Add negative test to WS API test test_test_condition

2026-05-23 01:05:20 +02:00 · 2026-05-20 08:25:11 +02:00
1362 changed files with 17950 additions and 46605 deletions
@@ -18,13 +18,6 @@ description: Reviews GitHub pull requests and provides feedback comments. This i
 4. Ensure any existing review comments have been addressed.
 5. Generate constructive review comments in the CONSOLE. DO NOT POST TO GITHUB YOURSELF.

-## Verification:
-
- After the review, run parallel subagents for each finding to double check it.
- Spawn up to a maximum of 10 parallel subagents at a time.
- Gather the results from the subagents and summarize them in the final review comments.
-
-
 ## IMPORTANT:
 - Just review. DO NOT make any changes
 - Be constructive and specific in your comments
@@ -15,11 +15,11 @@ Dockerfile.dev linguist-language=Dockerfile
 # Generated files
 CODEOWNERS linguist-generated=true
 homeassistant/generated/*.py linguist-generated=true
-pylint/plugins/pylint_home_assistant/generated/*.py linguist-generated=true
 machine/* linguist-generated=true
 mypy.ini linguist-generated=true
 requirements.txt linguist-generated=true
 requirements_all.txt linguist-generated=true
+requirements_test_all.txt linguist-generated=true
 requirements_test_pre_commit.txt linguist-generated=true
 script/hassfest/docker/Dockerfile linguist-generated=true
 .github/workflows/*.lock.yml linguist-generated=true
@@ -25,7 +25,6 @@ This repository contains the core of Home Assistant, a Python 3 based home autom

 - When entering a new environment or worktree, run `script/setup` to set up the virtual environment with all development dependencies (pylint, pre-commit hooks, etc.). This is required before committing.
 - .vscode/tasks.json contains useful commands used for development.
- After finishing a code session, run `uv run prek run --all-files` to check for linting and formatting issues.

 ## Python Syntax Notes

@@ -128,7 +128,6 @@
        "standard-aifc",
        "standard-telnetlib",
        "ulid-transform",
-        "unidiff",
        "url-normalize",
        "xmltodict"
      ],
@@ -14,7 +14,7 @@ env:
  UV_HTTP_TIMEOUT: 60
  UV_SYSTEM_PYTHON: "true"
  # Base image version from https://github.com/home-assistant/docker
-  BASE_IMAGE_VERSION: "2026.05.0"
+  BASE_IMAGE_VERSION: "2026.04.0"
  ARCHITECTURES: '["amd64", "aarch64"]'

 permissions: {}
@@ -1,74 +0,0 @@
-name: Check requirements (deterministic)
-
-# Stage 1 of the Check requirements pipeline.
-#
-# Runs the deterministic Python checks and uploads the structured
-# results as an artifact. Stage 2 (the agentic workflow defined in
-# `check-requirements.md`) consumes the artifact on completion.
-
-# yamllint disable-line rule:truthy
-on:
-  # Auto-trigger on PRs that touch tracked requirement files is disabled
-  # for now while we iterate — testing the workflow_run handoff to the
-  # agentic stage is hard with an auto-trigger. Re-enable once the chain
-  # has been validated end-to-end.
-  # pull_request:
-  #   types: [opened, synchronize, reopened]
-  #   paths:
-  #     - "**/requirements*.txt"
-  #     - "homeassistant/package_constraints.txt"
-  workflow_dispatch:
-    inputs:
-      pull_request_number:
-        description: "Pull request number to (re-)check"
-        required: true
-        type: number
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ inputs.pull_request_number || github.event.pull_request.number }}
-  cancel-in-progress: true
-
-jobs:
-  deterministic:
-    name: Run deterministic requirement checks
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-      pull-requests: read # To fetch the PR diff via gh CLI
-    timeout-minutes: 10
-    steps:
-      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version-file: ".python-version"
-          check-latest: true
-      - name: Install script dependencies
-        run: pip install -r script/check_requirements/requirements.txt
-      - name: Collect PR diff
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ inputs.pull_request_number || github.event.pull_request.number }}
-        run: |
-          mkdir -p deterministic
-          gh pr diff "${PR_NUMBER}" > deterministic/pr.diff
-      - name: Run deterministic checks
-        env:
-          PR_NUMBER: ${{ inputs.pull_request_number || github.event.pull_request.number }}
-        run: |
-          python -m script.check_requirements \
-            --pr-number "${PR_NUMBER}" \
-            --diff deterministic/pr.diff \
-            --output deterministic/results.json
-      - name: Upload deterministic-results artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: check-requirements-deterministic
-          path: deterministic/results.json
-          if-no-files-found: error
-          retention-days: 7
@@ -1,4 +1,4 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"75b8b624ba0c144fb4b28cba143d16a47c30de8afae568fa3256c6febe01a68a","compiler_version":"v0.74.4","strict":true,"agent_id":"copilot"}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"70aa938926d4aac250b6d7aca7251f663476fc2da39a29d1ffd569dc725c133a","compiler_version":"v0.74.4","strict":true,"agent_id":"copilot"}
 # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"d3abfe96a194bce3a523ed2093ddedd5704cdf62","version":"v0.74.4"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.46"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.46"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.9","digest":"sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
 #    ___                   _   _      
 #   / _ \                 | | (_)     
@@ -22,7 +22,7 @@
 #
 # For more information: https://github.github.com/gh-aw/introduction/overview/
 #
-# Resolves the deterministic-stage artifact's NEEDS_AGENT checks for changed Python package requirements on PRs targeting the core repo, then posts the final review comment. Triggered by completion of the deterministic workflow. Reads the uploaded artifact from disk, replaces placeholders for any check whose status is `needs_agent`, and posts the merged comment using the PR number recorded inside the artifact itself. Each check kind has a dedicated instruction section below; if the artifact contains a check kind that does not have a section here, the agent fails hard rather than guess.
+# Checks changed Python package requirements on PRs targeting the core repo (including PRs opened from forks) and verifies licenses match PyPI metadata, source repositories are publicly accessible, PyPI releases were uploaded via automated CI (Trusted Publisher attestation), the package's release pipeline uses OIDC or equivalent automated credentials (not static tokens), and the PR description contains the required links.
 #
 # Secrets used:
 #   - COPILOT_GITHUB_TOKEN
@@ -34,6 +34,7 @@
 #   - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 #   - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 #   - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+#   - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9)
 #   - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 #   - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 #   - github/gh-aw-actions/setup@d3abfe96a194bce3a523ed2093ddedd5704cdf62 # v0.74.4
@@ -46,37 +47,48 @@
 #   - ghcr.io/github/github-mcp-server:v1.0.4
 #   - node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f

