[api] Pass pos by value through encode_varint_raw_loop

[api] Force inline encode_varint_raw_loop so pos stays in a register
[api] Unroll varint encode loop for compile-time bounded types
2026-06-24 22:45:55 +00:00 · 2026-04-09 22:13:14 -10:00 · 2026-04-09 22:07:15 -10:00 · 2026-04-09 21:59:35 -10:00
2959 changed files with 24117 additions and 79472 deletions
--- a/.ai/instructions.md
+++ b/.ai/instructions.md
@@ -59,19 +59,6 @@ This document provides essential context for AI models interacting with this pro
        - Protected/private fields: `lower_snake_case_with_trailing_underscore_`
        - Favor descriptive names over abbreviations

-*   **Python Idioms:**
-    *   **Assignment expressions (PEP 572):** Prefer the walrus operator (`:=`) wherever it removes a redundant lookup or a throwaway temporary. The most common case in component code is presence-checking a config key and then indexing it separately — fetch once with `.get()` and bind in the condition instead:
-        ```python
-        # Bad - looks up CONF_BLAH twice
-        if CONF_BLAH in config:
-            cg.add(var.set_blah(config[CONF_BLAH]))
-
-        # Good - single lookup, value bound inline
-        if (blah := config.get(CONF_BLAH)) is not None:
-            cg.add(var.set_blah(blah))
-        ```
-        The same applies to `while` loops and comprehensions where it avoids recomputing a value. Don't contort code to use it — reach for `:=` only when it genuinely cuts repetition or an extra assignment line.
-
 *   **C++ Field Visibility:**
    *   **Prefer `protected`:** Use `protected` for most class fields to enable extensibility and testing. Fields should be `lower_snake_case_with_trailing_underscore_`.
    *   **Use `private` for safety-critical cases:** Use `private` visibility when direct field access could introduce bugs or violate invariants:
@@ -411,23 +398,13 @@ This document provides essential context for AI models interacting with this pro
        │       ├── i2c/         # I2C bus
        │       └── spi/         # SPI bus
        └── components/[component]/
-            ├── common.yaml          # Component-only config (no bus definitions)
-            ├── test.esp32-idf.yaml      # config + compile
-            ├── test.esp8266-ard.yaml    # config + compile
-            ├── test-variant.esp32-idf.yaml  # variant test, config + compile
-            ├── validate.esp32-idf.yaml      # config-only (never compiled)
-            └── validate-legacy.esp32-idf.yaml  # config-only variant
+            ├── common.yaml      # Component-only config (no bus definitions)
+            ├── test.esp32-idf.yaml
+            ├── test.esp8266-ard.yaml
+            └── test.rp2040-ard.yaml
        ```
        Run them using `script/test_build_components`. Use `-c <component>` to test specific components and `-t <target>` for specific platforms.

-    *   **Config-only test files (`validate.*.yaml`):** Use this prefix when a YAML file only needs to exercise schema/validation paths and does not need to be compiled. CI runs `validate.*.yaml` files with `esphome config` only and skips them during compile. The grammar mirrors `test.*.yaml`:
-        - `validate.<platform>.yaml` — base config-only test
-        - `validate-<variant>.<platform>.yaml` — config-only variant
-
-        Use this for things like deprecated-syntax migration tests, schema edge cases, or platform-specific validation branches where building firmware adds no signal. A component may have any mix of `test.*.yaml` and `validate.*.yaml` files. Validate files never participate in bus-grouping; each one runs as its own `esphome config` invocation.
-
-        When a PR's only edits to a component are `validate.*.yaml` files (no source changes, no `test.*.yaml` changes, and the component isn't pulled in as a dependency of another changed component), CI skips the compile stage for that component entirely and only runs config validation. This is decided in `script/determine-jobs.py` via `_component_change_is_validate_only` and surfaced as the `validate_only_components` output that the `test-build-components-split` job consumes.
-
    *   **Test Grouping with Packages:** Components that use shared bus packages can be grouped together in CI to reduce build count. **Never define buses (uart, i2c, spi, modbus) directly in test YAML files** — always use packages from `test_build_components/common/`:
        ```yaml
        # test.esp32-idf.yaml — use packages for buses
@@ -475,7 +452,7 @@ This document provides essential context for AI models interacting with this pro
    6.  **Pull Request:** Submit a PR against the `dev` branch. The Pull Request title should have a prefix of the component being worked on (e.g., `[display] Fix bug`, `[abc123] Add new component`). Update documentation, examples, and add `CODEOWNERS` entries as needed. Pull requests should always be made using the `.github/PULL_REQUEST_TEMPLATE.md` template - fill out all sections completely without removing any parts of the template.

 *   **Documentation Contributions:**
-    *   Documentation is hosted in the separate `esphome/esphome.io` repository.
+    *   Documentation is hosted in the separate `esphome/esphome-docs` repository.
    *   The contribution workflow is the same as for the codebase.
    *   When editing a component's documentation page, also update the corresponding component index page to ensure both pages remain in sync.

@@ -694,7 +671,7 @@ This document provides essential context for AI models interacting with this pro
    - [ ] Explored non-breaking alternatives
    - [ ] Added deprecation warnings if possible (use `ESPDEPRECATED` macro for C++)
    - [ ] Documented migration path in PR description with before/after examples
-    - [ ] Updated all internal usage and esphome.io
+    - [ ] Updated all internal usage and esphome-docs
    - [ ] Tested backward compatibility during deprecation period

 *   **Deprecation Pattern (C++):**
--- a/.clang-tidy
+++ b/.clang-tidy
@@ -5,30 +5,24 @@ Checks: >-
  -altera-*,
  -android-*,
  -boost-*,
-  -bugprone-derived-method-shadowing-base-method,
  -bugprone-easily-swappable-parameters,
  -bugprone-implicit-widening-of-multiplication-result,
-  -bugprone-invalid-enum-default-initialization,
  -bugprone-multi-level-implicit-pointer-conversion,
  -bugprone-narrowing-conversions,
-  -bugprone-tagged-union-member-count,
  -bugprone-signed-char-misuse,
  -bugprone-switch-missing-default-case,
  -cert-dcl50-cpp,
  -cert-err33-c,
  -cert-err58-cpp,
-  -cert-int09-c,
  -cert-oop57-cpp,
  -cert-str34-c,
  -clang-analyzer-optin.core.EnumCastOutOfRange,
  -clang-analyzer-optin.cplusplus.UninitializedObject,
  -clang-analyzer-osx.*,
-  -clang-analyzer-security.ArrayBound,
  -clang-diagnostic-delete-abstract-non-virtual-dtor,
  -clang-diagnostic-delete-non-abstract-non-virtual-dtor,
  -clang-diagnostic-deprecated-declarations,
  -clang-diagnostic-ignored-optimization-argument,
-  -clang-diagnostic-missing-designated-field-initializers,
  -clang-diagnostic-missing-field-initializers,
  -clang-diagnostic-shadow-field,
  -clang-diagnostic-unused-const-variable,
@@ -48,7 +42,6 @@ Checks: >-
  -cppcoreguidelines-owning-memory,
  -cppcoreguidelines-prefer-member-initializer,
  -cppcoreguidelines-pro-bounds-array-to-pointer-decay,
-  -cppcoreguidelines-pro-bounds-avoid-unchecked-container-access,
  -cppcoreguidelines-pro-bounds-constant-array-index,
  -cppcoreguidelines-pro-bounds-pointer-arithmetic,
  -cppcoreguidelines-pro-type-const-cast,
@@ -61,13 +54,12 @@ Checks: >-
  -cppcoreguidelines-rvalue-reference-param-not-moved,
  -cppcoreguidelines-special-member-functions,
  -cppcoreguidelines-use-default-member-init,
-  -cppcoreguidelines-use-enum-class,
  -cppcoreguidelines-virtual-class-destructor,
-  -fuchsia-default-arguments-calls,
-  -fuchsia-default-arguments-declarations,
  -fuchsia-multiple-inheritance,
  -fuchsia-overloaded-operator,
  -fuchsia-statically-constructed-objects,
+  -fuchsia-default-arguments-declarations,
+  -fuchsia-default-arguments-calls,
  -google-build-using-namespace,
  -google-explicit-constructor,
  -google-readability-braces-around-statements,
@@ -79,63 +71,49 @@ Checks: >-
  -llvm-else-after-return,
  -llvm-header-guard,
  -llvm-include-order,
-  -llvm-prefer-static-over-anonymous-namespace,
  -llvm-qualified-auto,
-  -llvm-use-ranges,
  -llvmlibc-*,
  -misc-const-correctness,
  -misc-include-cleaner,
-  -misc-multiple-inheritance,
  -misc-no-recursion,
  -misc-non-private-member-variables-in-classes,
-  -misc-override-with-different-visibility,
  -misc-unused-parameters,
  -misc-use-anonymous-namespace,
-  -misc-use-internal-linkage,
  -modernize-avoid-bind,
-  -modernize-avoid-variadic-functions,
  -modernize-avoid-c-arrays,
-  -modernize-avoid-c-style-cast,
+  -modernize-concat-nested-namespaces,
  -modernize-macro-to-enum,
  -modernize-return-braced-init-list,
  -modernize-type-traits,
  -modernize-use-auto,
  -modernize-use-constraints,
  -modernize-use-default-member-init,
-  -modernize-use-designated-initializers,
  -modernize-use-equals-default,
-  -modernize-use-integer-sign-comparison,
  -modernize-use-nodiscard,
  -modernize-use-nullptr,
-  -modernize-use-ranges,
+  -modernize-use-nodiscard,
+  -modernize-use-nullptr,
  -modernize-use-trailing-return-type,
  -mpi-*,
  -objc-*,
  -performance-enum-size,
-  -portability-avoid-pragma-once,
-  -portability-template-virtual-member-function,
-  -readability-ambiguous-smartptr-reset-call,
  -readability-avoid-nested-conditional-operator,
+  -readability-container-contains,
  -readability-container-data-pointer,
  -readability-convert-member-functions-to-static,
  -readability-else-after-return,
-  -readability-enum-initial-value,
  -readability-function-cognitive-complexity,
  -readability-implicit-bool-conversion,
  -readability-isolate-declaration,
  -readability-magic-numbers,
  -readability-make-member-function-const,
-  -readability-math-missing-parentheses,
  -readability-named-parameter,
  -readability-redundant-casting,
  -readability-redundant-inline-specifier,
  -readability-redundant-member-init,
-  -readability-redundant-parentheses,
-  -readability-redundant-typename,
+  -readability-redundant-string-init,
  -readability-uppercase-literal-suffix,
  -readability-use-anyofallof,
-  -readability-use-std-min-max,
-  -readability-use-concise-preprocessor-directives,
 WarningsAsErrors: '*'
 FormatStyle:     google
 CheckOptions:
--- a/.clang-tidy.hash
+++ b/.clang-tidy.hash
@@ -0,0 +1 @@
+f31f13994768b5b07e29624406c9b053bf4bb26e1623ac2bc1e9d4a9477502d6
--- a/.claude/skills/pr-workflow/SKILL.md
+++ b/.claude/skills/pr-workflow/SKILL.md
@@ -29,7 +29,7 @@ Required fields:
 - **What does this implement/fix?**: Brief description of changes
 - **Types of changes**: Check ONE appropriate box (Bugfix, New feature, Breaking change, etc.)
 - **Related issue**: Use `fixes <link>` syntax if applicable
- **Pull request in esphome.io**: Link if docs are needed
+- **Pull request in esphome-docs**: Link if docs are needed
 - **Test Environment**: Check platforms you tested on
 - **Example config.yaml**: Include working example YAML
 - **Checklist**: Verify code is tested and tests added
@@ -54,9 +54,9 @@ Required fields:

 - fixes https://github.com/esphome/esphome/issues/XXX

-**Pull request in [esphome.io](https://github.com/esphome/esphome.io) with documentation (if applicable):**
+**Pull request in [esphome-docs](https://github.com/esphome/esphome-docs) with documentation (if applicable):**

- esphome/esphome.io#XXX
+- esphome/esphome-docs#XXX

 ## Test Environment

@@ -83,7 +83,7 @@ component_name:
  - [x] Tests have been added to verify that the new code works (under `tests/` folder).

 If user exposed functionality or configuration variables are added/changed:
-  - [ ] Documentation added/updated in [esphome.io](https://github.com/esphome/esphome.io).
+  - [ ] Documentation added/updated in [esphome-docs](https://github.com/esphome/esphome-docs).
 ```

 ## 5. Push and Create PR
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -12,7 +12,7 @@
    "--privileged",
    "-e",
    "GIT_EDITOR=code --wait"
-    // uncomment and edit the path in order to pass through local USB serial to the container
+    // uncomment and edit the path in order to pass though local USB serial to the conatiner
    // , "--device=/dev/ttyACM0"
  ],
  "appPort": 6052,
--- a/.dockerignore
+++ b/.dockerignore
@@ -115,4 +115,4 @@ examples/
 Dockerfile
 .git/
 tests/
-.?*
+.*
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -2,7 +2,7 @@
 blank_issues_enabled: false
 contact_links:
  - name: Report an issue with the ESPHome documentation
-    url: https://github.com/esphome/esphome.io/issues/new/choose
+    url: https://github.com/esphome/esphome-docs/issues/new/choose
    about: Report an issue with the ESPHome documentation.
  - name: Report an issue with the ESPHome web server
    url: https://github.com/esphome/esphome-webserver/issues/new/choose
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -16,9 +16,9 @@

 - fixes <link to issue>

-**Pull request in [esphome.io](https://github.com/esphome/esphome.io) with documentation (if applicable):**
+**Pull request in [esphome-docs](https://github.com/esphome/esphome-docs) with documentation (if applicable):**

- esphome/esphome.io#<esphome.io PR number goes here>
+- esphome/esphome-docs#<esphome-docs PR number goes here>

 ## Test Environment

@@ -43,4 +43,4 @@
  - [ ] Tests have been added to verify that the new code works (under `tests/` folder).

 If user exposed functionality or configuration variables are added/changed:
-  - [ ] Documentation added/updated in [esphome.io](https://github.com/esphome/esphome.io).
+  - [ ] Documentation added/updated in [esphome-docs](https://github.com/esphome/esphome-docs).
--- a/.github/actions/build-image/action.yaml
+++ b/.github/actions/build-image/action.yaml
@@ -15,6 +15,11 @@ inputs:
    description: "Version to build"
    required: true
    example: "2023.12.0"
+  base_os:
+    description: "Base OS to use"
+    required: false
+    default: "debian"
+    example: "debian"
 runs:
  using: "composite"
  steps:
@@ -42,7 +47,7 @@ runs:

    - name: Build and push to ghcr by digest
      id: build-ghcr
-      uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+      uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
      env:
        DOCKER_BUILD_SUMMARY: false
        DOCKER_BUILD_RECORD_UPLOAD: false
@@ -55,6 +60,7 @@ runs:
        build-args: |
          BUILD_TYPE=${{ inputs.build_type }}
          BUILD_VERSION=${{ inputs.version }}
+          BUILD_OS=${{ inputs.base_os }}
        outputs: |
          type=image,name=ghcr.io/${{ steps.tags.outputs.image_name }},push-by-digest=true,name-canonical=true,push=true

@@ -67,7 +73,7 @@ runs:

    - name: Build and push to dockerhub by digest
      id: build-dockerhub
-      uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+      uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
      env:
        DOCKER_BUILD_SUMMARY: false
        DOCKER_BUILD_RECORD_UPLOAD: false
@@ -80,6 +86,7 @@ runs:
        build-args: |
          BUILD_TYPE=${{ inputs.build_type }}
          BUILD_VERSION=${{ inputs.version }}
+          BUILD_OS=${{ inputs.base_os }}
        outputs: |
          type=image,name=docker.io/${{ steps.tags.outputs.image_name }},push-by-digest=true,name-canonical=true,push=true

--- a/.github/actions/cache-esp-idf/action.yml
+++ b/.github/actions/cache-esp-idf/action.yml
@@ -1,52 +0,0 @@
-name: Cache ESP-IDF
-description: >
-  Resolve the pinned ESP-IDF version and cache the native ESP-IDF install
-  (toolchains + source) at ~/.esphome-idf. Every job that installs ESP-IDF
-  natively (clang-tidy for IDF/Arduino and the component test batches) shares
-  one cache, since the install is identical (ESPHOME_IDF_DEFAULT_TARGETS
-  defaults to "all", so all toolchains are present regardless of the chip).
-  Callers must set env ESPHOME_ESP_IDF_PREFIX: ~/.esphome-idf and have the
-  Python venv already restored.
-inputs:
-  framework:
-    description: 'Which pinned IDF version to key on: "espidf" (recommended) or "arduino".'
-    default: espidf
-  restore-only:
-    description: >
-      When "true", only restore -- never save the cache, even on dev. Use from
-      jobs that may not produce an ESP-IDF install (e.g. a component batch with
-      no esp32 target), so a partial/empty install is never written to the key.
-    default: "false"
-runs:
-  using: composite
-  steps:
-    - name: Resolve ESP-IDF version for cache key
-      # The native-IDF version is pinned in code, not in any file that feeds the
-      # other cache keys, so resolve it explicitly. Keying on it means the cache
-      # invalidates on a version bump (actions/cache never overwrites a key).
-      id: version
-      shell: bash
-      run: |
-        . venv/bin/activate
-        if [ "${{ inputs.framework }}" = "arduino" ]; then
-          version=$(python -c 'from esphome.components.esp32 import ARDUINO_FRAMEWORK_VERSION_LOOKUP as A, ARDUINO_IDF_VERSION_LOOKUP as L; print(L[A["recommended"]])')
-        else
-          version=$(python -c 'from esphome.components.esp32 import ESP_IDF_FRAMEWORK_VERSION_LOOKUP as L; print(L["recommended"])')
-        fi
-        echo "version=$version" >> "$GITHUB_OUTPUT"
-    # Mirror the adjacent PlatformIO cache: only dev-branch runs write the
-    # shared cache (so it lives in the default-branch scope readable by all
-    # PRs), and PRs are restore-only -- they never push multi-GB artifacts into
-    # their own scope / the repo quota (e.g. on a version-bump PR).
-    - name: Cache ESP-IDF install (write on dev)
-      if: github.ref == 'refs/heads/dev' && inputs.restore-only != 'true'
-      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-      with:
-        path: ~/.esphome-idf
-        key: ${{ runner.os }}-esphome-idf-${{ steps.version.outputs.version }}
-    - name: Cache ESP-IDF install (restore-only off dev)
-      if: github.ref != 'refs/heads/dev' || inputs.restore-only == 'true'
-      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-      with:
-        path: ~/.esphome-idf
-        key: ${{ runner.os }}-esphome-idf-${{ steps.version.outputs.version }}
--- a/.github/actions/restore-python/action.yml
+++ b/.github/actions/restore-python/action.yml
@@ -22,23 +22,11 @@ runs:
        python-version: ${{ inputs.python-version }}
    - name: Restore Python virtual environment
      id: cache-venv
-      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
      with:
        path: venv
        # yamllint disable-line rule:line-length
        key: ${{ runner.os }}-${{ steps.python.outputs.python-version }}-venv-${{ inputs.cache-key }}
-    - name: Set up uv
-      # Only needed on cache miss to populate the venv. ``uv pip install``
-      # detects the activated venv via ``VIRTUAL_ENV`` so the venv layout
-      # downstream jobs rely on is preserved.
-      if: steps.cache-venv.outputs.cache-hit != 'true'
-      uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
-      with:
-        enable-cache: true
-        # Pin uv version so the action does not have to fetch the
-        # manifest from raw.githubusercontent.com on every cache
-        # miss; that fetch flakes on Windows runners.
-        version: "0.11.15"
    - name: Create Python virtual environment
      if: steps.cache-venv.outputs.cache-hit != 'true' && runner.os != 'Windows'
      shell: bash
@@ -46,8 +34,8 @@ runs:
        python -m venv venv
        source venv/bin/activate
        python --version
-        uv pip install -r requirements.txt -r requirements_test.txt
-        uv pip install -e .
+        pip install -r requirements.txt -r requirements_test.txt
+        pip install -e .
    - name: Create Python virtual environment
      if: steps.cache-venv.outputs.cache-hit != 'true' && runner.os == 'Windows'
      shell: bash
@@ -55,5 +43,5 @@ runs:
        python -m venv venv
        source ./venv/Scripts/activate
        python --version
-        uv pip install -r requirements.txt -r requirements_test.txt
-        uv pip install -e .
+        pip install -r requirements.txt -r requirements_test.txt
+        pip install -e .
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -1 +1 @@
-../AGENTS.md
+../.ai/instructions.md
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,7 +5,6 @@ updates:
    directory: "/"
    schedule:
      interval: daily
-    open-pull-requests-limit: 10
    ignore:
      # Hypotehsis is only used for testing and is updated quite often
      - dependency-name: hypothesis
--- a/.github/scripts/auto-label-pr/constants.js
+++ b/.github/scripts/auto-label-pr/constants.js
@@ -35,9 +35,6 @@ module.exports = {
  ],

  DOCS_PR_PATTERNS: [
-    /https:\/\/github\.com\/esphome\/esphome\.io\/pull\/\d+/,
-    /esphome\/esphome\.io#\d+/,
-    // Keep matching the old esphome-docs name during the transition period
    /https:\/\/github\.com\/esphome\/esphome-docs\/pull\/\d+/,
    /esphome\/esphome-docs#\d+/
  ]
--- a/.github/scripts/auto-label-pr/detectors.js
+++ b/.github/scripts/auto-label-pr/detectors.js
@@ -1,3 +1,4 @@
+const fs = require('fs');
 const { DOCS_PR_PATTERNS } = require('./constants');
 const {
  COMPONENT_REGEX,
@@ -8,31 +9,6 @@ const {
 } = require('../detect-tags');
 const { loadCodeowners, getEffectiveOwners } = require('../codeowners');

-// Top-level `CONFIG_SCHEMA = ...` (assignment) or `CONFIG_SCHEMA: ConfigType = ...` (annotation).
-// Ruff/Black enforce exactly one space around `=` and no space before `:`,
-// so we can match strictly: `CONFIG_SCHEMA ` or `CONFIG_SCHEMA:`.
-const CONFIG_SCHEMA_REGEX = /^CONFIG_SCHEMA[ :]/m;
-
-// Fetch a file's contents from the PR head SHA via the GitHub API.
-// The auto-label workflow runs on `pull_request_target`, which checks out the
-// base branch — files added by the PR don't exist in the workspace, so we have
-// to fetch them from the head SHA. Returns null if the file can't be fetched.
