@@ -190,12 +189,9 @@ jobs:
       - name: Run device-builder pytest
         # ``-n auto`` runs under pytest-xdist (matches device-builder's
         # own CI). No ``--cov`` here -- this is purely a downstream
-        # smoke check against this PR's esphome code. ``tests/e2e/slow``
-        # is excluded: those are real multi-minute toolchain compiles
-        # (LibreTiny SDK clone, native ESP-IDF install) that device-builder
-        # runs in its own dedicated jobs, not this smoke check.
+        # smoke check against this PR's esphome code.
         working-directory: device-builder
-        run: pytest -q -n auto --maxfail=5 --durations=30 --no-cov --ignore=tests/benchmarks --ignore=tests/e2e/slow
+        run: pytest -q -n auto --maxfail=5 --durations=30 --no-cov --ignore=tests/benchmarks
 
   pytest:
     name: Run pytest
@@ -225,7 +221,7 @@ jobs:
     if: needs.determine-jobs.outputs.core-ci == 'true'
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Restore Python
         id: restore-python
         uses: ./.github/actions/restore-python
@@ -245,7 +241,7 @@ jobs:
           . venv/bin/activate
           pytest -vv --cov-report=xml --tb=native --durations=30 -n auto tests --ignore=tests/integration/
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
       - name: Save Python virtual environment cache
@@ -270,8 +266,8 @@ jobs:
       python-linters: ${{ steps.determine.outputs.python-linters }}
       import-time: ${{ steps.determine.outputs.import-time }}
       device-builder: ${{ steps.determine.outputs.device-builder }}
-      esp32-platformio: ${{ steps.determine.outputs.esp32-platformio }}
-      esp32-platformio-components: ${{ steps.determine.outputs.esp32-platformio-components }}
+      native-idf: ${{ steps.determine.outputs.native-idf }}
+      native-idf-components: ${{ steps.determine.outputs.native-idf-components }}
       changed-components: ${{ steps.determine.outputs.changed-components }}
       changed-components-with-tests: ${{ steps.determine.outputs.changed-components-with-tests }}
       directly-changed-components-with-tests: ${{ steps.determine.outputs.directly-changed-components-with-tests }}
@@ -285,7 +281,7 @@ jobs:
       benchmarks: ${{ steps.determine.outputs.benchmarks }}
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # Fetch enough history to find the merge base
           fetch-depth: 2
@@ -324,8 +320,8 @@ jobs:
           echo "python-linters=$(echo "$output" | jq -r '.python_linters')" >> $GITHUB_OUTPUT
           echo "import-time=$(echo "$output" | jq -r '.import_time')" >> $GITHUB_OUTPUT
           echo "device-builder=$(echo "$output" | jq -r '.device_builder')" >> $GITHUB_OUTPUT
-          echo "esp32-platformio=$(echo "$output" | jq -r '.esp32_platformio')" >> $GITHUB_OUTPUT
-          echo "esp32-platformio-components=$(echo "$output" | jq -r '.esp32_platformio_components')" >> $GITHUB_OUTPUT
+          echo "native-idf=$(echo "$output" | jq -r '.native_idf')" >> $GITHUB_OUTPUT
+          echo "native-idf-components=$(echo "$output" | jq -r '.native_idf_components')" >> $GITHUB_OUTPUT
           echo "changed-components=$(echo "$output" | jq -c '.changed_components')" >> $GITHUB_OUTPUT
           echo "changed-components-with-tests=$(echo "$output" | jq -c '.changed_components_with_tests')" >> $GITHUB_OUTPUT
           echo "directly-changed-components-with-tests=$(echo "$output" | jq -c '.directly_changed_components_with_tests')" >> $GITHUB_OUTPUT
@@ -357,7 +353,7 @@ jobs:
         bucket: ${{ fromJson(needs.determine-jobs.outputs.integration-test-buckets) }}
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Python 3.13
         id: python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -372,7 +368,7 @@ jobs:
       - name: Set up uv
         # Only needed on cache miss to populate the venv.
         if: steps.cache-venv.outputs.cache-hit != 'true'
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           enable-cache: true
           # Pin uv version so the action does not have to fetch the
@@ -409,7 +405,7 @@ jobs:
     if: github.event_name == 'pull_request' && (needs.determine-jobs.outputs.cpp-unit-tests-run-all == 'true' || needs.determine-jobs.outputs.cpp-unit-tests-components != '[]')
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Restore Python
         uses: ./.github/actions/restore-python
@@ -438,7 +434,7 @@ jobs:
       (github.event_name == 'pull_request' && needs.determine-jobs.outputs.benchmarks == 'true')
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Restore Python
         uses: ./.github/actions/restore-python
@@ -456,7 +452,7 @@ jobs:
           echo "binary=$BINARY" >> $GITHUB_OUTPUT
 
       - name: Run CodSpeed benchmarks
-        uses: CodSpeedHQ/action@63f3e98b61959fe67f146a3ff022e4136fe9bb9c # v4.17.6
+        uses: CodSpeedHQ/action@3194d9a39c4d46684cb44bf7207fc56626aad8fd # v4.15.1
         with:
           run: |
             . venv/bin/activate
@@ -473,8 +469,6 @@ jobs:
     if: needs.determine-jobs.outputs.clang-tidy == 'true'
     env:
       GH_TOKEN: ${{ github.token }}
-      # esp32-arduino-tidy installs ESP-IDF natively; share the native IDF cache.
-      ESPHOME_ESP_IDF_PREFIX: ~/.esphome-idf
     strategy:
       fail-fast: false
       max-parallel: 2
@@ -485,9 +479,9 @@ jobs:
             options: --environment esp8266-arduino-tidy --grep USE_ESP8266
             pio_cache_key: tidyesp8266
           - id: clang-tidy
-            name: Run script/clang-tidy for ESP32 Arduino
-            options: --environment esp32-arduino-tidy --grep USE_ARDUINO
-            cache_idf: true
+            name: Run script/clang-tidy for ESP32 IDF
+            options: --environment esp32-idf-tidy --grep USE_ESP_IDF
+            pio_cache_key: tidyesp32-idf
           - id: clang-tidy
             name: Run script/clang-tidy for ZEPHYR
             options: --environment nrf52-tidy --grep USE_ZEPHYR --grep USE_NRF52
@@ -496,7 +490,7 @@ jobs:
 
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # Need history for HEAD~1 to work for checking changed files
           fetch-depth: 2
@@ -508,40 +502,44 @@ jobs:
           cache-key: ${{ needs.common.outputs.cache-key }}
 
       - name: Cache platformio
-        if: github.ref == 'refs/heads/dev' && matrix.pio_cache_key
+        if: github.ref == 'refs/heads/dev'
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.platformio
           key: platformio-${{ matrix.pio_cache_key }}-${{ hashFiles('platformio.ini') }}
 
       - name: Cache platformio
-        if: github.ref != 'refs/heads/dev' && matrix.pio_cache_key
+        if: github.ref != 'refs/heads/dev'
         uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.platformio
           key: platformio-${{ matrix.pio_cache_key }}-${{ hashFiles('platformio.ini') }}
 
-      - name: Cache ESP-IDF install
-        if: matrix.cache_idf
-        uses: ./.github/actions/cache-esp-idf
-        with:
-          framework: arduino
-
       - name: Register problem matchers
         run: |
           echo "::add-matcher::.github/workflows/matchers/gcc.json"
           echo "::add-matcher::.github/workflows/matchers/clang-tidy.json"
 
+      - name: Run 'pio run --list-targets -e esp32-idf-tidy'
+        if: matrix.name == 'Run script/clang-tidy for ESP32 IDF'
+        run: |
+          . venv/bin/activate
+          mkdir -p .temp
+          pio run --list-targets -e esp32-idf-tidy
+
       - name: Check if full clang-tidy scan needed
         id: check_full_scan
         run: |
           . venv/bin/activate
-          # determine-jobs.clang-tidy-full-scan is true when core C++ or a
-          # clang-tidy-relevant config file changed, or the ci-run-all label
-          # forced --force-all.
+          # determine-jobs.clang-tidy-full-scan is true when core C++ changed
+          # OR the ci-run-all label forced --force-all. Independent of the
+          # hash check, both must produce a full scan in the job itself.
           if [ "${{ needs.determine-jobs.outputs.clang-tidy-full-scan }}" = "true" ]; then
             echo "full_scan=true" >> $GITHUB_OUTPUT
             echo "reason=determine_jobs" >> $GITHUB_OUTPUT
+          elif python script/clang_tidy_hash.py --check; then
+            echo "full_scan=true" >> $GITHUB_OUTPUT
+            echo "reason=hash_changed" >> $GITHUB_OUTPUT
           else
             echo "full_scan=false" >> $GITHUB_OUTPUT
             echo "reason=normal" >> $GITHUB_OUTPUT
@@ -567,7 +565,7 @@ jobs:
         if: always()
 
   clang-tidy-nosplit:
-    name: Run script/clang-tidy for ESP32 IDF
+    name: Run script/clang-tidy for ESP32 Arduino
     runs-on: ubuntu-24.04
     needs:
       - common
@@ -575,11 +573,9 @@ jobs:
     if: needs.determine-jobs.outputs.clang-tidy-mode == 'nosplit'
     env:
       GH_TOKEN: ${{ github.token }}
-      # esp32-idf-tidy installs ESP-IDF natively; share the native IDF cache.
-      ESPHOME_ESP_IDF_PREFIX: ~/.esphome-idf
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # Need history for HEAD~1 to work for checking changed files
           fetch-depth: 2
@@ -590,8 +586,19 @@ jobs:
           python-version: ${{ env.DEFAULT_PYTHON }}
           cache-key: ${{ needs.common.outputs.cache-key }}
 
-      - name: Cache ESP-IDF install
-        uses: ./.github/actions/cache-esp-idf
+      - name: Cache platformio
+        if: github.ref == 'refs/heads/dev'
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ~/.platformio
+          key: platformio-tidyesp32-${{ hashFiles('platformio.ini') }}
+
+      - name: Cache platformio
+        if: github.ref != 'refs/heads/dev'
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ~/.platformio
+          key: platformio-tidyesp32-${{ hashFiles('platformio.ini') }}
 
       - name: Register problem matchers
         run: |
@@ -602,12 +609,15 @@ jobs:
         id: check_full_scan
         run: |
           . venv/bin/activate
-          # determine-jobs.clang-tidy-full-scan is true when core C++ or a
-          # clang-tidy-relevant config file changed, or the ci-run-all label
-          # forced --force-all.
+          # determine-jobs.clang-tidy-full-scan is true when core C++ changed
+          # OR the ci-run-all label forced --force-all. Independent of the
+          # hash check, both must produce a full scan in the job itself.
           if [ "${{ needs.determine-jobs.outputs.clang-tidy-full-scan }}" = "true" ]; then
             echo "full_scan=true" >> $GITHUB_OUTPUT
             echo "reason=determine_jobs" >> $GITHUB_OUTPUT
+          elif python script/clang_tidy_hash.py --check; then
+            echo "full_scan=true" >> $GITHUB_OUTPUT
+            echo "reason=hash_changed" >> $GITHUB_OUTPUT
           else
             echo "full_scan=false" >> $GITHUB_OUTPUT
             echo "reason=normal" >> $GITHUB_OUTPUT
@@ -618,10 +628,10 @@ jobs:
           . venv/bin/activate
           if [ "${{ steps.check_full_scan.outputs.full_scan }}" = "true" ]; then
             echo "Running FULL clang-tidy scan (reason: ${{ steps.check_full_scan.outputs.reason }})"
-            script/clang-tidy --all-headers --fix --environment esp32-idf-tidy
+            script/clang-tidy --all-headers --fix --environment esp32-arduino-tidy
           else
             echo "Running clang-tidy on changed files only"
-            script/clang-tidy --all-headers --fix --changed --environment esp32-idf-tidy
+            script/clang-tidy --all-headers --fix --changed --environment esp32-arduino-tidy
           fi
         env:
           # Also cache libdeps, store them in a ~/.platformio subfolder
@@ -640,26 +650,27 @@ jobs:
     if: needs.determine-jobs.outputs.clang-tidy-mode == 'split'
     env:
       GH_TOKEN: ${{ github.token }}
-      # esp32-idf-tidy installs ESP-IDF natively; share the native IDF cache.
-      ESPHOME_ESP_IDF_PREFIX: ~/.esphome-idf
     strategy:
       fail-fast: false
-      max-parallel: 3
+      max-parallel: 2
       matrix:
         include:
           - id: clang-tidy
-            name: Run script/clang-tidy for ESP32 IDF 1/3
-            options: --environment esp32-idf-tidy --split-num 3 --split-at 1
+            name: Run script/clang-tidy for ESP32 Arduino 1/4
+            options: --environment esp32-arduino-tidy --split-num 4 --split-at 1
           - id: clang-tidy
-            name: Run script/clang-tidy for ESP32 IDF 2/3
-            options: --environment esp32-idf-tidy --split-num 3 --split-at 2
+            name: Run script/clang-tidy for ESP32 Arduino 2/4
+            options: --environment esp32-arduino-tidy --split-num 4 --split-at 2
           - id: clang-tidy
-            name: Run script/clang-tidy for ESP32 IDF 3/3
-            options: --environment esp32-idf-tidy --split-num 3 --split-at 3
+            name: Run script/clang-tidy for ESP32 Arduino 3/4
+            options: --environment esp32-arduino-tidy --split-num 4 --split-at 3
+          - id: clang-tidy
+            name: Run script/clang-tidy for ESP32 Arduino 4/4
+            options: --environment esp32-arduino-tidy --split-num 4 --split-at 4
 
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # Need history for HEAD~1 to work for checking changed files
           fetch-depth: 2
@@ -670,8 +681,19 @@ jobs:
           python-version: ${{ env.DEFAULT_PYTHON }}
           cache-key: ${{ needs.common.outputs.cache-key }}
 
-      - name: Cache ESP-IDF install
-        uses: ./.github/actions/cache-esp-idf
+      - name: Cache platformio
+        if: github.ref == 'refs/heads/dev'
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ~/.platformio
+          key: platformio-tidyesp32-${{ hashFiles('platformio.ini') }}
+
+      - name: Cache platformio
+        if: github.ref != 'refs/heads/dev'
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ~/.platformio
+          key: platformio-tidyesp32-${{ hashFiles('platformio.ini') }}
 
