Merge branch 'next' into doc-ext-remove

Author: jpeletier

.github/workflows/auto-label-pr.yml

@@ -30,13 +30,13 @@ jobs:
 
       - name: Generate a token
         id: generate-token
-        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
         with:
           app-id: ${{ secrets.ESPHOME_GITHUB_APP_ID }}
           private-key: ${{ secrets.ESPHOME_GITHUB_APP_PRIVATE_KEY }}
 
       - name: Auto Label PR
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           PR_NUMBER: ${{ github.event.inputs.pr_number || github.event.number }}
         with:

.github/workflows/ci.yml

@@ -0,0 +1,69 @@
+name: CI
+
+on:
+  pull_request:
+    types: [opened, edited, reopened, synchronize]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install pagefind
+        uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+        with:
+          repo: cloudcannon/pagefind
+
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Set up Hugo
+        uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
+        with:
+          hugo-version: 'latest'
+          extended: true
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: 3.12
+
+      - name: Install Python dependencies
+        run: pip install -r requirements_test.txt
+
+      - name: Run production build
+        run: make production
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+    - name: Set up Python 3.12
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      with:
+        python-version: 3.12
+
+    - name: Install dependencies
+      run: pip install -r requirements_test.txt
+
+    - name: Register problem matchers
+      run: |
+        echo "::add-matcher::.github/workflows/matchers/ci-custom.json"
+
+    - name: markdownlint-cli
+      uses: nosborn/github-action-markdown-cli@508d6cefd8f0cc99eab5d2d4685b1d5f470042c1 # v3.5.0
+      with:
+        config_file: ".markdownlintrc"
+        files: .
+
+    - name: Lint
+      run: python lint.py

.github/workflows/component-image.yml

@@ -19,7 +19,7 @@ jobs:
     steps:
       - name: Comment
         id: create-comment
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const result = await github.rest.issues.createComment({
@@ -32,11 +32,20 @@ jobs:
 
       - name: Get Component name
         id: get_component
-        run: |-
-          comment="${{ github.event.comment.body }}"
-          component=$(echo $comment | sed -n 's/^@esphomebot generate image //p')
-          echo "name=$component" >> $GITHUB_OUTPUT
-          echo "name_lower=${component,,}" >> $GITHUB_OUTPUT
+        env:
+          COMMENT_BODY: ${{ github.event.comment.body }}
+        run: |
+          # Extract component name using bash parameter expansion (no external commands)
+          component="${COMMENT_BODY#@esphomebot generate image }"
+
+          # Validate component name: only lowercase alphanumeric and underscores
+          if [[ "$component" =~ ^[a-z0-9_]+$ ]]; then
+            echo "name=$component" >> $GITHUB_OUTPUT
+            echo "name_lower=${component,,}" >> $GITHUB_OUTPUT
+          else
+            echo "::error::Invalid component name. Must contain only lowercase letters, numbers, and underscores."
+            exit 1
+          fi
 
   generate:
     name: Generate
@@ -50,14 +59,14 @@ jobs:
           component: ${{ needs.prepare.outputs.name }}
 
       - name: Upload
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         id: upload-artifact
         with:
           name: ${{ needs.prepare.outputs.name }}
           path: ${{ needs.prepare.outputs.name_lower }}.svg
 
       - name: Update Comment
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             await github.rest.issues.updateComment({

.github/workflows/docker.yml

@@ -31,20 +31,20 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       -
         name: Login to DockerHub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}

.github/workflows/labeller-recheck.yml

@@ -15,7 +15,7 @@ jobs:
     if: github.event.label.name == 'labeller-recheck'
     steps:
       - name: Call Auto Label workflow
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/lint.yml

@@ -16,7 +16,7 @@ jobs:
   lock:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # v4
+      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v4
         with:
           pr-inactive-days: "1"
           pr-lock-reason: ""

.github/workflows/lock.yml

@@ -16,7 +16,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10
         with:
           days-before-pr-stale: 60
           days-before-pr-close: 7

.github/workflows/stale.yml

@@ -19,6 +19,9 @@ __pycache__/
 *.py[cod]
 *$py.class
 
+# Release notes generator cache (persistent PR cache + version-specific data)
+script/cache/
+
 venv
 
 *.DS_Store

.gitignore

@@ -3,6 +3,7 @@ FROM python:3.13-slim
 RUN apt-get update && apt-get install -y --no-install-recommends \
         curl \
         git \
+        jq \
         make \
         openssh-client \
         hugo \