-async function fetchPrFileContent(github, context, path) {
-  try {
-    const { owner, repo } = context.repo;
-    const { data } = await github.rest.repos.getContent({
-      owner,
-      repo,
-      path,
-      ref: context.payload.pull_request.head.sha,
-    });
-    return Buffer.from(data.content, 'base64').toString('utf8');
-  } catch (error) {
-    console.log(`Failed to fetch ${path} from PR head:`, error.message);
-    return null;
-  }
-}
-
 // Strategy: Merge branch detection
 async function detectMergeBranch(context) {
  const labels = new Set();
@@ -69,72 +45,52 @@ async function detectComponentPlatforms(changedFiles, apiData) {
 }

 // Strategy: New component detection
-async function detectNewComponents(github, context, prFiles) {
+async function detectNewComponents(prFiles) {
  const labels = new Set();
-  let hasYamlLoadable = false;
  const addedFiles = prFiles.filter(file => file.status === 'added').map(file => file.filename);

  for (const file of addedFiles) {
    const componentMatch = file.match(/^esphome\/components\/([^\/]+)\/__init__\.py$/);
-    if (!componentMatch) continue;
-
-    labels.add('new-component');
-    const content = await fetchPrFileContent(github, context, file);
-    if (content === null) {
-      // Safe default: assume YAML-loadable so needs-docs behaviour is unchanged on fetch failure
-      hasYamlLoadable = true;
-      continue;
-    }
-    if (content.includes('IS_TARGET_PLATFORM = True')) {
-      labels.add('new-target-platform');
-    }
-    if (CONFIG_SCHEMA_REGEX.test(content)) {
-      hasYamlLoadable = true;
+    if (componentMatch) {
+      try {
+        const content = fs.readFileSync(file, 'utf8');
+        if (content.includes('IS_TARGET_PLATFORM = True')) {
+          labels.add('new-target-platform');
+        }
+      } catch (error) {
+        console.log(`Failed to read content of ${file}:`, error.message);
+      }
+      labels.add('new-component');
    }
  }

-  return { labels, hasYamlLoadable };
+  return labels;
 }

 // Strategy: New platform detection
-async function detectNewPlatforms(github, context, prFiles, apiData) {
+async function detectNewPlatforms(prFiles, apiData) {
  const labels = new Set();
-  let hasYamlLoadable = false;
  const addedFiles = prFiles.filter(file => file.status === 'added').map(file => file.filename);

-  const platformPathPatterns = [
-    /^esphome\/components\/([^\/]+)\/([^\/]+)\.py$/,
-    /^esphome\/components\/([^\/]+)\/([^\/]+)\/__init__\.py$/,
-  ];
-
-  const removedFiles = new Set(prFiles.filter(file => file.status === 'removed').map(file => file.filename));
-
  for (const file of addedFiles) {
-    for (const re of platformPathPatterns) {
-      const match = file.match(re);
-      if (!match) continue;
-      const platform = match[2];
-      if (!apiData.platformComponents.includes(platform)) break;
-
-      // Skip if this is a restructure between flat and subdirectory forms (either direction):
-      //   <component>/<platform>.py  <->  <component>/<platform>/__init__.py
-      const flatEquivalent = `esphome/components/${match[1]}/${platform}.py`;
-      const subdirEquivalent = `esphome/components/${match[1]}/${platform}/__init__.py`;
-      if (removedFiles.has(flatEquivalent) || removedFiles.has(subdirEquivalent)) break;
-
-      labels.add('new-platform');
-      const content = await fetchPrFileContent(github, context, file);
-      if (content === null) {
-        // Safe default: assume YAML-loadable so needs-docs behaviour is unchanged on fetch failure
-        hasYamlLoadable = true;
-      } else if (CONFIG_SCHEMA_REGEX.test(content)) {
-        hasYamlLoadable = true;
+    const platformFileMatch = file.match(/^esphome\/components\/([^\/]+)\/([^\/]+)\.py$/);
+    if (platformFileMatch) {
+      const [, component, platform] = platformFileMatch;
+      if (apiData.platformComponents.includes(platform)) {
+        labels.add('new-platform');
+      }
+    }
+
+    const platformDirMatch = file.match(/^esphome\/components\/([^\/]+)\/([^\/]+)\/__init__\.py$/);
+    if (platformDirMatch) {
+      const [, component, platform] = platformDirMatch;
+      if (apiData.platformComponents.includes(platform)) {
+        labels.add('new-platform');
      }
-      break;
    }
  }

-  return { labels, hasYamlLoadable };
+  return labels;
 }

 // Strategy: Core files detection
@@ -344,7 +300,7 @@ function detectMaintainerAccess(context) {
 }

 // Strategy: Requirements detection
-async function detectRequirements(allLabels, prFiles, context, hasYamlLoadable) {
+async function detectRequirements(allLabels, prFiles, context) {
  const labels = new Set();

  // Check for missing tests
@@ -352,15 +308,8 @@ async function detectRequirements(allLabels, prFiles, context, hasYamlLoadable)
    labels.add('needs-tests');
  }

-  // Check for missing docs.
-  // `new-feature` (PR-body checkbox) always counts. `new-component` / `new-platform`
-  // only count when at least one newly added file defines a top-level CONFIG_SCHEMA,
-  // i.e. the new component/platform is actually loadable from YAML.
-  const docsEligible =
-    allLabels.has('new-feature') ||
-    ((allLabels.has('new-component') || allLabels.has('new-platform')) && hasYamlLoadable);
-
-  if (docsEligible) {
+  // Check for missing docs
+  if (allLabels.has('new-component') || allLabels.has('new-platform') || allLabels.has('new-feature')) {
    const prBody = context.payload.pull_request.body || '';
    const hasDocsLink = DOCS_PR_PATTERNS.some(pattern => pattern.test(prBody));

--- a/.github/scripts/auto-label-pr/index.js
+++ b/.github/scripts/auto-label-pr/index.js
@@ -106,8 +106,8 @@ module.exports = async ({ github, context }) => {
  const [
    branchLabels,
    componentLabels,
-    newComponentResult,
-    newPlatformResult,
+    newComponentLabels,
+    newPlatformLabels,
    coreLabels,
    sizeLabels,
    dashboardLabels,
@@ -120,8 +120,8 @@ module.exports = async ({ github, context }) => {
  ] = await Promise.all([
    detectMergeBranch(context),
    detectComponentPlatforms(changedFiles, apiData),
-    detectNewComponents(github, context, prFiles),
-    detectNewPlatforms(github, context, prFiles, apiData),
+    detectNewComponents(prFiles),
+    detectNewPlatforms(prFiles, apiData),
    detectCoreChanges(changedFiles),
    detectPRSize(prFiles, totalAdditions, totalDeletions, totalChanges, isMegaPR, SMALL_PR_THRESHOLD, MEDIUM_PR_THRESHOLD, TOO_BIG_THRESHOLD),
    detectDashboardChanges(changedFiles),
@@ -133,13 +133,6 @@ module.exports = async ({ github, context }) => {
    detectMaintainerAccess(context)
  ]);

-  // Extract new-component / new-platform results
-  const newComponentLabels = newComponentResult.labels;
-  const newPlatformLabels = newPlatformResult.labels;
-  // Eligible for needs-docs only if any newly added component or platform file
-  // defines a top-level CONFIG_SCHEMA (i.e. is actually loadable from YAML).
-  const hasYamlLoadable = newComponentResult.hasYamlLoadable || newPlatformResult.hasYamlLoadable;
-
  // Extract deprecated component info
  const deprecatedLabels = deprecatedResult.labels;
  const deprecatedInfo = deprecatedResult.deprecatedInfo;
@@ -161,7 +154,7 @@ module.exports = async ({ github, context }) => {
  ]);

  // Detect requirements based on all other labels
-  const requirementLabels = await detectRequirements(allLabels, prFiles, context, hasYamlLoadable);
+  const requirementLabels = await detectRequirements(allLabels, prFiles, context);
  for (const label of requirementLabels) {
    allLabels.add(label);
  }
--- a/.github/scripts/auto-label-pr/package.json
+++ b/.github/scripts/auto-label-pr/package.json
@@ -1,7 +0,0 @@
-{
-  "name": "auto-label-pr",
-  "private": true,
-  "scripts": {
-    "test": "node --test tests/*.test.js"
-  }
-}
--- a/.github/scripts/auto-label-pr/reviews.js
+++ b/.github/scripts/auto-label-pr/reviews.js
@@ -41,36 +41,16 @@ function generateReviewMessages(finalLabels, originalLabelCount, deprecatedInfo,

    let message = `${TOO_BIG_MARKER}\n### 📦 Pull Request Size\n\n`;

-    message +=
-      `Hey @${prAuthor}, thanks for the contribution! Just a heads up, ` +
-      `this PR is on the large side `;
-
    if (tooManyLabels && tooManyChanges) {
-      message +=
-        `(${nonTestChanges} line changes excluding tests, across ` +
-        `${originalLabelCount} different components/areas)`;
+      message += `This PR is too large with ${nonTestChanges} line changes (excluding tests) and affects ${originalLabelCount} different components/areas.`;
    } else if (tooManyLabels) {
-      message +=
-        `(it touches ${originalLabelCount} different components/areas)`;
+      message += `This PR affects ${originalLabelCount} different components/areas.`;
    } else {
-      message += `(${nonTestChanges} line changes excluding tests)`;
+      message += `This PR is too large with ${nonTestChanges} line changes (excluding tests).`;
    }

-    message += `, which makes it harder for maintainers to review.\n\n`;
-    message +=
-      `Smaller, focused PRs tend to be reviewed much faster since they ` +
-      `fit into the short gaps between other maintainer work; large ones ` +
-      `often have to wait for a rare long uninterrupted block of time. ` +
-      `If you can break this up into smaller pieces that can be reviewed ` +
-      `independently, it will almost certainly land faster overall.\n\n`;
-    message +=
-      `Before putting more time in, it's also worth popping into ` +
-      `\`#devs\` on [Discord](https://esphome.io/chat) so we can help ` +
-      `you scope things and flag anything already in flight.\n\n`;
-    message +=
-      `For more details (including how to split the work up), see: ` +
-      `https://developers.esphome.io/contributing/submitting-your-work/` +
-      `#how-to-approach-large-submissions`;
+    message += ` Please consider breaking it down into smaller, focused PRs to make review easier and reduce the risk of conflicts.\n\n`;
+    message += `For guidance on breaking down large PRs, see: https://developers.esphome.io/contributing/submitting-your-work/#how-to-approach-large-submissions`;

    messages.push(message);
  }
--- a/.github/scripts/auto-label-pr/tests/detectors.test.js
+++ b/.github/scripts/auto-label-pr/tests/detectors.test.js
@@ -1,147 +0,0 @@
-const { describe, it } = require('node:test');
-const assert = require('node:assert/strict');
-const { detectNewPlatforms, detectNewComponents } = require('../detectors');
-
-// Minimal GitHub API mock — only repos.getContent is called by detectNewPlatforms/detectNewComponents
-// to check for CONFIG_SCHEMA in newly added files.
-function makeGithub(content = '') {
-  return {
-    rest: {
-      repos: {
-        getContent: async () => ({
-          data: { content: Buffer.from(content).toString('base64') }
-        })
-      }
-    }
-  };
-}
-
-const CONTEXT = {
-  repo: { owner: 'esphome', repo: 'esphome' },
-  payload: { pull_request: { head: { sha: 'abc123' }, base: { ref: 'dev' } } }
-};
-
-const API_DATA = {
-  targetPlatforms: ['esp32', 'esp8266', 'rp2040'],
-  platformComponents: ['cover', 'sensor', 'binary_sensor', 'switch', 'light', 'fan', 'climate', 'valve']
-};
-
-const WITH_SCHEMA = 'CONFIG_SCHEMA = cv.Schema({})';
-const WITHOUT_SCHEMA = 'CODEOWNERS = ["@esphome/core"]';
-
-// ---------------------------------------------------------------------------
-// detectNewPlatforms
-// ---------------------------------------------------------------------------
-
-describe('detectNewPlatforms', () => {
-  describe('restructure detection (no false positives)', () => {
-    it('flat .py -> subdir __init__.py is not a new platform', async () => {
-      const prFiles = [
-        { filename: 'esphome/components/endstop/cover.py', status: 'removed' },
-        { filename: 'esphome/components/endstop/cover/__init__.py', status: 'added' },
-      ];
-      const result = await detectNewPlatforms(makeGithub(WITH_SCHEMA), CONTEXT, prFiles, API_DATA);
-      assert.equal(result.labels.size, 0);
-      assert.equal(result.hasYamlLoadable, false);
-    });
-
-    it('subdir __init__.py -> flat .py is not a new platform', async () => {
-      const prFiles = [
-        { filename: 'esphome/components/endstop/cover/__init__.py', status: 'removed' },
-        { filename: 'esphome/components/endstop/cover.py', status: 'added' },
-      ];
-      const result = await detectNewPlatforms(makeGithub(WITH_SCHEMA), CONTEXT, prFiles, API_DATA);
-      assert.equal(result.labels.size, 0);
-      assert.equal(result.hasYamlLoadable, false);
-    });
-  });
-
-  describe('genuine new platforms', () => {
-    it('new subdir platform with CONFIG_SCHEMA sets new-platform and hasYamlLoadable', async () => {
-      const prFiles = [
-        { filename: 'esphome/components/my_sensor/cover/__init__.py', status: 'added' },
-      ];
-      const result = await detectNewPlatforms(makeGithub(WITH_SCHEMA), CONTEXT, prFiles, API_DATA);
-      assert.ok(result.labels.has('new-platform'));
-      assert.equal(result.hasYamlLoadable, true);
-    });
-
-    it('new flat platform with CONFIG_SCHEMA sets new-platform and hasYamlLoadable', async () => {
-      const prFiles = [
-        { filename: 'esphome/components/my_sensor/cover.py', status: 'added' },
-      ];
-      const result = await detectNewPlatforms(makeGithub(WITH_SCHEMA), CONTEXT, prFiles, API_DATA);
-      assert.ok(result.labels.has('new-platform'));
-      assert.equal(result.hasYamlLoadable, true);
-    });
-
-    it('new platform without CONFIG_SCHEMA sets new-platform but not hasYamlLoadable', async () => {
-      const prFiles = [
-        { filename: 'esphome/components/my_sensor/cover.py', status: 'added' },
-      ];
-      const result = await detectNewPlatforms(makeGithub(WITHOUT_SCHEMA), CONTEXT, prFiles, API_DATA);
-      assert.ok(result.labels.has('new-platform'));
-      assert.equal(result.hasYamlLoadable, false);
-    });
-
-    it('non-platform file addition produces no labels', async () => {
-      const prFiles = [
-        { filename: 'esphome/components/my_sensor/sensor.py', status: 'added' },
-      ];
-      // Override platformComponents so 'sensor' is not a recognized platform -> no label expected.
-      const nonPlatformApiData = { ...API_DATA, platformComponents: ['cover'] };
-      const result = await detectNewPlatforms(makeGithub(WITH_SCHEMA), CONTEXT, prFiles, nonPlatformApiData);
-      assert.equal(result.labels.size, 0);
-      assert.equal(result.hasYamlLoadable, false);
-    });
-  });
-});
-
-// ---------------------------------------------------------------------------
-// detectNewComponents
-// ---------------------------------------------------------------------------
-
-describe('detectNewComponents', () => {
-  it('new top-level __init__.py sets new-component', async () => {
-    const prFiles = [
-      { filename: 'esphome/components/actuator/__init__.py', status: 'added', },
-    ];
-    const result = await detectNewComponents(makeGithub(WITHOUT_SCHEMA), CONTEXT, prFiles);
-    assert.ok(result.labels.has('new-component'));
-    assert.equal(result.hasYamlLoadable, false);
-  });
-
-  it('new top-level __init__.py with CONFIG_SCHEMA sets hasYamlLoadable', async () => {
-    const prFiles = [
-      { filename: 'esphome/components/my_component/__init__.py', status: 'added' },
-    ];
-    const result = await detectNewComponents(makeGithub(WITH_SCHEMA), CONTEXT, prFiles);
-    assert.ok(result.labels.has('new-component'));
-    assert.equal(result.hasYamlLoadable, true);
-  });
-
-  it('new top-level __init__.py with IS_TARGET_PLATFORM sets new-target-platform', async () => {
-    const prFiles = [
-      { filename: 'esphome/components/my_platform/__init__.py', status: 'added' },
-    ];
-    const result = await detectNewComponents(makeGithub('IS_TARGET_PLATFORM = True'), CONTEXT, prFiles);
-    assert.ok(result.labels.has('new-component'));
-    assert.ok(result.labels.has('new-target-platform'));
-  });
-
-  it('modified __init__.py does not set new-component', async () => {
-    const prFiles = [
-      { filename: 'esphome/components/existing/__init__.py', status: 'modified' },
-    ];
-    const result = await detectNewComponents(makeGithub(WITH_SCHEMA), CONTEXT, prFiles);
-    assert.equal(result.labels.size, 0);
-  });
-
-  it('nested __init__.py does not set new-component', async () => {
-    const prFiles = [
-      { filename: 'esphome/components/endstop/cover/__init__.py', status: 'added' },
-    ];
-    const result = await detectNewComponents(makeGithub(WITH_SCHEMA), CONTEXT, prFiles);
-    assert.equal(result.labels.size, 0);
-  });
-});
--- a/.github/workflows/auto-label-pr.yml
+++ b/.github/workflows/auto-label-pr.yml
@@ -6,10 +6,9 @@ on:
  pull_request_target:
    types: [labeled, opened, reopened, synchronize, edited]

-# All PR/label/review writes are performed with the App token minted below,
-# so the workflow's GITHUB_TOKEN only needs read access for checkout.
 permissions:
-  contents: read  # actions/checkout reads the workflow source
+  pull-requests: write
+  contents: read

 env:
  SMALL_PR_THRESHOLD: 30
@@ -21,24 +20,20 @@ env:
 jobs:
  label:
    runs-on: ubuntu-latest
-    if: github.event.pull_request.state == 'open' && (github.event.action != 'labeled' || github.event.sender.type != 'Bot')
+    if: github.event.action != 'labeled' || github.event.sender.type != 'Bot'
    steps:
      - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
        with:
-          client-id: ${{ vars.ESPHOME_GITHUB_APP_CLIENT_ID }}
+          app-id: ${{ secrets.ESPHOME_GITHUB_APP_ID }}
          private-key: ${{ secrets.ESPHOME_GITHUB_APP_PRIVATE_KEY }}
-          # Scope the minted App token to the minimum needed by auto-label-pr/*.js.
-          permission-contents: read       # repos.getContent for CODEOWNERS and file lookups in detectors.js
-          permission-issues: write        # listLabelsOnIssue, addLabels, removeLabel, list/createComment
-          permission-pull-requests: write  # pulls.listFiles, list/create/update/dismissReview

      - name: Auto Label PR
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          script: |
--- a/.github/workflows/ci-api-proto.yml
+++ b/.github/workflows/ci-api-proto.yml
@@ -12,8 +12,8 @@ on:
      - ".github/workflows/ci-api-proto.yml"

 permissions:
-  contents: read        # actions/checkout for the PR head
-  pull-requests: write  # pulls.createReview / listReviews / dismissReview when generated proto files are stale
+  contents: read
+  pull-requests: write

 jobs:
  check:
@@ -21,21 +21,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.11"
-      - name: Set up uv
-        # ``--system`` (below) installs into the setup-python interpreter;
-        # no venv is created or restored by this workflow.
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
-        with:
-          enable-cache: true
-          # Pin uv version so the action does not have to fetch the
-          # manifest from raw.githubusercontent.com on every cache
-          # miss; that fetch flakes on Windows runners.
-          version: "0.11.15"

      - name: Install apt dependencies
        run: |
@@ -44,7 +34,7 @@ jobs:
          sudo apt install -y protobuf-compiler
          protoc --version
      - name: Install python dependencies
-        run: uv pip install --system aioesphomeapi -c requirements.txt -r requirements_dev.txt
+        run: pip install aioesphomeapi -c requirements.txt -r requirements_dev.txt
      - name: Generate files
        run: script/api_protobuf/api_protobuf.py
      - name: Check for changes
@@ -57,7 +47,7 @@ jobs:
          fi
      - if: failure()
        name: Review PR
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            await github.rest.pulls.createReview({
@@ -72,7 +62,7 @@ jobs:
        run: git diff
      - if: failure()
        name: Archive artifacts
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: generated-proto-files
          path: |
@@ -80,7 +70,7 @@ jobs:
            esphome/components/api/api_pb2_service.*
      - if: success()
        name: Dismiss review
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            let reviews = await github.rest.pulls.listReviews({
--- a/.github/workflows/ci-clang-tidy-hash.yml
+++ b/.github/workflows/ci-clang-tidy-hash.yml
@@ -0,0 +1,76 @@
+name: Clang-tidy Hash CI
+
+on:
+  pull_request:
+    paths:
+      - ".clang-tidy"
+      - "platformio.ini"
+      - "requirements_dev.txt"
+      - "sdkconfig.defaults"
+      - ".clang-tidy.hash"
+      - "script/clang_tidy_hash.py"
+      - ".github/workflows/ci-clang-tidy-hash.yml"
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  verify-hash:
+    name: Verify clang-tidy hash
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.11"
+
+      - name: Verify hash
+        run: |
+          python script/clang_tidy_hash.py --verify
+
+      - if: failure()
+        name: Show hash details
+        run: |
+          python script/clang_tidy_hash.py
+          echo "## Job Failed" | tee -a $GITHUB_STEP_SUMMARY
+          echo "You have modified clang-tidy configuration but have not updated the hash." | tee -a $GITHUB_STEP_SUMMARY
+          echo "Please run 'script/clang_tidy_hash.py --update' and commit the changes." | tee -a $GITHUB_STEP_SUMMARY
+
+      - if: failure() && github.event.pull_request.head.repo.full_name == github.repository
+        name: Request changes
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            await github.rest.pulls.createReview({
+              pull_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              event: 'REQUEST_CHANGES',
+              body: 'You have modified clang-tidy configuration but have not updated the hash.\nPlease run `script/clang_tidy_hash.py --update` and commit the changes.'
+            })
+
+      - if: success() && github.event.pull_request.head.repo.full_name == github.repository
+        name: Dismiss review
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            let reviews = await github.rest.pulls.listReviews({
+              pull_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo
+            });
+            for (let review of reviews.data) {
+              if (review.user.login === 'github-actions[bot]' && review.state === 'CHANGES_REQUESTED') {
+                await github.rest.pulls.dismissReview({
+                  pull_number: context.issue.number,
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  review_id: review.id,
+                  message: 'Clang-tidy hash now matches configuration.'
+                });
+              }
+            }
--- a/.github/workflows/ci-docker.yml
+++ b/.github/workflows/ci-docker.yml
@@ -1,41 +1,29 @@
 ---
 name: CI for docker images

-# Only run on PRs that touch the docker image, its build inputs, or any code
-# whose toolchain the compile smoke test exercises (core + target platforms).
+# Only run when docker paths change

 on:
-  pull_request:
+  push:
+    branches: [dev, beta, release]
+    paths:
+      - "docker/**"
+      - ".github/workflows/ci-docker.yml"
+      - "requirements*.txt"
+      - "platformio.ini"
+      - "script/platformio_install_deps.py"
+
+  pull_request:
    paths:
-      # Docker image and its build inputs.
      - "docker/**"
      - ".github/workflows/ci-docker.yml"
      - "requirements*.txt"
-      - "pyproject.toml"
      - "platformio.ini"
-      - "esphome/idf_component.yml"
      - "script/platformio_install_deps.py"
-      # Core, build pipeline, toolchain, and target-platform changes can change
-      # how a toolchain is set up or built, so re-run the per-toolchain compile
-      # smoke test when they change.
-      - "esphome/core/**"
-      - "esphome/writer.py"
-      - "esphome/build_gen/**"
-      - "esphome/espidf/**"
-      - "esphome/platformio/**"
-      - "esphome/components/bk72xx/**"
-      - "esphome/components/esp32/**"
-      - "esphome/components/esp8266/**"
-      - "esphome/components/host/**"
-      - "esphome/components/libretiny/**"
-      - "esphome/components/ln882x/**"
-      - "esphome/components/nrf52/**"
-      - "esphome/components/rp2040/**"
-      - "esphome/components/rtl87xx/**"
-      - "esphome/components/zephyr/**"

 permissions:
-  contents: read  # actions/checkout only
+  contents: read
+  packages: read

 concurrency:
  # yamllint disable-line rule:line-length
@@ -46,9 +34,6 @@ jobs:
  check-docker:
    name: Build docker containers
    runs-on: ${{ matrix.os }}
-    permissions:
-      contents: read   # actions/checkout to load Dockerfile and build context
-      packages: write  # push branch-tagged images to ghcr.io for local testing
    strategy:
      fail-fast: false
      matrix:
@@ -57,161 +42,23 @@ jobs:
          - "ha-addon"
          - "docker"
          # - "lint"
-    outputs:
-      tag: ${{ steps.tag.outputs.tag }}
-      push: ${{ steps.tag.outputs.push }}
    steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.11"
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

-      - name: Determine tag and whether to push
-        id: tag
+      - name: Set TAG
        run: |
-          # Sanitize the branch name into a valid docker tag: replace invalid
-          # characters, ensure the first character is valid (tags must start
-          # with [A-Za-z0-9_]), and cap the length at 128 characters.
-          branch="${{ github.head_ref || github.ref_name }}"
-          tag="${branch//[^a-zA-Z0-9_.-]/-}"
-          case "$tag" in
-            [a-zA-Z0-9_]*) ;;
-            *) tag="pr-${tag}" ;;
-          esac
-          tag="${tag:0:128}"
-          echo "tag=${tag}" >> "$GITHUB_OUTPUT"
-          # Only push branch images for same-repo pull requests. Push events
-          # only fire for dev/beta/release, whose images are owned by the
-          # release pipeline -- never overwrite those from here.