-name: "Check requirements (AW)"
+name: "Requirements License and Availability Check"
 on:
-  workflow_run:
-    # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation
+  pull_request:
+    # forks: # Fork filtering applied via job conditions
+    # - "*" # Fork filtering applied via job conditions
+    paths:
+    - requirements*.txt
+    - homeassistant/package_constraints.txt
+    - pyproject.toml
    types:
-    - completed
-    workflows:
-    - Check requirements (deterministic)
+    - opened
+    - synchronize
+    - reopened
+  # roles: all # Roles processed as role check in pre-activation job
+  workflow_dispatch:
+    inputs:
+      aw_context:
+        default: ""
+        description: Agent caller context (used internally by Agentic Workflows).
+        required: false
+        type: string
+      pull_request_number:
+        description: Pull request number to (re-)check
+        required: true
+        type: number

 permissions: {}

 concurrency:
+  group: "gh-aw-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }}"
  cancel-in-progress: true
-  group: ${{ github.workflow }}-${{ github.event.workflow_run.head_sha }}

-run-name: "Check requirements (AW)"
+run-name: "Requirements License and Availability Check"

 jobs:
  activation:
-    needs:
-      - extract_pr_number
-      - pre_activation
-    # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation
-    if: >
-      (needs.pre_activation.outputs.activated == 'true') && (github.event_name != 'workflow_run' || github.event.workflow_run.repository.id == github.repository_id &&
-      (!(github.event.workflow_run.repository.fork)))
    runs-on: ubuntu-slim
    permissions:
      actions: read
      contents: read
    outputs:
+      body: ${{ steps.sanitized.outputs.body }}
      comment_id: ""
      comment_repo: ""
      engine_id: ${{ steps.generate_aw_info.outputs.engine_id }}
@@ -87,6 +99,8 @@ jobs:
      setup-span-id: ${{ steps.setup.outputs.span-id }}
      setup-trace-id: ${{ steps.setup.outputs.trace-id }}
      stale_lock_file_failed: ${{ steps.check-lock-file.outputs.stale_lock_file_failed == 'true' }}
+      text: ${{ steps.sanitized.outputs.text }}
+      title: ${{ steps.sanitized.outputs.title }}
    steps:
      - name: Setup Scripts
        id: setup
@@ -94,10 +108,8 @@ jobs:
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
          job-name: ${{ github.job }}
-          trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }}
-          parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }}
        env:
-          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_SETUP_WORKFLOW_NAME: "Requirements License and Availability Check"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
          GH_AW_INFO_VERSION: "1.0.48"
          GH_AW_INFO_ENGINE_ID: "copilot"
@@ -110,7 +122,7 @@ jobs:
          GH_AW_INFO_VERSION: "1.0.48"
          GH_AW_INFO_AGENT_VERSION: "1.0.48"
          GH_AW_INFO_CLI_VERSION: "v0.74.4"
-          GH_AW_INFO_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_INFO_WORKFLOW_NAME: "Requirements License and Availability Check"
          GH_AW_INFO_EXPERIMENTAL: "false"
          GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
          GH_AW_INFO_STAGED: "false"
@@ -175,6 +187,17 @@ jobs:
            setupGlobals(core, github, context, exec, io, getOctokit);
            const { main } = require('${{ runner.temp }}/gh-aw/actions/check_version_updates.cjs');
            await main();
+      - name: Compute current body text
+        id: sanitized
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        env:
+          GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,files.pythonhosted.org,github.com,host.docker.internal,pip.pypa.io,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,telemetry.enterprise.githubcopilot.com"
+        with:
+          script: |
+            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+            setupGlobals(core, github, context, exec, io, getOctokit);
+            const { main } = require('${{ runner.temp }}/gh-aw/actions/compute_text.cjs');
+            await main();
      - name: Create prompt with built-in context
        env:
          GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
@@ -191,20 +214,20 @@ jobs:
        run: |
          bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
          {
-          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
+          cat << 'GH_AW_PROMPT_f9148b37e60758ba_EOF'
          <system>
-          GH_AW_PROMPT_198418d99edc7d5b_EOF
+          GH_AW_PROMPT_f9148b37e60758ba_EOF
          cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
          cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
          cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
          cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
-          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
+          cat << 'GH_AW_PROMPT_f9148b37e60758ba_EOF'
          <safe-output-tools>
          Tools: add_comment, missing_tool, missing_data, noop
          </safe-output-tools>
-          GH_AW_PROMPT_198418d99edc7d5b_EOF
+          GH_AW_PROMPT_f9148b37e60758ba_EOF
          cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md"
-          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
+          cat << 'GH_AW_PROMPT_f9148b37e60758ba_EOF'
          <github-context>
          The following GitHub context information is available for this workflow:
          {{#if github.actor}}
@@ -233,12 +256,12 @@ jobs:
          {{/if}}
          </github-context>
          