       - name: Register problem matchers
         run: |
@@ -682,12 +704,15 @@ jobs:
         id: check_full_scan
         run: |
           . venv/bin/activate
-          # determine-jobs.clang-tidy-full-scan is true when core C++ or a
-          # clang-tidy-relevant config file changed, or the ci-run-all label
-          # forced --force-all.
+          # determine-jobs.clang-tidy-full-scan is true when core C++ changed
+          # OR the ci-run-all label forced --force-all. Independent of the
+          # hash check, both must produce a full scan in the job itself.
           if [ "${{ needs.determine-jobs.outputs.clang-tidy-full-scan }}" = "true" ]; then
             echo "full_scan=true" >> $GITHUB_OUTPUT
             echo "reason=determine_jobs" >> $GITHUB_OUTPUT
+          elif python script/clang_tidy_hash.py --check; then
+            echo "full_scan=true" >> $GITHUB_OUTPUT
+            echo "reason=hash_changed" >> $GITHUB_OUTPUT
           else
             echo "full_scan=false" >> $GITHUB_OUTPUT
             echo "reason=normal" >> $GITHUB_OUTPUT
@@ -711,89 +736,6 @@ jobs:
         run: script/ci-suggest-changes
         if: always()
 
-  clang-tidy-esp32-variants:
-    name: ${{ matrix.name }}
-    runs-on: ubuntu-24.04
-    needs:
-      - common
-      - determine-jobs
-    if: needs.determine-jobs.outputs.clang-tidy == 'true'
-    env:
-      GH_TOKEN: ${{ github.token }}
-      # The variant tidy envs install ESP-IDF natively; share the native IDF cache.
-      ESPHOME_ESP_IDF_PREFIX: ~/.esphome-idf
-    strategy:
-      fail-fast: false
-      max-parallel: 3
-      matrix:
-        include:
-          - id: clang-tidy
-            name: Run script/clang-tidy for ESP32 S3
-            options: --environment esp32s3-idf-tidy --grep USE_ESP32_VARIANT_ESP32S3
-          - id: clang-tidy
-            name: Run script/clang-tidy for ESP32 P4
-            # P4 has no native Wi-Fi/BLE; those run over the hosted co-processor,
-            # so their code paths differ -- lint them under the P4 build too.
-            # yamllint disable-line rule:line-length
-            options: --environment esp32p4-idf-tidy --grep USE_ESP32_VARIANT_ESP32P4 --grep USE_ESP32_HOSTED --grep USE_WIFI --grep USE_BLE
-          - id: clang-tidy
-            name: Run script/clang-tidy for ESP32 C6
-            # yamllint disable-line rule:line-length
-            options: --environment esp32c6-idf-tidy --grep USE_ESP32_VARIANT_ESP32C6 --grep USE_OPENTHREAD --grep USE_ZIGBEE
-
-    steps:
-      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
-        with:
-          # Need history for HEAD~1 to work for checking changed files
-          fetch-depth: 2
-
-      - name: Restore Python
-        uses: ./.github/actions/restore-python
-        with:
-          python-version: ${{ env.DEFAULT_PYTHON }}
-          cache-key: ${{ needs.common.outputs.cache-key }}
-
-      - name: Cache ESP-IDF install
-        uses: ./.github/actions/cache-esp-idf
-
-      - name: Register problem matchers
-        run: |
-          echo "::add-matcher::.github/workflows/matchers/gcc.json"
-          echo "::add-matcher::.github/workflows/matchers/clang-tidy.json"
-
-      - name: Check if full clang-tidy scan needed
-        id: check_full_scan
-        run: |
-          . venv/bin/activate
-          # determine-jobs.clang-tidy-full-scan is true when core C++ or a
-          # clang-tidy-relevant config file changed, or the ci-run-all label
-          # forced --force-all.
-          if [ "${{ needs.determine-jobs.outputs.clang-tidy-full-scan }}" = "true" ]; then
-            echo "full_scan=true" >> $GITHUB_OUTPUT
-            echo "reason=determine_jobs" >> $GITHUB_OUTPUT
-          else
-            echo "full_scan=false" >> $GITHUB_OUTPUT
-            echo "reason=normal" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Run clang-tidy
-        # Limited variant scan: only the files carrying that variant's code paths
-        # (no --all-headers; the comprehensive esp32-idf pass covers the shared tree).
-        run: |
-          . venv/bin/activate
-          if [ "${{ steps.check_full_scan.outputs.full_scan }}" = "true" ]; then
-            echo "Running FULL clang-tidy scan (reason: ${{ steps.check_full_scan.outputs.reason }})"
-            script/clang-tidy --fix ${{ matrix.options }}
-          else
-            echo "Running clang-tidy on changed files only"
-            script/clang-tidy --fix --changed ${{ matrix.options }}
-          fi
-
-      - name: Suggested changes
-        run: script/ci-suggest-changes
-        if: always()
-
   test-build-components-split:
     name: Test components batch (${{ matrix.components }})
     runs-on: ubuntu-24.04
@@ -801,10 +743,6 @@ jobs:
       - common
       - determine-jobs
     if: github.event_name == 'pull_request' && fromJSON(needs.determine-jobs.outputs.component-test-count) > 0
-    env:
-      # esp32 component builds use the native ESP-IDF toolchain (default), so
-      # share the tidy jobs' install location -- the restore below lands here.
-      ESPHOME_ESP_IDF_PREFIX: ~/.esphome-idf
     strategy:
       fail-fast: false
       max-parallel: ${{ (startsWith(github.base_ref, 'beta') || startsWith(github.base_ref, 'release')) && 8 || 4 }}
@@ -826,18 +764,12 @@ jobs:
           version: 1.0
 
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Restore Python
         uses: ./.github/actions/restore-python
         with:
           python-version: ${{ env.DEFAULT_PYTHON }}
           cache-key: ${{ needs.common.outputs.cache-key }}
-      - name: Cache ESP-IDF install (restore-only)
-        # A batch may contain no esp32 build, so never save -- just reuse the
-        # shared install the dev tidy jobs already cached when present.
-        uses: ./.github/actions/cache-esp-idf
-        with:
-          restore-only: true
       - name: Validate and compile components with intelligent grouping
         run: |
           . venv/bin/activate
@@ -889,7 +821,7 @@ jobs:
           fi
           echo ""
 
-          # Show disk space before validation
+          # Show disk space before validation (after bind mounts setup)
           echo "Disk space before config validation:"
           df -h
           echo ""
@@ -941,22 +873,23 @@ jobs:
             echo "All components in this batch are validate-only -- skipping compile stage."
           fi
 
-  test-esp32-platformio:
-    name: Test esp32 components with PlatformIO
+  test-native-idf:
+    name: Test components with native ESP-IDF
     runs-on: ubuntu-24.04
     needs:
       - common
       - determine-jobs
-    if: github.event_name == 'pull_request' && needs.determine-jobs.outputs.esp32-platformio == 'true'
+    if: github.event_name == 'pull_request' && needs.determine-jobs.outputs.native-idf == 'true'
     env:
-      # Comma-joined subset of the esp32 PlatformIO representative component list,
-      # computed by script/determine-jobs.py (esp32_platformio_components_to_test).
+      ESPHOME_ESP_IDF_PREFIX: ~/.esphome-idf
+      # Comma-joined subset of the native-IDF representative component list,
+      # computed by script/determine-jobs.py (native_idf_components_to_test).
       # Single source of truth -- the full list lives in
-      # script/determine-jobs.py::ESP32_PLATFORMIO_TEST_COMPONENTS.
-      TEST_COMPONENTS: ${{ needs.determine-jobs.outputs.esp32-platformio-components }}
+      # script/determine-jobs.py::NATIVE_IDF_TEST_COMPONENTS.
+      TEST_COMPONENTS: ${{ needs.determine-jobs.outputs.native-idf-components }}
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Restore Python
         uses: ./.github/actions/restore-python
@@ -964,23 +897,70 @@ jobs:
           python-version: ${{ env.DEFAULT_PYTHON }}
           cache-key: ${{ needs.common.outputs.cache-key }}
 
-      - name: Run PlatformIO compile test
+      - name: Cache ESPHome
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ~/.esphome-idf
+          key: ${{ runner.os }}-esphome-${{ needs.common.outputs.cache-key }}
+
+      - name: Run native ESP-IDF compile test
         run: |
           . venv/bin/activate
 
+          # Check if /mnt has more free space than / before bind mounting
+          # Extract available space in KB for comparison
+          root_avail=$(df -k / | awk 'NR==2 {print $4}')
+          mnt_avail=$(df -k /mnt 2>/dev/null | awk 'NR==2 {print $4}')
+
+          echo "Available space: / has ${root_avail}KB, /mnt has ${mnt_avail}KB"
+
+          # Only use /mnt if it has more space than /
+          if [ -n "$mnt_avail" ] && [ "$mnt_avail" -gt "$root_avail" ]; then
+            echo "Using /mnt for build files (more space available)"
+            # Bind mount PlatformIO directory to /mnt (tools, packages, build cache all go there)
+            sudo mkdir -p /mnt/esphome-idf
+            sudo chown $USER:$USER /mnt/esphome-idf
+            mkdir -p ~/.esphome-idf
+            sudo mount --bind /mnt/esphome-idf ~/.esphome-idf
+
+            # Bind mount test build directory to /mnt
+            sudo mkdir -p /mnt/test_build_components_build
+            sudo chown $USER:$USER /mnt/test_build_components_build
+            mkdir -p tests/test_build_components/build
+            sudo mount --bind /mnt/test_build_components_build tests/test_build_components/build
+          else
+            echo "Using / for build files (more space available than /mnt or /mnt unavailable)"
+          fi
+
           echo "Testing components: $TEST_COMPONENTS"
           echo ""
 
-          # compile validates config first, so a separate config pass is
-          # redundant for this smoke test. ESP-IDF framework via PlatformIO:
-          python3 script/test_build_components.py -e compile -t esp32-idf -c "$TEST_COMPONENTS" -f --toolchain platformio
-
-          echo ""
-          echo "ESP-IDF-via-PlatformIO build passed! Starting Arduino smoke test..."
+          # Show disk space before validation (after bind mounts setup)
+          echo "Disk space before config validation:"
+          df -h
           echo ""
 
-          # Arduino framework via PlatformIO (only components with an esp32-ard test are built):
-          python3 script/test_build_components.py -e compile -t esp32-ard -c "$TEST_COMPONENTS" -f --toolchain platformio
+          # Run config validation (auto-grouped by test_build_components.py)
+          python3 script/test_build_components.py -e config -t esp32-idf -c "$TEST_COMPONENTS" -f --toolchain esp-idf
+
+          echo ""
+          echo "Config validation passed! Starting compilation..."
+          echo ""
+
+          # Show disk space before compilation
+          echo "Disk space before compilation:"
+          df -h
+          echo ""
+
+          # Run compilation (auto-grouped by test_build_components.py)
+          python3 script/test_build_components.py -e compile -t esp32-idf -c "$TEST_COMPONENTS" -f --toolchain esp-idf
+
+      - name: Save ESPHome cache
+        if: github.ref == 'refs/heads/dev'
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ~/.esphome-idf
+          key: ${{ runner.os }}-esphome-${{ needs.common.outputs.cache-key }}
 
   pre-commit-ci-lite:
     name: pre-commit.ci lite
@@ -991,7 +971,7 @@ jobs:
     if: github.event_name == 'pull_request' && !startsWith(github.base_ref, 'beta') && !startsWith(github.base_ref, 'release') && needs.determine-jobs.outputs.core-ci == 'true'
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Restore Python
         uses: ./.github/actions/restore-python
         with:
@@ -999,7 +979,7 @@ jobs:
           cache-key: ${{ needs.common.outputs.cache-key }}
       - uses: esphome/pre-commit-action@43cd1109c09c544d97196f7730ee5b2e0cc6d81e # v3.0.1 fork with pinned actions/cache
         env:
-          SKIP: pylint,ci-custom
+          SKIP: pylint,clang-tidy-hash,ci-custom
       - uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43 # v1.1.0
         if: always()
 
@@ -1017,7 +997,7 @@ jobs:
       skip: ${{ steps.check-script.outputs.skip || steps.check-tests.outputs.skip }}
     steps:
       - name: Check out target branch
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.base_ref }}
 
@@ -1199,7 +1179,7 @@ jobs:
       flash_usage: ${{ steps.extract.outputs.flash_usage }}
     steps:
       - name: Check out PR branch
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Restore Python
         uses: ./.github/actions/restore-python
         with:
@@ -1268,7 +1248,7 @@ jobs:
       GH_TOKEN: ${{ github.token }}
     steps:
       - name: Check out code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Restore Python
         uses: ./.github/actions/restore-python
         with:
@@ -1311,11 +1291,10 @@ jobs:
       - clang-tidy-single
       - clang-tidy-nosplit
       - clang-tidy-split
-      - clang-tidy-esp32-variants
       - determine-jobs
       - device-builder
       - test-build-components-split
-      - test-esp32-platformio
+      - test-native-idf
       - pre-commit-ci-lite
       - memory-impact-target-branch
       - memory-impact-pr-branch
@@ -1331,7 +1310,4 @@ jobs:
           # 1. The target branch has a build issue independent of this PR
           # 2. This PR fixes a build issue on the target branch
           # In either case, we only care that the PR branch builds successfully.
-          # Every other job must have succeeded or been skipped; a "cancelled" or
-          # "failure" result fails this check so CI is not reported green when the
-          # workflow was cancelled.
-          echo "$NEEDS_JSON" | jq -e 'del(.["memory-impact-target-branch"]) | all(.result == "success" or .result == "skipped")'
+          echo "$NEEDS_JSON" | jq -e 'del(.["memory-impact-target-branch"]) | all(.result != "failure")'

.github/workflows/codeowner-approved-label-update.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout base branch
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.pull_request.base.sha }}
           sparse-checkout: |

.github/workflows/codeowner-review-request.yml

@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout base branch
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.pull_request.base.sha }}
 

.github/workflows/codeql.yml

@@ -52,11 +52,11 @@ jobs:
             # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
       - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -84,6 +84,6 @@ jobs:
           exit 1
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dashboard-deprecation-comment.yml