-          if [ "${{ github.event_name }}" = "pull_request" ] \
-            && [ "${{ github.repository }}" = "esphome/esphome" ] \
-            && [ "${{ github.event.pull_request.head.repo.full_name }}" = "esphome/esphome" ]; then
-            echo "push=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "push=false" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Log in to the GitHub container registry
-        if: steps.tag.outputs.push == 'true'
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          echo "TAG=check" >> $GITHUB_ENV

      - name: Run build
        run: |
          docker/build.py \
-            --tag "${{ steps.tag.outputs.tag }}" \
+            --tag "${TAG}" \
            --arch "${{ matrix.os == 'ubuntu-24.04-arm' && 'aarch64' || 'amd64' }}" \
            --build-type "${{ matrix.build_type }}" \
-            --registry ghcr \
-            build ${{ steps.tag.outputs.push == 'true' && '--push --no-cache-to' || '' }} ${{ (matrix.os == 'ubuntu-24.04' && matrix.build_type == 'docker') && '--load' || '' }}
-
-      # The amd64 "docker" image is also loaded locally (above) and handed to
-      # compile-test as an artifact, so the smoke test reuses this build instead
-      # of building the image a second time. Using an artifact (rather than the
-      # pushed image) keeps it working for fork PRs, which never push to ghcr.io.
-      - name: Export image for compile-test
-        if: matrix.os == 'ubuntu-24.04' && matrix.build_type == 'docker'
-        run: docker save "ghcr.io/esphome/esphome-amd64:${{ steps.tag.outputs.tag }}" | gzip > compile-test-image.tar.gz
-
-      - name: Upload compile-test image artifact
-        if: matrix.os == 'ubuntu-24.04' && matrix.build_type == 'docker'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          # The tar is already gzipped, so upload it as-is. archive: false skips
-          # the redundant zip and makes the file name the artifact name (the
-          # `name` input is ignored in that mode).
-          path: compile-test-image.tar.gz
-          retention-days: 1
-          archive: false
-
-  manifest:
-    name: Push ${{ matrix.build_type }} manifest to ghcr.io
-    needs: [check-docker]
-    if: needs.check-docker.outputs.push == 'true'
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read   # actions/checkout to run docker/build.py
-      packages: write  # buildx imagetools writes the multi-arch tag to ghcr.io
-    strategy:
-      fail-fast: false
-      matrix:
-        build_type:
-          - "ha-addon"
-          - "docker"
-    steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.11"
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
-
-      - name: Log in to the GitHub container registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Create and push manifest
-        run: |
-          docker/build.py \
-            --tag "${{ needs.check-docker.outputs.tag }}" \
-            --build-type "${{ matrix.build_type }}" \
-            --registry ghcr \
-            manifest
-
-  # Smoke-test the built image by compiling one minimal config per target
-  # platform / toolchain. This catches missing system dependencies in the image
-  # that only surface when a given toolchain is downloaded and run. The image is
-  # the amd64 "docker" build produced by check-docker (shared as an artifact).
-  compile-test:
-    name: Compile ${{ matrix.id }}
-    needs: check-docker
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read  # actions/checkout to load the test configs
-    strategy:
-      fail-fast: false
-      # Cap concurrency so this smoke test doesn't hog all the shared runners.
-      max-parallel: 2
-      matrix:
-        # One entry per distinct toolchain. ESP32 variants (c3/c6/s2/s3/p4)
-        # share a toolchain bundle, so esp32 is exercised on the base variant
-        # across the full framework x toolchain cross-product (arduino/esp-idf
-        # framework, each built with the platformio and native esp-idf
-        # toolchains) so both toolchains stay covered regardless of which one is
-        # the default.
-        id:
-          - esp8266-arduino
-          - esp32-arduino-platformio
-          - esp32-arduino-esp-idf
-          - esp32-idf-platformio
-          - esp32-idf-esp-idf
-          - rp2040-arduino
-          - bk72xx-arduino
-          - rtl87xx-arduino
-          - ln882x-arduino
-          - nrf52
-          - host
-    steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
-      - name: Download image artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: compile-test-image.tar.gz
-      - name: Load image
-        run: docker load --input compile-test-image.tar.gz
-      - name: Compile ${{ matrix.id }}
-        run: |
-          docker run --rm \
-            -v "${{ github.workspace }}/docker/test_configs:/config" \
-            "ghcr.io/esphome/esphome-amd64:${{ needs.check-docker.outputs.tag }}" \
-            compile "${{ matrix.id }}.yaml"
+            build
--- a/.github/workflows/ci-github-scripts.yml
+++ b/.github/workflows/ci-github-scripts.yml
@@ -1,27 +0,0 @@
-name: CI - GitHub Scripts
-
-on:
-  push:
-    branches: [dev, beta, release]
-    paths:
-      - ".github/scripts/**"
-      - ".github/workflows/ci-github-scripts.yml"
-  pull_request:
-    paths:
-      - ".github/scripts/**"
-      - ".github/workflows/ci-github-scripts.yml"
-
-permissions:
-  contents: read
-
-jobs:
-  test-auto-label-pr:
-    name: Test auto-label-pr scripts
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
-
-      - name: Run tests
-        working-directory: .github/scripts/auto-label-pr
-        run: npm test
--- a/.github/workflows/ci-memory-impact-comment.yml
+++ b/.github/workflows/ci-memory-impact-comment.yml
@@ -7,9 +7,9 @@ on:
    types: [completed]

 permissions:
-  contents: read        # actions/checkout of the base repo at the PR's target branch
-  pull-requests: write  # gh api to look up the PR by head SHA and post/update the memory-impact comment
-  actions: read         # gh run download for the memory-analysis artifacts produced by the CI workflow run
+  contents: read
+  pull-requests: write
+  actions: read

 jobs:
  memory-impact-comment:
@@ -49,7 +49,7 @@ jobs:

      - name: Check out code from base repository
        if: steps.pr.outputs.skip != 'true'
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Always check out from the base repository (esphome/esphome), never from forks
          # Use the PR's target branch to ensure we run trusted code from the main repo
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,10 +6,18 @@ on:
    branches: [dev, beta, release]

  pull_request:
+    paths:
+      - "**"
+      - "!.github/workflows/*.yml"
+      - "!.github/actions/build-image/*"
+      - ".github/workflows/ci.yml"
+      - "!.yamllint"
+      - "!.github/dependabot.yml"
+      - "!docker/**"
  merge_group:

 permissions:
-  contents: read  # actions/checkout for all jobs; individual jobs add their own scopes when they need to write
+  contents: read

 env:
  DEFAULT_PYTHON: "3.11"
@@ -28,10 +36,10 @@ jobs:
      cache-key: ${{ steps.cache-key.outputs.key }}
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Generate cache-key
        id: cache-key
-        run: echo key="${{ hashFiles('requirements.txt', 'requirements_dev.txt', 'requirements_test.txt', '.pre-commit-config.yaml') }}" >> $GITHUB_OUTPUT
+        run: echo key="${{ hashFiles('requirements.txt', 'requirements_test.txt', '.pre-commit-config.yaml') }}" >> $GITHUB_OUTPUT
      - name: Set up Python ${{ env.DEFAULT_PYTHON }}
        id: python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -39,31 +47,19 @@ jobs:
          python-version: ${{ env.DEFAULT_PYTHON }}
      - name: Restore Python virtual environment
        id: cache-venv
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: venv
          # yamllint disable-line rule:line-length
          key: ${{ runner.os }}-${{ steps.python.outputs.python-version }}-venv-${{ steps.cache-key.outputs.key }}
-      - name: Set up uv
-        # Only needed on cache miss to populate the venv. ``uv pip install``
-        # detects the activated venv via ``VIRTUAL_ENV`` so downstream jobs
-        # that ``. venv/bin/activate`` see an identical layout.
-        if: steps.cache-venv.outputs.cache-hit != 'true'
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
-        with:
-          enable-cache: true
-          # Pin uv version so the action does not have to fetch the
-          # manifest from raw.githubusercontent.com on every cache
-          # miss; that fetch flakes on Windows runners.
-          version: "0.11.15"
      - name: Create Python virtual environment
        if: steps.cache-venv.outputs.cache-hit != 'true'
        run: |
          python -m venv venv
          . venv/bin/activate
          python --version
-          uv pip install -r requirements.txt -r requirements_dev.txt -r requirements_test.txt pre-commit
-          uv pip install -e .
+          pip install -r requirements.txt -r requirements_test.txt pre-commit
+          pip install -e .

  pylint:
    name: Check pylint
@@ -74,7 +70,7 @@ jobs:
    if: needs.determine-jobs.outputs.python-linters == 'true'
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Restore Python
        uses: ./.github/actions/restore-python
        with:
@@ -93,11 +89,9 @@ jobs:
    runs-on: ubuntu-24.04
    needs:
      - common
-      - determine-jobs
-    if: needs.determine-jobs.outputs.core-ci == 'true'
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Restore Python
        uses: ./.github/actions/restore-python
        with:
@@ -113,89 +107,6 @@ jobs:
          script/build_language_schema.py --check
          script/generate-esp32-boards.py --check
          script/generate-rp2040-boards.py --check
-          script/ci_check_duplicate_test_ids.py
-
-  import-time:
-    name: Check import esphome.__main__ time
-    runs-on: ubuntu-24.04
-    needs:
-      - common
-      - determine-jobs
-    if: needs.determine-jobs.outputs.import-time == 'true'
-    steps:
-      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
-      - name: Restore Python
-        uses: ./.github/actions/restore-python
-        with:
-          python-version: ${{ env.DEFAULT_PYTHON }}
-          cache-key: ${{ needs.common.outputs.cache-key }}
-      - name: Check import time against budget and write waterfall HAR
-        run: |
-          . venv/bin/activate
-          script/check_import_time.py --check --har importtime.har
-      - name: Upload waterfall HAR
-        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: import-time-waterfall
-          path: importtime.har
-          if-no-files-found: ignore
-          retention-days: 14
-
-  device-builder:
-    name: Test downstream esphome/device-builder
-    runs-on: ubuntu-24.04
-    needs:
-      - common
-      - determine-jobs
-    if: needs.determine-jobs.outputs.device-builder == 'true'
-    steps:
-      - name: Check out esphome (this PR)
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
-        with:
-          path: esphome
-      - name: Check out esphome/device-builder
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
-        with:
-          repository: esphome/device-builder
-          ref: main
-          path: device-builder
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.13"
-      - name: Set up uv
-        # Mirrors the install shape device-builder's own CI uses
-        # (esphome/device-builder#192): uv replaces pip for the
-        # install step (order-of-magnitude faster on cold boots,
-        # with its own wheel cache). actions/setup-python still
-        # provides the interpreter.
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
-        with:
-          enable-cache: true
-          # Pin uv version so the action does not have to fetch the
-          # manifest from raw.githubusercontent.com on every cache
-          # miss; that fetch flakes on Windows runners.
-          version: "0.11.15"
-      - name: Install device-builder + esphome from PR
-        # Install device-builder with its esphome + test extras
-        # first so its pinned versions of pytest/etc. land, then
-        # overlay the PR's esphome so the downstream tests run
-        # against this PR's Python code. ``--system`` installs into
-        # the runner's Python instead of a venv.
-        run: |
-          uv pip install --system -e './device-builder[esphome,test]'
-          uv pip install --system -e ./esphome
-      - name: Run device-builder pytest
-        # ``-n auto`` runs under pytest-xdist (matches device-builder's
-        # own CI). No ``--cov`` here -- this is purely a downstream
-        # smoke check against this PR's esphome code. ``tests/e2e/slow``
-        # is excluded: those are real multi-minute toolchain compiles
-        # (LibreTiny SDK clone, native ESP-IDF install) that device-builder
-        # runs in its own dedicated jobs, not this smoke check.
-        working-directory: device-builder
-        run: pytest -q -n auto --maxfail=5 --durations=30 --no-cov --ignore=tests/benchmarks --ignore=tests/e2e/slow

  pytest:
    name: Run pytest
@@ -221,11 +132,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    needs:
      - common
-      - determine-jobs
-    if: needs.determine-jobs.outputs.core-ci == 'true'
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Restore Python
        id: restore-python
        uses: ./.github/actions/restore-python
@@ -238,19 +147,19 @@ jobs:
        if: matrix.os == 'windows-latest'
        run: |
          . ./venv/Scripts/activate.ps1
-          pytest -vv --cov-report=xml --tb=native --durations=30 -n auto tests --ignore=tests/integration/
+          pytest -vv --cov-report=xml --tb=native -n auto tests --ignore=tests/integration/
      - name: Run pytest
        if: matrix.os == 'ubuntu-latest' || matrix.os == 'macOS-latest'
        run: |
          . venv/bin/activate
-          pytest -vv --cov-report=xml --tb=native --durations=30 -n auto tests --ignore=tests/integration/
+          pytest -vv --cov-report=xml --tb=native -n auto tests --ignore=tests/integration/
      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
      - name: Save Python virtual environment cache
        if: github.ref == 'refs/heads/dev'
-        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: venv
          key: ${{ runner.os }}-${{ steps.restore-python.outputs.python-version }}-venv-${{ needs.common.outputs.cache-key }}
@@ -261,17 +170,12 @@ jobs:
    needs:
      - common
    outputs:
-      core-ci: ${{ steps.determine.outputs.core-ci }}
      integration-tests: ${{ steps.determine.outputs.integration-tests }}
-      integration-test-buckets: ${{ steps.determine.outputs.integration-test-buckets }}
+      integration-tests-run-all: ${{ steps.determine.outputs.integration-tests-run-all }}
+      integration-test-files: ${{ steps.determine.outputs.integration-test-files }}
      clang-tidy: ${{ steps.determine.outputs.clang-tidy }}
      clang-tidy-mode: ${{ steps.determine.outputs.clang-tidy-mode }}
-      clang-tidy-full-scan: ${{ steps.determine.outputs.clang-tidy-full-scan }}
      python-linters: ${{ steps.determine.outputs.python-linters }}
-      import-time: ${{ steps.determine.outputs.import-time }}
-      device-builder: ${{ steps.determine.outputs.device-builder }}
-      esp32-platformio: ${{ steps.determine.outputs.esp32-platformio }}
-      esp32-platformio-components: ${{ steps.determine.outputs.esp32-platformio-components }}
      changed-components: ${{ steps.determine.outputs.changed-components }}
      changed-components-with-tests: ${{ steps.determine.outputs.changed-components-with-tests }}
      directly-changed-components-with-tests: ${{ steps.determine.outputs.directly-changed-components-with-tests }}
@@ -281,11 +185,10 @@ jobs:
      cpp-unit-tests-run-all: ${{ steps.determine.outputs.cpp-unit-tests-run-all }}
      cpp-unit-tests-components: ${{ steps.determine.outputs.cpp-unit-tests-components }}
      component-test-batches: ${{ steps.determine.outputs.component-test-batches }}
-      validate-only-components: ${{ steps.determine.outputs.validate-only-components }}
      benchmarks: ${{ steps.determine.outputs.benchmarks }}
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Fetch enough history to find the merge base
          fetch-depth: 2
@@ -295,7 +198,7 @@ jobs:
          python-version: ${{ env.DEFAULT_PYTHON }}
          cache-key: ${{ needs.common.outputs.cache-key }}
      - name: Restore components graph cache
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: .temp/components_graph.json
          key: components-graph-${{ hashFiles('esphome/components/**/*.py') }}
@@ -305,27 +208,17 @@ jobs:
          GH_TOKEN: ${{ github.token }}
        run: |
          . venv/bin/activate
-          EXTRA_ARGS=""
-          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'ci-run-all') }}" == "true" ]]; then
-            EXTRA_ARGS="--force-all"
-            echo "::notice::ci-run-all label detected -- forcing every CI job to run"
-          fi
-          output=$(python script/determine-jobs.py $EXTRA_ARGS)
+          output=$(python script/determine-jobs.py)
          echo "Test determination output:"
          echo "$output" | jq

          # Extract individual fields
-          echo "core-ci=$(echo "$output" | jq -r '.core_ci')" >> $GITHUB_OUTPUT
          echo "integration-tests=$(echo "$output" | jq -r '.integration_tests')" >> $GITHUB_OUTPUT
-          echo "integration-test-buckets=$(echo "$output" | jq -c '.integration_test_buckets')" >> $GITHUB_OUTPUT
+          echo "integration-tests-run-all=$(echo "$output" | jq -r '.integration_tests_run_all')" >> $GITHUB_OUTPUT
+          echo "integration-test-files=$(echo "$output" | jq -c '.integration_test_files')" >> $GITHUB_OUTPUT
          echo "clang-tidy=$(echo "$output" | jq -r '.clang_tidy')" >> $GITHUB_OUTPUT
          echo "clang-tidy-mode=$(echo "$output" | jq -r '.clang_tidy_mode')" >> $GITHUB_OUTPUT
-          echo "clang-tidy-full-scan=$(echo "$output" | jq -r '.clang_tidy_full_scan')" >> $GITHUB_OUTPUT
          echo "python-linters=$(echo "$output" | jq -r '.python_linters')" >> $GITHUB_OUTPUT
-          echo "import-time=$(echo "$output" | jq -r '.import_time')" >> $GITHUB_OUTPUT
-          echo "device-builder=$(echo "$output" | jq -r '.device_builder')" >> $GITHUB_OUTPUT
-          echo "esp32-platformio=$(echo "$output" | jq -r '.esp32_platformio')" >> $GITHUB_OUTPUT
-          echo "esp32-platformio-components=$(echo "$output" | jq -r '.esp32_platformio_components')" >> $GITHUB_OUTPUT
          echo "changed-components=$(echo "$output" | jq -c '.changed_components')" >> $GITHUB_OUTPUT
          echo "changed-components-with-tests=$(echo "$output" | jq -c '.changed_components_with_tests')" >> $GITHUB_OUTPUT
          echo "directly-changed-components-with-tests=$(echo "$output" | jq -c '.directly_changed_components_with_tests')" >> $GITHUB_OUTPUT
@@ -335,29 +228,24 @@ jobs:
          echo "cpp-unit-tests-run-all=$(echo "$output" | jq -r '.cpp_unit_tests_run_all')" >> $GITHUB_OUTPUT
          echo "cpp-unit-tests-components=$(echo "$output" | jq -c '.cpp_unit_tests_components')" >> $GITHUB_OUTPUT
          echo "component-test-batches=$(echo "$output" | jq -c '.component_test_batches')" >> $GITHUB_OUTPUT
-          echo "validate-only-components=$(echo "$output" | jq -c '.validate_only_components')" >> $GITHUB_OUTPUT
          echo "benchmarks=$(echo "$output" | jq -r '.benchmarks')" >> $GITHUB_OUTPUT
      - name: Save components graph cache
        if: github.ref == 'refs/heads/dev'
-        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: .temp/components_graph.json
          key: components-graph-${{ hashFiles('esphome/components/**/*.py') }}

  integration-tests:
-    name: Run integration tests (${{ matrix.bucket.name }})
+    name: Run integration tests
    runs-on: ubuntu-latest
    needs:
      - common
      - determine-jobs
    if: needs.determine-jobs.outputs.integration-tests == 'true'
-    strategy:
-      fail-fast: false
-      matrix:
-        bucket: ${{ fromJson(needs.determine-jobs.outputs.integration-test-buckets) }}
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Python 3.13
        id: python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -365,40 +253,35 @@ jobs:
          python-version: "3.13"
      - name: Restore Python virtual environment
        id: cache-venv
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: venv
          key: ${{ runner.os }}-${{ steps.python.outputs.python-version }}-venv-${{ needs.common.outputs.cache-key }}
-      - name: Set up uv
-        # Only needed on cache miss to populate the venv.
-        if: steps.cache-venv.outputs.cache-hit != 'true'
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
-        with:
-          enable-cache: true
-          # Pin uv version so the action does not have to fetch the
-          # manifest from raw.githubusercontent.com on every cache
-          # miss; that fetch flakes on Windows runners.
-          version: "0.11.15"
      - name: Create Python virtual environment
        if: steps.cache-venv.outputs.cache-hit != 'true'
        run: |
          python -m venv venv
          . venv/bin/activate
          python --version
-          uv pip install -r requirements.txt -r requirements_test.txt
-          uv pip install -e .
+          pip install -r requirements.txt -r requirements_test.txt
+          pip install -e .
      - name: Register matcher
        run: echo "::add-matcher::.github/workflows/matchers/pytest.json"
      - name: Run integration tests
        env:
-          # JSON array of test paths; parsed into a bash array below to avoid
-          # shell word-splitting / glob hazards.
-          BUCKET_TESTS: ${{ toJson(matrix.bucket.tests) }}
+          INTEGRATION_TEST_FILES: ${{ needs.determine-jobs.outputs.integration-test-files }}
+          INTEGRATION_TESTS_RUN_ALL: ${{ needs.determine-jobs.outputs.integration-tests-run-all }}
        run: |
          . venv/bin/activate
-          mapfile -t test_files < <(echo "$BUCKET_TESTS" | jq -r '.[]')
-          echo "Bucket ${{ matrix.bucket.name }}: running ${#test_files[@]} integration tests"
-          pytest -vv --no-cov --tb=native --durations=30 -n auto "${test_files[@]}"
+          if [[ "$INTEGRATION_TESTS_RUN_ALL" == "true" ]]; then
+            echo "Running all integration tests"
+            pytest -vv --no-cov --tb=native -n auto tests/integration/
+          else
+            # Parse JSON array into bash array to avoid shell expansion issues
+            mapfile -t test_files < <(echo "$INTEGRATION_TEST_FILES" | jq -r '.[]')
+            echo "Running ${#test_files[@]} specific integration tests"
+            pytest -vv --no-cov --tb=native -n auto "${test_files[@]}"
+          fi

  cpp-unit-tests:
    name: Run C++ unit tests
@@ -409,7 +292,7 @@ jobs:
    if: github.event_name == 'pull_request' && (needs.determine-jobs.outputs.cpp-unit-tests-run-all == 'true' || needs.determine-jobs.outputs.cpp-unit-tests-components != '[]')
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Restore Python
        uses: ./.github/actions/restore-python
@@ -438,7 +321,7 @@ jobs:
      (github.event_name == 'pull_request' && needs.determine-jobs.outputs.benchmarks == 'true')
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Restore Python
        uses: ./.github/actions/restore-python
@@ -456,12 +339,9 @@ jobs:
          echo "binary=$BINARY" >> $GITHUB_OUTPUT

      - name: Run CodSpeed benchmarks
-        uses: CodSpeedHQ/action@63f3e98b61959fe67f146a3ff022e4136fe9bb9c # v4.17.6
+        uses: CodSpeedHQ/action@db35df748deb45fdef0960669f57d627c1956c30 # v4
        with:
-          run: |
-            . venv/bin/activate
-            ${{ steps.build.outputs.binary }}
-            pytest tests/benchmarks/python/ --codspeed --no-cov
+          run: ${{ steps.build.outputs.binary }}
          mode: simulation

  clang-tidy-single:
@@ -473,8 +353,6 @@ jobs:
    if: needs.determine-jobs.outputs.clang-tidy == 'true'
    env:
      GH_TOKEN: ${{ github.token }}
-      # esp32-arduino-tidy installs ESP-IDF natively; share the native IDF cache.
-      ESPHOME_ESP_IDF_PREFIX: ~/.esphome-idf
    strategy:
      fail-fast: false
      max-parallel: 2
@@ -485,9 +363,9 @@ jobs:
            options: --environment esp8266-arduino-tidy --grep USE_ESP8266
            pio_cache_key: tidyesp8266
          - id: clang-tidy
-            name: Run script/clang-tidy for ESP32 Arduino
-            options: --environment esp32-arduino-tidy --grep USE_ARDUINO
-            cache_idf: true
+            name: Run script/clang-tidy for ESP32 IDF
+            options: --environment esp32-idf-tidy --grep USE_ESP_IDF
+            pio_cache_key: tidyesp32-idf
          - id: clang-tidy
            name: Run script/clang-tidy for ZEPHYR
            options: --environment nrf52-tidy --grep USE_ZEPHYR --grep USE_NRF52
@@ -496,7 +374,7 @@ jobs:

    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Need history for HEAD~1 to work for checking changed files
          fetch-depth: 2
@@ -508,40 +386,38 @@ jobs:
          cache-key: ${{ needs.common.outputs.cache-key }}

      - name: Cache platformio
-        if: github.ref == 'refs/heads/dev' && matrix.pio_cache_key
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        if: github.ref == 'refs/heads/dev'
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.platformio
          key: platformio-${{ matrix.pio_cache_key }}-${{ hashFiles('platformio.ini') }}

      - name: Cache platformio
-        if: github.ref != 'refs/heads/dev' && matrix.pio_cache_key
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        if: github.ref != 'refs/heads/dev'
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.platformio
          key: platformio-${{ matrix.pio_cache_key }}-${{ hashFiles('platformio.ini') }}

-      - name: Cache ESP-IDF install
-        if: matrix.cache_idf
-        uses: ./.github/actions/cache-esp-idf
-        with:
-          framework: arduino
-
      - name: Register problem matchers
        run: |
          echo "::add-matcher::.github/workflows/matchers/gcc.json"
          echo "::add-matcher::.github/workflows/matchers/clang-tidy.json"

+      - name: Run 'pio run --list-targets -e esp32-idf-tidy'
+        if: matrix.name == 'Run script/clang-tidy for ESP32 IDF'
+        run: |
+          . venv/bin/activate
+          mkdir -p .temp
+          pio run --list-targets -e esp32-idf-tidy
+
      - name: Check if full clang-tidy scan needed
        id: check_full_scan
        run: |
          . venv/bin/activate
-          # determine-jobs.clang-tidy-full-scan is true when core C++ or a
-          # clang-tidy-relevant config file changed, or the ci-run-all label
-          # forced --force-all.