-          GH_AW_PROMPT_198418d99edc7d5b_EOF
+          GH_AW_PROMPT_f9148b37e60758ba_EOF
          cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
-          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
+          cat << 'GH_AW_PROMPT_f9148b37e60758ba_EOF'
          </system>
          {{#runtime-import .github/workflows/check-requirements.md}}
-          GH_AW_PROMPT_198418d99edc7d5b_EOF
+          GH_AW_PROMPT_f9148b37e60758ba_EOF
          } > "$GH_AW_PROMPT"
      - name: Interpolate variables and render templates
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -264,7 +287,6 @@ jobs:
          GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
          GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
          GH_AW_MCP_CLI_SERVERS_LIST: '- `safeoutputs` — run `safeoutputs --help` to see available tools'
-          GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }}
        with:
          script: |
            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
@@ -284,8 +306,7 @@ jobs:
                GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY,
                GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID,
                GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE,
-                GH_AW_MCP_CLI_SERVERS_LIST: process.env.GH_AW_MCP_CLI_SERVERS_LIST,
-                GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: process.env.GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED
+                GH_AW_MCP_CLI_SERVERS_LIST: process.env.GH_AW_MCP_CLI_SERVERS_LIST
              }
            });
      - name: Validate prompt placeholders
@@ -316,17 +337,12 @@ jobs:
          retention-days: 1

  agent:
-    needs:
-      - activation
-      - extract_pr_number
+    needs: activation
    runs-on: ubuntu-latest
    permissions:
-      actions: read
      contents: read
      issues: read
      pull-requests: read
-    concurrency:
-      group: "gh-aw-copilot-${{ github.workflow }}"
    env:
      DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
      GH_AW_ASSETS_ALLOWED_EXTS: ""
@@ -359,7 +375,7 @@ jobs:
          trace-id: ${{ needs.activation.outputs.setup-trace-id }}
          parent-span-id: ${{ needs.activation.outputs.setup-parent-span-id || needs.activation.outputs.setup-span-id }}
        env:
-          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_SETUP_WORKFLOW_NAME: "Requirements License and Availability Check"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
          GH_AW_INFO_VERSION: "1.0.48"
          GH_AW_INFO_ENGINE_ID: "copilot"
@@ -381,15 +397,6 @@ jobs:
        run: bash "${RUNNER_TEMP}/gh-aw/actions/configure_gh_for_ghe.sh"
        env:
          GH_TOKEN: ${{ github.token }}
-      - if: github.event.workflow_run.conclusion == 'success'
-        name: Download deterministic-results artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          name: check-requirements-deterministic
-          path: /tmp/gh-aw/deterministic
-          run-id: ${{ github.event.workflow_run.id }}
-
      - name: Configure Git credentials
        env:
          REPO_NAME: ${{ github.repository }}
@@ -423,13 +430,16 @@ jobs:
          GH_HOST: github.com
      - name: Install AWF binary
        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.46
-      - name: Parse integrity filter lists
-        id: parse-guard-vars
+      - name: Determine automatic lockdown mode for GitHub MCP Server
+        id: determine-automatic-lockdown
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9)
        env:
-          GH_AW_BLOCKED_USERS_VAR: ${{ vars.GH_AW_GITHUB_BLOCKED_USERS || '' }}
-          GH_AW_TRUSTED_USERS_VAR: ${{ vars.GH_AW_GITHUB_TRUSTED_USERS || '' }}
-          GH_AW_APPROVAL_LABELS_VAR: ${{ vars.GH_AW_GITHUB_APPROVAL_LABELS || '' }}
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/parse_guard_list.sh"
+          GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
+          GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
+        with:
+          script: |
+            const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
+            await determineAutomaticLockdown(github, context, core);
      - name: Download activation artifact
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
@@ -453,15 +463,15 @@ jobs:
          mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
          mkdir -p /tmp/gh-aw/safeoutputs
          mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
-          cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_627e06df80c4e5ad_EOF'
-          {"add_comment":{"max":1,"target":"${{ needs.extract_pr_number.outputs.pr_number }}"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}}
-          GH_AW_SAFE_OUTPUTS_CONFIG_627e06df80c4e5ad_EOF
+          cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_e3fcd372e2542806_EOF'
+          {"add_comment":{"max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}}
+          GH_AW_SAFE_OUTPUTS_CONFIG_e3fcd372e2542806_EOF
      - name: Generate Safe Outputs Tools
        env:
          GH_AW_TOOLS_META_JSON: |
            {
              "description_suffixes": {
-                "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added. Target: ${{ needs.extract_pr_number.outputs.pr_number }}. Supports reply_to_id for discussion threading."
+                "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added. Supports reply_to_id for discussion threading."
              },
              "repo_params": {},
              "dynamic_tools": []
@@ -617,6 +627,8 @@ jobs:
          GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
          GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
          GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
+          GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }}
+          GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }}
          GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        run: |
          set -eo pipefail
@@ -647,7 +659,7 @@ jobs:
          