@@ -0,0 +1,119 @@
+name: Add Dashboard Deprecation Comment
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+
+# All API calls (pulls.listFiles + issues.{list,create,update}Comment) are performed with
+# the App token minted below, so the workflow's GITHUB_TOKEN does not need any scopes.
+permissions: {}
+
+jobs:
+  dashboard-deprecation-comment:
+    name: Dashboard deprecation comment
+    runs-on: ubuntu-latest
+    # Release-bump PRs (bump-X.Y.Z -> beta, beta -> release) inevitably
+    # roll up everything merged into dev since the last cut, which can
+    # include dashboard changes that have already been reviewed once.
+    # The bot's purpose is to warn new contributors before they invest
+    # time -- that only applies to PRs entering dev.
+    if: github.event.pull_request.base.ref == 'dev'
+    steps:
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        with:
+          client-id: ${{ vars.ESPHOME_GITHUB_APP_CLIENT_ID }}
+          private-key: ${{ secrets.ESPHOME_GITHUB_APP_PRIVATE_KEY }}
+          # pulls.listFiles + issues.{list,create,update}Comment on PRs. For PR resources
+          # the issues.*Comment APIs require the pull-requests scope, not issues.
+          permission-pull-requests: write
+
+      - name: Add dashboard deprecation comment
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          github-token: ${{ steps.generate-token.outputs.token }}
+          script: |
+            const commentMarker = "<!-- This comment was generated automatically by the dashboard-deprecation-comment workflow. -->";
+
+            const commentBody = `Thanks for opening this PR!
+
+            Heads up: the legacy ESPHome dashboard (\`esphome/dashboard/\` and \`tests/dashboard/\`) is **deprecated** and is being replaced by [ESPHome Device Builder](https://github.com/esphome/device-builder). We are not adding new features to the legacy dashboard and it will eventually be removed from this repository.
+
+            What this means for your PR:
+
+            - **New features / enhancements**: please port the change to [esphome/device-builder](https://github.com/esphome/device-builder) instead. We are unlikely to review or merge new dashboard features here.
+            - **Bug fixes**: small fixes may still be considered, but please check first whether the same issue exists in Device Builder, where the fix will have a longer life.
+            - **Security issues**: please do not file a public PR. Report privately via [GitHub security advisories](https://github.com/esphome/esphome/security/advisories/new) so we can coordinate a fix.
+
+            We appreciate the contribution and apologize for the friction; flagging this early so your time isn't spent on a change that may not land.
+
+            ---
+            (Added by the PR bot)
+
+            ${commentMarker}`;
+
+            async function getDashboardChanges(github, owner, repo, prNumber) {
+                const changedFiles = await github.paginate(
+                    github.rest.pulls.listFiles,
+                    {
+                        owner: owner,
+                        repo: repo,
+                        pull_number: prNumber,
+                        per_page: 100,
+                    }
+                );
+
+                return changedFiles.filter(file =>
+                    file.filename.startsWith('esphome/dashboard/') ||
+                    file.filename.startsWith('tests/dashboard/')
+                );
+            }
+
+            async function findBotComment(github, owner, repo, prNumber) {
+                const comments = await github.paginate(
+                    github.rest.issues.listComments,
+                    {
+                        owner: owner,
+                        repo: repo,
+                        issue_number: prNumber,
+                        per_page: 100,
+                    }
+                );
+
+                return comments.find(comment =>
+                    comment.body.includes(commentMarker) && comment.user.type === "Bot"
+                );
+            }
+
+            const prNumber = context.payload.pull_request.number;
+            const { owner, repo } = context.repo;
+
+            const dashboardChanges = await getDashboardChanges(github, owner, repo, prNumber);
+            const existingComment = await findBotComment(github, owner, repo, prNumber);
+
+            if (dashboardChanges.length === 0) {
+                // PR doesn't (or no longer) touches the legacy dashboard. If we previously
+                // commented (e.g. files were removed in a later push), leave the comment in
+                // place for history rather than thrash on edit/delete.
+                return;
+            }
+
+            if (existingComment) {
+                if (existingComment.body === commentBody) {
+                    return;
+                }
+                await github.rest.issues.updateComment({
+                    owner: owner,
+                    repo: repo,
+                    comment_id: existingComment.id,
+                    body: commentBody,
+                });
+            } else {
+                await github.rest.issues.createComment({
+                    owner: owner,
+                    repo: repo,
+                    issue_number: prNumber,
+                    body: commentBody,
+                });
+            }

.github/workflows/pr-title-check.yml

@@ -16,7 +16,7 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:

.github/workflows/release.yml

@@ -20,7 +20,7 @@ jobs:
       branch_build: ${{ steps.tag.outputs.branch_build }}
       deploy_env: ${{ steps.tag.outputs.deploy_env }}
     steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Get tag
         id: tag
         # yamllint disable rule:line-length
@@ -60,7 +60,7 @@ jobs:
       contents: read   # actions/checkout to build the sdist/wheel
       id-token: write  # OIDC token for PyPI Trusted Publishing (pypa/gh-action-pypi-publish)
     steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
@@ -92,7 +92,7 @@ jobs:
             os: "ubuntu-24.04-arm"
 
     steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
@@ -168,7 +168,7 @@ jobs:
           - ghcr
           - dockerhub
     steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Download digests
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1

.github/workflows/sync-device-classes.yml

@@ -28,10 +28,10 @@ jobs:
           permission-pull-requests: write  # pulls.create / pulls.update to open or refresh the sync PR
 
       - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Checkout Home Assistant
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: home-assistant/core
           path: lib/home-assistant
@@ -47,7 +47,7 @@ jobs:
         # setup-python interpreter so subsequent ``pre-commit`` /
         # ``script/run-in-env.py`` steps find the deps without a
         # ``uv run`` prefix.
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           enable-cache: true
           # Pin uv version so the action does not have to fetch the

.gitignore

@@ -141,7 +141,6 @@ tests/.esphome/
 
 sdkconfig.*
 !sdkconfig.defaults
-!sdkconfig.defaults.*
 
 .tests/
 

.pre-commit-config.yaml

@@ -6,12 +6,12 @@ ci:
   autoupdate_commit_msg: 'pre-commit: autoupdate'
   autoupdate_schedule: off  # Disabled until ruff versions are synced between deps and pre-commit
   # Skip hooks that have issues in pre-commit CI environment
-  skip: [pylint]
+  skip: [pylint, clang-tidy-hash]
 
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.15.15
+    rev: v0.15.14
     hooks:
       # Run the linter.
       - id: ruff
@@ -59,6 +59,13 @@ repos:
         language: system
         types: [python]
         files: ^esphome/.+\.py$
+      - id: clang-tidy-hash
+        name: Update clang-tidy hash
+        entry: python script/clang_tidy_hash.py --update-if-changed
+        language: python
+        files: ^(\.clang-tidy|platformio\.ini|requirements_dev\.txt)$
+        pass_filenames: false
+        additional_dependencies: []
       - id: ci-custom
         name: ci-custom
         entry: python script/run-in-env.py script/ci-custom.py

AGENTS.md

@@ -14,7 +14,7 @@ This document provides essential context for AI models interacting with this pro
 *   **Build Systems:** PlatformIO is the primary build system. CMake is used as an alternative.
 *   **Configuration:** YAML.
 *   **Key Libraries/Dependencies:**
-    *   **Python:** `voluptuous` (for configuration validation), `PyYAML` (for parsing configuration files), `paho-mqtt` (for MQTT communication), `aioesphomeapi` (for the native API).
+    *   **Python:** `voluptuous` (for configuration validation), `PyYAML` (for parsing configuration files), `paho-mqtt` (for MQTT communication), `tornado` (for the web server), `aioesphomeapi` (for the native API).
     *   **C++:** `ArduinoJson` (for JSON serialization/deserialization), `AsyncMqttClient-esphome` (for MQTT), `ESPAsyncWebServer` (for the web server).
 *   **Package Manager(s):** `pip` (for Python dependencies), `platformio` (for C++/PlatformIO dependencies).
 *   **Communication Protocols:** Protobuf (for native API), MQTT, HTTP.
@@ -35,6 +35,7 @@ This document provides essential context for AI models interacting with this pro
     2.  **Code Generation** (`esphome/codegen.py`, `esphome/cpp_generator.py`): Manages Python to C++ code generation, template processing, and build flag management.
     3.  **Component System** (`esphome/components/`): Contains modular hardware and software components with platform-specific implementations and dependency management.
     4.  **Core Framework** (`esphome/core/`): Manages the application lifecycle, hardware abstraction, and component registration.
+    5.  **Dashboard** (`esphome/dashboard/`): A web-based interface for device configuration, management, and OTA updates.
 
 *   **Platform Support:**
     1.  **ESP32** (`components/esp32/`): Espressif ESP32 family. Supports multiple variants (Original, C2, C3, C5, C6, H2, P4, S2, S3) with ESP-IDF framework. Arduino framework supports only a subset of the variants (Original, C3, S2, S3).
@@ -58,19 +59,6 @@ This document provides essential context for AI models interacting with this pro
         - Protected/private fields: `lower_snake_case_with_trailing_underscore_`
         - Favor descriptive names over abbreviations
 
-*   **Python Idioms:**
-    *   **Assignment expressions (PEP 572):** Prefer the walrus operator (`:=`) wherever it removes a redundant lookup or a throwaway temporary. The most common case in component code is presence-checking a config key and then indexing it separately — fetch once with `.get()` and bind in the condition instead:
-        ```python
-        # Bad - looks up CONF_BLAH twice
-        if CONF_BLAH in config:
-            cg.add(var.set_blah(config[CONF_BLAH]))
-
-        # Good - single lookup, value bound inline
-        if (blah := config.get(CONF_BLAH)) is not None:
-            cg.add(var.set_blah(blah))
-        ```
-        The same applies to `while` loops and comprehensions where it avoids recomputing a value. Don't contort code to use it — reach for `:=` only when it genuinely cuts repetition or an extra assignment line.
-
 *   **C++ Field Visibility:**
     *   **Prefer `protected`:** Use `protected` for most class fields to enable extensibility and testing. Fields should be `lower_snake_case_with_trailing_underscore_`.
     *   **Use `private` for safety-critical cases:** Use `private` visibility when direct field access could introduce bugs or violate invariants:
@@ -455,6 +443,7 @@ This document provides essential context for AI models interacting with this pro
     *   **Debug Tools:**
         - `esphome config <file>.yaml` to validate configuration.
         - `esphome compile <file>.yaml` to compile without uploading.
+        - Check the Dashboard for real-time logs.
         - Use component-specific debug logging.
     *   **Common Issues:**
         - **Import Errors**: Check component dependencies and `PYTHONPATH`.
@@ -473,7 +462,7 @@ This document provides essential context for AI models interacting with this pro
     6.  **Pull Request:** Submit a PR against the `dev` branch. The Pull Request title should have a prefix of the component being worked on (e.g., `[display] Fix bug`, `[abc123] Add new component`). Update documentation, examples, and add `CODEOWNERS` entries as needed. Pull requests should always be made using the `.github/PULL_REQUEST_TEMPLATE.md` template - fill out all sections completely without removing any parts of the template.
 
 *   **Documentation Contributions:**
-    *   Documentation is hosted in the separate `esphome/esphome.io` repository.
+    *   Documentation is hosted in the separate `esphome/esphome-docs` repository.
     *   The contribution workflow is the same as for the codebase.
     *   When editing a component's documentation page, also update the corresponding component index page to ensure both pages remain in sync.
 
@@ -656,7 +645,7 @@ This document provides essential context for AI models interacting with this pro
         If you need a real-world example, search for components that use `@dataclass` with `CORE.data` in the codebase. Note: Some components may use `TypedDict` for dictionary-based storage; both patterns are acceptable depending on your needs.
 
         **Why this matters:**
-        - Module-level globals persist between compilation runs if the host process (e.g. device-builder) doesn't fork/exec
+        - Module-level globals persist between compilation runs if the dashboard doesn't fork/exec
         - `CORE.data` automatically clears between runs
         - Namespacing under `DOMAIN` prevents key collisions between components
         - `@dataclass` provides type safety and cleaner attribute access
@@ -692,7 +681,7 @@ This document provides essential context for AI models interacting with this pro
     - [ ] Explored non-breaking alternatives
     - [ ] Added deprecation warnings if possible (use `ESPDEPRECATED` macro for C++)
     - [ ] Documented migration path in PR description with before/after examples
-    - [ ] Updated all internal usage and esphome.io
+    - [ ] Updated all internal usage and esphome-docs
     - [ ] Tested backward compatibility during deprecation period
 
 *   **Deprecation Pattern (C++):**

CODEOWNERS

@@ -19,6 +19,7 @@ esphome/components/ac_dimmer/* @glmnet
 esphome/components/adc/* @esphome/core
 esphome/components/adc128s102/* @DeerMaximum
 esphome/components/addressable_light/* @justfalter
+esphome/components/ade7880/* @kpfleming
 esphome/components/ade7953/* @angelnu
 esphome/components/ade7953_base/* @angelnu
 esphome/components/ade7953_i2c/* @angelnu
@@ -27,7 +28,7 @@ esphome/components/ads1118/* @solomondg1
 esphome/components/ags10/* @mak-42
 esphome/components/aic3204/* @kbx81
 esphome/components/airthings_ble/* @jeromelaban
-esphome/components/airthings_wave_base/* @jeromelaban @ncareau
+esphome/components/airthings_wave_base/* @jeromelaban @kpfleming @ncareau
 esphome/components/airthings_wave_mini/* @ncareau
 esphome/components/airthings_wave_plus/* @jeromelaban @precurse
 esphome/components/alarm_control_panel/* @grahambrown11 @hwstar
@@ -83,7 +84,6 @@ esphome/components/bme680_bsec/* @trvrnrth
 esphome/components/bme68x_bsec2/* @kbx81 @neffs
 esphome/components/bme68x_bsec2_i2c/* @kbx81 @neffs
 esphome/components/bmi160/* @flaviut
-esphome/components/bmi270/* @clydebarrow
 esphome/components/bmp280_base/* @ademuri
 esphome/components/bmp280_i2c/* @ademuri
 esphome/components/bmp280_spi/* @ademuri
@@ -139,7 +139,7 @@ esphome/components/dfplayer/* @glmnet
 esphome/components/dfrobot_sen0395/* @niklasweber
 esphome/components/dht/* @OttoWinter
 esphome/components/display_menu_base/* @numo68
-esphome/components/dlms_meter/* @latonita @PolarGoose @SimonFischer04 @Tomer27cz
+esphome/components/dlms_meter/* @SimonFischer04
 esphome/components/dps310/* @kbx81
 esphome/components/ds1307/* @badbadc0ffee
 esphome/components/ds2484/* @mrk-its
@@ -291,7 +291,6 @@ esphome/components/lock/* @esphome/core
 esphome/components/logger/* @esphome/core
 esphome/components/logger/select/* @clydebarrow
 esphome/components/lps22/* @nagisa
-esphome/components/lsm6ds/* @clydebarrow
 esphome/components/ltr390/* @latonita @sjtrny
 esphome/components/ltr501/* @latonita
 esphome/components/ltr_als_ps/* @latonita
@@ -352,7 +351,6 @@ esphome/components/modbus_server/* @exciton
 esphome/components/mopeka_ble/* @Fabian-Schmidt @spbrogan
 esphome/components/mopeka_pro_check/* @spbrogan
 esphome/components/mopeka_std_check/* @Fabian-Schmidt
-esphome/components/motion/* @esphome/core
 esphome/components/mpl3115a2/* @kbickar
 esphome/components/mpu6886/* @fabaff
 esphome/components/ms8607/* @e28eta
@@ -381,7 +379,6 @@ esphome/components/pca6416a/* @Mat931
 esphome/components/pca9554/* @bdraco @clydebarrow @hwstar
 esphome/components/pcf85063/* @brogon
 esphome/components/pcf8563/* @KoenBreeman
-esphome/components/pcm5122/* @remcom
 esphome/components/pi4ioe5v6408/* @jesserockz
 esphome/components/pid/* @OttoWinter
 esphome/components/pipsolar/* @andreashergert1984
@@ -420,7 +417,6 @@ esphome/components/restart/* @esphome/core
 esphome/components/rf_bridge/* @jesserockz
 esphome/components/rgbct/* @jesserockz
 esphome/components/ring_buffer/* @kahrendt
-esphome/components/router/speaker/* @kahrendt
 esphome/components/rp2040/* @jesserockz
 esphome/components/rp2040_ble/* @bdraco
 esphome/components/rp2040_pio_led_strip/* @Papa-DMan
@@ -445,7 +441,7 @@ esphome/components/select/* @esphome/core
 esphome/components/sen0321/* @notjj
 esphome/components/sen21231/* @shreyaskarnik
 esphome/components/sen5x/* @martgras
-esphome/components/sen6x/* @martgras @mebner86 @tuct
+esphome/components/sen6x/* @martgras @mebner86 @mikelawrence @tuct
 esphome/components/sendspin/* @kahrendt
 esphome/components/sendspin/media_player/* @kahrendt
 esphome/components/sendspin/media_source/* @kahrendt
@@ -561,7 +557,6 @@ esphome/components/uart/packet_transport/* @clydebarrow
 esphome/components/udp/* @clydebarrow
 esphome/components/ufire_ec/* @pvizeli
 esphome/components/ufire_ise/* @pvizeli
-esphome/components/ufm01/* @ljungqvist
 esphome/components/ultrasonic/* @ssieb @swoboda1337
 esphome/components/update/* @jesserockz
 esphome/components/uponor_smatrix/* @kroimon
@@ -599,7 +594,6 @@ esphome/components/wk2212_spi/* @DrCoolZic
 esphome/components/wl_134/* @hobbypunk90
 esphome/components/wts01/* @alepee
 esphome/components/x9c/* @EtienneMD
-esphome/components/xdb401/* @RT530
 esphome/components/xgzp68xx/* @gcormier
 esphome/components/xiaomi_hhccjcy10/* @fariouche
 esphome/components/xiaomi_lywsd02mmc/* @juanluss31