-          if [ "${{ needs.determine-jobs.outputs.clang-tidy-full-scan }}" = "true" ]; then
+          if python script/clang_tidy_hash.py --check; then
            echo "full_scan=true" >> $GITHUB_OUTPUT
-            echo "reason=determine_jobs" >> $GITHUB_OUTPUT
+            echo "reason=hash_changed" >> $GITHUB_OUTPUT
          else
            echo "full_scan=false" >> $GITHUB_OUTPUT
            echo "reason=normal" >> $GITHUB_OUTPUT
@@ -551,7 +427,7 @@ jobs:
        run: |
          . venv/bin/activate
          if [ "${{ steps.check_full_scan.outputs.full_scan }}" = "true" ]; then
-            echo "Running FULL clang-tidy scan (reason: ${{ steps.check_full_scan.outputs.reason }})"
+            echo "Running FULL clang-tidy scan (hash changed)"
            script/clang-tidy --all-headers --fix ${{ matrix.options }} ${{ matrix.ignore_errors && '|| true' || '' }}
          else
            echo "Running clang-tidy on changed files only"
@@ -567,7 +443,7 @@ jobs:
        if: always()

  clang-tidy-nosplit:
-    name: Run script/clang-tidy for ESP32 IDF
+    name: Run script/clang-tidy for ESP32 Arduino
    runs-on: ubuntu-24.04
    needs:
      - common
@@ -575,11 +451,9 @@ jobs:
    if: needs.determine-jobs.outputs.clang-tidy-mode == 'nosplit'
    env:
      GH_TOKEN: ${{ github.token }}
-      # esp32-idf-tidy installs ESP-IDF natively; share the native IDF cache.
-      ESPHOME_ESP_IDF_PREFIX: ~/.esphome-idf
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Need history for HEAD~1 to work for checking changed files
          fetch-depth: 2
@@ -590,8 +464,19 @@ jobs:
          python-version: ${{ env.DEFAULT_PYTHON }}
          cache-key: ${{ needs.common.outputs.cache-key }}

-      - name: Cache ESP-IDF install
-        uses: ./.github/actions/cache-esp-idf
+      - name: Cache platformio
+        if: github.ref == 'refs/heads/dev'
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        with:
+          path: ~/.platformio
+          key: platformio-tidyesp32-${{ hashFiles('platformio.ini') }}
+
+      - name: Cache platformio
+        if: github.ref != 'refs/heads/dev'
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        with:
+          path: ~/.platformio
+          key: platformio-tidyesp32-${{ hashFiles('platformio.ini') }}

      - name: Register problem matchers
        run: |
@@ -602,12 +487,9 @@ jobs:
        id: check_full_scan
        run: |
          . venv/bin/activate
-          # determine-jobs.clang-tidy-full-scan is true when core C++ or a
-          # clang-tidy-relevant config file changed, or the ci-run-all label
-          # forced --force-all.
-          if [ "${{ needs.determine-jobs.outputs.clang-tidy-full-scan }}" = "true" ]; then
+          if python script/clang_tidy_hash.py --check; then
            echo "full_scan=true" >> $GITHUB_OUTPUT
-            echo "reason=determine_jobs" >> $GITHUB_OUTPUT
+            echo "reason=hash_changed" >> $GITHUB_OUTPUT
          else
            echo "full_scan=false" >> $GITHUB_OUTPUT
            echo "reason=normal" >> $GITHUB_OUTPUT
@@ -617,11 +499,11 @@ jobs:
        run: |
          . venv/bin/activate
          if [ "${{ steps.check_full_scan.outputs.full_scan }}" = "true" ]; then
-            echo "Running FULL clang-tidy scan (reason: ${{ steps.check_full_scan.outputs.reason }})"
-            script/clang-tidy --all-headers --fix --environment esp32-idf-tidy
+            echo "Running FULL clang-tidy scan (hash changed)"
+            script/clang-tidy --all-headers --fix --environment esp32-arduino-tidy
          else
            echo "Running clang-tidy on changed files only"
-            script/clang-tidy --all-headers --fix --changed --environment esp32-idf-tidy
+            script/clang-tidy --all-headers --fix --changed --environment esp32-arduino-tidy
          fi
        env:
          # Also cache libdeps, store them in a ~/.platformio subfolder
@@ -640,26 +522,27 @@ jobs:
    if: needs.determine-jobs.outputs.clang-tidy-mode == 'split'
    env:
      GH_TOKEN: ${{ github.token }}
-      # esp32-idf-tidy installs ESP-IDF natively; share the native IDF cache.
-      ESPHOME_ESP_IDF_PREFIX: ~/.esphome-idf
    strategy:
      fail-fast: false
-      max-parallel: 3
+      max-parallel: 2
      matrix:
        include:
          - id: clang-tidy
-            name: Run script/clang-tidy for ESP32 IDF 1/3
-            options: --environment esp32-idf-tidy --split-num 3 --split-at 1
+            name: Run script/clang-tidy for ESP32 Arduino 1/4
+            options: --environment esp32-arduino-tidy --split-num 4 --split-at 1
          - id: clang-tidy
-            name: Run script/clang-tidy for ESP32 IDF 2/3
-            options: --environment esp32-idf-tidy --split-num 3 --split-at 2
+            name: Run script/clang-tidy for ESP32 Arduino 2/4
+            options: --environment esp32-arduino-tidy --split-num 4 --split-at 2
          - id: clang-tidy
-            name: Run script/clang-tidy for ESP32 IDF 3/3
-            options: --environment esp32-idf-tidy --split-num 3 --split-at 3
+            name: Run script/clang-tidy for ESP32 Arduino 3/4
+            options: --environment esp32-arduino-tidy --split-num 4 --split-at 3
+          - id: clang-tidy
+            name: Run script/clang-tidy for ESP32 Arduino 4/4
+            options: --environment esp32-arduino-tidy --split-num 4 --split-at 4

    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Need history for HEAD~1 to work for checking changed files
          fetch-depth: 2
@@ -670,8 +553,19 @@ jobs:
          python-version: ${{ env.DEFAULT_PYTHON }}
          cache-key: ${{ needs.common.outputs.cache-key }}

-      - name: Cache ESP-IDF install
-        uses: ./.github/actions/cache-esp-idf
+      - name: Cache platformio
+        if: github.ref == 'refs/heads/dev'
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        with:
+          path: ~/.platformio
+          key: platformio-tidyesp32-${{ hashFiles('platformio.ini') }}
+
+      - name: Cache platformio
+        if: github.ref != 'refs/heads/dev'
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        with:
+          path: ~/.platformio
+          key: platformio-tidyesp32-${{ hashFiles('platformio.ini') }}

      - name: Register problem matchers
        run: |
@@ -682,12 +576,9 @@ jobs:
        id: check_full_scan
        run: |
          . venv/bin/activate
-          # determine-jobs.clang-tidy-full-scan is true when core C++ or a
-          # clang-tidy-relevant config file changed, or the ci-run-all label
-          # forced --force-all.
-          if [ "${{ needs.determine-jobs.outputs.clang-tidy-full-scan }}" = "true" ]; then
+          if python script/clang_tidy_hash.py --check; then
            echo "full_scan=true" >> $GITHUB_OUTPUT
-            echo "reason=determine_jobs" >> $GITHUB_OUTPUT
+            echo "reason=hash_changed" >> $GITHUB_OUTPUT
          else
            echo "full_scan=false" >> $GITHUB_OUTPUT
            echo "reason=normal" >> $GITHUB_OUTPUT
@@ -697,7 +588,7 @@ jobs:
        run: |
          . venv/bin/activate
          if [ "${{ steps.check_full_scan.outputs.full_scan }}" = "true" ]; then
-            echo "Running FULL clang-tidy scan (reason: ${{ steps.check_full_scan.outputs.reason }})"
+            echo "Running FULL clang-tidy scan (hash changed)"
            script/clang-tidy --all-headers --fix ${{ matrix.options }}
          else
            echo "Running clang-tidy on changed files only"
@@ -711,89 +602,6 @@ jobs:
        run: script/ci-suggest-changes
        if: always()

-  clang-tidy-esp32-variants:
-    name: ${{ matrix.name }}
-    runs-on: ubuntu-24.04
-    needs:
-      - common
-      - determine-jobs
-    if: needs.determine-jobs.outputs.clang-tidy == 'true'
-    env:
-      GH_TOKEN: ${{ github.token }}
-      # The variant tidy envs install ESP-IDF natively; share the native IDF cache.
-      ESPHOME_ESP_IDF_PREFIX: ~/.esphome-idf
-    strategy:
-      fail-fast: false
-      max-parallel: 3
-      matrix:
-        include:
-          - id: clang-tidy
-            name: Run script/clang-tidy for ESP32 S3
-            options: --environment esp32s3-idf-tidy --grep USE_ESP32_VARIANT_ESP32S3
-          - id: clang-tidy
-            name: Run script/clang-tidy for ESP32 P4
-            # P4 has no native Wi-Fi/BLE; those run over the hosted co-processor,
-            # so their code paths differ -- lint them under the P4 build too.
-            # yamllint disable-line rule:line-length
-            options: --environment esp32p4-idf-tidy --grep USE_ESP32_VARIANT_ESP32P4 --grep USE_ESP32_HOSTED --grep USE_WIFI --grep USE_BLE
-          - id: clang-tidy
-            name: Run script/clang-tidy for ESP32 C6
-            # yamllint disable-line rule:line-length
-            options: --environment esp32c6-idf-tidy --grep USE_ESP32_VARIANT_ESP32C6 --grep USE_OPENTHREAD --grep USE_ZIGBEE
-
-    steps:
-      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
-        with:
-          # Need history for HEAD~1 to work for checking changed files
-          fetch-depth: 2
-
-      - name: Restore Python
-        uses: ./.github/actions/restore-python
-        with:
-          python-version: ${{ env.DEFAULT_PYTHON }}
-          cache-key: ${{ needs.common.outputs.cache-key }}
-
-      - name: Cache ESP-IDF install
-        uses: ./.github/actions/cache-esp-idf
-
-      - name: Register problem matchers
-        run: |
-          echo "::add-matcher::.github/workflows/matchers/gcc.json"
-          echo "::add-matcher::.github/workflows/matchers/clang-tidy.json"
-
-      - name: Check if full clang-tidy scan needed
-        id: check_full_scan
-        run: |
-          . venv/bin/activate
-          # determine-jobs.clang-tidy-full-scan is true when core C++ or a
-          # clang-tidy-relevant config file changed, or the ci-run-all label
-          # forced --force-all.
-          if [ "${{ needs.determine-jobs.outputs.clang-tidy-full-scan }}" = "true" ]; then
-            echo "full_scan=true" >> $GITHUB_OUTPUT
-            echo "reason=determine_jobs" >> $GITHUB_OUTPUT
-          else
-            echo "full_scan=false" >> $GITHUB_OUTPUT
-            echo "reason=normal" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Run clang-tidy
-        # Limited variant scan: only the files carrying that variant's code paths
-        # (no --all-headers; the comprehensive esp32-idf pass covers the shared tree).
-        run: |
-          . venv/bin/activate
-          if [ "${{ steps.check_full_scan.outputs.full_scan }}" = "true" ]; then
-            echo "Running FULL clang-tidy scan (reason: ${{ steps.check_full_scan.outputs.reason }})"
-            script/clang-tidy --fix ${{ matrix.options }}
-          else
-            echo "Running clang-tidy on changed files only"
-            script/clang-tidy --fix --changed ${{ matrix.options }}
-          fi
-
-      - name: Suggested changes
-        run: script/ci-suggest-changes
-        if: always()
-
  test-build-components-split:
    name: Test components batch (${{ matrix.components }})
    runs-on: ubuntu-24.04
@@ -801,10 +609,6 @@ jobs:
      - common
      - determine-jobs
    if: github.event_name == 'pull_request' && fromJSON(needs.determine-jobs.outputs.component-test-count) > 0
-    env:
-      # esp32 component builds use the native ESP-IDF toolchain (default), so
-      # share the tidy jobs' install location -- the restore below lands here.
-      ESPHOME_ESP_IDF_PREFIX: ~/.esphome-idf
    strategy:
      fail-fast: false
      max-parallel: ${{ (startsWith(github.base_ref, 'beta') || startsWith(github.base_ref, 'release')) && 8 || 4 }}
@@ -826,18 +630,12 @@ jobs:
          version: 1.0

      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Restore Python
        uses: ./.github/actions/restore-python
        with:
          python-version: ${{ env.DEFAULT_PYTHON }}
          cache-key: ${{ needs.common.outputs.cache-key }}
-      - name: Cache ESP-IDF install (restore-only)
-        # A batch may contain no esp32 build, so never save -- just reuse the
-        # shared install the dev tidy jobs already cached when present.
-        uses: ./.github/actions/cache-esp-idf
-        with:
-          restore-only: true
      - name: Validate and compile components with intelligent grouping
        run: |
          . venv/bin/activate
@@ -889,7 +687,7 @@ jobs:
          fi
          echo ""

-          # Show disk space before validation
+          # Show disk space before validation (after bind mounts setup)
          echo "Disk space before config validation:"
          df -h
          echo ""
@@ -901,97 +699,23 @@ jobs:
          echo "Config validation passed! Starting compilation..."
          echo ""

-          # Compute the compile-stage component list. Components whose only
-          # changes are validate.*.yaml files are config-only -- their source
-          # and test fixtures didn't move, so rebuilding firmware adds no
-          # signal. Subtract them from this batch before invoking compile.
-          validate_only_json='${{ needs.determine-jobs.outputs.validate-only-components }}'
-          if [ -z "$validate_only_json" ]; then
-            validate_only_json='[]'
-          fi
-          if ! validate_only_csv=$(echo "$validate_only_json" | jq -r 'join(",")'); then
-            echo "::error::Failed to render validate-only-components as CSV from: $validate_only_json"
-            exit 1
-          fi
-          if [ -z "$validate_only_csv" ]; then
-            compile_csv="$components_csv"
-          else
-            components_sorted=$(echo "$components_csv" | tr ',' '\n' | sort -u)
-            validate_sorted=$(echo "$validate_only_csv" | tr ',' '\n' | sort -u)
-            if ! diff_out=$(comm -23 <(echo "$components_sorted") <(echo "$validate_sorted")); then
-              echo "::error::Failed to compute compile component subset."
-              exit 1
-            fi
-            compile_csv=$(echo "$diff_out" | paste -sd ',' -)
-            skipped=$(comm -12 <(echo "$components_sorted") <(echo "$validate_sorted") | paste -sd ',' -)
-            if [ -n "$skipped" ]; then
-              echo "Validate-only components in this batch (skipping compile): $skipped"
-            fi
-          fi
-
          # Show disk space before compilation
          echo "Disk space before compilation:"
          df -h
          echo ""

-          if [ -n "$compile_csv" ]; then
-            # Run compilation with grouping and isolation
-            python3 script/test_build_components.py -e compile -c "$compile_csv" -f --isolate "$directly_changed_csv"
-          else
-            echo "All components in this batch are validate-only -- skipping compile stage."
-          fi
-
-  test-esp32-platformio:
-    name: Test esp32 components with PlatformIO
-    runs-on: ubuntu-24.04
-    needs:
-      - common
-      - determine-jobs
-    if: github.event_name == 'pull_request' && needs.determine-jobs.outputs.esp32-platformio == 'true'
-    env:
-      # Comma-joined subset of the esp32 PlatformIO representative component list,
-      # computed by script/determine-jobs.py (esp32_platformio_components_to_test).
-      # Single source of truth -- the full list lives in
-      # script/determine-jobs.py::ESP32_PLATFORMIO_TEST_COMPONENTS.
-      TEST_COMPONENTS: ${{ needs.determine-jobs.outputs.esp32-platformio-components }}
-    steps:
-      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
-
-      - name: Restore Python
-        uses: ./.github/actions/restore-python
-        with:
-          python-version: ${{ env.DEFAULT_PYTHON }}
-          cache-key: ${{ needs.common.outputs.cache-key }}
-
-      - name: Run PlatformIO compile test
-        run: |
-          . venv/bin/activate
-
-          echo "Testing components: $TEST_COMPONENTS"
-          echo ""
-
-          # compile validates config first, so a separate config pass is
-          # redundant for this smoke test. ESP-IDF framework via PlatformIO:
-          python3 script/test_build_components.py -e compile -t esp32-idf -c "$TEST_COMPONENTS" -f --toolchain platformio
-
-          echo ""
-          echo "ESP-IDF-via-PlatformIO build passed! Starting Arduino smoke test..."
-          echo ""
-
-          # Arduino framework via PlatformIO (only components with an esp32-ard test are built):
-          python3 script/test_build_components.py -e compile -t esp32-ard -c "$TEST_COMPONENTS" -f --toolchain platformio
+          # Run compilation with grouping and isolation
+          python3 script/test_build_components.py -e compile -c "$components_csv" -f --isolate "$directly_changed_csv"

  pre-commit-ci-lite:
    name: pre-commit.ci lite
    runs-on: ubuntu-latest
    needs:
      - common
-      - determine-jobs
-    if: github.event_name == 'pull_request' && !startsWith(github.base_ref, 'beta') && !startsWith(github.base_ref, 'release') && needs.determine-jobs.outputs.core-ci == 'true'
+    if: github.event_name == 'pull_request' && !startsWith(github.base_ref, 'beta') && !startsWith(github.base_ref, 'release')
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Restore Python
        uses: ./.github/actions/restore-python
        with:
@@ -999,7 +723,7 @@ jobs:
          cache-key: ${{ needs.common.outputs.cache-key }}
      - uses: esphome/pre-commit-action@43cd1109c09c544d97196f7730ee5b2e0cc6d81e # v3.0.1 fork with pinned actions/cache
        env:
-          SKIP: pylint,ci-custom
+          SKIP: pylint,clang-tidy-hash,ci-custom
      - uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43 # v1.1.0
        if: always()

@@ -1017,7 +741,7 @@ jobs:
      skip: ${{ steps.check-script.outputs.skip || steps.check-tests.outputs.skip }}
    steps:
      - name: Check out target branch
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.base_ref }}

@@ -1093,7 +817,7 @@ jobs:
      - name: Restore cached memory analysis
        id: cache-memory-analysis
        if: steps.check-script.outputs.skip != 'true' && steps.check-tests.outputs.skip != 'true'
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: memory-analysis-target.json
          key: ${{ steps.cache-key.outputs.cache-key }}
@@ -1117,7 +841,7 @@ jobs:

      - name: Cache platformio
        if: steps.check-script.outputs.skip != 'true' && steps.check-tests.outputs.skip != 'true' && steps.cache-memory-analysis.outputs.cache-hit != 'true'
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.platformio
          key: platformio-memory-${{ fromJSON(needs.determine-jobs.outputs.memory_impact).platform }}-${{ hashFiles('platformio.ini') }}
@@ -1159,7 +883,7 @@ jobs:

      - name: Save memory analysis to cache
        if: steps.check-script.outputs.skip != 'true' && steps.check-tests.outputs.skip != 'true' && steps.cache-memory-analysis.outputs.cache-hit != 'true' && steps.build.outcome == 'success'
-        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: memory-analysis-target.json
          key: ${{ steps.cache-key.outputs.cache-key }}
@@ -1180,7 +904,7 @@ jobs:
          fi

      - name: Upload memory analysis JSON
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: memory-analysis-target
          path: memory-analysis-target.json
@@ -1199,14 +923,14 @@ jobs:
      flash_usage: ${{ steps.extract.outputs.flash_usage }}
    steps:
      - name: Check out PR branch
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Restore Python
        uses: ./.github/actions/restore-python
        with:
          python-version: ${{ env.DEFAULT_PYTHON }}
          cache-key: ${{ needs.common.outputs.cache-key }}
      - name: Cache platformio
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.platformio
          key: platformio-memory-${{ fromJSON(needs.determine-jobs.outputs.memory_impact).platform }}-${{ hashFiles('platformio.ini') }}
@@ -1245,7 +969,7 @@ jobs:
            --platform "$platform"

      - name: Upload memory analysis JSON
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: memory-analysis-pr
          path: memory-analysis-pr.json
@@ -1262,13 +986,13 @@ jobs:
      - memory-impact-pr-branch
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && fromJSON(needs.determine-jobs.outputs.memory_impact).should_run == 'true' && needs.memory-impact-target-branch.outputs.skip != 'true'
    permissions:
-      contents: read        # actions/checkout to load the comment-posting script
-      pull-requests: write  # ci_memory_impact_comment.py posts/updates the memory-impact comment on the PR
+      contents: read
+      pull-requests: write
    env:
      GH_TOKEN: ${{ github.token }}
    steps:
      - name: Check out code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Restore Python
        uses: ./.github/actions/restore-python
        with:
@@ -1311,11 +1035,8 @@ jobs:
      - clang-tidy-single
      - clang-tidy-nosplit
      - clang-tidy-split
-      - clang-tidy-esp32-variants
      - determine-jobs
-      - device-builder
      - test-build-components-split
-      - test-esp32-platformio
      - pre-commit-ci-lite
      - memory-impact-target-branch
      - memory-impact-pr-branch
@@ -1331,7 +1052,4 @@ jobs:
          # 1. The target branch has a build issue independent of this PR
          # 2. This PR fixes a build issue on the target branch
          # In either case, we only care that the PR branch builds successfully.
-          # Every other job must have succeeded or been skipped; a "cancelled" or
-          # "failure" result fails this check so CI is not reported green when the
-          # workflow was cancelled.
-          echo "$NEEDS_JSON" | jq -e 'del(.["memory-impact-target-branch"]) | all(.result == "success" or .result == "skipped")'
+          echo "$NEEDS_JSON" | jq -e 'del(.["memory-impact-target-branch"]) | all(.result != "failure")'
--- a/.github/workflows/close-pr-from-fork-default-branch.yml
+++ b/.github/workflows/close-pr-from-fork-default-branch.yml
@@ -1,72 +0,0 @@
-name: Close PR From Fork Default Branch
-
-on:
-  # pull_request_target is required so we have permission to comment and close PRs from forks.