          mkdir -p /home/runner/.copilot
          GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
-          cat << GH_AW_MCP_CONFIG_175174907e5a28b4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
+          cat << GH_AW_MCP_CONFIG_710f47825b96ccb9_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
          {
            "mcpServers": {
              "github": {
@@ -657,15 +669,12 @@ jobs:
                  "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
                  "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
                  "GITHUB_READ_ONLY": "1",
-                  "GITHUB_TOOLSETS": "context,repos,issues,pull_requests,actions"
+                  "GITHUB_TOOLSETS": "context,repos,issues,pull_requests"
                },
                "guard-policies": {
                  "allow-only": {
-                    "approval-labels": ${{ steps.parse-guard-vars.outputs.approval_labels }},
-                    "blocked-users": ${{ steps.parse-guard-vars.outputs.blocked_users }},
-                    "min-integrity": "unapproved",
-                    "repos": "all",
-                    "trusted-users": ${{ steps.parse-guard-vars.outputs.trusted_users }}
+                    "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY",
+                    "repos": "$GITHUB_MCP_GUARD_REPOS"
                  }
                }
              },
@@ -691,7 +700,7 @@ jobs:
              "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
            }
          }
-          GH_AW_MCP_CONFIG_175174907e5a28b4_EOF
+          GH_AW_MCP_CONFIG_710f47825b96ccb9_EOF
      - name: Mount MCP servers as CLIs
        id: mount-mcp-clis
        continue-on-error: true
@@ -890,21 +899,6 @@ jobs:
          if [ ! -f /tmp/gh-aw/agent_output.json ]; then
            echo '{"items":[]}' > /tmp/gh-aw/agent_output.json
          fi
-      - if: always() && github.event.workflow_run.conclusion == 'success'
-        name: Verify agent produced an add_comment safe-output
-        run: |-
-          OUTPUT=/tmp/gh-aw/agent_output.json
-          if [ ! -f "${OUTPUT}" ]; then
-            echo "::error::Agent output file ${OUTPUT} is missing; the agent did not run to completion."
-            exit 1
-          fi
-          if ! grep -q '"add_comment"' "${OUTPUT}"; then
-            echo "::error::Agent did not emit an add_comment safe-output; no review comment was posted to the PR."
-            echo "Agent output:"
-            cat "${OUTPUT}"
-            exit 1
-          fi
-
      - name: Upload agent artifacts
        if: always()
        continue-on-error: true
@@ -916,8 +910,6 @@ jobs:
            /tmp/gh-aw/sandbox/agent/logs/
            /tmp/gh-aw/redacted-urls.log
            /tmp/gh-aw/mcp-logs/
-            /tmp/gh-aw/proxy-logs/
-            !/tmp/gh-aw/proxy-logs/proxy-tls/
            /tmp/gh-aw/agent_usage.json
            /tmp/gh-aw/agent-stdio.log
            /tmp/gh-aw/pre-agent-audit.txt
@@ -938,7 +930,6 @@ jobs:
      - activation
      - agent
      - detection
-      - extract_pr_number
      - safe_outputs
    if: >
      always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true' ||
@@ -968,7 +959,7 @@ jobs:
          trace-id: ${{ needs.activation.outputs.setup-trace-id }}
          parent-span-id: ${{ needs.activation.outputs.setup-parent-span-id || needs.activation.outputs.setup-span-id }}
        env:
-          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_SETUP_WORKFLOW_NAME: "Requirements License and Availability Check"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
          GH_AW_INFO_VERSION: "1.0.48"
          GH_AW_INFO_ENGINE_ID: "copilot"
@@ -992,7 +983,7 @@ jobs:
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_NOOP_MAX: "1"
-          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_NAME: "Requirements License and Availability Check"
          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
          GH_AW_NOOP_REPORT_AS_ISSUE: "true"
@@ -1008,7 +999,7 @@ jobs:
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
-          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_NAME: "Requirements License and Availability Check"
          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
          GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
@@ -1025,7 +1016,7 @@ jobs:
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_MISSING_TOOL_CREATE_ISSUE: "true"
-          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_NAME: "Requirements License and Availability Check"
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
@@ -1039,7 +1030,7 @@ jobs:
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_REPORT_INCOMPLETE_CREATE_ISSUE: "true"
-          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_NAME: "Requirements License and Availability Check"
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
@@ -1053,7 +1044,7 @@ jobs:
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
-          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_NAME: "Requirements License and Availability Check"
          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
          GH_AW_WORKFLOW_ID: "check-requirements"
@@ -1107,7 +1098,7 @@ jobs:
          trace-id: ${{ needs.activation.outputs.setup-trace-id }}
          parent-span-id: ${{ needs.activation.outputs.setup-parent-span-id || needs.activation.outputs.setup-span-id }}
        env:
-          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_SETUP_WORKFLOW_NAME: "Requirements License and Availability Check"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
          GH_AW_INFO_VERSION: "1.0.48"
          GH_AW_INFO_ENGINE_ID: "copilot"
@@ -1175,8 +1166,8 @@ jobs:
        if: always() && steps.detection_guard.outputs.run_detection == 'true'
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
-          WORKFLOW_NAME: "Check requirements (AW)"
-          WORKFLOW_DESCRIPTION: "Resolves the deterministic-stage artifact's NEEDS_AGENT checks for changed Python package requirements on PRs targeting the core repo, then posts the final review comment. Triggered by completion of the deterministic workflow. Reads the uploaded artifact from disk, replaces placeholders for any check whose status is `needs_agent`, and posts the merged comment using the PR number recorded inside the artifact itself. Each check kind has a dedicated instruction section below; if the artifact contains a check kind that does not have a section here, the agent fails hard rather than guess."
+          WORKFLOW_NAME: "Requirements License and Availability Check"
+          WORKFLOW_DESCRIPTION: "Checks changed Python package requirements on PRs targeting the core repo (including PRs opened from forks) and verifies licenses match PyPI metadata, source repositories are publicly accessible, PyPI releases were uploaded via automated CI (Trusted Publisher attestation), the package's release pipeline uses OIDC or equivalent automated credentials (not static tokens), and the PR description contains the required links."
          HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
        with:
          script: |
@@ -1283,76 +1274,11 @@ jobs:
              }
            }