Doxyfile

@@ -48,7 +48,7 @@ PROJECT_NAME           = ESPHome
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
 
-PROJECT_NUMBER         = 2026.7.0-dev
+PROJECT_NUMBER         = 2026.6.0-dev
 
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a

THREAT_MODEL.md

@@ -1,102 +0,0 @@
-# ESPHome Threat Model
-
-This document defines the trust boundary for the **ESPHome** repository — the
-Python compiler/CLI and the device firmware it generates — so that real security
-bugs can be told apart from defense-in-depth improvements. It gives contributors,
-reviewers, and security researchers a clear answer to one question:
-**does this issue let an _unauthenticated_ attacker do something they shouldn't?**
-
-Related documents:
-
-- Deployment guidance for operators:
-  https://esphome.io/guides/security_best_practices/
-- The **Device Builder dashboard** (the web UI, its authentication, ingress,
-  Origin/Host gates, and peer-link pairing) lives in a separate repository and
-  has its own threat model. If your report concerns any of that, please read and
-  report there instead:
-  https://github.com/esphome/device-builder/blob/main/docs/THREAT_MODEL.md
-
-## The trust boundary
-
-For this repository there are two trusted inputs by design:
-
-1. **The configuration.** Anyone who can supply or edit a YAML config is trusted
-   (see below).
-2. **Authenticated peers of a running device** — clients holding the device's
-   API encryption key / password, OTA password, or web server credentials.
-
-The security boundary is therefore **unauthenticated network traffic vs. those
-trusted inputs.** A bug that lets an unauthenticated attacker cross it is a
-security bug.
-
-## Config authors are host-equivalent by design
-
-Anyone who can supply or edit a configuration is **trusted with full code
-execution on the host that runs `esphome`**, on purpose. This is what the product
-does, not a flaw. A config author can already, through fully supported features:
-
-- Run arbitrary **Python** at validation/compile time via `external_components:`
-  (and other component-import mechanisms) — ESPHome imports those packages as
-  ordinary Python.
-- Run arbitrary **shell** commands through the compile/validate/flash toolchain
-  that ESPHome invokes as subprocesses.
-- Read and write arbitrary files reachable by the process (e.g. via `!include`,
-  `packages:`, `dashboard_import:`, and generated build output).
-
-Because of this, a malicious config author is equivalent to shell access on the
-host running the build.
-
-## What is *not* a security vulnerability
-
-If exploiting an issue requires the ability to supply or edit configuration, it
-is **not** a vulnerability in ESPHome, because that ability already grants host
-code execution. This explicitly includes, among others:
-
-- Template / expression injection in substitutions or any YAML string value
-  (e.g. Jinja `${...}` evaluation reaching Python internals). This grants no
-  capability a config author lacks.
-- `!include` / `packages:` / `dashboard_import:` reading or fetching content
-  from surprising or remote locations.
-- The validator or compiler crashing or behaving unexpectedly on adversarial
-  YAML.
-- ESPHome running as root in the official container — that is the documented
-  deployment posture, reachable by the same caller through the features above.
-
-These do not warrant a CVE or coordinated disclosure. Hardening in these areas
-(for example, sandboxing template evaluation as least-surprise defense-in-depth)
-is welcome as a normal enhancement PR, framed as cleanliness rather than a
-security fix — not as a vulnerability remediation.
-
-## What we do defend
-
-These *are* security bugs in this repo, and we want to hear about them privately:
-
-- Memory-safety or protocol bugs in the generated **device firmware** that are
-  remotely triggerable over the network (native API, web server, OTA, BLE,
-  captive portal, etc.) **without** valid credentials.
-- Authentication or encryption bypass on the device — reaching API calls, OTA
-  updates, or the web server without the configured key/password.
-- Flaws that weaken the device's API encryption (Noise), OTA, or web server auth
-  below their documented guarantees.
-
-## Explicitly out of scope
-
-- Local attackers who already have shell access on the host that runs `esphome`.
-- Supply-chain attacks against ESPHome or its dependencies.
-- Operator-supplied hostile YAML (covered above — config authoring is trusted).
-- Attacks that require an already-authenticated device peer (someone who already
-  holds the API key / OTA / web credentials).
-- Anything in the dashboard / device-builder — report that in its own repository
-  (linked at the top).
-- Deployments where the operator removed protections or exposed credentials. See
-  the security best practices guide:
-  https://esphome.io/guides/security_best_practices/
-
-## Reporting a vulnerability
-
-If you believe you've found an issue that crosses the unauthenticated boundary
-above, please report it privately via GitHub Security Advisories rather than a
-public issue. For issues that require config-write access, please review this
-document first — they are very likely out of scope by design. For dashboard /
-device-builder issues, report against that repository and consult its threat
-model (linked at the top).

codecov.yml

@@ -1,18 +0,0 @@
-coverage:
-  status:
-    patch:
-      default:
-        target: 100%
-        threshold: 0%
-    project:
-      default:
-        informational: true
-
-ignore:
-  - "esphome/components/**/*"
-  - "esphome/analyze_memory/**/*"
-  - "tests/integration/**/*"
-
-comment:
-  layout: "reach, diff, flags, files"
-  require_changes: true

docker/Dockerfile

@@ -1,9 +1,10 @@
 ARG BUILD_VERSION=dev
-ARG BUILD_BASE_VERSION=2026.06.0
+ARG BUILD_OS=alpine
+ARG BUILD_BASE_VERSION=2025.04.0
 ARG BUILD_TYPE=docker
 
-FROM ghcr.io/esphome/docker-base:debian-${BUILD_BASE_VERSION} AS base-source-docker
-FROM ghcr.io/esphome/docker-base:debian-ha-addon-${BUILD_BASE_VERSION} AS base-source-ha-addon
+FROM ghcr.io/esphome/docker-base:${BUILD_OS}-${BUILD_BASE_VERSION} AS base-source-docker
+FROM ghcr.io/esphome/docker-base:${BUILD_OS}-ha-addon-${BUILD_BASE_VERSION} AS base-source-ha-addon
 
 ARG BUILD_TYPE
 FROM base-source-${BUILD_TYPE} AS base
@@ -17,9 +18,13 @@ RUN git config --system --add safe.directory "*" \
 # validate openocd-esp32 (it dynamically links libusb-1.0.so.0); without
 # it idf_tools.py rejects the openocd install with exit 127 and aborts
 # the whole framework setup.
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends build-essential libusb-1.0-0 \
-    && rm -rf /var/lib/apt/lists/*
+RUN if command -v apk > /dev/null; then \
+        apk add --no-cache build-base libusb; \
+    else \
+        apt-get update \
+        && apt-get install -y --no-install-recommends build-essential libusb-1.0-0 \
+        && rm -rf /var/lib/apt/lists/*; \
+    fi
 
 ENV PIP_DISABLE_PIP_VERSION_CHECK=1
 
@@ -31,9 +36,6 @@ RUN \
     uv pip install --no-cache-dir \
     -r /requirements.txt
 
-# Install the ESPHome Device Builder dashboard.
-RUN uv pip install --no-cache-dir esphome-device-builder==1.0.12
-
 RUN \
     platformio settings set enable_telemetry No \
     && platformio settings set check_platformio_interval 1000000 \

docker/build.py

@@ -20,10 +20,6 @@ TYPE_HA_ADDON = "ha-addon"
 TYPE_LINT = "lint"
 TYPES = [TYPE_DOCKER, TYPE_HA_ADDON, TYPE_LINT]
 
-REGISTRY_GHCR = "ghcr"
-REGISTRY_DOCKERHUB = "dockerhub"
-REGISTRIES = [REGISTRY_GHCR, REGISTRY_DOCKERHUB]
-
 
 parser = argparse.ArgumentParser()
 parser.add_argument(
@@ -38,12 +34,6 @@ parser.add_argument(
 parser.add_argument(
     "--build-type", choices=TYPES, required=True, help="The type of build to run"
 )
-parser.add_argument(
-    "--registry",
-    choices=REGISTRIES,
-    action="append",
-    help="Restrict to specific registries (default: all). May be passed multiple times.",
-)
 parser.add_argument(
     "--dry-run", action="store_true", help="Don't run any commands, just print them"
 )
@@ -55,11 +45,6 @@ build_parser.add_argument("--push", help="Also push the images", action="store_t
 build_parser.add_argument(
     "--load", help="Load the docker image locally", action="store_true"
 )
-build_parser.add_argument(
-    "--no-cache-to",
-    help="Don't write the build cache (avoids polluting the shared cache)",
-    action="store_true",
-)
 manifest_parser = subparsers.add_parser(
     "manifest", help="Create a manifest from already pushed images"
 )
@@ -110,14 +95,11 @@ def main():
                 print("Command failed")
                 sys.exit(1)
 
-    registries = args.registry or REGISTRIES
-
     # detect channel from tag
     match = re.match(r"^(\d+\.\d+)(?:\.\d+)?(b\d+)?$", args.tag)
     major_minor_version = None
     if match is None:
-        # Custom tag (e.g. a branch name) -- push only the tag itself
-        channel = None
+        channel = CHANNEL_DEV
     elif match.group(2) is None:
         major_minor_version = match.group(1)
         channel = CHANNEL_RELEASE
@@ -146,18 +128,11 @@ def main():
             CHANNEL_DEV: "cache-dev",
             CHANNEL_BETA: "cache-beta",
             CHANNEL_RELEASE: "cache-latest",
-        }.get(channel, "cache-dev")
-        # Cache images live alongside the pushed images; prefer GHCR when it is
-        # one of the selected registries, otherwise fall back to Docker Hub so a
-        # registry-restricted build doesn't need GHCR auth.
-        cache_prefix = "ghcr.io/" if REGISTRY_GHCR in registries else ""
-        cache_img = f"{cache_prefix}{params.build_to}:{cache_tag}"
+        }[channel]
+        cache_img = f"ghcr.io/{params.build_to}:{cache_tag}"
 
-        imgs = []
-        if REGISTRY_DOCKERHUB in registries:
-            imgs += [f"{params.build_to}:{tag}" for tag in tags_to_push]
-        if REGISTRY_GHCR in registries:
-            imgs += [f"ghcr.io/{params.build_to}:{tag}" for tag in tags_to_push]
+        imgs = [f"{params.build_to}:{tag}" for tag in tags_to_push]
+        imgs += [f"ghcr.io/{params.build_to}:{tag}" for tag in tags_to_push]
 
         # 3. build
         cmd = [
@@ -180,9 +155,7 @@ def main():
         for img in imgs:
             cmd += ["--tag", img]
         if args.push:
-            cmd += ["--push"]
-            if not args.no_cache_to:
-                cmd += ["--cache-to", f"type=registry,ref={cache_img},mode=max"]
+            cmd += ["--push", "--cache-to", f"type=registry,ref={cache_img},mode=max"]
         if args.load:
             cmd += ["--load"]
 
@@ -190,22 +163,20 @@ def main():
     elif args.command == "manifest":
         manifest = DockerParams.for_type_arch(args.build_type, ARCH_AMD64).manifest_to
 
-        targets = []
-        if REGISTRY_DOCKERHUB in registries:
-            targets += [f"{manifest}:{tag}" for tag in tags_to_push]
-        if REGISTRY_GHCR in registries:
-            targets += [f"ghcr.io/{manifest}:{tag}" for tag in tags_to_push]
-        # Use buildx imagetools (not `docker manifest`) so the per-arch sources,
-        # which buildx pushes as single-platform manifest lists, are combined
-        # and pushed correctly in one step.
+        targets = [f"{manifest}:{tag}" for tag in tags_to_push]
+        targets += [f"ghcr.io/{manifest}:{tag}" for tag in tags_to_push]
+        # 1. Create manifests
         for target in targets:
-            cmd = ["docker", "buildx", "imagetools", "create", "--tag", target]
+            cmd = ["docker", "manifest", "create", target]
             for arch in ARCHS:
                 src = f"{DockerParams.for_type_arch(args.build_type, arch).build_to}:{args.tag}"
                 if target.startswith("ghcr.io"):
                     src = f"ghcr.io/{src}"
                 cmd.append(src)
             run_command(*cmd)
+        # 2. Push manifests
+        for target in targets:
+            run_command("docker", "manifest", "push", target)
 
 
 if __name__ == "__main__":

docker/docker_entrypoint.sh

@@ -27,12 +27,4 @@ if [[ -d /build ]]; then
     export ESPHOME_BUILD_PATH=/build
 fi
 