-  pull_request_target:
-    types: [opened, reopened]
-
-permissions:
-  pull-requests: write  # pulls.update to close the PR opened from a fork's default branch
-  issues: write         # issues.createComment to explain to the contributor why the PR was closed
-
-jobs:
-  close:
-    name: Close PR opened from fork's default branch
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
-      && github.event.pull_request.head.ref == github.event.repository.default_branch
-    steps:
-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          script: |
-            const { owner, repo } = context.repo;
-            const prNumber = context.payload.pull_request.number;
-            const author = context.payload.pull_request.user.login;
-            const defaultBranch = context.payload.repository.default_branch;
-            const headRepo = context.payload.pull_request.head.repo.full_name;
-
-            const body = [
-              `Hi @${author}, thanks for opening a pull request! :tada:`,
-              ``,
-              `It looks like this PR was opened from the \`${defaultBranch}\` branch of your fork (\`${headRepo}\`), which is the same name as this repository's default branch. Working directly on \`${defaultBranch}\` in your fork causes a few problems:`,
-              ``,
-              `- Your fork's \`${defaultBranch}\` branch will permanently diverge from \`esphome/esphome:${defaultBranch}\`, making it hard to keep your fork up to date.`,
-              `- Any additional commits you push to \`${defaultBranch}\` will be added to this PR, so you can't easily work on multiple changes at once.`,
-              `- Pushing maintainer fixes to your branch is awkward, since it means committing directly to your fork's default branch.`,
-              `- It makes local collaboration painful — \`${defaultBranch}\` in a checkout becomes ambiguous between upstream and your fork, and maintainers end up with naming collisions when fetching your branch.`,
-              ``,
-              `Please re-open this as a new PR from a dedicated feature branch. The usual flow looks like:`,
-              ``,
-              `\`\`\`bash`,
-              `# Make sure your fork's ${defaultBranch} is up to date with upstream`,
-              `git remote add upstream https://github.com/${owner}/${repo}.git  # if you haven't already`,
-              `git fetch upstream`,
-              `git checkout ${defaultBranch}`,
-              `git reset --hard upstream/${defaultBranch}`,
-              `git push --force-with-lease origin ${defaultBranch}`,
-              ``,
-              `# Create a new branch for your change and cherry-pick / re-apply your commits there`,
-              `git checkout -b my-feature-branch upstream/${defaultBranch}`,
-              `# ...re-apply your changes, then:`,
-              `git push origin my-feature-branch`,
-              `\`\`\``,
-              ``,
-              `Then open a new pull request from \`my-feature-branch\` into \`${owner}/${repo}:${defaultBranch}\`.`,
-              ``,
-              `Closing this PR for now — sorry for the friction, and thanks again for contributing! :heart:`,
-            ].join('\n');
-
-            await github.rest.issues.createComment({
-              owner,
-              repo,
-              issue_number: prNumber,
-              body,
-            });
-
-            await github.rest.pulls.update({
-              owner,
-              repo,
-              pull_number: prNumber,
-              state: 'closed',
-            });
--- a/.github/workflows/codeowner-approved-label-update.yml
+++ b/.github/workflows/codeowner-approved-label-update.yml
@@ -15,9 +15,9 @@ on:
      - beta

 permissions:
-  issues: write       # issues.addLabels / removeLabel to manage the 'code-owner-approved' label on the PR
-  pull-requests: read  # listReviews to determine whether a codeowner has approved
-  contents: read       # actions/checkout to read CODEOWNERS and the shared codeowners.js helper
+  issues: write
+  pull-requests: read
+  contents: read

 jobs:
  codeowner-approved:
@@ -26,7 +26,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout base branch
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.base.sha }}
          sparse-checkout: |
@@ -34,7 +34,7 @@ jobs:
            CODEOWNERS

      - name: Check codeowner approval and update label
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        with:
--- a/.github/workflows/codeowner-review-request.yml
+++ b/.github/workflows/codeowner-review-request.yml
@@ -17,10 +17,9 @@ on:
      - release
      - beta

-# PR/review writes (requestReviewers, issues.createComment) are performed with the App token minted below,
-# so the workflow's GITHUB_TOKEN only needs read access for checkout.
 permissions:
-  contents: read  # actions/checkout to read CODEOWNERS and the shared codeowners.js helper
+  pull-requests: write
+  contents: read

 jobs:
  request-codeowner-reviews:
@@ -29,24 +28,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout base branch
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.base.sha }}

-      - name: Generate a token
-        id: generate-token
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        with:
-          client-id: ${{ vars.ESPHOME_GITHUB_APP_CLIENT_ID }}
-          private-key: ${{ secrets.ESPHOME_GITHUB_APP_PRIVATE_KEY }}
-          # Scope the minted App token to the minimum needed by the github-script step below.
-          permission-pull-requests: write  # pulls.listFiles, pulls.get, pulls.listReviews, pulls.requestReviewers
-          permission-issues: write         # issues.listComments and issues.createComment (PR comments use the issues API)
-
      - name: Request reviews from component codeowners
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
-          github-token: ${{ steps.generate-token.outputs.token }}
          script: |
            const { loadCodeowners, getEffectiveOwners } = require('./.github/scripts/codeowners.js');

--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -16,9 +16,6 @@ on:
  schedule:
    - cron: "30 18 * * 4"

-# Deny by default; the analyze job opts in to exactly what it needs.
-permissions: {}
-
 jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
@@ -29,10 +26,15 @@ jobs:
    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    permissions:
-      security-events: write  # upload CodeQL SARIF results to the Code Scanning API
-      packages: read          # fetch internal or private CodeQL query packs
-      actions: read           # required by codeql-action when run from a private repo
-      contents: read          # actions/checkout to scan the repository
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read

    strategy:
      fail-fast: false
@@ -52,11 +54,11 @@ jobs:
            # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
    steps:
      - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
@@ -84,6 +86,6 @@ jobs:
          exit 1

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          category: "/language:${{matrix.language}}"
--- a/.github/workflows/dashboard-deprecation-comment.yml
+++ b/.github/workflows/dashboard-deprecation-comment.yml
@@ -1,119 +0,0 @@
-name: Add Dashboard Deprecation Comment
-
-on:
-  pull_request_target:
-    types: [opened, synchronize]
-
-# All API calls (pulls.listFiles + issues.{list,create,update}Comment) are performed with
-# the App token minted below, so the workflow's GITHUB_TOKEN does not need any scopes.
-permissions: {}
-
-jobs:
-  dashboard-deprecation-comment:
-    name: Dashboard deprecation comment
-    runs-on: ubuntu-latest
-    # Release-bump PRs (bump-X.Y.Z -> beta, beta -> release) inevitably
-    # roll up everything merged into dev since the last cut, which can
-    # include dashboard changes that have already been reviewed once.
-    # The bot's purpose is to warn new contributors before they invest
-    # time -- that only applies to PRs entering dev.
-    if: github.event.pull_request.base.ref == 'dev'
-    steps:
-      - name: Generate a token
-        id: generate-token
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        with:
-          client-id: ${{ vars.ESPHOME_GITHUB_APP_CLIENT_ID }}
-          private-key: ${{ secrets.ESPHOME_GITHUB_APP_PRIVATE_KEY }}
-          # pulls.listFiles + issues.{list,create,update}Comment on PRs. For PR resources
-          # the issues.*Comment APIs require the pull-requests scope, not issues.
-          permission-pull-requests: write
-
-      - name: Add dashboard deprecation comment
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          github-token: ${{ steps.generate-token.outputs.token }}
-          script: |
-            const commentMarker = "<!-- This comment was generated automatically by the dashboard-deprecation-comment workflow. -->";
-
-            const commentBody = `Thanks for opening this PR!
-
-            Heads up: the legacy ESPHome dashboard (\`esphome/dashboard/\` and \`tests/dashboard/\`) is **deprecated** and is being replaced by [ESPHome Device Builder](https://github.com/esphome/device-builder). We are not adding new features to the legacy dashboard and it will eventually be removed from this repository.
-
-            What this means for your PR:
-
-            - **New features / enhancements**: please port the change to [esphome/device-builder](https://github.com/esphome/device-builder) instead. We are unlikely to review or merge new dashboard features here.
-            - **Bug fixes**: small fixes may still be considered, but please check first whether the same issue exists in Device Builder, where the fix will have a longer life.
-            - **Security issues**: please do not file a public PR. Report privately via [GitHub security advisories](https://github.com/esphome/esphome/security/advisories/new) so we can coordinate a fix.
-
-            We appreciate the contribution and apologize for the friction; flagging this early so your time isn't spent on a change that may not land.
-
-            ---
-            (Added by the PR bot)
-
-            ${commentMarker}`;
-
-            async function getDashboardChanges(github, owner, repo, prNumber) {
-                const changedFiles = await github.paginate(
-                    github.rest.pulls.listFiles,
-                    {
-                        owner: owner,
-                        repo: repo,
-                        pull_number: prNumber,
-                        per_page: 100,
-                    }
-                );
-
-                return changedFiles.filter(file =>
-                    file.filename.startsWith('esphome/dashboard/') ||
-                    file.filename.startsWith('tests/dashboard/')
-                );
-            }
-
-            async function findBotComment(github, owner, repo, prNumber) {
-                const comments = await github.paginate(
-                    github.rest.issues.listComments,
-                    {
-                        owner: owner,
-                        repo: repo,
-                        issue_number: prNumber,
-                        per_page: 100,
-                    }
-                );
-
-                return comments.find(comment =>
-                    comment.body.includes(commentMarker) && comment.user.type === "Bot"
-                );
-            }
-
-            const prNumber = context.payload.pull_request.number;
-            const { owner, repo } = context.repo;
-
-            const dashboardChanges = await getDashboardChanges(github, owner, repo, prNumber);
-            const existingComment = await findBotComment(github, owner, repo, prNumber);
-
-            if (dashboardChanges.length === 0) {
-                // PR doesn't (or no longer) touches the legacy dashboard. If we previously
-                // commented (e.g. files were removed in a later push), leave the comment in
-                // place for history rather than thrash on edit/delete.
-                return;
-            }
-
-            if (existingComment) {
-                if (existingComment.body === commentBody) {
-                    return;
-                }
-                await github.rest.issues.updateComment({
-                    owner: owner,
-                    repo: repo,
-                    comment_id: existingComment.id,
-                    body: commentBody,
-                });
-            } else {
-                await github.rest.issues.createComment({
-                    owner: owner,
-                    repo: repo,
-                    issue_number: prNumber,
-                    body: commentBody,
-                });
-            }
--- a/.github/workflows/external-component-bot.yml
+++ b/.github/workflows/external-component-bot.yml
@@ -4,29 +4,20 @@ on:
  pull_request_target:
    types: [opened, synchronize]

-# All API calls (pulls.listFiles + issues.{list,create,update}Comment) are performed with
-# the App token minted below, so the workflow's GITHUB_TOKEN does not need any scopes.
-permissions: {}
+permissions:
+  contents: read       #  Needed to fetch PR details
+  issues: write        #  Needed to create and update comments (PR comments are managed via the issues REST API)
+  pull-requests: write  # also needed?

 jobs:
  external-comment:
    name: External component comment
    runs-on: ubuntu-latest
    steps:
-      - name: Generate a token
-        id: generate-token
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        with:
-          client-id: ${{ vars.ESPHOME_GITHUB_APP_CLIENT_ID }}
-          private-key: ${{ secrets.ESPHOME_GITHUB_APP_PRIVATE_KEY }}
-          # pulls.listFiles + issues.{list,create,update}Comment on PRs. For PR resources
-          # the issues.*Comment APIs require the pull-requests scope, not issues.
-          permission-pull-requests: write
-
      - name: Add external component comment
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
-          github-token: ${{ steps.generate-token.outputs.token }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // Generate external component usage instructions
            function generateExternalComponentInstructions(prNumber, componentNames, owner, repo) {
--- a/.github/workflows/issue-codeowner-notify.yml
+++ b/.github/workflows/issue-codeowner-notify.yml
@@ -9,8 +9,8 @@ on:
    types: [labeled]

 permissions:
-  issues: write   # issues.createComment to mention component codeowners on the newly labelled issue
-  contents: read  # repos.getContent to fetch CODEOWNERS from the default branch
+  issues: write
+  contents: read

 jobs:
  notify-codeowners:
@@ -19,7 +19,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Notify codeowners for component issues
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const owner = context.repo.owner;
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -6,12 +6,6 @@ on:
    - cron: "30 0 * * *"  # Run daily at 00:30 UTC
  workflow_dispatch:

-# Deny by default; the lock job opts in to exactly what the reusable workflow needs.
-permissions: {}
-
 jobs:
  lock:
-    permissions:
-      issues: write         # issues.lock on closed issues
-      pull-requests: write  # issues.lock on closed pull requests
-    uses: esphome/workflows/.github/workflows/lock.yml@025a1e6255610c498ed590403b7e510b69e474df  # 2026.4.1
+    uses: esphome/workflows/.github/workflows/lock.yml@main
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -8,17 +8,17 @@ on:
      - beta

 permissions:
-  contents: read       # actions/checkout to load detect-tags.js
-  pull-requests: read  # pulls.listFiles to map changed files to component/core/dashboard/ci tags
+  contents: read
+  pull-requests: read

 jobs:
  check:
    name: Validate PR title
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const {
@@ -29,11 +29,10 @@ jobs:
            } = require('./.github/scripts/detect-tags.js');

            const title = context.payload.pull_request.title;
-            const user = context.payload.pull_request.user;
+            const author = context.payload.pull_request.user.login;

-            // Skip bot PRs (e.g. dependabot, esphome[bot] device-class sync) -
-            // they have their own title formats.
-            if (user.type === 'Bot') {
+            // Skip bot PRs (e.g. dependabot) - they have their own title format
+            if (author === 'dependabot[bot]') {
              return;
            }

@@ -69,15 +68,14 @@ jobs:
              return;
            }

-            // Check for MDX syntax characters not wrapped in backticks.
-            // Astro docs MDX treats bare `<` as JSX component opening tags and
-            // bare `{` as JS expressions, so both must be escaped in changelog entries.
+            // Check for angle brackets not wrapped in backticks.
+            // Astro docs MDX treats bare < as JSX component opening tags.
            const stripped = title.replace(/`[^`]*`/g, '');
-            if (/[<>{}]/.test(stripped)) {
+            if (/[<>]/.test(stripped)) {
              core.setFailed(
-                'PR title contains `<`, `>`, `{`, or `}` not wrapped in backticks.\n' +
-                'Astro docs MDX interprets bare `<` as JSX components and bare `{` as JS expressions.\n' +
-                'Please wrap these characters with backticks, e.g.: [component] Add `<feature>` support'
+                'PR title contains `<` or `>` not wrapped in backticks.\n' +
+                'Astro docs MDX interprets bare `<` as JSX components.\n' +
+                'Please wrap angle brackets with backticks, e.g.: [component] Add `<feature>` support'
              );
              return;
            }
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ on:
    - cron: "0 2 * * *"

 permissions:
-  contents: read  # actions/checkout for all jobs; deploy jobs add their own scopes when they need to write
+  contents: read

 jobs:
  init:
@@ -20,7 +20,7 @@ jobs:
      branch_build: ${{ steps.tag.outputs.branch_build }}
      deploy_env: ${{ steps.tag.outputs.deploy_env }}
    steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Get tag
        id: tag
        # yamllint disable rule:line-length
@@ -57,10 +57,10 @@ jobs:
    if: github.repository == 'esphome/esphome' && github.event_name == 'release'
    runs-on: ubuntu-latest
    permissions:
-      contents: read   # actions/checkout to build the sdist/wheel
-      id-token: write  # OIDC token for PyPI Trusted Publishing (pypa/gh-action-pypi-publish)
+      contents: read
+      id-token: write
    steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
@@ -78,8 +78,8 @@ jobs:
    name: Build ESPHome ${{ matrix.platform.arch }}
    if: github.repository == 'esphome/esphome'
    permissions:
-      contents: read   # actions/checkout to load Dockerfile and build context
-      packages: write  # docker/login-action + build-push-action push image digests to ghcr.io
+      contents: read
+      packages: write
    runs-on: ${{ matrix.platform.os }}
    needs: [init]
    strategy:
@@ -92,22 +92,22 @@ jobs:
            os: "ubuntu-24.04-arm"

    steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.11"

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Log in to docker hub
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Log in to the GitHub container registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -138,7 +138,7 @@ jobs:
      #     version: ${{ needs.init.outputs.tag }}

      - name: Upload digests
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: digests-${{ matrix.platform.arch }}
          path: /tmp/digests
@@ -152,8 +152,8 @@ jobs:
      - deploy-docker
    if: github.repository == 'esphome/esphome'
    permissions:
-      contents: read   # actions/checkout to load Dockerfile and build context
-      packages: write  # docker/login-action + build-push-action push image digests to ghcr.io
+      contents: read
+      packages: write
    strategy:
      fail-fast: false
      matrix:
@@ -168,7 +168,7 @@ jobs:
          - ghcr
          - dockerhub
    steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Download digests
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
@@ -178,17 +178,17 @@ jobs:
          merge-multiple: true

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Log in to docker hub
        if: matrix.registry == 'dockerhub'
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Log in to the GitHub container registry
        if: matrix.registry == 'ghcr'
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -212,6 +212,72 @@ jobs:
          docker buildx imagetools create $(jq -Rcnr 'inputs | . / "," | map("-t " + .) | join(" ")' <<< "${{ steps.tags.outputs.tags}}") \
            $(printf '${{ steps.tags.outputs.image }}@sha256:%s ' *)

+  deploy-ha-addon-repo:
+    if: github.repository == 'esphome/esphome' && needs.init.outputs.branch_build == 'false'
+    runs-on: ubuntu-latest
+    needs:
+      - init
+      - deploy-manifest
+    steps:
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        with:
+          app-id: ${{ secrets.ESPHOME_GITHUB_APP_ID }}
+          private-key: ${{ secrets.ESPHOME_GITHUB_APP_PRIVATE_KEY }}
+          owner: esphome
+          repositories: home-assistant-addon
+
+      - name: Trigger Workflow
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          github-token: ${{ steps.generate-token.outputs.token }}
+          script: |
+            let description = "ESPHome";
+            if (context.eventName == "release") {
+              description = ${{ toJSON(github.event.release.body) }};
+            }
+            github.rest.actions.createWorkflowDispatch({
+              owner: "esphome",
+              repo: "home-assistant-addon",
+              workflow_id: "bump-version.yml",
+              ref: "main",
+              inputs: {
+                version: "${{ needs.init.outputs.tag }}",
+                content: description
+              }
+            })
+
+  deploy-esphome-schema:
+    if: github.repository == 'esphome/esphome' && needs.init.outputs.branch_build == 'false'
+    runs-on: ubuntu-latest
+    needs: [init]
+    environment: ${{ needs.init.outputs.deploy_env }}
+    steps:
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        with:
+          app-id: ${{ secrets.ESPHOME_GITHUB_APP_ID }}
+          private-key: ${{ secrets.ESPHOME_GITHUB_APP_PRIVATE_KEY }}
+          owner: esphome
+          repositories: esphome-schema
+
+      - name: Trigger Workflow
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          github-token: ${{ steps.generate-token.outputs.token }}
+          script: |
+            github.rest.actions.createWorkflowDispatch({
+              owner: "esphome",
+              repo: "esphome-schema",
+              workflow_id: "generate-schemas.yml",
+              ref: "main",
+              inputs: {
+                version: "${{ needs.init.outputs.tag }}",
+              }
+            })
+
  version-notifier:
    if: github.repository == 'esphome/esphome' && needs.init.outputs.branch_build == 'false'
    runs-on: ubuntu-latest
@@ -221,20 +287,19 @@ jobs:
    steps:
      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
        with:
-          client-id: ${{ vars.ESPHOME_GITHUB_APP_CLIENT_ID }}
+          app-id: ${{ secrets.ESPHOME_GITHUB_APP_ID }}
          private-key: ${{ secrets.ESPHOME_GITHUB_APP_PRIVATE_KEY }}
          owner: esphome
          repositories: version-notifier
-          permission-actions: write  # actions.createWorkflowDispatch on the target repo (only API call made with this token)

      - name: Trigger Workflow
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          script: |
-            await github.rest.actions.createWorkflowDispatch({
+            github.rest.actions.createWorkflowDispatch({
              owner: "esphome",
              repo: "version-notifier",
              workflow_id: "notify.yml",
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,8 +7,8 @@ on:
  workflow_dispatch:

 permissions:
-  issues: write         # actions/stale labels, comments on, and closes stale issues
-  pull-requests: write  # actions/stale labels, comments on, and closes stale pull requests
+  issues: write
+  pull-requests: write

 concurrency:
  group: lock
@@ -19,7 +19,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Stale
-        uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
+        uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
        with:
          debug-only: ${{ github.ref != 'refs/heads/dev' }} # Dry-run when not run on dev branch
          remove-stale-when-updated: true
--- a/.github/workflows/status-check-labels.yml
+++ b/.github/workflows/status-check-labels.yml
@@ -4,9 +4,6 @@ on:
  pull_request:
    types: [opened, reopened, labeled, unlabeled, synchronize]

-permissions:
-  pull-requests: read  # issues.listLabelsOnIssue to detect blocking labels (needs-docs, merge-after-release, chained-pr)
-
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true
@@ -17,7 +14,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check for blocking labels
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const blockingLabels = ['needs-docs', 'merge-after-release', 'chained-pr'];
--- a/.github/workflows/sync-device-classes.yml
+++ b/.github/workflows/sync-device-classes.yml
@@ -6,32 +6,17 @@ on:
  schedule:
    - cron: "45 6 * * *"

-# Repo writes (branch push, PR open) happen via the App token minted below,
-# so the workflow's GITHUB_TOKEN does not need any write scopes.
-permissions:
-  contents: read  # actions/checkout for this repo and home-assistant/core
-
 jobs:
  sync:
    name: Sync Device Classes
    runs-on: ubuntu-latest
    if: github.repository == 'esphome/esphome'
    steps:
-      - name: Generate a token
-        id: generate-token
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        with:
-          client-id: ${{ vars.ESPHOME_GITHUB_APP_CLIENT_ID }}
-          private-key: ${{ secrets.ESPHOME_GITHUB_APP_PRIVATE_KEY }}
-          # Scope the minted App token to the minimum needed by peter-evans/create-pull-request.
-          permission-contents: write       # git.createCommit + refs.create/update to push the sync/device-classes branch
-          permission-pull-requests: write  # pulls.create / pulls.update to open or refresh the sync PR
-
      - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Checkout Home Assistant
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: home-assistant/core
          path: lib/home-assistant
@@ -41,59 +26,22 @@ jobs:
        with:
          python-version: "3.14"

-      - name: Set up uv
-        # An order of magnitude faster than pip on cold boots, with its
-        # own wheel cache. ``--system`` (below) installs into the
-        # setup-python interpreter so subsequent ``pre-commit`` /
-        # ``script/run-in-env.py`` steps find the deps without a
-        # ``uv run`` prefix.
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
-        with:
-          enable-cache: true
-          # Pin uv version so the action does not have to fetch the
-          # manifest from raw.githubusercontent.com on every cache
-          # miss; that fetch flakes on Windows runners.
-          version: "0.11.15"
-
      - name: Install Home Assistant
        run: |
-          uv pip install --system -e lib/home-assistant
-          uv pip install --system -r requirements.txt -r requirements_test.txt pre-commit
+          python -m pip install --upgrade pip
+          pip install -e lib/home-assistant
+          pip install -r requirements_test.txt pre-commit

      - name: Sync
        run: |
          python ./script/sync-device_class.py

-      - name: Apply pre-commit auto-fixes
-        # First pass: let formatters (ruff, end-of-file-fixer, etc.) modify
-        # files. pre-commit exits non-zero whenever a hook touches anything,
-        # which would otherwise abort the workflow before the auto-fixes
-        # can flow into the sync PR.
-        #
-        # SKIP:
-        #   - no-commit-to-branch is a local guard against committing on
-        #     dev/release/beta; CI runs on dev by definition, and
-        #     peter-evans/create-pull-request creates the branch itself.
-        #   - pylint surfaces import-error / relative-beyond-top-level
-        #     noise here because this workflow installs only a subset of
-        #     the runtime deps (HA + requirements*.txt); main CI already
-        #     gates pylint on real PRs.
-        env:
-          SKIP: pylint,no-commit-to-branch
-        run: python script/run-in-env.py pre-commit run --all-files || true
-
-      - name: Verify pre-commit clean
-        # Second pass: re-run all hooks against the now-fixed tree.
-        # Auto-fixers exit 0 (nothing to change); any remaining failure
-        # from a check-only hook (flake8 / yamllint / ci-custom) is a
-        # real issue and fails the workflow loudly. Same SKIP list as
-        # above for the same reasons.