-  extract_pr_number:
-    if: github.event.workflow_run.conclusion == 'success'
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-
-    outputs:
-      pr_number: ${{ steps.extract.outputs.pr_number }}
-    steps:
-      - name: Configure GH_HOST for enterprise compatibility
-        id: ghes-host-config
-        shell: bash
-        run: |
-          # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
-          # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
-          GH_HOST="${GITHUB_SERVER_URL#https://}"
-          GH_HOST="${GH_HOST#http://}"
-          echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
-      - name: Download deterministic-results artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          name: check-requirements-deterministic
-          path: /tmp/deterministic
-          run-id: ${{ github.event.workflow_run.id }}
-      - name: Extract PR number from artifact
-        id: extract
-        run: |
-          PR=$(jq -r '.pr_number' /tmp/deterministic/results.json)
-          echo "pr_number=${PR}" >> "${GITHUB_OUTPUT}"
-
-  pre_activation:
-    runs-on: ubuntu-slim
-    outputs:
-      activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
-      matched_command: ''
-      setup-parent-span-id: ${{ steps.setup.outputs.parent-span-id || steps.setup.outputs.span-id }}
-      setup-span-id: ${{ steps.setup.outputs.span-id }}
-      setup-trace-id: ${{ steps.setup.outputs.trace-id }}
-    steps:
-      - name: Setup Scripts
-        id: setup
-        uses: github/gh-aw-actions/setup@d3abfe96a194bce3a523ed2093ddedd5704cdf62 # v0.74.4
-        with:
-          destination: ${{ runner.temp }}/gh-aw/actions
-          job-name: ${{ github.job }}
-        env:
-          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
-          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.48"
-          GH_AW_INFO_ENGINE_ID: "copilot"
-      - name: Check team membership for workflow
-        id: check_membership
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        env:
-          GH_AW_REQUIRED_ROLES: "admin,maintainer,write"
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
-            setupGlobals(core, github, context, exec, io, getOctokit);
-            const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs');
-            await main();
-
  safe_outputs:
    needs:
      - activation
      - agent
      - detection
-      - extract_pr_number
    if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
    runs-on: ubuntu-slim
    permissions:
@@ -1370,7 +1296,7 @@ jobs:
      GH_AW_ENGINE_MODEL: ${{ needs.agent.outputs.model }}
      GH_AW_ENGINE_VERSION: "1.0.48"
      GH_AW_WORKFLOW_ID: "check-requirements"
-      GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+      GH_AW_WORKFLOW_NAME: "Requirements License and Availability Check"
    outputs:
      code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
      code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
@@ -1390,7 +1316,7 @@ jobs:
          trace-id: ${{ needs.activation.outputs.setup-trace-id }}
          parent-span-id: ${{ needs.activation.outputs.setup-parent-span-id || needs.activation.outputs.setup-span-id }}
        env:
-          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_SETUP_WORKFLOW_NAME: "Requirements License and Availability Check"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
          GH_AW_INFO_VERSION: "1.0.48"
          GH_AW_INFO_ENGINE_ID: "copilot"
@@ -1425,7 +1351,7 @@ jobs:
          GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,files.pythonhosted.org,github.com,host.docker.internal,pip.pypa.io,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,telemetry.enterprise.githubcopilot.com"
          GITHUB_SERVER_URL: ${{ github.server_url }}
          GITHUB_API_URL: ${{ github.api_url }}
-          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"${{ needs.extract_pr_number.outputs.pr_number }}\"},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}"