-# The default CMD is "dashboard /config". Route the dashboard to the new
-# Device Builder, but pass every other subcommand (compile, run, config,
-# logs, ...) straight through to the esphome CLI so direct CLI use keeps working.
-if [[ "$1" == "dashboard" ]]; then
-    shift
-    exec esphome-device-builder "$@"
-fi
-
 exec esphome "$@"

docker/ha-addon-rootfs/etc/cont-init.d/40-device-builder.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/with-contenv bashio
+# ==============================================================================
+# Installs the latest prerelease of esphome-device-builder when the
+# `use_new_device_builder` config option is enabled.
+# This is a temporary install-on-boot step until esphome-device-builder
+# becomes a direct dependency of esphome.
+# ==============================================================================
+
+if ! bashio::config.true 'use_new_device_builder'; then
+  exit 0
+fi
+
+bashio::log.info "Installing latest prerelease of esphome-device-builder..."
+if command -v uv > /dev/null; then
+  uv pip install --system --no-cache-dir --prerelease=allow --upgrade \
+    esphome-device-builder ||
+    bashio::exit.nok "Failed installing esphome-device-builder."
+else
+  pip install --no-cache-dir --pre --upgrade esphome-device-builder ||
+    bashio::exit.nok "Failed installing esphome-device-builder."
+fi
+bashio::log.info "Installed esphome-device-builder."

docker/ha-addon-rootfs/etc/nginx/includes/mime.types

@@ -0,0 +1,96 @@
+types {
+    text/html                                        html htm shtml;
+    text/css                                         css;
+    text/xml                                         xml;
+    image/gif                                        gif;
+    image/jpeg                                       jpeg jpg;
+    application/javascript                           js;
+    application/atom+xml                             atom;
+    application/rss+xml                              rss;
+
+    text/mathml                                      mml;
+    text/plain                                       txt;
+    text/vnd.sun.j2me.app-descriptor                 jad;
+    text/vnd.wap.wml                                 wml;
+    text/x-component                                 htc;
+
+    image/png                                        png;
+    image/svg+xml                                    svg svgz;
+    image/tiff                                       tif tiff;
+    image/vnd.wap.wbmp                               wbmp;
+    image/webp                                       webp;
+    image/x-icon                                     ico;
+    image/x-jng                                      jng;
+    image/x-ms-bmp                                   bmp;
+
+    font/woff                                        woff;
+    font/woff2                                       woff2;
+
+    application/java-archive                         jar war ear;
+    application/json                                 json;
+    application/mac-binhex40                         hqx;
+    application/msword                               doc;
+    application/pdf                                  pdf;
+    application/postscript                           ps eps ai;
+    application/rtf                                  rtf;
+    application/vnd.apple.mpegurl                    m3u8;
+    application/vnd.google-earth.kml+xml             kml;
+    application/vnd.google-earth.kmz                 kmz;
+    application/vnd.ms-excel                         xls;
+    application/vnd.ms-fontobject                    eot;
+    application/vnd.ms-powerpoint                    ppt;
+    application/vnd.oasis.opendocument.graphics      odg;
+    application/vnd.oasis.opendocument.presentation  odp;
+    application/vnd.oasis.opendocument.spreadsheet   ods;
+    application/vnd.oasis.opendocument.text          odt;
+    application/vnd.openxmlformats-officedocument.presentationml.presentation
+                                                     pptx;
+    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+                                                     xlsx;
+    application/vnd.openxmlformats-officedocument.wordprocessingml.document
+                                                     docx;
+    application/vnd.wap.wmlc                         wmlc;
+    application/x-7z-compressed                      7z;
+    application/x-cocoa                              cco;
+    application/x-java-archive-diff                  jardiff;
+    application/x-java-jnlp-file                     jnlp;
+    application/x-makeself                           run;
+    application/x-perl                               pl pm;
+    application/x-pilot                              prc pdb;
+    application/x-rar-compressed                     rar;
+    application/x-redhat-package-manager             rpm;
+    application/x-sea                                sea;
+    application/x-shockwave-flash                    swf;
+    application/x-stuffit                            sit;
+    application/x-tcl                                tcl tk;
+    application/x-x509-ca-cert                       der pem crt;
+    application/x-xpinstall                          xpi;
+    application/xhtml+xml                            xhtml;
+    application/xspf+xml                             xspf;
+    application/zip                                  zip;
+
+    application/octet-stream                         bin exe dll;
+    application/octet-stream                         deb;
+    application/octet-stream                         dmg;
+    application/octet-stream                         iso img;
+    application/octet-stream                         msi msp msm;
+
+    audio/midi                                       mid midi kar;
+    audio/mpeg                                       mp3;
+    audio/ogg                                        ogg;
+    audio/x-m4a                                      m4a;
+    audio/x-realaudio                                ra;
+
+    video/3gpp                                       3gpp 3gp;
+    video/mp2t                                       ts;
+    video/mp4                                        mp4;
+    video/mpeg                                       mpeg mpg;
+    video/quicktime                                  mov;
+    video/webm                                       webm;
+    video/x-flv                                      flv;
+    video/x-m4v                                      m4v;
+    video/x-mng                                      mng;
+    video/x-ms-asf                                   asx asf;
+    video/x-ms-wmv                                   wmv;
+    video/x-msvideo                                  avi;
+}

docker/ha-addon-rootfs/etc/nginx/includes/proxy_params.conf

@@ -0,0 +1,16 @@
+proxy_http_version          1.1;
+proxy_ignore_client_abort   off;
+proxy_read_timeout          86400s;
+proxy_redirect              off;
+proxy_send_timeout          86400s;
+proxy_max_temp_file_size    0;
+
+proxy_set_header Accept-Encoding "";
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-NginX-Proxy true;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Authorization "";

docker/ha-addon-rootfs/etc/nginx/includes/server_params.conf

@@ -0,0 +1,8 @@
+root            /dev/null;
+server_name     $hostname;
+
+client_max_body_size 512m;
+
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;

docker/ha-addon-rootfs/etc/nginx/includes/ssl_params.conf

@@ -0,0 +1,8 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_session_timeout  10m;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;

docker/ha-addon-rootfs/etc/nginx/includes/upstream.conf

@@ -0,0 +1,3 @@
+upstream esphome {
+    server unix:/var/run/esphome.sock;
+}

docker/ha-addon-rootfs/etc/nginx/nginx.conf

@@ -0,0 +1,30 @@
+daemon off;
+user root;
+pid /var/run/nginx.pid;
+worker_processes 1;
+error_log /proc/1/fd/1 error;
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/includes/mime.types;
+
+    access_log              off;
+    default_type            application/octet-stream;
+    gzip                    on;
+    keepalive_timeout       65;
+    sendfile                on;
+    server_tokens           off;
+
+    tcp_nodelay             on;
+    tcp_nopush              on;
+
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+    }
+
+    include /etc/nginx/includes/upstream.conf;
+    include /etc/nginx/servers/*.conf;
+}

docker/ha-addon-rootfs/etc/nginx/servers/.gitkeep

@@ -0,0 +1 @@
+Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley)

docker/ha-addon-rootfs/etc/nginx/templates/direct.gtpl

@@ -0,0 +1,28 @@
+server {
+    {{ if not .ssl }}
+    listen 6052 default_server;
+    {{ else }}
+    listen 6052 default_server ssl http2;
+    {{ end }}
+
+    include /etc/nginx/includes/server_params.conf;
+    include /etc/nginx/includes/proxy_params.conf;
+
+    {{ if .ssl }}
+    include /etc/nginx/includes/ssl_params.conf;
+
+    ssl_certificate /ssl/{{ .certfile }};
+    ssl_certificate_key /ssl/{{ .keyfile }};
+
+    # Redirect http requests to https on the same port.
+    # https://rageagainstshell.com/2016/11/redirect-http-to-https-on-the-same-port-in-nginx/
+    error_page 497 https://$http_host$request_uri;
+    {{ end }}
+
+    # Clear Home Assistant Ingress header
+    proxy_set_header X-HA-Ingress "";
+
+    location / {
+        proxy_pass http://esphome;
+    }
+}

docker/ha-addon-rootfs/etc/nginx/templates/ingress.gtpl

@@ -0,0 +1,18 @@
+server {
+    listen 127.0.0.1:{{ .port }} default_server;
+    listen {{ .interface }}:{{ .port }} default_server;
+
+    include /etc/nginx/includes/server_params.conf;
+    include /etc/nginx/includes/proxy_params.conf;
+
+    # Set Home Assistant Ingress header
+    proxy_set_header X-HA-Ingress "YES";
+
+    location / {
+        allow   172.30.32.2;
+        allow   127.0.0.1;
+        deny    all;
+
+        proxy_pass http://esphome;
+    }
+}

docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/discovery/run

@@ -16,7 +16,7 @@ fi
 
 port=$(bashio::addon.ingress_port)
 
-# Wait for the ESPHome Device Builder to become available
+# Wait for NGINX to become available
 bashio::net.wait_for "${port}" "127.0.0.1" 300
 
 config=$(\

docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/esphome/finish

@@ -2,7 +2,7 @@
 # shellcheck shell=bash
 # ==============================================================================
 # Home Assistant Community Add-on: ESPHome
-# Take down the S6 supervision tree when ESPHome Device Builder fails
+# Take down the S6 supervision tree when ESPHome dashboard fails
 # ==============================================================================
 declare exit_code
 readonly exit_code_container=$(</run/s6-linux-init-container-results/exitcode)
@@ -10,7 +10,7 @@ readonly exit_code_service="${1}"
 readonly exit_code_signal="${2}"
 
 bashio::log.info \
-  "Service ESPHome Device Builder exited with code ${exit_code_service}" \
+  "Service ESPHome dashboard exited with code ${exit_code_service}" \
   "(by signal ${exit_code_signal})"
 
 if [[ "${exit_code_service}" -eq 256 ]]; then

docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/esphome/run

@@ -2,7 +2,7 @@
 # shellcheck shell=bash
 # ==============================================================================
 # Community Hass.io Add-ons: ESPHome
-# Runs the ESPHome Device Builder
+# Runs the ESPHome dashboard
 # ==============================================================================
 readonly pio_cache_base=/data/cache/platformio
 
@@ -49,21 +49,12 @@ if bashio::fs.directory_exists '/config/esphome/.esphome'; then
     rm -rf /config/esphome/.esphome
 fi
 
-# Only signal device-builder to expose the public LAN port when the operator
-# mapped port 6052, matching the legacy dashboard where nginx listened on the
-# fixed port 6052 only when it was configured. We use the mapping purely as a
-# presence check and don't forward the published value; device-builder binds
-# its default port 6052 (the fixed container port, as the legacy
-# "listen 6052" did). --ha-addon-allow-public is inert on its own: the no-auth
-# gate is the DISABLE_HA_AUTHENTICATION env var set above, so both opt-ins are
-# required to bind 6052 unauthenticated; either alone stays ingress-only.
-set --
-if bashio::var.has_value "$(bashio::addon.port 6052)"; then
-    set -- --ha-addon-allow-public
+if bashio::config.true 'use_new_device_builder'; then
+    bashio::log.info "Starting ESPHome Device Builder..."
+    exec esphome-device-builder /config/esphome \
+        --ha-addon \
+        --ingress-port "$(bashio::addon.ingress_port)"
 fi
 
-bashio::log.info "Starting ESPHome Device Builder..."
-exec esphome-device-builder /config/esphome \
-    --ha-addon \
-    --ingress-port "$(bashio::addon.ingress_port)" \
-    "$@"
+bashio::log.info "Starting ESPHome dashboard..."
+exec esphome dashboard /config/esphome --socket /var/run/esphome.sock --ha-addon

docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/init-nginx/run

@@ -0,0 +1,35 @@
+#!/command/with-contenv bashio
+# shellcheck shell=bash
+# ==============================================================================
+# Community Hass.io Add-ons: ESPHome
+# Configures NGINX for use with ESPHome
+# ==============================================================================
+
+# When the new device builder is enabled it serves HA ingress directly,
+# so nginx is not used at all -- skip configuration.
+if bashio::config.true 'use_new_device_builder'; then
+    bashio::log.info "Skipping NGINX setup: new device builder serves ingress directly."
+    bashio::exit.ok
+fi
+
+mkdir -p /var/log/nginx
+
+# Generate Ingress configuration
+bashio::var.json \
+    interface "$(bashio::addon.ip_address)" \
+    port "^$(bashio::addon.ingress_port)" \
+    | tempio \
+        -template /etc/nginx/templates/ingress.gtpl \
+        -out /etc/nginx/servers/ingress.conf
+
+# Generate direct access configuration, if enabled.
+if bashio::var.has_value "$(bashio::addon.port 6052)"; then
+    bashio::config.require.ssl
+    bashio::var.json \
+        certfile "$(bashio::config 'certfile')" \
+        keyfile "$(bashio::config 'keyfile')" \
+        ssl "^$(bashio::config 'ssl')" \
+        | tempio \
+            -template /etc/nginx/templates/direct.gtpl \
+            -out /etc/nginx/servers/direct.conf
+fi

docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/init-nginx/type

@@ -0,0 +1 @@
+oneshot

docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/init-nginx/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-nginx/run

docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/nginx/finish

@@ -0,0 +1,25 @@
+#!/command/with-contenv bashio
+# ==============================================================================
+# Community Hass.io Add-ons: ESPHome
+# Take down the S6 supervision tree when NGINX fails
+# ==============================================================================
+declare exit_code
+readonly exit_code_container=$(</run/s6-linux-init-container-results/exitcode)
+readonly exit_code_service="${1}"
+readonly exit_code_signal="${2}"
+
+bashio::log.info \
+  "Service NGINX exited with code ${exit_code_service}" \
+  "(by signal ${exit_code_signal})"
+
+if [[ "${exit_code_service}" -eq 256 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo $((128 + $exit_code_signal)) > /run/s6-linux-init-container-results/exitcode
+  fi
+  [[ "${exit_code_signal}" -eq 15 ]] && exec /run/s6/basedir/bin/halt
+elif [[ "${exit_code_service}" -ne 0 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo "${exit_code_service}" > /run/s6-linux-init-container-results/exitcode
+  fi
+  exec /run/s6/basedir/bin/halt
+fi

docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/nginx/run

@@ -0,0 +1,23 @@
+#!/command/with-contenv bashio
+# shellcheck shell=bash
+# ==============================================================================
+# Community Hass.io Add-ons: ESPHome
+# Runs the NGINX proxy
+# ==============================================================================
+
+# The new device builder handles HA ingress itself, so nginx is bypassed.
+# Block the longrun forever so s6 keeps the dependency satisfied and does
+# not respawn it.
+if bashio::config.true 'use_new_device_builder'; then
+    bashio::log.info "NGINX bypassed: new device builder serves ingress directly."
+    exec sleep infinity
+fi
+
+bashio::log.info "Waiting for ESPHome dashboard to come up..."
+
+while [[ ! -S /var/run/esphome.sock ]]; do
+  sleep 0.5
+done
+
+bashio::log.info "Starting NGINX..."
+exec nginx

docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/nginx/type

@@ -0,0 +1 @@
+longrun

docker/test_configs/bk72xx-arduino.yaml

@@ -1,7 +0,0 @@
-esphome:
-  name: docker-test-bk72xx-arduino
-
-bk72xx:
-  board: generic-bk7231n-qfn32-tuya
-
-logger:

docker/test_configs/esp32-arduino-esp-idf.yaml

@@ -1,10 +0,0 @@
-esphome:
-  name: docker-test-esp32-ard-idf
-
-esp32:
-  variant: esp32
-  framework:
-    type: arduino
-  toolchain: esp-idf
-
-logger:

docker/test_configs/esp32-arduino-platformio.yaml

@@ -1,10 +0,0 @@
-esphome:
-  name: docker-test-esp32-ard-pio
-
-esp32:
-  variant: esp32
-  framework:
-    type: arduino
-  toolchain: platformio
-
-logger:

docker/test_configs/esp32-idf-esp-idf.yaml

@@ -1,10 +0,0 @@
-esphome:
-  name: docker-test-esp32-idf-idf
-
-esp32:
-  variant: esp32
-  framework:
-    type: esp-idf
-  toolchain: esp-idf
-
-logger:

docker/test_configs/esp32-idf-platformio.yaml

@@ -1,10 +0,0 @@
-esphome:
-  name: docker-test-esp32-idf-pio
-
-esp32:
-  variant: esp32
-  framework:
-    type: esp-idf
-  toolchain: platformio
-
-logger:

docker/test_configs/esp8266-arduino.yaml

@@ -1,7 +0,0 @@
-esphome:
-  name: docker-test-esp8266-arduino
-
-esp8266:
-  board: d1_mini
-
-logger:

docker/test_configs/host.yaml

@@ -1,6 +0,0 @@
-esphome:
-  name: docker-test-host
-
-host:
-
-logger:

docker/test_configs/ln882x-arduino.yaml

@@ -1,7 +0,0 @@
-esphome:
-  name: docker-test-ln882x-arduino
-
-ln882x:
-  board: generic-ln882hki
-
-logger:

docker/test_configs/nrf52.yaml

@@ -1,8 +0,0 @@
-esphome:
-  name: docker-test-nrf52
-
-nrf52:
-  board: adafruit_itsybitsy_nrf52840
-  bootloader: adafruit_nrf52_sd140_v6
-
-logger:

docker/test_configs/rp2040-arduino.yaml

@@ -1,7 +0,0 @@
-esphome:
-  name: docker-test-rp2040-arduino
-
-rp2040:
-  variant: rp2040
-
-logger:

docker/test_configs/rtl87xx-arduino.yaml

@@ -1,7 +0,0 @@
-esphome:
-  name: docker-test-rtl87xx-arduino
-
-rtl87xx:
-  board: generic-rtl8710bn-2mb-788k
-
-logger:

esphome/__main__.py

@@ -268,36 +268,6 @@ def _ota_hostnames_for_default(purpose: Purpose) -> list[str]:
     return _resolve_with_cache(CORE.address, purpose)
 
 
-def _unresolved_default_error(purpose: Purpose, defaults: list[str]) -> str:
-    """Build the error when a default device target produced no usable host.
-
-    When the OTA default was requested and the address resolves but the config
-    lacks the transport the purpose needs (``api:`` for logs, an ``ota:``
-    platform for uploads), name that gap instead of the misleading
-    "could not be resolved" / set-use_address hint.
-    """
-    if "OTA" in defaults and has_resolvable_address():
-        if purpose == Purpose.LOGGING and not has_api():
-            return (
-                "Cannot view logs over the network: no 'api:' component is "
-                "configured. Network log streaming requires the native API; add "
-                "an 'api:' component, enable MQTT logging, or view logs over USB."
-            )
-        if purpose == Purpose.UPLOADING and not has_ota():
-            return (
-                "Cannot upload over the network: no 'ota:' platform is "
-                "configured. Add an 'ota:' platform, or upload over USB."
-            )
-    if CORE.dashboard:
-        hint = "If you know the IP, set 'use_address' in your network config."
-    else:
-        hint = "If you know the IP, try --device <IP>"
-    return (
-        f"All specified devices {defaults} could not be resolved. "
-        f"Is the device connected to the network? {hint}"
-    )
-
-
 def choose_upload_log_host(
     default: list[str] | str | None,
     check_default: str | None,
@@ -347,7 +317,14 @@ def choose_upload_log_host(
             else:
                 resolved.append(device)
         if not resolved:
-            raise EsphomeError(_unresolved_default_error(purpose, defaults))
+            if CORE.dashboard:
+                hint = "If you know the IP, set 'use_address' in your network config."
+            else:
+                hint = "If you know the IP, try --device <IP>"
+            raise EsphomeError(
+                f"All specified devices {defaults} could not be resolved. "
+                f"Is the device connected to the network? {hint}"
+            )
         return resolved
 
     # No devices specified, show interactive chooser
@@ -527,12 +504,6 @@ def has_resolvable_address() -> bool:
     if has_ip_address():
         return True
 
-    # device-builder pre-resolves the device and passes the IPs via
-    # --mdns-address-cache/--dns-address-cache; honor a cached address even when the
-    # device has mDNS disabled (e.g. a .local host found via ping).
-    if CORE.address_cache and CORE.address_cache.get_addresses(CORE.address):
-        return True
-
     if has_mdns():
         return True
 
@@ -637,7 +608,7 @@ def run_miniterm(config: ConfigType, port: str, args) -> int:
 
     try:
         module = importlib.import_module("esphome.components." + CORE.target_platform)
-        process_stacktrace = module.process_stacktrace
+        process_stacktrace = getattr(module, "process_stacktrace")
     except (AttributeError, ImportError):
         _LOGGER.info(
             'Stacktrace analysis is unavailable: no compatible analyzer found for target platform "%s".',
@@ -668,7 +639,7 @@ def run_miniterm(config: ConfigType, port: str, args) -> int:
                         chunk = ser.read(ser.in_waiting or 1)
                         if not chunk:
                             continue
-                        time_ = datetime.now().astimezone()
+                        time_ = datetime.now()
                         milliseconds = time_.microsecond // 1000
                         time_str = f"[{time_.hour:02}:{time_.minute:02}:{time_.second:02}.{milliseconds:03}]"
 
@@ -724,11 +695,6 @@ def _wrap_to_code(name, comp, yaml_util):
 def write_cpp(config: ConfigType) -> int:
     from esphome import writer
 
-    # Refresh the storage sidecar and clean an incompatible previous build
-    # before regenerating any sources. This may full-wipe the build dir, so it
-    # has to run before write_cpp_file writes src/.
-    writer.update_storage_json()
-
     if not get_bool_env(ENV_NOGITIGNORE):
         writer.write_gitignore()
 
@@ -794,7 +760,6 @@ def compile_program(args: ArgsProtocol, config: ConfigType) -> int:
         toolchain.create_factory_bin()
         toolchain.create_ota_bin()
         toolchain.create_elf_copy()
-        toolchain.get_idedata()
     else:
         from esphome.platformio import toolchain
 
@@ -829,7 +794,7 @@ def _check_and_emit_build_info() -> None:
 
     # Read build_info from JSON
     try:
-        with build_info_json_path.open(encoding="utf-8") as f:
+        with open(build_info_json_path, encoding="utf-8") as f:
             build_info = json.load(f)
     except (OSError, json.JSONDecodeError) as e:
         _LOGGER.debug("Failed to read build_info: %s", e)
@@ -1091,7 +1056,7 @@ def _wait_for_serial_port(
     def _port_found() -> bool:
         if port is not None:
             if os.name == "posix":
-                return Path(port).exists()
+                return os.path.exists(port)
             return any(p.path == port for p in get_serial_ports())
         ports = get_serial_ports()
         if known_ports is not None:
@@ -1136,7 +1101,7 @@ def upload_program(
     host = devices[0]
     try:
         module = importlib.import_module("esphome.components." + CORE.target_platform)
-        if module.upload_program(config, args, host):
+        if getattr(module, "upload_program")(config, args, host):
             return 0, host
     except AttributeError:
         pass
@@ -1385,23 +1350,10 @@ def _validate_bootloader_binary(binary: Path) -> None:
         )
 
 
-def _should_subscribe_states(args: ArgsProtocol) -> bool:
-    """Determine whether entity state changes should be shown in log output.
-
-    The ``--states``/``--no-states`` command line flags take precedence. When
-    neither is given, the ``ESPHOME_LOG_STATES`` environment variable controls
-    the behavior, defaulting to showing states.
-    """
-    states = getattr(args, "states", None)
-    if states is not None:
-        return states
-    return get_bool_env("ESPHOME_LOG_STATES", True)
-
-
 def show_logs(config: ConfigType, args: ArgsProtocol, devices: list[str]) -> int | None:
     try:
         module = importlib.import_module("esphome.components." + CORE.target_platform)
-        if module.show_logs(config, args, devices):
+        if getattr(module, "show_logs")(config, args, devices):
             return 0
     except AttributeError:
         pass
@@ -1427,7 +1379,7 @@ def show_logs(config: ConfigType, args: ArgsProtocol, devices: list[str]) -> int
         return run_logs(
             config,
             network_devices,
-            subscribe_states=_should_subscribe_states(args),
+            subscribe_states=not getattr(args, "no_states", False),
         )
 
     if port_type in (PortType.NETWORK, PortType.MQTT) and has_mqtt_logging():
@@ -1457,59 +1409,20 @@ def command_wizard(args: ArgsProtocol) -> int | None:
 def command_config(args: ArgsProtocol, config: ConfigType) -> int | None:
     from esphome import yaml_util
 
-    if getattr(args, "no_defaults", False):
-        user_config = getattr(config, "user_config", None)
-        if user_config is None:
-            _LOGGER.warning(
-                "--no-defaults requested but the user-only config snapshot is "
-                "unavailable; falling back to the validated configuration."
-            )
-        else:
-            config = user_config
-    elif not CORE.verbose:
+    if not CORE.verbose:
         config = strip_default_ids(config)
     output = yaml_util.dump(config, args.show_secrets)
+    # add the console decoration so the front-end can hide the secrets
     if not args.show_secrets:
-        output = _redact_with_legacy_fallback(output)
+        output = re.sub(
+            r"(password|key|psk|ssid)\: (.+)", r"\1: \\033[8m\2\\033[28m", output
+        )
     if not CORE.quiet:
         safe_print(output)
     _LOGGER.info("Configuration is valid!")
     return 0
 
 
-# Legacy substring redaction fallback for unmigrated schemas; removed in
-# 2026.12.0 once canonical sensitive fields are tagged. The lookahead skips
-# values that already render themselves: ``\033[8m`` (SensitiveStr wrap),
-# ``!secret`` (preserves the user-friendly tag), ``!lambda`` (multi-line
-# block; first line is structural). The fragment must either start the
-# field name or follow ``_`` so the warning names a real field; this avoids
-# false positives like ``monkey:`` matching the ``key`` fragment.
-_LEGACY_REDACTION_RE = re.compile(
-    r"(?P<key>\b(?:\w+_)?(?:password|key|psk|ssid))\: "
-    r"(?!\\033\[8m|!secret\b|!lambda\b)(?P<val>.+)"
-)
-_LEGACY_REDACTION_REMOVAL = "2026.12.0"
-
-
-def _redact_with_legacy_fallback(output: str) -> str:
-    unmarked: set[str] = set()
-
-    def _replace(m: re.Match[str]) -> str:
-        unmarked.add(m.group("key"))
-        return f"{m.group('key')}: \\033[8m{m.group('val')}\\033[28m"
-
-    output = _LEGACY_REDACTION_RE.sub(_replace, output)
-    for key in sorted(unmarked):
-        _LOGGER.warning(
-            "Field '%s' is being redacted by a legacy substring heuristic. "
-            "Mark this field's schema validator with cv.sensitive(...) for "
-            "deterministic redaction; the heuristic will be removed in %s.",
-            key,
-            _LEGACY_REDACTION_REMOVAL,
-        )
-    return output
-
-
 def command_config_hash(args: ArgsProtocol, config: ConfigType) -> int | None:
     # generating code might modify config, so it must be done in order to generate
     # a hash that will match what was generated when compiling and then running
@@ -1674,7 +1587,7 @@ def command_clean(args: ArgsProtocol, config: ConfigType) -> int | None:
     from esphome import writer
 
     try:
-        writer.clean_build(full=True)
+        writer.clean_build()
     except OSError as err:
         _LOGGER.error("Error deleting build files: %s", err)
         return 1
@@ -1715,13 +1628,9 @@ def command_bundle(args: ArgsProtocol, config: ConfigType) -> int | None:
 
 
 def command_dashboard(args: ArgsProtocol) -> int | None:
-    raise EsphomeError(
-        "The built-in dashboard has been removed from ESPHome. "
-        "Install and run ESPHome Device Builder instead:\n"
-        "  pip install esphome-device-builder\n"
-        "  esphome-device-builder\n"
-        "See https://github.com/esphome/device-builder for more information."
-    )
+    from esphome.dashboard import dashboard
+
+    return dashboard.start_dashboard(args)
 
 
 def run_multiple_configs(
@@ -1798,21 +1707,6 @@ def command_update_all(args: ArgsProtocol) -> int | None:
 def command_idedata(args: ArgsProtocol, config: ConfigType) -> int:
     import json
 
-    if CORE.using_toolchain_esp_idf:
-        # Native ESP-IDF derives idedata from the build's compile_commands.json,
-        # so the configuration must already be compiled.
-        from esphome.espidf import toolchain as espidf_toolchain
-
-        idedata = espidf_toolchain.get_idedata()
-        if idedata is None:
-            _LOGGER.error(
-                "No idedata available; compile the configuration first",
-            )
-            return 1
-
-        print(json.dumps(idedata, indent=2) + "\n")
-        return 0
-
     if not CORE.using_toolchain_platformio:
         _LOGGER.error(
             "The idedata command is not compatible with %s toolchain",
@@ -1906,7 +1800,7 @@ def command_analyze_memory(args: ArgsProtocol, config: ConfigType) -> int:
         ram_report = ram_analyzer.generate_report()
         print()
         print(ram_report)
-    except Exception as e:  # noqa: BLE001  # pylint: disable=broad-except
+    except Exception as e:  # pylint: disable=broad-except
         _LOGGER.warning("RAM strings analysis failed: %s", e)
 
     return 0
@@ -2094,29 +1988,6 @@ SIMPLE_CONFIG_ACTIONS = [
 ]
 