-        env:
-          SKIP: pylint,no-commit-to-branch
-        run: python script/run-in-env.py pre-commit run --all-files
+      - name: Run pre-commit hooks
+        run: |
+          python script/run-in-env.py pre-commit run --all-files

      - name: Commit changes
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          commit-message: "Synchronise Device Classes from Home Assistant"
          committer: esphomebot <esphome@openhomefoundation.org>
@@ -102,4 +50,4 @@ jobs:
          delete-branch: true
          title: "Synchronise Device Classes from Home Assistant"
          body-path: .github/PULL_REQUEST_TEMPLATE.md
-          token: ${{ steps.generate-token.outputs.token }}
+          token: ${{ secrets.DEVICE_CLASS_SYNC_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@@ -141,12 +141,10 @@ tests/.esphome/

 sdkconfig.*
 !sdkconfig.defaults
-!sdkconfig.defaults.*

 .tests/

 /components
 /managed_components
-/dependencies.lock

 api-docs/
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -6,12 +6,12 @@ ci:
  autoupdate_commit_msg: 'pre-commit: autoupdate'
  autoupdate_schedule: off  # Disabled until ruff versions are synced between deps and pre-commit
  # Skip hooks that have issues in pre-commit CI environment
-  skip: [pylint]
+  skip: [pylint, clang-tidy-hash]

 repos:
  - repo: https://github.com/astral-sh/ruff-pre-commit
    # Ruff version.
-    rev: v0.15.15
+    rev: v0.15.10
    hooks:
      # Run the linter.
      - id: ruff
@@ -55,11 +55,17 @@ repos:
    hooks:
      - id: pylint
        name: pylint
-        entry: python script/run-in-env.py pylint
+        entry: python3 script/run-in-env.py pylint
        language: system
        types: [python]
-        files: ^esphome/.+\.py$
+      - id: clang-tidy-hash
+        name: Update clang-tidy hash
+        entry: python script/clang_tidy_hash.py --update-if-changed
+        language: python
+        files: ^(\.clang-tidy|platformio\.ini|requirements_dev\.txt)$
+        pass_filenames: false
+        additional_dependencies: []
      - id: ci-custom
        name: ci-custom
-        entry: python script/run-in-env.py script/ci-custom.py
+        entry: python3 script/run-in-env.py script/ci-custom.py
        language: system
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1 +1 @@
-AGENTS.md
+.ai/instructions.md
--- a/25
+++ b/25
@@ -19,6 +19,7 @@ esphome/components/ac_dimmer/* @glmnet
 esphome/components/adc/* @esphome/core
 esphome/components/adc128s102/* @DeerMaximum
 esphome/components/addressable_light/* @justfalter
+esphome/components/ade7880/* @kpfleming
 esphome/components/ade7953/* @angelnu
 esphome/components/ade7953_base/* @angelnu
 esphome/components/ade7953_i2c/* @angelnu
@@ -27,7 +28,7 @@ esphome/components/ads1118/* @solomondg1
 esphome/components/ags10/* @mak-42
 esphome/components/aic3204/* @kbx81
 esphome/components/airthings_ble/* @jeromelaban
-esphome/components/airthings_wave_base/* @jeromelaban @ncareau
+esphome/components/airthings_wave_base/* @jeromelaban @kpfleming @ncareau
 esphome/components/airthings_wave_mini/* @ncareau
 esphome/components/airthings_wave_plus/* @jeromelaban @precurse
 esphome/components/alarm_control_panel/* @grahambrown11 @hwstar
@@ -55,7 +56,6 @@ esphome/components/audio_adc/* @kbx81
 esphome/components/audio_dac/* @kbx81
 esphome/components/audio_file/* @kahrendt
 esphome/components/audio_file/media_source/* @kahrendt
-esphome/components/audio_http/* @kahrendt
 esphome/components/axs15231/* @clydebarrow
 esphome/components/b_parasite/* @rbaron
 esphome/components/ballu/* @bazuchan
@@ -83,7 +83,6 @@ esphome/components/bme680_bsec/* @trvrnrth
 esphome/components/bme68x_bsec2/* @kbx81 @neffs
 esphome/components/bme68x_bsec2_i2c/* @kbx81 @neffs
 esphome/components/bmi160/* @flaviut
-esphome/components/bmi270/* @clydebarrow
 esphome/components/bmp280_base/* @ademuri
 esphome/components/bmp280_i2c/* @ademuri
 esphome/components/bmp280_spi/* @ademuri
@@ -139,7 +138,7 @@ esphome/components/dfplayer/* @glmnet
 esphome/components/dfrobot_sen0395/* @niklasweber
 esphome/components/dht/* @OttoWinter
 esphome/components/display_menu_base/* @numo68
-esphome/components/dlms_meter/* @latonita @PolarGoose @SimonFischer04 @Tomer27cz
+esphome/components/dlms_meter/* @SimonFischer04
 esphome/components/dps310/* @kbx81
 esphome/components/ds1307/* @badbadc0ffee
 esphome/components/ds2484/* @mrk-its
@@ -291,7 +290,6 @@ esphome/components/lock/* @esphome/core
 esphome/components/logger/* @esphome/core
 esphome/components/logger/select/* @clydebarrow
 esphome/components/lps22/* @nagisa
-esphome/components/lsm6ds/* @clydebarrow
 esphome/components/ltr390/* @latonita @sjtrny
 esphome/components/ltr501/* @latonita
 esphome/components/ltr_als_ps/* @latonita
@@ -348,11 +346,9 @@ esphome/components/modbus_controller/select/* @martgras @stegm
 esphome/components/modbus_controller/sensor/* @martgras
 esphome/components/modbus_controller/switch/* @martgras
 esphome/components/modbus_controller/text_sensor/* @martgras
-esphome/components/modbus_server/* @exciton
 esphome/components/mopeka_ble/* @Fabian-Schmidt @spbrogan
 esphome/components/mopeka_pro_check/* @spbrogan
 esphome/components/mopeka_std_check/* @Fabian-Schmidt
-esphome/components/motion/* @esphome/core
 esphome/components/mpl3115a2/* @kbickar
 esphome/components/mpu6886/* @fabaff
 esphome/components/ms8607/* @e28eta
@@ -381,7 +377,6 @@ esphome/components/pca6416a/* @Mat931
 esphome/components/pca9554/* @bdraco @clydebarrow @hwstar
 esphome/components/pcf85063/* @brogon
 esphome/components/pcf8563/* @KoenBreeman
-esphome/components/pcm5122/* @remcom
 esphome/components/pi4ioe5v6408/* @jesserockz
 esphome/components/pid/* @OttoWinter
 esphome/components/pipsolar/* @andreashergert1984
@@ -408,7 +403,6 @@ esphome/components/qmp6988/* @andrewpc
 esphome/components/qr_code/* @wjtje
 esphome/components/qspi_dbi/* @clydebarrow
 esphome/components/qwiic_pir/* @kahrendt
-esphome/components/radio_frequency/* @kbx81
 esphome/components/radon_eye_ble/* @jeffeb3
 esphome/components/radon_eye_rd200/* @jeffeb3
 esphome/components/rc522/* @glmnet
@@ -419,8 +413,6 @@ esphome/components/resampler/speaker/* @kahrendt
 esphome/components/restart/* @esphome/core
 esphome/components/rf_bridge/* @jesserockz
 esphome/components/rgbct/* @jesserockz
-esphome/components/ring_buffer/* @kahrendt
-esphome/components/router/speaker/* @kahrendt
 esphome/components/rp2040/* @jesserockz
 esphome/components/rp2040_ble/* @bdraco
 esphome/components/rp2040_pio_led_strip/* @Papa-DMan
@@ -445,12 +437,7 @@ esphome/components/select/* @esphome/core
 esphome/components/sen0321/* @notjj
 esphome/components/sen21231/* @shreyaskarnik
 esphome/components/sen5x/* @martgras
-esphome/components/sen6x/* @martgras @mebner86 @tuct
-esphome/components/sendspin/* @kahrendt
-esphome/components/sendspin/media_player/* @kahrendt
-esphome/components/sendspin/media_source/* @kahrendt
-esphome/components/sendspin/sensor/* @kahrendt
-esphome/components/sendspin/text_sensor/* @kahrendt
+esphome/components/sen6x/* @martgras @mebner86 @mikelawrence @tuct
 esphome/components/sensirion_common/* @martgras
 esphome/components/sensor/* @esphome/core
 esphome/components/serial_proxy/* @kbx81
@@ -561,7 +548,6 @@ esphome/components/uart/packet_transport/* @clydebarrow
 esphome/components/udp/* @clydebarrow
 esphome/components/ufire_ec/* @pvizeli
 esphome/components/ufire_ise/* @pvizeli
-esphome/components/ufm01/* @ljungqvist
 esphome/components/ultrasonic/* @ssieb @swoboda1337
 esphome/components/update/* @jesserockz
 esphome/components/uponor_smatrix/* @kroimon
@@ -599,7 +585,6 @@ esphome/components/wk2212_spi/* @DrCoolZic
 esphome/components/wl_134/* @hobbypunk90
 esphome/components/wts01/* @alepee
 esphome/components/x9c/* @EtienneMD
-esphome/components/xdb401/* @RT530
 esphome/components/xgzp68xx/* @gcormier
 esphome/components/xiaomi_hhccjcy10/* @fariouche
 esphome/components/xiaomi_lywsd02mmc/* @juanluss31
@@ -614,6 +599,6 @@ esphome/components/xxtea/* @clydebarrow
 esphome/components/zephyr/* @tomaszduda23
 esphome/components/zephyr_mcumgr/ota/* @tomaszduda23
 esphome/components/zhlt01/* @cfeenstra1024
-esphome/components/zigbee/* @luar123 @tomaszduda23
+esphome/components/zigbee/* @tomaszduda23
 esphome/components/zio_ultrasonic/* @kahrendt
 esphome/components/zwave_proxy/* @kbx81
--- a/2
+++ b/2
@@ -48,7 +48,7 @@ PROJECT_NAME           = ESPHome
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         = 2026.7.0-dev
+PROJECT_NUMBER         = 2026.5.0-dev

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
--- a/GEMINI.md
+++ b/GEMINI.md
@@ -1 +1 @@
-AGENTS.md
+.ai/instructions.md
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -4,5 +4,4 @@ include requirements.txt
 recursive-include esphome *.yaml
 recursive-include esphome *.cpp *.h *.tcc *.c
 recursive-include esphome *.py.script
-recursive-include esphome *.jinja
 recursive-include esphome LICENSE.txt
--- a/THREAT_MODEL.md
+++ b/THREAT_MODEL.md
@@ -1,104 +0,0 @@
-# ESPHome Threat Model
-
-This document defines the trust boundary for the **ESPHome** repository — the
-Python compiler/CLI and the device firmware it generates — so that real security
-bugs can be told apart from defense-in-depth improvements. It gives contributors,
-reviewers, and security researchers a clear answer to one question:
-**does this issue let an _unauthenticated_ attacker do something they shouldn't?**
-
-Related documents:
-
- Deployment guidance for operators:
-  https://esphome.io/guides/security_best_practices/
- The **Device Builder dashboard** (the web UI, its authentication, ingress,
-  Origin/Host gates, and peer-link pairing) lives in a separate repository and
-  has its own threat model. If your report concerns any of that, please read and
-  report there instead:
-  https://github.com/esphome/device-builder/blob/main/docs/THREAT_MODEL.md
-
-## The trust boundary
-
-For this repository there are two trusted inputs by design:
-
-1. **The configuration.** Anyone who can supply or edit a YAML config is trusted
-   (see below).
-2. **Authenticated peers of a running device** — clients holding the device's
-   API encryption key / password, OTA password, or web server credentials.
-
-The security boundary is therefore **unauthenticated network traffic vs. those
-trusted inputs.** A bug that lets an unauthenticated attacker cross it is a
-security bug.
-
-## Config authors are host-equivalent by design
-
-Anyone who can supply or edit a configuration is **trusted with full code
-execution on the host that runs `esphome`**, on purpose. This is what the product
-does, not a flaw. A config author can already, through fully supported features:
-
- Run arbitrary **Python** at validation/compile time via `external_components:`
-  (and other component-import mechanisms) — ESPHome imports those packages as
-  ordinary Python.
- Run arbitrary **shell** commands through the compile/validate/flash toolchain
-  that ESPHome invokes as subprocesses.
- Read and write arbitrary files reachable by the process (e.g. via `!include`,
-  `packages:`, `dashboard_import:`, and generated build output).
-
-Because of this, a malicious config author is equivalent to shell access on the
-host running the build.
-
-## What is *not* a security vulnerability
-
-If exploiting an issue requires the ability to supply or edit configuration, it
-is **not** a vulnerability in ESPHome, because that ability already grants host
-code execution. This explicitly includes, among others:
-
- Template / expression injection in substitutions or any YAML string value
-  (e.g. Jinja `${...}` evaluation reaching Python internals). This grants no
-  capability a config author lacks.
- `!include` / `packages:` / `dashboard_import:` reading or fetching content
-  from surprising or remote locations.
- The validator or compiler crashing or behaving unexpectedly on adversarial
-  YAML.
- ESPHome running as root in the official container — that is the documented
-  deployment posture, reachable by the same caller through the features above.
-
-These do not warrant a CVE or coordinated disclosure. Hardening in these areas
-(for example, sandboxing template evaluation as least-surprise defense-in-depth)
-is welcome as a normal enhancement PR, framed as cleanliness rather than a
-security fix — not as a vulnerability remediation.
-
-## What we do defend
-
-These *are* security bugs in this repo, and we want to hear about them privately:
-
- Memory-safety or protocol bugs in the generated **device firmware** that are
-  remotely triggerable over the network (native API, web server, OTA, BLE,
-  captive portal, etc.) **without** valid credentials.
- Authentication or encryption bypass on the device — reaching API calls, OTA
-  updates, or the web server without the configured key/password.
- Flaws that weaken the device's API encryption (Noise), OTA, or web server auth
-  below their documented guarantees.
-
-## Explicitly out of scope
-
- Local attackers who already have shell access on the host that runs `esphome`.
- Supply-chain attacks against ESPHome or its dependencies.
- Operator-supplied hostile YAML (covered above — config authoring is trusted).
- Attacks that require an already-authenticated device peer (someone who already
-  holds the API key / OTA / web credentials).
- Anything in the dashboard / device-builder — report that in its own repository
-  (linked at the top).
- The legacy bundled dashboard in this repo (`esphome/dashboard/`) — it is
-  deprecated and being replaced by Device Builder; report dashboard issues there.
- Deployments where the operator removed protections or exposed credentials. See
-  the security best practices guide:
-  https://esphome.io/guides/security_best_practices/
-
-## Reporting a vulnerability
-
-If you believe you've found an issue that crosses the unauthenticated boundary
-above, please report it privately via GitHub Security Advisories rather than a
-public issue. For issues that require config-write access, please review this
-document first — they are very likely out of scope by design. For dashboard /
-device-builder issues, report against that repository and consult its threat
-model (linked at the top).
--- a/codecov.yml
+++ b/codecov.yml
@@ -1,18 +0,0 @@
-coverage:
-  status:
-    patch:
-      default:
-        target: 100%
-        threshold: 0%
-    project:
-      default:
-        informational: true
-
-ignore:
-  - "esphome/components/**/*"
-  - "esphome/analyze_memory/**/*"
-  - "tests/integration/**/*"
-
-comment:
-  layout: "reach, diff, flags, files"
-  require_changes: true
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,9 +1,10 @@
 ARG BUILD_VERSION=dev
-ARG BUILD_BASE_VERSION=2026.06.0
+ARG BUILD_OS=alpine
+ARG BUILD_BASE_VERSION=2025.04.0
 ARG BUILD_TYPE=docker

-FROM ghcr.io/esphome/docker-base:debian-${BUILD_BASE_VERSION} AS base-source-docker
-FROM ghcr.io/esphome/docker-base:debian-ha-addon-${BUILD_BASE_VERSION} AS base-source-ha-addon
+FROM ghcr.io/esphome/docker-base:${BUILD_OS}-${BUILD_BASE_VERSION} AS base-source-docker
+FROM ghcr.io/esphome/docker-base:${BUILD_OS}-ha-addon-${BUILD_BASE_VERSION} AS base-source-ha-addon

 ARG BUILD_TYPE
 FROM base-source-${BUILD_TYPE} AS base
@@ -12,14 +13,14 @@ RUN git config --system --add safe.directory "*" \
    && git config --system advice.detachedHead false

 # Install build tools for Python packages that require compilation
-# (e.g., ruamel.yaml.clib used by ESP-IDF's idf-component-manager).
-# Also install libusb-1.0 at runtime so the ESP-IDF tools installer can
-# validate openocd-esp32 (it dynamically links libusb-1.0.so.0); without
-# it idf_tools.py rejects the openocd install with exit 127 and aborts
-# the whole framework setup.
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends build-essential libusb-1.0-0 \
-    && rm -rf /var/lib/apt/lists/*
+# (e.g., ruamel.yaml.clibz used by ESP-IDF's idf-component-manager)
+RUN if command -v apk > /dev/null; then \
+        apk add --no-cache build-base; \
+    else \
+        apt-get update \
+        && apt-get install -y --no-install-recommends build-essential \
+        && rm -rf /var/lib/apt/lists/*; \
+    fi

 ENV PIP_DISABLE_PIP_VERSION_CHECK=1

@@ -31,9 +32,6 @@ RUN \
    uv pip install --no-cache-dir \
    -r /requirements.txt

-# Install the ESPHome Device Builder dashboard.
-RUN uv pip install --no-cache-dir esphome-device-builder==1.0.12
-
 RUN \
    platformio settings set enable_telemetry No \
    && platformio settings set check_platformio_interval 1000000 \
--- a/docker/build.py
+++ b/docker/build.py
@@ -20,10 +20,6 @@ TYPE_HA_ADDON = "ha-addon"
 TYPE_LINT = "lint"
 TYPES = [TYPE_DOCKER, TYPE_HA_ADDON, TYPE_LINT]

-REGISTRY_GHCR = "ghcr"
-REGISTRY_DOCKERHUB = "dockerhub"
-REGISTRIES = [REGISTRY_GHCR, REGISTRY_DOCKERHUB]
-

 parser = argparse.ArgumentParser()
 parser.add_argument(
@@ -38,12 +34,6 @@ parser.add_argument(
 parser.add_argument(
    "--build-type", choices=TYPES, required=True, help="The type of build to run"
 )
-parser.add_argument(
-    "--registry",
-    choices=REGISTRIES,
-    action="append",
-    help="Restrict to specific registries (default: all). May be passed multiple times.",
-)
 parser.add_argument(
    "--dry-run", action="store_true", help="Don't run any commands, just print them"
 )
@@ -55,11 +45,6 @@ build_parser.add_argument("--push", help="Also push the images", action="store_t
 build_parser.add_argument(
    "--load", help="Load the docker image locally", action="store_true"
 )
-build_parser.add_argument(
-    "--no-cache-to",
-    help="Don't write the build cache (avoids polluting the shared cache)",
-    action="store_true",
-)
 manifest_parser = subparsers.add_parser(
    "manifest", help="Create a manifest from already pushed images"
 )
@@ -110,14 +95,11 @@ def main():
                print("Command failed")
                sys.exit(1)

-    registries = args.registry or REGISTRIES
-
    # detect channel from tag
    match = re.match(r"^(\d+\.\d+)(?:\.\d+)?(b\d+)?$", args.tag)
    major_minor_version = None
    if match is None:
-        # Custom tag (e.g. a branch name) -- push only the tag itself
-        channel = None
+        channel = CHANNEL_DEV
    elif match.group(2) is None:
        major_minor_version = match.group(1)
        channel = CHANNEL_RELEASE
@@ -146,18 +128,11 @@ def main():
            CHANNEL_DEV: "cache-dev",
            CHANNEL_BETA: "cache-beta",
            CHANNEL_RELEASE: "cache-latest",
-        }.get(channel, "cache-dev")
-        # Cache images live alongside the pushed images; prefer GHCR when it is
-        # one of the selected registries, otherwise fall back to Docker Hub so a
-        # registry-restricted build doesn't need GHCR auth.
-        cache_prefix = "ghcr.io/" if REGISTRY_GHCR in registries else ""
-        cache_img = f"{cache_prefix}{params.build_to}:{cache_tag}"
+        }[channel]
+        cache_img = f"ghcr.io/{params.build_to}:{cache_tag}"

-        imgs = []
-        if REGISTRY_DOCKERHUB in registries:
-            imgs += [f"{params.build_to}:{tag}" for tag in tags_to_push]
-        if REGISTRY_GHCR in registries:
-            imgs += [f"ghcr.io/{params.build_to}:{tag}" for tag in tags_to_push]
+        imgs = [f"{params.build_to}:{tag}" for tag in tags_to_push]
+        imgs += [f"ghcr.io/{params.build_to}:{tag}" for tag in tags_to_push]

        # 3. build
        cmd = [
@@ -180,9 +155,7 @@ def main():
        for img in imgs:
            cmd += ["--tag", img]
        if args.push:
-            cmd += ["--push"]
-            if not args.no_cache_to:
-                cmd += ["--cache-to", f"type=registry,ref={cache_img},mode=max"]
+            cmd += ["--push", "--cache-to", f"type=registry,ref={cache_img},mode=max"]
        if args.load:
            cmd += ["--load"]

@@ -190,22 +163,20 @@ def main():
    elif args.command == "manifest":
        manifest = DockerParams.for_type_arch(args.build_type, ARCH_AMD64).manifest_to

-        targets = []
-        if REGISTRY_DOCKERHUB in registries:
-            targets += [f"{manifest}:{tag}" for tag in tags_to_push]
-        if REGISTRY_GHCR in registries:
-            targets += [f"ghcr.io/{manifest}:{tag}" for tag in tags_to_push]
-        # Use buildx imagetools (not `docker manifest`) so the per-arch sources,
-        # which buildx pushes as single-platform manifest lists, are combined
-        # and pushed correctly in one step.
+        targets = [f"{manifest}:{tag}" for tag in tags_to_push]
+        targets += [f"ghcr.io/{manifest}:{tag}" for tag in tags_to_push]
+        # 1. Create manifests
        for target in targets:
-            cmd = ["docker", "buildx", "imagetools", "create", "--tag", target]
+            cmd = ["docker", "manifest", "create", target]
            for arch in ARCHS:
                src = f"{DockerParams.for_type_arch(args.build_type, arch).build_to}:{args.tag}"
                if target.startswith("ghcr.io"):
                    src = f"ghcr.io/{src}"
                cmd.append(src)
            run_command(*cmd)
+        # 2. Push manifests
+        for target in targets:
+            run_command("docker", "manifest", "push", target)


 if __name__ == "__main__":
--- a/docker/docker_entrypoint.sh
+++ b/docker/docker_entrypoint.sh
@@ -27,12 +27,4 @@ if [[ -d /build ]]; then
    export ESPHOME_BUILD_PATH=/build
 fi

-# The default CMD is "dashboard /config". Route the dashboard to the new
-# Device Builder, but pass every other subcommand (compile, run, config,
-# logs, ...) straight through to the esphome CLI so direct CLI use keeps working.