+          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}"
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
@@ -1,378 +1,405 @@
 ---
 on:
-  workflow_run:
-    workflows: ["Check requirements (deterministic)"]
-    types: [completed]
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - "requirements*.txt"
+      - "homeassistant/package_constraints.txt"
+      - "pyproject.toml"
+    forks: ["*"]
+  workflow_dispatch:
+    inputs:
+      pull_request_number:
+        description: "Pull request number to (re-)check"
+        required: true
+        type: number
+  roles: all
 permissions:
  contents: read
-  actions: read
-  issues: read
  pull-requests: read
+  issues: read
 network:
  allowed:
    - python
 tools:
  web-fetch: {}
  github:
-    toolsets: [default, actions]
-    min-integrity: unapproved
+    toolsets: [default]
 safe-outputs:
  add-comment:
    max: 1
-    target: "${{ needs.extract_pr_number.outputs.pr_number }}"
-  needs:
-    - extract_pr_number
-jobs:
-  extract_pr_number:
-    if: github.event.workflow_run.conclusion == 'success'
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-    outputs:
-      pr_number: ${{ steps.extract.outputs.pr_number }}
-    steps:
-      - name: Download deterministic-results artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: check-requirements-deterministic
-          path: /tmp/deterministic
-          run-id: ${{ github.event.workflow_run.id }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Extract PR number from artifact
-        id: extract
-        run: |
-          PR=$(jq -r '.pr_number' /tmp/deterministic/results.json)
-          echo "pr_number=${PR}" >> "${GITHUB_OUTPUT}"
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.workflow_run.head_sha }}
-  cancel-in-progress: true
-steps:
-  - name: Download deterministic-results artifact
-    if: github.event.workflow_run.conclusion == 'success'
-    uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-    with:
-      name: check-requirements-deterministic
-      path: /tmp/gh-aw/deterministic
-      run-id: ${{ github.event.workflow_run.id }}
-      github-token: ${{ secrets.GITHUB_TOKEN }}
-post-steps:
-  - name: Verify agent produced an add_comment safe-output
-    if: always() && github.event.workflow_run.conclusion == 'success'
-    run: |
-      OUTPUT=/tmp/gh-aw/agent_output.json
-      if [ ! -f "${OUTPUT}" ]; then
-        echo "::error::Agent output file ${OUTPUT} is missing; the agent did not run to completion."
-        exit 1
-      fi
-      if ! grep -q '"add_comment"' "${OUTPUT}"; then
-        echo "::error::Agent did not emit an add_comment safe-output; no review comment was posted to the PR."
-        echo "Agent output:"
-        cat "${OUTPUT}"
-        exit 1
-      fi
 description: >
-  Resolves the deterministic-stage artifact's NEEDS_AGENT checks for changed
-  Python package requirements on PRs targeting the core repo, then posts the
-  final review comment. Triggered by completion of the deterministic workflow.
-  Reads the uploaded artifact from disk, replaces placeholders for any check
-  whose status is `needs_agent`, and posts the merged comment using the PR
-  number recorded inside the artifact itself. Each check kind has a dedicated
-  instruction section below; if the artifact contains a check kind that does
-  not have a section here, the agent fails hard rather than guess.
+  Checks changed Python package requirements on PRs targeting the core repo
+  (including PRs opened from forks) and verifies licenses match PyPI metadata, source
+  repositories are publicly accessible, PyPI releases were uploaded via
+  automated CI (Trusted Publisher attestation), the package's release pipeline
+  uses OIDC or equivalent automated credentials (not static tokens), and the PR
+  description contains the required links.
 ---