 
-def _add_states_args(parser: argparse.ArgumentParser) -> None:
-    """Add mutually exclusive ``--states``/``--no-states`` flags to a parser.
-
-    When neither flag is given, the ``ESPHOME_LOG_STATES`` environment variable
-    controls whether entity state changes are shown (defaulting to showing them).
-    """
-    states_group = parser.add_mutually_exclusive_group()
-    states_group.add_argument(
-        "--states",
-        dest="states",
-        action="store_true",
-        default=None,
-        help="Show entity state changes in log output (overrides ESPHOME_LOG_STATES).",
-    )
-    states_group.add_argument(
-        "--no-states",
-        dest="states",
-        action="store_false",
-        default=None,
-        help="Do not show entity state changes in log output.",
-    )
-
-
 def parse_args(argv):
     options_parser = argparse.ArgumentParser(add_help=False)
     options_parser.add_argument(
@@ -2209,12 +2080,6 @@ def parse_args(argv):
     parser_config.add_argument(
         "--show-secrets", help="Show secrets in output.", action="store_true"
     )
-    parser_config.add_argument(
-        "--no-defaults",
-        help="Only output the user-supplied configuration without "
-        "schema defaults applied.",
-        action="store_true",
-    )
 
     parser_config_hash = subparsers.add_parser(
         "config-hash", help="Calculate the hash of the configuration."
@@ -2299,7 +2164,11 @@ def parse_args(argv):
         help="Reset the device before starting serial logs.",
         default=os.getenv("ESPHOME_SERIAL_LOGGING_RESET"),
     )
-    _add_states_args(parser_logs)
+    parser_logs.add_argument(
+        "--no-states",
+        action="store_true",
+        help="Do not show entity state changes in log output.",
+    )
 
     parser_discover = subparsers.add_parser(
         "discover",
@@ -2331,7 +2200,11 @@ def parse_args(argv):
         "--no-logs", help="Disable starting logs.", action="store_true"
     )
 
-    _add_states_args(parser_run)
+    parser_run.add_argument(
+        "--no-states",
+        action="store_true",
+        help="Do not show entity state changes in log output.",
+    )
 
     parser_run.add_argument(
         "--reset",
@@ -2383,22 +2256,44 @@ def parse_args(argv):
         "configuration", help="Your YAML file or configuration directory.", nargs="*"
     )
 
-    # The dashboard moved to ESPHome Device Builder; the command is kept only to
-    # print a redirect (see command_dashboard). Accept and ignore the old flags
-    # so legacy invocations reach that message instead of failing on argparse
-    # "unrecognized arguments".
-    parser_dashboard = subparsers.add_parser("dashboard")
-    parser_dashboard.add_argument("configuration", nargs="?", help=argparse.SUPPRESS)
-    parser_dashboard.add_argument("--port", help=argparse.SUPPRESS)
-    parser_dashboard.add_argument("--address", help=argparse.SUPPRESS)
-    parser_dashboard.add_argument("--username", help=argparse.SUPPRESS)
-    parser_dashboard.add_argument("--password", help=argparse.SUPPRESS)
-    parser_dashboard.add_argument("--socket", help=argparse.SUPPRESS)
-    parser_dashboard.add_argument(
-        "--open-ui", action="store_true", help=argparse.SUPPRESS
+    parser_dashboard = subparsers.add_parser(
+        "dashboard", help="Create a simple web server for a dashboard."
     )
     parser_dashboard.add_argument(
-        "--ha-addon", action="store_true", help=argparse.SUPPRESS
+        "configuration", help="Your YAML configuration file directory."
+    )
+    parser_dashboard.add_argument(
+        "--port",
+        help="The HTTP port to open connections on. Defaults to 6052.",
+        type=int,
+        default=6052,
+    )
+    parser_dashboard.add_argument(
+        "--address",
+        help="The address to bind to.",
+        type=str,
+        default="0.0.0.0",
+    )
+    parser_dashboard.add_argument(
+        "--username",
+        help="The optional username to require for authentication.",
+        type=str,
+        default="",
+    )
+    parser_dashboard.add_argument(
+        "--password",
+        help="The optional password to require for authentication.",
+        type=str,
+        default="",
+    )
+    parser_dashboard.add_argument(
+        "--open-ui", help="Open the dashboard UI in a browser.", action="store_true"
+    )
+    parser_dashboard.add_argument(
+        "--ha-addon", help=argparse.SUPPRESS, action="store_true"
+    )
+    parser_dashboard.add_argument(
+        "--socket", help="Make the dashboard serve under a unix socket", type=str
     )
 
     parser_vscode = subparsers.add_parser("vscode")
@@ -2493,7 +2388,11 @@ def run_esphome(argv):
     elif args.quiet:
         args.log_level = "CRITICAL"
 
-    setup_log(log_level=args.log_level)
+    setup_log(
+        log_level=args.log_level,
+        # Show timestamp for dashboard access logs
+        include_timestamp=args.command == "dashboard",
+    )
 
     if args.command in PRE_CONFIG_ACTIONS:
         try:

esphome/analyze_memory/cli.py

@@ -6,7 +6,6 @@ from collections import defaultdict
 from collections.abc import Callable
 import heapq
 from operator import itemgetter
-from pathlib import Path
 import sys
 from typing import TYPE_CHECKING
 
@@ -510,7 +509,7 @@ class MemoryAnalyzerCLI(MemoryAnalyzer):
             lines.append(
                 f"{_COMPONENT_CORE} Symbols > {self.SYMBOL_SIZE_THRESHOLD} B ({len(large_core_symbols)} symbols):"
             )
-            for i, (_symbol, demangled, size) in enumerate(large_core_symbols):
+            for i, (symbol, demangled, size) in enumerate(large_core_symbols):
                 # Core symbols only track (symbol, demangled, size) without section info,
                 # so we don't show section labels here
                 lines.append(
@@ -602,7 +601,7 @@ class MemoryAnalyzerCLI(MemoryAnalyzer):
                 lines.append(
                     f"{comp_name} Symbols > {self.SYMBOL_SIZE_THRESHOLD} B & storage ({len(large_symbols)} symbols):"
                 )
-                for i, (_symbol, demangled, size, section) in enumerate(large_symbols):
+                for i, (symbol, demangled, size, section) in enumerate(large_symbols):
                     lines.append(
                         f"{i + 1}. {self._format_symbol_with_section(demangled, size, section)}"
                     )
@@ -641,7 +640,7 @@ class MemoryAnalyzerCLI(MemoryAnalyzer):
                 lines.append(
                     f"  Symbols > {self.RAM_SYMBOL_SIZE_THRESHOLD} B ({len(large_ram_syms)}):"
                 )
-                for _symbol, demangled, size, section in large_ram_syms[:10]:
+                for symbol, demangled, size, section in large_ram_syms[:10]:
                     # Format section label consistently by stripping leading dot
                     section_label = section.lstrip(".") if section else ""
                     display_name = _format_pstorage_name(demangled)
@@ -700,7 +699,7 @@ class MemoryAnalyzerCLI(MemoryAnalyzer):
         content = "\n".join(lines)
 
         if output_file:
-            with Path(output_file).open("w", encoding="utf-8") as f:
+            with open(output_file, "w", encoding="utf-8") as f:
                 f.write(content)
         else:
             print(content)
@@ -738,6 +737,7 @@ def main():
 
     # Load build directory
     import json
+    from pathlib import Path
 
     from esphome.platformio.toolchain import IDEData
 
@@ -785,7 +785,7 @@ def main():
         if not idedata_path.exists():
             continue
         try:
-            with idedata_path.open(encoding="utf-8") as f:
+            with open(idedata_path, encoding="utf-8") as f:
                 raw_data = json.load(f)
             idedata = IDEData(raw_data)
             print(f"Loaded idedata from: {idedata_path}", file=sys.stderr)

esphome/analyze_memory/demangle.py

@@ -154,7 +154,7 @@ def batch_demangle(
     failed_count = 0
 
     for original, stripped, prefix, demangled in zip(
-        symbols, symbols_stripped, symbols_prefixes, demangled_lines, strict=True
+        symbols, symbols_stripped, symbols_prefixes, demangled_lines
     ):
         # Add back any prefix that was removed
         demangled = _restore_symbol_prefix(prefix, stripped, demangled)

esphome/analyze_memory/toolchain.py

@@ -3,6 +3,7 @@
 from __future__ import annotations
 
 import logging
+import os
 from pathlib import Path
 import subprocess
 from typing import TYPE_CHECKING
@@ -36,7 +37,7 @@ def _find_in_platformio_packages(tool_name: str) -> str | None:
         Full path to the tool or None if not found
     """
     # Get PlatformIO packages directory
-    platformio_home = Path("~/.platformio/packages").expanduser()
+    platformio_home = Path(os.path.expanduser("~/.platformio/packages"))
     if not platformio_home.exists():
         return None
 

esphome/async_thread.py

@@ -45,7 +45,7 @@ class AsyncThreadRunner(threading.Thread, Generic[_T]):
     async def _runner(self) -> None:
         try:
             self.result = await self._coro_factory()
-        except Exception as exc:  # noqa: BLE001  # pylint: disable=broad-except
+        except Exception as exc:  # pylint: disable=broad-except
             # Capture all exceptions so ``event`` is always set — otherwise a
             # crash would hang the waiter forever.
             self.exception = exc

esphome/build_gen/espidf.py

@@ -6,19 +6,8 @@ from pathlib import Path
 from esphome.components.esp32 import get_esp32_variant, idf_version
 import esphome.config_validation as cv
 from esphome.core import CORE
-from esphome.framework_helpers import get_project_compile_flags, get_project_link_flags
 from esphome.helpers import mkdir_p, write_file_if_changed
-
-# Replaces the IDF default C++ standard (-std=gnu++2b appended to
-# CXX_COMPILE_OPTIONS by project.cmake's __build_init) with the one set via
-# cg.set_cpp_standard(). Emitted between include(project.cmake) and project(),
-# i.e. after IDF appends its default and before the options are consumed, and
-# applies project-wide like PlatformIO build_unflags.
-CPP_STANDARD_TEMPLATE = """\
-idf_build_get_property(esphome_cxx_compile_options CXX_COMPILE_OPTIONS)
-list(FILTER esphome_cxx_compile_options EXCLUDE REGEX "^-std=")
-list(APPEND esphome_cxx_compile_options "-std={standard}")
-idf_build_set_property(CXX_COMPILE_OPTIONS "${{esphome_cxx_compile_options}}")"""
+from esphome.writer import update_storage_json
 
 
 def get_available_components() -> list[str] | None:
@@ -35,7 +24,7 @@ def get_available_components() -> list[str] | None:
         return None
 
     try:
-        with project_desc.open(encoding="utf-8") as f:
+        with open(project_desc, encoding="utf-8") as f:
             data = json.load(f)
 
         component_info = data.get("build_component_info", {})
@@ -85,18 +74,17 @@ def get_project_cmakelists(minimal: bool = False) -> str:
     # esphome__micro-mp3) rather than just src/. Required so suppressions
     # like ``-Wno-error=maybe-uninitialized`` actually silence warnings in
     # third-party components we don't author.
-    project_compile_opts = get_project_compile_flags()
+    project_compile_opts = [
+        flag
+        for flag in sorted(CORE.build_flags)
+        if flag.startswith("-D")
+        or (flag.startswith("-W") and not flag.startswith("-Wl,"))
+    ]
     extra_compile_options = "\n".join(
         f'idf_build_set_property(COMPILE_OPTIONS "{flag}" APPEND)'
         for flag in project_compile_opts
     )
 
-    cpp_standard_options = (
-        CPP_STANDARD_TEMPLATE.format(standard=CORE.cpp_standard)
-        if CORE.cpp_standard
-        else ""
-    )
-
     # Per-project list exposed as a CMake variable so converted PIO libs
     # can reference ${ESPHOME_PROJECT_MANAGED_COMPONENTS} without baking
     # project-specific names into their cached CMakeLists.
@@ -153,8 +141,6 @@ set(EXTRA_COMPONENT_DIRS ${{CMAKE_SOURCE_DIR}}/src)
 
 include($ENV{{IDF_PATH}}/tools/cmake/project.cmake)
 
-{cpp_standard_options}
-
 {extra_compile_options}
 
 {managed_components_property}
@@ -184,8 +170,8 @@ def get_component_cmakelists() -> str:
     # Extract linker options (-Wl, flags). Compile flags (-D, -W) are
     # emitted project-wide via idf_build_set_property in
     # get_project_cmakelists so they reach every component, not just src/.
-    link_opts = get_project_link_flags()
-    link_opts_str = "\n    ".join(link_opts) if link_opts else ""
+    link_opts = [flag for flag in CORE.build_flags if flag.startswith("-Wl,")]
+    link_opts_str = "\n    ".join(sorted(link_opts)) if link_opts else ""
 
     return f"""\
 # Auto-generated by ESPHome
@@ -215,6 +201,9 @@ idf_component_register(
     REQUIRES ${{ESPHOME_PROJECT_BUILTIN_COMPONENTS}}
 )
 
+# Apply C++ standard
+target_compile_features(${{COMPONENT_LIB}} PUBLIC cxx_std_20)
+
 # ESPHome linker options
 target_link_options(${{COMPONENT_LIB}} PUBLIC
     {link_opts_str}
@@ -224,6 +213,11 @@ target_link_options(${{COMPONENT_LIB}} PUBLIC
 
 def write_project(minimal: bool = False) -> None:
     """Write ESP-IDF project files."""
+    # Refresh <data_dir>/storage/<name>.yaml.json so the dashboard's
+    # /info and /downloads endpoints can locate the build (they 404
+    # otherwise). This mirrors the PlatformIO build-gen path's call
+    # in build_gen/platformio.py:write_ini().
+    update_storage_json()
     mkdir_p(CORE.build_path)
     mkdir_p(CORE.relative_src_path())
 

esphome/build_gen/platformio.py

@@ -1,7 +1,7 @@
 from esphome.const import __version__
 from esphome.core import CORE
 from esphome.helpers import mkdir_p, read_file, write_file_if_changed
-from esphome.writer import find_begin_end
+from esphome.writer import find_begin_end, update_storage_json
 
 INI_AUTO_GENERATE_BEGIN = "; ========== AUTO GENERATED CODE BEGIN ==========="
 INI_AUTO_GENERATE_END = "; =========== AUTO GENERATED CODE END ============"
@@ -33,27 +33,12 @@ def format_ini(data: dict[str, str | list[str]]) -> str:
     return content
 
 
-# All -std= variants a platform/framework may set by default, in both the GNU
-# and strict dialects; unflagged so the cg.set_cpp_standard() value is the
-# only standard left in the build.
-CPP_STD_VARIANTS = [
-    f"{prefix}{year}"
-    for year in ("11", "14", "17", "20", "23", "26", "2a", "2b", "2c")
-    for prefix in ("gnu++", "c++")
-]
-
-
 def get_ini_content():
     CORE.add_platformio_option(
         "lib_deps",
         [x.as_lib_dep for x in CORE.platformio_libraries.values()]
         + ["${common.lib_deps}"],
     )
-    if CORE.cpp_standard:
-        for variant in CPP_STD_VARIANTS:
-            if variant != CORE.cpp_standard:
-                CORE.add_build_unflag(f"-std={variant}")
-        CORE.add_build_flag(f"-std={CORE.cpp_standard}")
     # Sort to avoid changing build flags order
     CORE.add_platformio_option("build_flags", sorted(CORE.build_flags))
 