-if [[ "$1" == "dashboard" ]]; then
-    shift
-    exec esphome-device-builder "$@"
-fi
-
 exec esphome "$@"
--- a/docker/ha-addon-rootfs/etc/nginx/includes/mime.types
+++ b/docker/ha-addon-rootfs/etc/nginx/includes/mime.types
@@ -0,0 +1,96 @@
+types {
+    text/html                                        html htm shtml;
+    text/css                                         css;
+    text/xml                                         xml;
+    image/gif                                        gif;
+    image/jpeg                                       jpeg jpg;
+    application/javascript                           js;
+    application/atom+xml                             atom;
+    application/rss+xml                              rss;
+
+    text/mathml                                      mml;
+    text/plain                                       txt;
+    text/vnd.sun.j2me.app-descriptor                 jad;
+    text/vnd.wap.wml                                 wml;
+    text/x-component                                 htc;
+
+    image/png                                        png;
+    image/svg+xml                                    svg svgz;
+    image/tiff                                       tif tiff;
+    image/vnd.wap.wbmp                               wbmp;
+    image/webp                                       webp;
+    image/x-icon                                     ico;
+    image/x-jng                                      jng;
+    image/x-ms-bmp                                   bmp;
+
+    font/woff                                        woff;
+    font/woff2                                       woff2;
+
+    application/java-archive                         jar war ear;
+    application/json                                 json;
+    application/mac-binhex40                         hqx;
+    application/msword                               doc;
+    application/pdf                                  pdf;
+    application/postscript                           ps eps ai;
+    application/rtf                                  rtf;
+    application/vnd.apple.mpegurl                    m3u8;
+    application/vnd.google-earth.kml+xml             kml;
+    application/vnd.google-earth.kmz                 kmz;
+    application/vnd.ms-excel                         xls;
+    application/vnd.ms-fontobject                    eot;
+    application/vnd.ms-powerpoint                    ppt;
+    application/vnd.oasis.opendocument.graphics      odg;
+    application/vnd.oasis.opendocument.presentation  odp;
+    application/vnd.oasis.opendocument.spreadsheet   ods;
+    application/vnd.oasis.opendocument.text          odt;
+    application/vnd.openxmlformats-officedocument.presentationml.presentation
+                                                     pptx;
+    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+                                                     xlsx;
+    application/vnd.openxmlformats-officedocument.wordprocessingml.document
+                                                     docx;
+    application/vnd.wap.wmlc                         wmlc;
+    application/x-7z-compressed                      7z;
+    application/x-cocoa                              cco;
+    application/x-java-archive-diff                  jardiff;
+    application/x-java-jnlp-file                     jnlp;
+    application/x-makeself                           run;
+    application/x-perl                               pl pm;
+    application/x-pilot                              prc pdb;
+    application/x-rar-compressed                     rar;
+    application/x-redhat-package-manager             rpm;
+    application/x-sea                                sea;
+    application/x-shockwave-flash                    swf;
+    application/x-stuffit                            sit;
+    application/x-tcl                                tcl tk;
+    application/x-x509-ca-cert                       der pem crt;
+    application/x-xpinstall                          xpi;
+    application/xhtml+xml                            xhtml;
+    application/xspf+xml                             xspf;
+    application/zip                                  zip;
+
+    application/octet-stream                         bin exe dll;
+    application/octet-stream                         deb;
+    application/octet-stream                         dmg;
+    application/octet-stream                         iso img;
+    application/octet-stream                         msi msp msm;
+
+    audio/midi                                       mid midi kar;
+    audio/mpeg                                       mp3;
+    audio/ogg                                        ogg;
+    audio/x-m4a                                      m4a;
+    audio/x-realaudio                                ra;
+
+    video/3gpp                                       3gpp 3gp;
+    video/mp2t                                       ts;
+    video/mp4                                        mp4;
+    video/mpeg                                       mpeg mpg;
+    video/quicktime                                  mov;
+    video/webm                                       webm;
+    video/x-flv                                      flv;
+    video/x-m4v                                      m4v;
+    video/x-mng                                      mng;
+    video/x-ms-asf                                   asx asf;
+    video/x-ms-wmv                                   wmv;
+    video/x-msvideo                                  avi;
+}
--- a/docker/ha-addon-rootfs/etc/nginx/includes/proxy_params.conf
+++ b/docker/ha-addon-rootfs/etc/nginx/includes/proxy_params.conf
@@ -0,0 +1,16 @@
+proxy_http_version          1.1;
+proxy_ignore_client_abort   off;
+proxy_read_timeout          86400s;
+proxy_redirect              off;
+proxy_send_timeout          86400s;
+proxy_max_temp_file_size    0;
+
+proxy_set_header Accept-Encoding "";
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-NginX-Proxy true;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Authorization "";
--- a/docker/ha-addon-rootfs/etc/nginx/includes/server_params.conf
+++ b/docker/ha-addon-rootfs/etc/nginx/includes/server_params.conf
@@ -0,0 +1,8 @@
+root            /dev/null;
+server_name     $hostname;
+
+client_max_body_size 512m;
+
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;
--- a/docker/ha-addon-rootfs/etc/nginx/includes/ssl_params.conf
+++ b/docker/ha-addon-rootfs/etc/nginx/includes/ssl_params.conf
@@ -0,0 +1,8 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_session_timeout  10m;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
--- a/docker/ha-addon-rootfs/etc/nginx/includes/upstream.conf
+++ b/docker/ha-addon-rootfs/etc/nginx/includes/upstream.conf
@@ -0,0 +1,3 @@
+upstream esphome {
+    server unix:/var/run/esphome.sock;
+}
--- a/docker/ha-addon-rootfs/etc/nginx/nginx.conf
+++ b/docker/ha-addon-rootfs/etc/nginx/nginx.conf
@@ -0,0 +1,30 @@
+daemon off;
+user root;
+pid /var/run/nginx.pid;
+worker_processes 1;
+error_log /proc/1/fd/1 error;
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/includes/mime.types;
+
+    access_log              off;
+    default_type            application/octet-stream;
+    gzip                    on;
+    keepalive_timeout       65;
+    sendfile                on;
+    server_tokens           off;
+
+    tcp_nodelay             on;
+    tcp_nopush              on;
+
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+    }
+
+    include /etc/nginx/includes/upstream.conf;
+    include /etc/nginx/servers/*.conf;
+}
--- a/docker/ha-addon-rootfs/etc/nginx/servers/.gitkeep
+++ b/docker/ha-addon-rootfs/etc/nginx/servers/.gitkeep
@@ -0,0 +1 @@
+Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley)
--- a/docker/ha-addon-rootfs/etc/nginx/templates/direct.gtpl
+++ b/docker/ha-addon-rootfs/etc/nginx/templates/direct.gtpl
@@ -0,0 +1,28 @@
+server {
+    {{ if not .ssl }}
+    listen 6052 default_server;
+    {{ else }}
+    listen 6052 default_server ssl http2;
+    {{ end }}
+
+    include /etc/nginx/includes/server_params.conf;
+    include /etc/nginx/includes/proxy_params.conf;
+
+    {{ if .ssl }}
+    include /etc/nginx/includes/ssl_params.conf;
+
+    ssl_certificate /ssl/{{ .certfile }};
+    ssl_certificate_key /ssl/{{ .keyfile }};
+
+    # Redirect http requests to https on the same port.
+    # https://rageagainstshell.com/2016/11/redirect-http-to-https-on-the-same-port-in-nginx/
+    error_page 497 https://$http_host$request_uri;
+    {{ end }}
+
+    # Clear Home Assistant Ingress header
+    proxy_set_header X-HA-Ingress "";
+
+    location / {
+        proxy_pass http://esphome;
+    }
+}
--- a/docker/ha-addon-rootfs/etc/nginx/templates/ingress.gtpl
+++ b/docker/ha-addon-rootfs/etc/nginx/templates/ingress.gtpl
@@ -0,0 +1,18 @@
+server {
+    listen 127.0.0.1:{{ .port }} default_server;
+    listen {{ .interface }}:{{ .port }} default_server;
+
+    include /etc/nginx/includes/server_params.conf;
+    include /etc/nginx/includes/proxy_params.conf;
+
+    # Set Home Assistant Ingress header
+    proxy_set_header X-HA-Ingress "YES";
+
+    location / {
+        allow   172.30.32.2;
+        allow   127.0.0.1;
+        deny    all;
+
+        proxy_pass http://esphome;
+    }
+}
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/discovery/dependencies.d/nginx
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/discovery/dependencies.d/nginx
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/discovery/run
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/discovery/run
@@ -16,7 +16,7 @@ fi

 port=$(bashio::addon.ingress_port)

-# Wait for the ESPHome Device Builder to become available
+# Wait for NGINX to become available
 bashio::net.wait_for "${port}" "127.0.0.1" 300

 config=$(\
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/esphome/finish
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/esphome/finish
@@ -2,7 +2,7 @@
 # shellcheck shell=bash
 # ==============================================================================
 # Home Assistant Community Add-on: ESPHome
-# Take down the S6 supervision tree when ESPHome Device Builder fails
+# Take down the S6 supervision tree when ESPHome dashboard fails
 # ==============================================================================
 declare exit_code
 readonly exit_code_container=$(</run/s6-linux-init-container-results/exitcode)
@@ -10,7 +10,7 @@ readonly exit_code_service="${1}"
 readonly exit_code_signal="${2}"

 bashio::log.info \
-  "Service ESPHome Device Builder exited with code ${exit_code_service}" \
+  "Service ESPHome dashboard exited with code ${exit_code_service}" \
  "(by signal ${exit_code_signal})"

 if [[ "${exit_code_service}" -eq 256 ]]; then
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/esphome/run
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/esphome/run
@@ -2,7 +2,7 @@
 # shellcheck shell=bash
 # ==============================================================================
 # Community Hass.io Add-ons: ESPHome
-# Runs the ESPHome Device Builder
+# Runs the ESPHome dashboard
 # ==============================================================================
 readonly pio_cache_base=/data/cache/platformio

@@ -49,21 +49,5 @@ if bashio::fs.directory_exists '/config/esphome/.esphome'; then
    rm -rf /config/esphome/.esphome
 fi

-# Only signal device-builder to expose the public LAN port when the operator
-# mapped port 6052, matching the legacy dashboard where nginx listened on the
-# fixed port 6052 only when it was configured. We use the mapping purely as a
-# presence check and don't forward the published value; device-builder binds
-# its default port 6052 (the fixed container port, as the legacy
-# "listen 6052" did). --ha-addon-allow-public is inert on its own: the no-auth
-# gate is the DISABLE_HA_AUTHENTICATION env var set above, so both opt-ins are
-# required to bind 6052 unauthenticated; either alone stays ingress-only.
-set --
-if bashio::var.has_value "$(bashio::addon.port 6052)"; then
-    set -- --ha-addon-allow-public
-fi
-
-bashio::log.info "Starting ESPHome Device Builder..."
-exec esphome-device-builder /config/esphome \
-    --ha-addon \
-    --ingress-port "$(bashio::addon.ingress_port)" \
-    "$@"
+bashio::log.info "Starting ESPHome dashboard..."
+exec esphome dashboard /config/esphome --socket /var/run/esphome.sock --ha-addon
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/init-nginx/dependencies.d/base
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/init-nginx/dependencies.d/base
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/init-nginx/run
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/init-nginx/run
@@ -0,0 +1,27 @@
+#!/command/with-contenv bashio
+# shellcheck shell=bash
+# ==============================================================================
+# Community Hass.io Add-ons: ESPHome
+# Configures NGINX for use with ESPHome
+# ==============================================================================
+mkdir -p /var/log/nginx
+
+# Generate Ingress configuration
+bashio::var.json \
+    interface "$(bashio::addon.ip_address)" \
+    port "^$(bashio::addon.ingress_port)" \
+    | tempio \
+        -template /etc/nginx/templates/ingress.gtpl \
+        -out /etc/nginx/servers/ingress.conf
+
+# Generate direct access configuration, if enabled.
+if bashio::var.has_value "$(bashio::addon.port 6052)"; then
+    bashio::config.require.ssl
+    bashio::var.json \
+        certfile "$(bashio::config 'certfile')" \
+        keyfile "$(bashio::config 'keyfile')" \
+        ssl "^$(bashio::config 'ssl')" \
+        | tempio \
+            -template /etc/nginx/templates/direct.gtpl \
+            -out /etc/nginx/servers/direct.conf
+fi
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/init-nginx/type
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/init-nginx/type
@@ -0,0 +1 @@
+oneshot
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/init-nginx/up
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/init-nginx/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-nginx/run
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/nginx/dependencies.d/esphome
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/nginx/dependencies.d/esphome
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/nginx/dependencies.d/init-nginx
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/nginx/dependencies.d/init-nginx
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/nginx/finish
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/nginx/finish
@@ -0,0 +1,25 @@
+#!/command/with-contenv bashio
+# ==============================================================================
+# Community Hass.io Add-ons: ESPHome
+# Take down the S6 supervision tree when NGINX fails
+# ==============================================================================
+declare exit_code
+readonly exit_code_container=$(</run/s6-linux-init-container-results/exitcode)
+readonly exit_code_service="${1}"
+readonly exit_code_signal="${2}"
+
+bashio::log.info \
+  "Service NGINX exited with code ${exit_code_service}" \
+  "(by signal ${exit_code_signal})"
+
+if [[ "${exit_code_service}" -eq 256 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo $((128 + $exit_code_signal)) > /run/s6-linux-init-container-results/exitcode
+  fi
+  [[ "${exit_code_signal}" -eq 15 ]] && exec /run/s6/basedir/bin/halt
+elif [[ "${exit_code_service}" -ne 0 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo "${exit_code_service}" > /run/s6-linux-init-container-results/exitcode
+  fi
+  exec /run/s6/basedir/bin/halt
+fi
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/nginx/run
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/nginx/run
@@ -0,0 +1,15 @@
+#!/command/with-contenv bashio
+# shellcheck shell=bash
+# ==============================================================================
+# Community Hass.io Add-ons: ESPHome
+# Runs the NGINX proxy
+# ==============================================================================
+
+bashio::log.info "Waiting for ESPHome dashboard to come up..."
+
+while [[ ! -S /var/run/esphome.sock ]]; do
+  sleep 0.5
+done
+
+bashio::log.info "Starting NGINX..."
+exec nginx
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/nginx/type
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/nginx/type
@@ -0,0 +1 @@
+longrun
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/init-nginx
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/init-nginx
--- a/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/nginx
+++ b/docker/ha-addon-rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/nginx
--- a/docker/test_configs/bk72xx-arduino.yaml
+++ b/docker/test_configs/bk72xx-arduino.yaml
@@ -1,7 +0,0 @@
-esphome:
-  name: docker-test-bk72xx-arduino
-
-bk72xx:
-  board: generic-bk7231n-qfn32-tuya
-
-logger:
--- a/docker/test_configs/esp32-arduino-esp-idf.yaml
+++ b/docker/test_configs/esp32-arduino-esp-idf.yaml
@@ -1,10 +0,0 @@
-esphome:
-  name: docker-test-esp32-ard-idf
-
-esp32:
-  variant: esp32
-  framework:
-    type: arduino
-  toolchain: esp-idf
-
-logger:
--- a/docker/test_configs/esp32-arduino-platformio.yaml
+++ b/docker/test_configs/esp32-arduino-platformio.yaml
@@ -1,10 +0,0 @@
-esphome:
-  name: docker-test-esp32-ard-pio
-
-esp32:
-  variant: esp32
-  framework:
-    type: arduino
-  toolchain: platformio
-
-logger:
--- a/docker/test_configs/esp32-idf-esp-idf.yaml
+++ b/docker/test_configs/esp32-idf-esp-idf.yaml
@@ -1,10 +0,0 @@
-esphome:
-  name: docker-test-esp32-idf-idf
-
-esp32:
-  variant: esp32
-  framework:
-    type: esp-idf
-  toolchain: esp-idf
-
-logger:
--- a/docker/test_configs/esp32-idf-platformio.yaml
+++ b/docker/test_configs/esp32-idf-platformio.yaml
@@ -1,10 +0,0 @@
-esphome:
-  name: docker-test-esp32-idf-pio
-
-esp32:
-  variant: esp32
-  framework:
-    type: esp-idf
-  toolchain: platformio
-
-logger:
--- a/docker/test_configs/esp8266-arduino.yaml
+++ b/docker/test_configs/esp8266-arduino.yaml
@@ -1,7 +0,0 @@
-esphome:
-  name: docker-test-esp8266-arduino
-
-esp8266:
-  board: d1_mini
-
-logger:
--- a/docker/test_configs/host.yaml
+++ b/docker/test_configs/host.yaml
@@ -1,6 +0,0 @@
-esphome:
-  name: docker-test-host
-
-host:
-
-logger:
--- a/docker/test_configs/ln882x-arduino.yaml
+++ b/docker/test_configs/ln882x-arduino.yaml
@@ -1,7 +0,0 @@
-esphome:
-  name: docker-test-ln882x-arduino
-
-ln882x:
-  board: generic-ln882hki
-
-logger:
--- a/docker/test_configs/nrf52.yaml
+++ b/docker/test_configs/nrf52.yaml
@@ -1,8 +0,0 @@
-esphome:
-  name: docker-test-nrf52
-
-nrf52:
-  board: adafruit_itsybitsy_nrf52840
-  bootloader: adafruit_nrf52_sd140_v6
-
-logger:
--- a/docker/test_configs/rp2040-arduino.yaml
+++ b/docker/test_configs/rp2040-arduino.yaml
@@ -1,7 +0,0 @@
-esphome:
-  name: docker-test-rp2040-arduino
-
-rp2040:
-  variant: rp2040
-
-logger:
--- a/docker/test_configs/rtl87xx-arduino.yaml
+++ b/docker/test_configs/rtl87xx-arduino.yaml
@@ -1,7 +0,0 @@
-esphome:
-  name: docker-test-rtl87xx-arduino
-
-rtl87xx:
-  board: generic-rtl8710bn-2mb-788k
-
-logger:
--- a/esphome/main.py
+++ b/esphome/main.py
--- a/esphome/address_cache.py
+++ b/esphome/address_cache.py
@@ -101,17 +101,6 @@ class AddressCache:
        """Check if any cache entries exist."""
        return bool(self.mdns_cache or self.dns_cache)

-    def add_mdns_addresses(self, hostname: str, addresses: list[str]) -> None:
-        """Store resolved mDNS addresses for ``hostname`` in the cache.
-
-        Callers that discover ``.local`` hosts (e.g. via mDNS browse) can use
-        this to avoid a second resolution round-trip during the upload path.
-        No-op when ``addresses`` is empty.
-        """
-        if not addresses:
-            return
-        self.mdns_cache[normalize_hostname(hostname)] = addresses
-
    @classmethod
    def from_cli_args(
        cls, mdns_args: Iterable[str], dns_args: Iterable[str]
--- a/esphome/analyze_memory/init.py
+++ b/esphome/analyze_memory/init.py
@@ -24,7 +24,7 @@ from .helpers import (
 from .toolchain import find_tool, resolve_tool_path, run_tool

 if TYPE_CHECKING:
-    from esphome.platformio.toolchain import IDEData
+    from esphome.platformio_api import IDEData

 _LOGGER = logging.getLogger(__name__)

@@ -793,11 +793,8 @@ class MemoryAnalyzer:
        """Scan ESPHome source object files to map extern "C" symbols to components.

        When no linker map file is available, this uses ``nm`` to scan ``.o`` files
-        under ``src/`` (including ``src/main.cpp.o`` and everything beneath
-        ``src/esphome/``) and build a symbol-to-component mapping. This catches
-        ``extern "C"`` functions, the ESPHome-generated ``setup()``/``loop()``
-        entry points in ``main.cpp``, and other symbols that lack C++ namespace
-        prefixes.
+        under ``src/esphome/`` and build a symbol-to-component mapping. This catches
+        ``extern "C"`` functions and other symbols that lack C++ namespace prefixes.

        Skips scanning if ``_source_symbol_map`` was already populated by
        ``_parse_map_file()``.
@@ -809,12 +806,12 @@ class MemoryAnalyzer:
        if obj_dir is None:
            return

-        # Scan all ESPHome-owned source object files: src/main.cpp.o and src/esphome/...
-        src_dir = obj_dir / "src"
-        if not src_dir.is_dir():
+        # Find ESPHome source object files
+        esphome_src_dir = obj_dir / "src" / "esphome"
+        if not esphome_src_dir.is_dir():
            return

-        obj_files = sorted(src_dir.rglob("*.o"))
+        obj_files = sorted(esphome_src_dir.rglob("*.o"))
        if not obj_files:
            return

@@ -1067,10 +1064,6 @@ class MemoryAnalyzer:
                if component_name in self.external_components:
                    return f"{_COMPONENT_PREFIX_EXTERNAL}{component_name}"

-        # ESPHome-generated entry point: src/main.cpp.o (contains setup()/loop())
-        if len(parts) >= 2 and parts[-2:] == ("src", "main.cpp.o"):
-            return _COMPONENT_CORE
-
        # ESPHome core: src/esphome/core/... or src/esphome/...
        if "core" in parts and "esphome" in parts:
            return _COMPONENT_CORE
--- a/esphome/analyze_memory/cli.py
+++ b/esphome/analyze_memory/cli.py
@@ -5,9 +5,7 @@ from __future__ import annotations
 from collections import defaultdict
 from collections.abc import Callable
 import heapq
-import json
 from operator import itemgetter
-from pathlib import Path
 import sys
 from typing import TYPE_CHECKING

@@ -42,7 +40,7 @@ class MemoryAnalyzerCLI(MemoryAnalyzer):

    # Symbol size threshold for detailed analysis
    SYMBOL_SIZE_THRESHOLD: int = (
-        10  # Show symbols larger than this in detailed analysis
+        100  # Show symbols larger than this in detailed analysis
    )
    # Lower threshold for RAM symbols (RAM is more constrained)
    RAM_SYMBOL_SIZE_THRESHOLD: int = 24
@@ -511,7 +509,7 @@ class MemoryAnalyzerCLI(MemoryAnalyzer):
            lines.append(
                f"{_COMPONENT_CORE} Symbols > {self.SYMBOL_SIZE_THRESHOLD} B ({len(large_core_symbols)} symbols):"
            )
-            for i, (_symbol, demangled, size) in enumerate(large_core_symbols):
+            for i, (symbol, demangled, size) in enumerate(large_core_symbols):
                # Core symbols only track (symbol, demangled, size) without section info,
                # so we don't show section labels here
                lines.append(
@@ -603,7 +601,7 @@ class MemoryAnalyzerCLI(MemoryAnalyzer):
                lines.append(
                    f"{comp_name} Symbols > {self.SYMBOL_SIZE_THRESHOLD} B & storage ({len(large_symbols)} symbols):"
                )
-                for i, (_symbol, demangled, size, section) in enumerate(large_symbols):
+                for i, (symbol, demangled, size, section) in enumerate(large_symbols):
                    lines.append(
                        f"{i + 1}. {self._format_symbol_with_section(demangled, size, section)}"
                    )
@@ -642,7 +640,7 @@ class MemoryAnalyzerCLI(MemoryAnalyzer):
                lines.append(
                    f"  Symbols > {self.RAM_SYMBOL_SIZE_THRESHOLD} B ({len(large_ram_syms)}):"
                )
-                for _symbol, demangled, size, section in large_ram_syms[:10]:
+                for symbol, demangled, size, section in large_ram_syms[:10]:
                    # Format section label consistently by stripping leading dot
                    section_label = section.lstrip(".") if section else ""
                    display_name = _format_pstorage_name(demangled)
@@ -701,7 +699,7 @@ class MemoryAnalyzerCLI(MemoryAnalyzer):
        content = "\n".join(lines)

        if output_file:
-            with Path(output_file).open("w", encoding="utf-8") as f:
+            with open(output_file, "w", encoding="utf-8") as f:
                f.write(content)
        else:
            print(content)
@@ -739,8 +737,9 @@ def main():

    # Load build directory
    import json
+    from pathlib import Path

-    from esphome.platformio.toolchain import IDEData
+    from esphome.platformio_api import IDEData

    build_path = Path(build_dir)

@@ -786,7 +785,7 @@ def main():
        if not idedata_path.exists():
            continue
        try:
-            with idedata_path.open(encoding="utf-8") as f:
+            with open(idedata_path, encoding="utf-8") as f:
                raw_data = json.load(f)
            idedata = IDEData(raw_data)
            print(f"Loaded idedata from: {idedata_path}", file=sys.stderr)
--- a/esphome/analyze_memory/demangle.py
+++ b/esphome/analyze_memory/demangle.py
@@ -154,7 +154,7 @@ def batch_demangle(
    failed_count = 0

    for original, stripped, prefix, demangled in zip(
-        symbols, symbols_stripped, symbols_prefixes, demangled_lines, strict=True
+        symbols, symbols_stripped, symbols_prefixes, demangled_lines
    ):
        # Add back any prefix that was removed
        demangled = _restore_symbol_prefix(prefix, stripped, demangled)
--- a/esphome/analyze_memory/toolchain.py
+++ b/esphome/analyze_memory/toolchain.py
@@ -3,6 +3,7 @@
 from __future__ import annotations

 import logging
+import os
 from pathlib import Path
 import subprocess
 from typing import TYPE_CHECKING
@@ -36,7 +37,7 @@ def _find_in_platformio_packages(tool_name: str) -> str | None:
        Full path to the tool or None if not found
    """
    # Get PlatformIO packages directory
-    platformio_home = Path("~/.platformio/packages").expanduser()
+    platformio_home = Path(os.path.expanduser("~/.platformio/packages"))
    if not platformio_home.exists():
        return None

--- a/esphome/async_thread.py
+++ b/esphome/async_thread.py
@@ -1,56 +0,0 @@
-"""Helpers for running an async coroutine from sync code via a daemon thread.
-
-``asyncio.run(coro())`` in the main thread blocks until the loop's cleanup
-cycle finishes, which can add hundreds of milliseconds before the caller
-receives the result. Running the loop in a daemon thread lets the caller
-observe the result as soon as the coroutine completes while cleanup finishes
-in the background.
-"""
-
-from __future__ import annotations
-
-import asyncio
-from collections.abc import Awaitable, Callable
-import threading
-from typing import Generic, TypeVar
-
-_T = TypeVar("_T")
-
-
-class AsyncThreadRunner(threading.Thread, Generic[_T]):
-    """Run an async coroutine in a daemon thread and expose its result.
-
-    The runner catches all exceptions from the coroutine and stores them in
-    ``exception`` so ``event`` is always set — this prevents callers waiting
-    on ``event`` from hanging forever when the coroutine crashes.
-
-    Typical usage::
-
-        runner = AsyncThreadRunner(lambda: my_coro(arg))
-        runner.start()
-        if not runner.event.wait(timeout=5.0):
-            ...  # timed out
-        if runner.exception is not None:
-            raise runner.exception
-        result = runner.result
-    """
-
-    def __init__(self, coro_factory: Callable[[], Awaitable[_T]]) -> None:
-        super().__init__(daemon=True)
-        self._coro_factory = coro_factory
-        self.result: _T | None = None
-        self.exception: BaseException | None = None
-        self.event = threading.Event()
-
-    async def _runner(self) -> None:
-        try:
-            self.result = await self._coro_factory()
-        except Exception as exc:  # noqa: BLE001  # pylint: disable=broad-except
-            # Capture all exceptions so ``event`` is always set — otherwise a
-            # crash would hang the waiter forever.