-# Check requirements (AW)
+# Requirements License and Availability Check

-You are a code review assistant for the Home Assistant project. The
-deterministic stage has already evaluated every check it can on its own
-and produced an artifact containing the PR number, per-package check
-results, and a pre-rendered comment with placeholders. **Your only job is
-to read that artifact, resolve any `needs_agent` checks, and post the
-final comment.**
+You are a code review assistant for the Home Assistant project. Your job is to
+review changes to Python package requirements and verify they meet the project's
+standards.

-## Step 1 — Read the deterministic-stage artifact
+## Context

-The deterministic stage uploaded its results to the runner at
-`/tmp/gh-aw/deterministic/results.json`.
+- Home Assistant uses `requirements_all.txt` (all integration packages),
+  `requirements.txt` (core packages), `requirements_test.txt` (test
+  dependencies), and `requirements_test_all.txt` (all test dependencies) to
+  declare Python dependencies.
+- Each integration lists its packages in `homeassistant/components/<name>/manifest.json`
+  under the `requirements` field.
+- Allowed licenses are maintained in `script/licenses.py` under
+  `OSI_APPROVED_LICENSES_SPDX` (SPDX identifiers) and `OSI_APPROVED_LICENSES`
+  (classifier strings).

-The JSON has this shape:
+## Step 1 — Identify Changed Packages

- `pr_number` — the PR being checked. The `add_comment` safe-output is
-  already targeted at this PR (a pre-job extracts `pr_number` from the
-  artifact and the workflow wires it into the safe-output config via
-  `needs.extract_pr_number.outputs.pr_number`), so **you do not need to
-  set `item_number` yourself** — just emit `add_comment` with the
-  rendered body.
- `needs_agent` — `true` iff any package's check needs resolution.
- `packages[]` — one entry per changed package. Each entry has:
-  - `name`, `old_version` (`null` for a newly added package; otherwise the
-    previous pin), `new_version`, `repo_url`, `publisher_kind`.
-  - `checks` — a dict keyed by **check kind** (string). Each value has a
-    `status` (`pass`, `warn`, `fail`, or `needs_agent`) and `details`.
- `rendered_comment` — the final PR comment body, already rendered. For
-  every check whose status is `needs_agent` it contains two placeholders
-  you must replace:
-  - `{{CHECK_CELL:<pkg-name>:<check-kind>}}` — one cell of the summary
-    table. Replace with exactly one of `✅`, `⚠️`, `❌`.
-  - `{{CHECK_DETAIL:<pkg-name>:<check-kind>}}` — the body of one bullet
-    in the package's `<details>` block. Replace with
-    `<icon> <one-line explanation>` (the bullet's leading
-    `- **<label>**:` is already rendered — replace only the placeholder).
+Use the GitHub tool to fetch the PR diff. Look for lines that were added (`+`)
+or removed (`-`) in **any** of these files:
+- `requirements.txt`
+- `requirements_all.txt`
+- `requirements_test.txt`
+- `requirements_test_all.txt`
+- `homeassistant/package_constraints.txt`
+- `pyproject.toml`

-You **must not** modify any other content in `rendered_comment`. Do not
-re-evaluate checks that already have a deterministic status. Do not add
-or remove packages.
+For each changed line that contains a package pin (e.g. `SomePackage==1.2.3`),
+classify it as:
+- **New package**: the package name appears only in `+` lines, with no
+  corresponding `-` line for the same package name.
+- **Version bump**: the same package name appears in both `+` lines (new
+  version) and `-` lines (old version), with different version numbers.

-## Step 2 — Resolve each `needs_agent` check
+Record the **old version** and **new version** for every version bump — you
+will need these values in Step 4.

-For each `package` in `packages`:

-For each `(check_kind, result)` in `package.checks` where
-`result.status == "needs_agent"`:
+## Step 2 — Check License via PyPI

-1. Look up `## Check kind: <check_kind>` in the **Check instructions**
-   section below.
-2. **If no matching section exists**: emit a single `add_comment` whose
-   body is:
+For each new or bumped package:

-   ```
-   <!-- requirements-check -->
-   ## Check requirements
+1. Fetch `https://pypi.org/pypi/{package_name}/json` (use the exact
+   package name as it appears on the requirements file).
+2. From the JSON response, extract:
+   - `info.license` — free-text license field
+   - `info.license_expression` — SPDX expression (if present)
+   - `info.classifiers` — filter for entries starting with `"License ::"`,
+     then normalize each match the same way as `script/licenses.py` by
+     extracting the final ` :: ` segment (for example,
+     `"License :: OSI Approved :: MIT License"` → `"MIT License"`).
+3. Determine if the license is in the approved list from `script/licenses.py`:
+   - SPDX identifiers: compare against `OSI_APPROVED_LICENSES_SPDX`
+   - Normalized classifier strings: compare against `OSI_APPROVED_LICENSES`
+4. Flag a package as ❌ if the license is unknown, missing, or not in the
+   approved list. Flag as ⚠️ if the license information is ambiguous or cannot
+   be definitively determined.

-   ❌ Internal error: the deterministic artifact contains a check kind
-   (`<check_kind>` on package `<pkg-name>`) that this workflow has no
-   instructions for. Update `.github/workflows/check-requirements.md`
-   to add a matching `## Check kind: <check_kind>` section, or remove
-   the kind from the deterministic stage.
-   ```
+## Step 2b — Verify PyPI Release Was Uploaded by CI

-   Then stop. **Do not improvise** a verdict for an unknown check kind.
-3. Otherwise, follow the instructions in that section. They tell you
-   which icon (✅/⚠️/❌) and one-line explanation to produce.
+For each new or bumped package, verify that the release on PyPI was published
+automatically by a CI pipeline (via OIDC Trusted Publisher), not uploaded
+manually.