@@ -73,6 +58,7 @@ def get_ini_content():
 
 
 def write_ini(content):
+    update_storage_json()
     path = CORE.relative_build_path("platformio.ini")
 
     if path.is_file():

esphome/bundle.py

@@ -412,7 +412,7 @@ class ConfigBundleCreator:
     @staticmethod
     def _add_to_tar(tar: tarfile.TarFile, bf: BundleFile) -> None:
         """Add a BundleFile to the tar archive with deterministic metadata."""
-        with bf.source.open("rb") as f:
+        with open(bf.source, "rb") as f:
             _add_bytes_to_tar(tar, bf.path, f.read())
 
 

esphome/compiled_config.py

@@ -43,7 +43,7 @@ def save_compiled_config(config: ConfigType) -> None:
     try:
         rendered = yaml_util.dump(config, show_secrets=True)
         write_file(compiled_config_path(CORE.config_filename), rendered, private=True)
-    except Exception as err:  # noqa: BLE001  # pylint: disable=broad-except
+    except Exception as err:  # pylint: disable=broad-except
         _LOGGER.debug("Skipping compiled config cache write: %s", err)
 
 
@@ -62,7 +62,7 @@ def load_compiled_config(conf_path: Path) -> ConfigType | None:
 
     try:
         config = yaml_util.load_yaml(cache_path, clear_secrets=False)
-    except Exception:  # noqa: BLE001  # pylint: disable=broad-except
+    except Exception:  # pylint: disable=broad-except
         return None
 
     storage = StorageJSON.load(ext_storage_path(conf_path.name))

esphome/components/a01nyub/a01nyub.h

@@ -8,7 +8,7 @@
 
 namespace esphome::a01nyub {
 
-class A01nyubComponent final : public sensor::Sensor, public Component, public uart::UARTDevice {
+class A01nyubComponent : public sensor::Sensor, public Component, public uart::UARTDevice {
  public:
   // Nothing really public.
 

esphome/components/a02yyuw/a02yyuw.h

@@ -8,7 +8,7 @@
 
 namespace esphome::a02yyuw {
 
-class A02yyuwComponent final : public sensor::Sensor, public Component, public uart::UARTDevice {
+class A02yyuwComponent : public sensor::Sensor, public Component, public uart::UARTDevice {
  public:
   // Nothing really public.
 

esphome/components/a4988/a4988.h

@@ -6,7 +6,7 @@
 
 namespace esphome::a4988 {
 
-class A4988 final : public stepper::Stepper, public Component {
+class A4988 : public stepper::Stepper, public Component {
  public:
   void set_step_pin(GPIOPin *step_pin) { step_pin_ = step_pin; }
   void set_dir_pin(GPIOPin *dir_pin) { dir_pin_ = dir_pin; }

esphome/components/absolute_humidity/absolute_humidity.h

@@ -13,7 +13,7 @@ enum SaturationVaporPressureEquation {
 };
 
 /// This class implements calculation of absolute humidity from temperature and relative humidity.
-class AbsoluteHumidityComponent final : public sensor::Sensor, public Component {
+class AbsoluteHumidityComponent : public sensor::Sensor, public Component {
  public:
   void set_temperature_sensor(sensor::Sensor *temperature_sensor) { this->temperature_sensor_ = temperature_sensor; }
   void set_humidity_sensor(sensor::Sensor *humidity_sensor) { this->humidity_sensor_ = humidity_sensor; }

esphome/components/ac_dimmer/ac_dimmer.h

@@ -41,7 +41,7 @@ struct AcDimmerDataStore {
 #endif
 };
 
-class AcDimmer final : public output::FloatOutput, public Component {
+class AcDimmer : public output::FloatOutput, public Component {
  public:
   void setup() override;
 

esphome/components/adc/adc_sensor.h

@@ -54,7 +54,7 @@ template<typename T> class Aggregator {
   SamplingMode mode_{SamplingMode::AVG};
 };
 
-class ADCSensor final : public sensor::Sensor, public PollingComponent, public voltage_sampler::VoltageSampler {
+class ADCSensor : public sensor::Sensor, public PollingComponent, public voltage_sampler::VoltageSampler {
  public:
   /// Update the sensor's state by reading the current ADC value.
   /// This method is called periodically based on the update interval.

esphome/components/adc128s102/adc128s102.h

@@ -6,9 +6,9 @@
 
 namespace esphome::adc128s102 {
 
-class ADC128S102 final : public Component,
-                         public spi::SPIDevice<spi::BIT_ORDER_MSB_FIRST, spi::CLOCK_POLARITY_LOW,
-                                               spi::CLOCK_PHASE_LEADING, spi::DATA_RATE_10MHZ> {
+class ADC128S102 : public Component,
+                   public spi::SPIDevice<spi::BIT_ORDER_MSB_FIRST, spi::CLOCK_POLARITY_LOW, spi::CLOCK_PHASE_LEADING,
+                                         spi::DATA_RATE_10MHZ> {
  public:
   ADC128S102() = default;
 

esphome/components/adc128s102/sensor/adc128s102_sensor.h

@@ -9,10 +9,10 @@
 
 namespace esphome::adc128s102 {
 
-class ADC128S102Sensor final : public PollingComponent,
-                               public Parented<ADC128S102>,
-                               public sensor::Sensor,
-                               public voltage_sampler::VoltageSampler {
+class ADC128S102Sensor : public PollingComponent,
+                         public Parented<ADC128S102>,
+                         public sensor::Sensor,
+                         public voltage_sampler::VoltageSampler {
  public:
   ADC128S102Sensor(uint8_t channel);
 

esphome/components/addressable_light/addressable_light_display.h

@@ -9,7 +9,7 @@
 
 namespace esphome::addressable_light {
 
-class AddressableLightDisplay final : public display::DisplayBuffer {
+class AddressableLightDisplay : public display::DisplayBuffer {
  public:
   light::AddressableLight *get_light() const { return this->light_; }
 

esphome/components/ade7880/__init__.py

@@ -0,0 +1 @@
+CODEOWNERS = ["@kpfleming"]

esphome/components/ade7880/ade7880.cpp

@@ -87,24 +87,14 @@ void ADE7880::update_sensor_from_s16_register16_(sensor::Sensor *sensor, uint16_
   sensor->publish_state(f(val));
 }
 
-void ADE7880::update_active_energy_(PowerChannel *channel, uint16_t a_register) {
-  if (channel->forward_active_energy == nullptr && channel->reverse_active_energy == nullptr) {
+template<typename F>
+void ADE7880::update_sensor_from_s32_register16_(sensor::Sensor *sensor, uint16_t a_register, F &&f) {
+  if (sensor == nullptr) {
     return;
   }
 
-  // The ADE7880 has no separate forward/reverse active energy accumulators. The xWATTHR registers
-  // accumulate signed energy since the last read (positive = imported/forward, negative = exported/
-  // reverse), so split the value by sign into the forward and reverse running totals.
-  float val = this->read_s32_register16_(a_register) / 14400.0f;
-  if (val >= 0.0f) {
-    if (channel->forward_active_energy != nullptr) {
-      channel->forward_active_energy->publish_state(channel->forward_active_energy_total += val);
-    }
-  } else {
-    if (channel->reverse_active_energy != nullptr) {
-      channel->reverse_active_energy->publish_state(channel->reverse_active_energy_total -= val);
-    }
-  }
+  float val = this->read_s32_register16_(a_register);
+  sensor->publish_state(f(val));
 }
 
 void ADE7880::update() {
@@ -127,7 +117,12 @@ void ADE7880::update() {
     this->update_sensor_from_s24zp_register16_(chan->apparent_power, AVA, [](float val) { return val / 100.0f; });
     this->update_sensor_from_s16_register16_(chan->power_factor, APF,
                                              [](float val) { return std::abs(val / -327.68f); });
-    this->update_active_energy_(chan, AWATTHR);
+    this->update_sensor_from_s32_register16_(chan->forward_active_energy, AFWATTHR, [&chan](float val) {
+      return chan->forward_active_energy_total += val / 14400.0f;
+    });
+    this->update_sensor_from_s32_register16_(chan->reverse_active_energy, ARWATTHR, [&chan](float val) {
+      return chan->reverse_active_energy_total += val / 14400.0f;
+    });
   }
 
   if (this->channel_b_ != nullptr) {
@@ -138,7 +133,12 @@ void ADE7880::update() {
     this->update_sensor_from_s24zp_register16_(chan->apparent_power, BVA, [](float val) { return val / 100.0f; });
     this->update_sensor_from_s16_register16_(chan->power_factor, BPF,
                                              [](float val) { return std::abs(val / -327.68f); });
-    this->update_active_energy_(chan, BWATTHR);
+    this->update_sensor_from_s32_register16_(chan->forward_active_energy, BFWATTHR, [&chan](float val) {
+      return chan->forward_active_energy_total += val / 14400.0f;
+    });
+    this->update_sensor_from_s32_register16_(chan->reverse_active_energy, BRWATTHR, [&chan](float val) {
+      return chan->reverse_active_energy_total += val / 14400.0f;
+    });
   }
 
   if (this->channel_c_ != nullptr) {
@@ -149,7 +149,12 @@ void ADE7880::update() {
     this->update_sensor_from_s24zp_register16_(chan->apparent_power, CVA, [](float val) { return val / 100.0f; });
     this->update_sensor_from_s16_register16_(chan->power_factor, CPF,
                                              [](float val) { return std::abs(val / -327.68f); });
-    this->update_active_energy_(chan, CWATTHR);
+    this->update_sensor_from_s32_register16_(chan->forward_active_energy, CFWATTHR, [&chan](float val) {
+      return chan->forward_active_energy_total += val / 14400.0f;
+    });
+    this->update_sensor_from_s32_register16_(chan->reverse_active_energy, CRWATTHR, [&chan](float val) {
+      return chan->reverse_active_energy_total += val / 14400.0f;
+    });
   }
 
   ESP_LOGD(TAG, "update took %" PRIu32 " ms", millis() - start);

esphome/components/ade7880/ade7880.h

@@ -65,7 +65,7 @@ struct ADE7880Store {
   static void gpio_intr(ADE7880Store *arg);
 };
 
-class ADE7880 final : public i2c::I2CDevice, public PollingComponent {
+class ADE7880 : public i2c::I2CDevice, public PollingComponent {
  public:
   void set_irq0_pin(InternalGPIOPin *pin) { this->irq0_pin_ = pin; }
   void set_irq1_pin(InternalGPIOPin *pin) { this->irq1_pin_ = pin; }
@@ -105,8 +105,7 @@ class ADE7880 final : public i2c::I2CDevice, public PollingComponent {
   // the callable will be passed a 'float' value and is expected to return a 'float'
   template<typename F> void update_sensor_from_s24zp_register16_(sensor::Sensor *sensor, uint16_t a_register, F &&f);
   template<typename F> void update_sensor_from_s16_register16_(sensor::Sensor *sensor, uint16_t a_register, F &&f);
-
-  void update_active_energy_(PowerChannel *channel, uint16_t a_register);
+  template<typename F> void update_sensor_from_s32_register16_(sensor::Sensor *sensor, uint16_t a_register, F &&f);
 
   void reset_device_();
 

esphome/components/ade7880/ade7880_registers.h

@@ -84,7 +84,9 @@ constexpr uint16_t CWATTHR = 0xE402;
 constexpr uint16_t AFWATTHR = 0xE403;
 constexpr uint16_t BFWATTHR = 0xE404;
 constexpr uint16_t CFWATTHR = 0xE405;
-// 0xE406-0xE408 are reserved on the ADE7880 (it does not implement total reactive energy accumulation)
+constexpr uint16_t ARWATTHR = 0xE406;
+constexpr uint16_t BRWATTHR = 0xE407;
+constexpr uint16_t CRWATTHR = 0xE408;
 constexpr uint16_t AFVARHR = 0xE409;
 constexpr uint16_t BFVARHR = 0xE40A;
 constexpr uint16_t CFVARHR = 0xE40B;

esphome/components/ade7953_i2c/ade7953_i2c.h

@@ -10,7 +10,7 @@
 
 namespace esphome::ade7953_i2c {
 
-class AdE7953I2c final : public ade7953_base::ADE7953, public i2c::I2CDevice {
+class AdE7953I2c : public ade7953_base::ADE7953, public i2c::I2CDevice {
  public:
   void dump_config() override;
 

esphome/components/ads1115/ads1115.h

@@ -43,7 +43,7 @@ enum ADS1115Samplerate {
   ADS1115_860SPS = 0b111
 };
 
-class ADS1115Component final : public Component, public i2c::I2CDevice {
+class ADS1115Component : public Component, public i2c::I2CDevice {
  public:
   void setup() override;
   void dump_config() override;

esphome/components/ads1115/sensor/ads1115_sensor.h

@@ -11,10 +11,10 @@
 namespace esphome::ads1115 {
 
 /// Internal holder class that is in instance of Sensor so that the hub can create individual sensors.
-class ADS1115Sensor final : public sensor::Sensor,
-                            public PollingComponent,
-                            public voltage_sampler::VoltageSampler,
-                            public Parented<ADS1115Component> {
+class ADS1115Sensor : public sensor::Sensor,
+                      public PollingComponent,
+                      public voltage_sampler::VoltageSampler,
+                      public Parented<ADS1115Component> {
  public:
   void update() override;
   void set_multiplexer(ADS1115Multiplexer multiplexer) { this->multiplexer_ = multiplexer; }

esphome/components/ads1118/ads1118.h

@@ -26,9 +26,9 @@ enum ADS1118Gain {
   ADS1118_GAIN_0P256 = 0b101,
 };
 
-class ADS1118 final : public Component,
-                      public spi::SPIDevice<spi::BIT_ORDER_MSB_FIRST, spi::CLOCK_POLARITY_LOW,
-                                            spi::CLOCK_PHASE_TRAILING, spi::DATA_RATE_1MHZ> {
+class ADS1118 : public Component,
+                public spi::SPIDevice<spi::BIT_ORDER_MSB_FIRST, spi::CLOCK_POLARITY_LOW, spi::CLOCK_PHASE_TRAILING,
+                                      spi::DATA_RATE_1MHZ> {
  public:
   ADS1118() = default;
   void setup() override;

esphome/components/ads1118/sensor/ads1118_sensor.h

@@ -10,10 +10,10 @@
 
 namespace esphome::ads1118 {
 
-class ADS1118Sensor final : public PollingComponent,
-                            public sensor::Sensor,
-                            public voltage_sampler::VoltageSampler,
-                            public Parented<ADS1118> {
+class ADS1118Sensor : public PollingComponent,
+                      public sensor::Sensor,
+                      public voltage_sampler::VoltageSampler,
+                      public Parented<ADS1118> {
  public:
   void update() override;