-            self.exception = exc
-        finally:
-            self.event.set()
-
-    def run(self) -> None:
-        asyncio.run(self._runner())
--- a/esphome/automation.py
+++ b/esphome/automation.py
@@ -127,7 +127,7 @@ def validate_potentially_or_condition(value):
    return validate_condition(value)


-DelayAction = cg.esphome_ns.class_("DelayAction", Action)
+DelayAction = cg.esphome_ns.class_("DelayAction", Action, cg.Component)
 LambdaAction = cg.esphome_ns.class_("LambdaAction", Action)
 StatelessLambdaAction = cg.esphome_ns.class_("StatelessLambdaAction", Action)
 IfAction = cg.esphome_ns.class_("IfAction", Action)
@@ -199,10 +199,11 @@ def validate_automation(extra_schema=None, extra_validators=None, single=False):
                    return cv.Schema([schema])(value)
                except cv.Invalid as err2:
                    if "extra keys not allowed" in str(err2) and len(err2.path) == 2:
-                        raise err from None
+                        # pylint: disable=raise-missing-from
+                        raise err
                    if "Unable to find action" in str(err):
-                        raise err2 from None
-                    raise cv.MultipleInvalid([err, err2]) from None
+                        raise err2
+                    raise cv.MultipleInvalid([err, err2])
        elif isinstance(value, dict):
            if CONF_THEN in value:
                return [schema(value)]
@@ -396,6 +397,7 @@ async def delay_action_to_code(
    args: TemplateArgsType,
 ) -> MockObj:
    var = cg.new_Pvariable(action_id, template_arg)
+    await cg.register_component(var, {})
    template_ = await cg.templatable(config, args, cg.uint32)
    cg.add(var.set_delay(template_))
    return var
@@ -596,7 +598,7 @@ async def component_resume_action_to_code(
    comp = await cg.get_variable(config[CONF_ID])
    var = cg.new_Pvariable(action_id, template_arg, comp)
    if CONF_UPDATE_INTERVAL in config:
-        template_ = await cg.templatable(config[CONF_UPDATE_INTERVAL], args, cg.uint32)
+        template_ = await cg.templatable(config[CONF_UPDATE_INTERVAL], args, int)
        cg.add(var.set_update_interval(template_))
    return var

--- a/esphome/build_gen/espidf.py
+++ b/esphome/build_gen/espidf.py
@@ -3,39 +3,23 @@
 import json
 from pathlib import Path

-from esphome.components.esp32 import get_esp32_variant, idf_version
-import esphome.config_validation as cv
+from esphome.components.esp32 import get_esp32_variant
 from esphome.core import CORE
-from esphome.framework_helpers import get_project_compile_flags, get_project_link_flags
 from esphome.helpers import mkdir_p, write_file_if_changed

-# Replaces the IDF default C++ standard (-std=gnu++2b appended to
-# CXX_COMPILE_OPTIONS by project.cmake's __build_init) with the one set via
-# cg.set_cpp_standard(). Emitted between include(project.cmake) and project(),
-# i.e. after IDF appends its default and before the options are consumed, and
-# applies project-wide like PlatformIO build_unflags.
-CPP_STANDARD_TEMPLATE = """\
-idf_build_get_property(esphome_cxx_compile_options CXX_COMPILE_OPTIONS)
-list(FILTER esphome_cxx_compile_options EXCLUDE REGEX "^-std=")
-list(APPEND esphome_cxx_compile_options "-std={standard}")
-idf_build_set_property(CXX_COMPILE_OPTIONS "${{esphome_cxx_compile_options}}")"""
-

 def get_available_components() -> list[str] | None:
-    """Get list of built-in ESP-IDF components from project_description.json.
+    """Get list of available ESP-IDF components from project_description.json.

-    Excludes ``src``, IDF-managed components (``managed_components/``), and
-    converted PIO libs (``pio_components/``). Returns ``None`` if the build
-    dir or ``project_description.json`` isn't ready yet.
+    Returns only internal ESP-IDF components, excluding external/managed
+    components (from idf_component.yml).
    """
-    if CORE.build_path is None:
-        return None
    project_desc = Path(CORE.build_path) / "build" / "project_description.json"
    if not project_desc.exists():
        return None

    try:
-        with project_desc.open(encoding="utf-8") as f:
+        with open(project_desc, encoding="utf-8") as f:
            data = json.load(f)

        component_info = data.get("build_component_info", {})
@@ -46,9 +30,9 @@ def get_available_components() -> list[str] | None:
            if name == "src":
                continue

-            # Exclude IDF-managed and converted-PIO components (external).
+            # Exclude managed/external components
            comp_dir = info.get("dir", "")
-            if "managed_components" in comp_dir or "pio_components" in comp_dir:
+            if "managed_components" in comp_dir:
                continue

            result.append(name)
@@ -63,156 +47,72 @@ def has_discovered_components() -> bool:
    return get_available_components() is not None


-def get_project_cmakelists(minimal: bool = False) -> str:
-    """Generate the top-level CMakeLists.txt for ESP-IDF project.
-
-    When ``minimal`` is true, omit ``ESPHOME_PROJECT_BUILTIN_COMPONENTS``
-    since ``project_description.json`` may be stale on the first write.
-    """
+def get_project_cmakelists() -> str:
+    """Generate the top-level CMakeLists.txt for ESP-IDF project."""
    # Get IDF target from ESP32 variant (e.g., ESP32S3 -> esp32s3)
    variant = get_esp32_variant()
    idf_target = variant.lower().replace("-", "")

-    # esp_idf_size 2.x (bundled with IDF >=6.0) made NG the default and
-    # removed the --ng flag; on 1.x (IDF 5.5) --ng is required to get
-    # --format=raw because the legacy mode doesn't support it.
-    size_ng_flag = "--ng" if idf_version() < cv.Version(6, 0, 0) else ""
-
-    # Project-wide compile options: -D defines and -W warning flags (skip
-    # -Wl, linker flags — those go on the src component via
-    # target_link_options below). Emitted via idf_build_set_property so the
-    # flags propagate to every IDF component (including managed ones like
-    # esphome__micro-mp3) rather than just src/. Required so suppressions
-    # like ``-Wno-error=maybe-uninitialized`` actually silence warnings in
-    # third-party components we don't author.
-    project_compile_opts = get_project_compile_flags()
+    # Extract compile definitions from build flags (-DXXX -> XXX)
+    compile_defs = [flag for flag in CORE.build_flags if flag.startswith("-D")]
    extra_compile_options = "\n".join(
-        f'idf_build_set_property(COMPILE_OPTIONS "{flag}" APPEND)'
-        for flag in project_compile_opts
-    )
-
-    cpp_standard_options = (
-        CPP_STANDARD_TEMPLATE.format(standard=CORE.cpp_standard)
-        if CORE.cpp_standard
-        else ""
-    )
-
-    # Per-project list exposed as a CMake variable so converted PIO libs
-    # can reference ${ESPHOME_PROJECT_MANAGED_COMPONENTS} without baking
-    # project-specific names into their cached CMakeLists.
-    #
-    # Emit via idf_build_set_property (not plain set()) so the value is
-    # serialised into build_properties.temp.cmake and visible to IDF's
-    # early requirements-expansion pass (component_get_requirements.cmake
-    # runs as a separate CMake script invocation that doesn't load the
-    # project's top-level CMakeLists; without this, ${ESPHOME_PROJECT_
-    # MANAGED_COMPONENTS} in a converted-lib REQUIRES expands to empty).
-    from esphome.components.esp32 import get_managed_component_require_names
-
-    managed_components_property = "\n".join(
-        f"idf_build_set_property(ESPHOME_PROJECT_MANAGED_COMPONENTS {name} APPEND)"
-        for name in get_managed_component_require_names()
-    )
-
-    # Built-in IDF components exposed via our own property (not IDF's
-    # __COMPONENT_REQUIRES_COMMON, which would append them to every
-    # component's REQUIRES including real IDF components). Referenced by
-    # src/CMakeLists and by each converted PIO lib's CMakeLists. Skipped
-    # on minimal writes because project_description.json may be stale.
-    builtin_components_property = (
-        ""
-        if minimal
-        else "\n".join(
-            f"idf_build_set_property(ESPHOME_PROJECT_BUILTIN_COMPONENTS {name} APPEND)"
-            for name in sorted(get_available_components() or [])
-        )
+        f'idf_build_set_property(COMPILE_OPTIONS "{compile_def}" APPEND)'
+        for compile_def in compile_defs
    )

    return f"""\
 # Auto-generated by ESPHome
 cmake_minimum_required(VERSION 3.16)

-# On Windows, Ninja can fail with:
-#   "CreateProcess: The parameter is incorrect (is the command line too long?)"
-# when compiler/linker command lines exceed the OS length limit.
-#
-# The following settings force CMake/Ninja to use *response files* (@file.rsp)
-# to pass long lists of includes, objects, and other arguments indirectly,
-# avoiding command-line length limits and fixing the build failure.
-#
-# This is especially useful for large ESP-IDF / ESPHome projects with many
-# source files or include directories.
-set(CMAKE_C_USE_RESPONSE_FILE_FOR_INCLUDES 1)
-set(CMAKE_CXX_USE_RESPONSE_FILE_FOR_INCLUDES 1)
-set(CMAKE_C_USE_RESPONSE_FILE_FOR_OBJECTS 1)
-set(CMAKE_CXX_USE_RESPONSE_FILE_FOR_OBJECTS 1)
-set(CMAKE_NINJA_FORCE_RESPONSE_FILE 1)
-
 set(IDF_TARGET {idf_target})
 set(EXTRA_COMPONENT_DIRS ${{CMAKE_SOURCE_DIR}}/src)

 include($ENV{{IDF_PATH}}/tools/cmake/project.cmake)

-{cpp_standard_options}
-
 {extra_compile_options}

-{managed_components_property}
-
-{builtin_components_property}
-
 project({CORE.name})
-
-# Emit raw JSON size data for ESPHome to read post-build.
-add_custom_command(
-    TARGET ${{CMAKE_PROJECT_NAME}}.elf POST_BUILD
-    COMMAND ${{PYTHON}} -m esp_idf_size {size_ng_flag} --format=raw
-            -o ${{CMAKE_BINARY_DIR}}/esp_idf_size.json
-            ${{CMAKE_PROJECT_NAME}}.map
-    WORKING_DIRECTORY ${{CMAKE_BINARY_DIR}}
-    VERBATIM
-)
 """


-def get_component_cmakelists() -> str:
-    """Generate the main component CMakeLists.txt.
+def get_component_cmakelists(minimal: bool = False) -> str:
+    """Generate the main component CMakeLists.txt."""
+    idf_requires = [] if minimal else (get_available_components() or [])
+    requires_str = " ".join(idf_requires)

-    REQUIRES pulls in the discovered built-in IDF components via the
-    project-level variables set in the top-level CMakeLists.
-    """
-    # Extract linker options (-Wl, flags). Compile flags (-D, -W) are
-    # emitted project-wide via idf_build_set_property in
-    # get_project_cmakelists so they reach every component, not just src/.
-    link_opts = get_project_link_flags()
-    link_opts_str = "\n    ".join(link_opts) if link_opts else ""
+    # Extract compile options (-W flags, excluding linker flags)
+    compile_opts = [
+        flag
+        for flag in CORE.build_flags
+        if flag.startswith("-W") and not flag.startswith("-Wl,")
+    ]
+    compile_opts_str = "\n    ".join(sorted(compile_opts)) if compile_opts else ""
+
+    # Extract linker options (-Wl, flags)
+    link_opts = [flag for flag in CORE.build_flags if flag.startswith("-Wl,")]
+    link_opts_str = "\n    ".join(sorted(link_opts)) if link_opts else ""

    return f"""\
 # Auto-generated by ESPHome
-# CONFIGURE_DEPENDS asks CMake to re-check the glob each build so test
-# runs that reuse the build dir don't compile stale source paths. It's
-# invalid in script mode (cmake -P), which is how IDF's
-# component_get_requirements.cmake includes us, so skip it there.
-if(CMAKE_SCRIPT_MODE_FILE)
-    file(GLOB_RECURSE app_sources
-        "${{CMAKE_CURRENT_SOURCE_DIR}}/*.cpp"
-        "${{CMAKE_CURRENT_SOURCE_DIR}}/*.c"
-        "${{CMAKE_CURRENT_SOURCE_DIR}}/esphome/*.cpp"
-        "${{CMAKE_CURRENT_SOURCE_DIR}}/esphome/*.c"
-    )
-else()
-    file(GLOB_RECURSE app_sources CONFIGURE_DEPENDS
-        "${{CMAKE_CURRENT_SOURCE_DIR}}/*.cpp"
-        "${{CMAKE_CURRENT_SOURCE_DIR}}/*.c"
-        "${{CMAKE_CURRENT_SOURCE_DIR}}/esphome/*.cpp"
-        "${{CMAKE_CURRENT_SOURCE_DIR}}/esphome/*.c"
-    )
-endif()
+file(GLOB_RECURSE app_sources
+    "${{CMAKE_CURRENT_SOURCE_DIR}}/*.cpp"
+    "${{CMAKE_CURRENT_SOURCE_DIR}}/*.c"
+    "${{CMAKE_CURRENT_SOURCE_DIR}}/esphome/*.cpp"
+    "${{CMAKE_CURRENT_SOURCE_DIR}}/esphome/*.c"
+)

 idf_component_register(
    SRCS ${{app_sources}}
    INCLUDE_DIRS "." "esphome"
-    REQUIRES ${{ESPHOME_PROJECT_BUILTIN_COMPONENTS}}
+    REQUIRES {requires_str}
+)
+
+# Apply C++ standard
+target_compile_features(${{COMPONENT_LIB}} PUBLIC cxx_std_20)
+
+# ESPHome compile options
+target_compile_options(${{COMPONENT_LIB}} PUBLIC
+    {compile_opts_str}
 )

 # ESPHome linker options
@@ -230,11 +130,11 @@ def write_project(minimal: bool = False) -> None:
    # Write top-level CMakeLists.txt
    write_file_if_changed(
        CORE.relative_build_path("CMakeLists.txt"),
-        get_project_cmakelists(minimal=minimal),
+        get_project_cmakelists(),
    )

    # Write component CMakeLists.txt in src/
    write_file_if_changed(
        CORE.relative_src_path("CMakeLists.txt"),
-        get_component_cmakelists(),
+        get_component_cmakelists(minimal=minimal),
    )
--- a/esphome/build_gen/platformio.py
+++ b/esphome/build_gen/platformio.py
@@ -1,7 +1,7 @@
 from esphome.const import __version__
 from esphome.core import CORE
 from esphome.helpers import mkdir_p, read_file, write_file_if_changed
-from esphome.writer import find_begin_end
+from esphome.writer import find_begin_end, update_storage_json

 INI_AUTO_GENERATE_BEGIN = "; ========== AUTO GENERATED CODE BEGIN ==========="
 INI_AUTO_GENERATE_END = "; =========== AUTO GENERATED CODE END ============"
@@ -33,27 +33,12 @@ def format_ini(data: dict[str, str | list[str]]) -> str:
    return content


-# All -std= variants a platform/framework may set by default, in both the GNU
-# and strict dialects; unflagged so the cg.set_cpp_standard() value is the
-# only standard left in the build.
-CPP_STD_VARIANTS = [
-    f"{prefix}{year}"
-    for year in ("11", "14", "17", "20", "23", "26", "2a", "2b", "2c")
-    for prefix in ("gnu++", "c++")
-]
-
-
 def get_ini_content():
    CORE.add_platformio_option(
        "lib_deps",
        [x.as_lib_dep for x in CORE.platformio_libraries.values()]
        + ["${common.lib_deps}"],
    )
-    if CORE.cpp_standard:
-        for variant in CPP_STD_VARIANTS:
-            if variant != CORE.cpp_standard:
-                CORE.add_build_unflag(f"-std={variant}")
-        CORE.add_build_flag(f"-std={CORE.cpp_standard}")
    # Sort to avoid changing build flags order
    CORE.add_platformio_option("build_flags", sorted(CORE.build_flags))

@@ -73,6 +58,7 @@ def get_ini_content():


 def write_ini(content):
+    update_storage_json()
    path = CORE.relative_build_path("platformio.ini")

    if path.is_file():
--- a/esphome/bundle.py
+++ b/esphome/bundle.py
@@ -98,13 +98,11 @@ _KNOWN_FILE_EXTENSIONS = frozenset(
 )


-# Matches !secret references in YAML text.  An optional surrounding
-# quote pair around the key is allowed and ignored: YAML treats
-# ``!secret 'foo'`` and ``!secret foo`` as the same key.  This is
-# intentionally a simple regex scan rather than a YAML parse — it may
-# match inside comments or multi-line strings, which is the conservative
-# direction (include more secrets rather than fewer).
-_SECRET_RE = re.compile(r"""!secret\s+['"]?([^\s'"]+)""")
+# Matches !secret references in YAML text.  This is intentionally a simple
+# regex scan rather than a YAML parse — it may match inside comments or
+# multi-line strings, which is the conservative direction (include more
+# secrets rather than fewer).
+_SECRET_RE = re.compile(r"!secret\s+(\S+)")


 def _find_used_secret_keys(yaml_files: list[Path]) -> set[str]:
@@ -153,8 +151,8 @@ class ConfigBundleCreator:

    def __init__(self, config: dict[str, Any]) -> None:
        self._config = config
-        self._config_dir = Path(CORE.config_dir).resolve()
-        self._config_path = Path(CORE.config_path).resolve()
+        self._config_dir = CORE.config_dir
+        self._config_path = CORE.config_path
        self._files: list[BundleFile] = []
        self._seen_paths: set[Path] = set()
        self._secrets_paths: set[Path] = set()
@@ -260,20 +258,27 @@ class ConfigBundleCreator:
    def _discover_yaml_includes(self) -> None:
        """Discover YAML files loaded during config parsing.

-        Delegates to :func:`yaml_util.discover_user_yaml_files`, which does a
-        fresh re-parse and force-loads every deferred ``IncludeFile`` so that
-        *all* potentially-reachable includes are captured (even branches not
-        selected by local substitutions). Bundles are meant to be compiled on
-        another system where command-line substitution overrides may choose a
-        different branch — e.g. ``!include network/${eth_model}/config.yaml``
-        must ship every candidate so the remote build can pick any one.
+        We track files by wrapping _load_yaml_internal. The config has already
+        been loaded at this point (bundle is a POST_CONFIG_ACTION), so we
+        re-load just to discover the file list.
+
+        Secrets files are tracked separately so we can filter them to
+        only include the keys this config actually references.
        """
-        discovered = yaml_util.discover_user_yaml_files(self._config_path)
-        self._secrets_paths.update(discovered.secrets)
-        config_resolved = self._config_path.resolve()
-        for fpath in discovered.files:
-            if fpath == config_resolved:
+        with yaml_util.track_yaml_loads() as loaded_files:
+            try:
+                yaml_util.load_yaml(self._config_path)
+            except EsphomeError:
+                _LOGGER.debug(
+                    "Bundle: re-loading YAML for include discovery failed, "
+                    "proceeding with partial file list"
+                )
+
+        for fpath in loaded_files:
+            if fpath == self._config_path.resolve():
                continue  # Already added as config
+            if fpath.name in const.SECRETS_FILES:
+                self._secrets_paths.add(fpath)
            self._add_file(fpath)

    def _discover_component_files(self) -> None:
@@ -412,7 +417,7 @@ class ConfigBundleCreator:
    @staticmethod
    def _add_to_tar(tar: tarfile.TarFile, bf: BundleFile) -> None:
        """Add a BundleFile to the tar archive with deterministic metadata."""
-        with bf.source.open("rb") as f:
+        with open(bf.source, "rb") as f:
            _add_bytes_to_tar(tar, bf.path, f.read())


--- a/esphome/codegen.py
+++ b/esphome/codegen.py
@@ -10,7 +10,6 @@
 # pylint: disable=unused-import
 from esphome.cpp_generator import (  # noqa: F401
    ArrayInitializer,
-    ComponentMarker,
    Expression,
    FlashStringLiteral,
    LineComment,
--- a/esphome/compiled_config.py
+++ b/esphome/compiled_config.py
@@ -1,76 +0,0 @@
-"""Validated-config cache for the upload/logs fast path.
-
-compile dumps the validated config to <data_dir>/storage/<file>.validated.yaml;
-the next upload/logs for that YAML reuses it instead of running the full
-read_config pipeline. YAML round-trip (yaml_util.dump/load_yaml) keeps
-!lambda/!include/IDs/paths intact; mtime gates staleness.
-"""
-
-from __future__ import annotations
-
-import logging
-from pathlib import Path
-
-from esphome.core import CORE
-from esphome.helpers import write_file
-from esphome.storage_json import StorageJSON, ext_storage_path
-from esphome.types import ConfigType
-
-_LOGGER = logging.getLogger(__name__)
-
-
-def compiled_config_path(config_filename: str) -> Path:
-    """Path to the cached validated config alongside the storage sidecar."""
-    return CORE.data_dir / "storage" / f"{config_filename}.validated.yaml"
-
-
-def _cache_is_fresh(cache_path: Path, source_path: Path) -> bool:
-    """True iff the cache file exists and isn't older than the source."""
-    try:
-        return cache_path.stat().st_mtime >= source_path.stat().st_mtime
-    except OSError:
-        return False
-
-
-def save_compiled_config(config: ConfigType) -> None:
-    """Write the validated-config cache. Always-write so mtime stays fresh.
-
-    Mode 0600 because show_secrets=True resolves !secret inline.
-    Failures are non-fatal: the fast path falls back to read_config.
-    """
-    from esphome import yaml_util
-
-    try:
-        rendered = yaml_util.dump(config, show_secrets=True)
-        write_file(compiled_config_path(CORE.config_filename), rendered, private=True)
-    except Exception as err:  # noqa: BLE001  # pylint: disable=broad-except
-        _LOGGER.debug("Skipping compiled config cache write: %s", err)
-
-
-def load_compiled_config(conf_path: Path) -> ConfigType | None:
-    """Load the cached validated config and apply storage metadata to CORE.
-
-    Returns None (caller falls back to read_config) when the cache is
-    missing, older than the source YAML, unparseable, or the sidecar
-    is incomplete.
-    """
-    cache_path = compiled_config_path(conf_path.name)
-    if not _cache_is_fresh(cache_path, conf_path):
-        return None
-
-    from esphome import yaml_util
-
-    try:
-        config = yaml_util.load_yaml(cache_path, clear_secrets=False)
-    except Exception:  # noqa: BLE001  # pylint: disable=broad-except
-        return None
-
-    storage = StorageJSON.load(ext_storage_path(conf_path.name))
-    if storage is None:
-        return None
-    # apply_to_core assumes a real compile wrote the sidecar; wizard-only
-    # sidecars leave both of these unset and can't drive upload/logs.
-    if not storage.core_platform and not storage.target_platform:
-        return None
-    storage.apply_to_core()
-    return config
--- a/esphome/components/a01nyub/a01nyub.cpp
+++ b/esphome/components/a01nyub/a01nyub.cpp
@@ -4,7 +4,8 @@
 #include "esphome/core/helpers.h"
 #include "esphome/core/log.h"

-namespace esphome::a01nyub {
+namespace esphome {
+namespace a01nyub {

 static const char *const TAG = "a01nyub.sensor";

@@ -41,4 +42,5 @@ void A01nyubComponent::check_buffer_() {

 void A01nyubComponent::dump_config() { LOG_SENSOR("", "A01nyub Sensor", this); }

-}  // namespace esphome::a01nyub
+}  // namespace a01nyub
+}  // namespace esphome
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
J. Nick Koston	cb2e8320f0	[api] Pass pos by value through encode_varint_raw_loop	2026-04-09 22:13:14 -10:00
J. Nick Koston	49ef5f9ad6	[api] Force inline encode_varint_raw_loop so pos stays in a register	2026-04-09 22:07:15 -10:00
J. Nick Koston	707f3f4749	[api] Unroll varint encode loop for compile-time bounded types	2026-04-09 21:59:35 -10:00
				`@@ -0,0 +1 @@`
				`f31f13994768b5b07e29624406c9b053bf4bb26e1623ac2bc1e9d4a9477502d6`
				`@@ -0,0 +1 @@`
				`Without requirements or design, programming is the art of adding bugs to an empty text file. (Louis Srygley)`