-## Step 3 — Post the comment
+1. Fetch the PyPI JSON for the specific version being introduced or bumped:
+   `https://pypi.org/pypi/{package_name}/{version}/json`
+2. Inspect the `urls` array in the response. For each distribution file (wheel
+   or sdist), note the filename.
+3. For each filename, attempt to fetch the PyPI provenance attestation:
+   `https://pypi.org/integrity/{package_name}/{version}/{filename}/provenance`
+   - If the response is HTTP 200 and contains a valid attestation object,
+     inspect `attestation_bundles[*].publisher`. A Trusted Publisher attestation
+     will have a `kind` identifying the CI system (e.g. `"GitHub Actions"`,
+     `"GitLab"`) and a `repository` or `project` field matching the source
+     repository.
+   - If at least one distribution file has a valid Trusted Publisher attestation,
+     mark ✅ CI-uploaded.
+   - If no attestation is found for any file (404 for all), mark ❌ — "Release
+     has no provenance attestation; it may have been uploaded manually".
+   - If an attestation exists but the `publisher` does not identify a recognized
+     CI system or Trusted Publisher, mark ⚠️ — "Attestation present but
+     publisher cannot be verified as automated CI".

-1. Replace every `{{CHECK_CELL:…}}` and `{{CHECK_DETAIL:…}}` placeholder
-   in `rendered_comment` with the resolved value.
-2. Emit the resulting markdown using `add_comment` — set `body` to the
-   merged `rendered_comment` verbatim (the leading
-   `<!-- requirements-check -->` marker must be preserved). The PR
-   target is already set by the workflow; do not pass `item_number`.
+Note: if PyPI returns an error fetching the per-version JSON, fall back to the
+latest JSON (`https://pypi.org/pypi/{package_name}/json`) and look up the
+specific version in the `releases` dict.

-If the artifact's top-level `needs_agent` is `false` (no checks need
-you), emit `rendered_comment` unchanged.
+## Step 3 — Identify Repository URL

-## Check instructions
+For each new or bumped package:

-### Check kind: `repo_public`
+1. From the PyPI JSON at `info.project_urls`, find the source repository URL
+   (keys such as `"Source"`, `"Homepage"`, `"Repository"`, or `"Source Code"`).
+2. Record that repository URL for later checks.
+3. If no suitable repository URL is present, mark ❌ with a note that the
+   source repository URL is missing and cannot be verified.

-Verify that the package's source repository is publicly reachable.
+## Step 4 — Check PR Description

-1. Read `package.repo_url`.
-2. Use the `web-fetch` tool to GET that URL.
-3. Decide the verdict:
-   - HTTP 200, returns a public repository page → ✅
-     `<repo_url> is publicly accessible.`
-   - HTTP 4xx/5xx, or the response redirects to a login / sign-in page →
-     ❌ `Source repository at <repo_url> is not publicly accessible.
-     Home Assistant requires all dependencies to have publicly available
-     source code.`
-   - Any other inconclusive result → ⚠️ with a one-line description.
+Read the PR body from the GitHub API using the PR number from the workflow
+context (`pull-request-number`). If that value is absent, use the
+`workflow_dispatch` input `pull_request_number`.
+Extract all URLs present in the PR body.

-If `repo_public` resolves to ❌ for a package, **also** mark that
-package's `release_pipeline` and `async_blocking` cells/details as `—`
-(em dash) and explain `Skipped because the source repository is not
-publicly accessible.` — neither check can be performed without a public
-repo.
+### 4a — New packages: repository link required

-### Check kind: `pr_link`
+For **new packages** (brand-new dependency not previously in any requirements
+file): the PR description must contain a link that points to the package's
+**source repository** as identified in Step 3 (the URL recorded from
+`info.project_urls`). A PyPI page link alone is **not** acceptable — the link
+must point directly to the source repository (e.g. a GitHub or GitLab URL).

-Verify the PR description contains the right link for the change.
+- If a URL in the PR body matches (or is a sub-path of) the source repository
+  URL identified via PyPI, mark ✅.
+- If the PR body contains a source repository URL that does **not** match the
+  repository URL found in the package's PyPI metadata (`info.project_urls`),
+  mark ❌ — "PR description links to `<pr_url>` but PyPI reports the source
+  repository as `<pypi_repo_url>`; please use the correct repository URL."
+- If no source repository URL is present in the PR body at all, mark ❌ —
+  "PR description must link to the source repository at `<repo_url>` (found
+  via PyPI). A PyPI page link is not sufficient."

-1. Fetch the PR body via the GitHub MCP tool, using the `pr_number`
-   field from the artifact.
-2. Extract all URLs from the body.
-3. For a **new package** (`package.old_version` is `null`):
-   - The PR body must contain a URL that points at `package.repo_url`
-     (any sub-path of the same `owner/repo` on the same host is
-     acceptable). A PyPI link is **not** sufficient.
-   - ✅ if such a URL is present.
-   - ❌ otherwise:
-     `PR description must link to the source repository at <repo_url>.
-     A PyPI page link is not sufficient.`
-4. For a **version bump** (`package.old_version` is not `null`):
-   - The PR body must contain a URL on the same host as
-     `package.repo_url` that references **both** `package.old_version`
-     and `package.new_version` (e.g. a GitHub compare URL
-     `compare/vX...vY`, a release / changelog URL containing both
-     versions, etc.).
-   - ✅ if such a URL is present and the versions match the actual bump.
-   - ❌ otherwise:
-     `PR description should link to a changelog or compare URL on
-     <repo_url> that mentions both <old_version> and <new_version>.`
+### 4b — Version bumps: changelog or diff link required

-### Check kind: `release_pipeline`
+For **version bumps**: the PR description must contain a link to a changelog,
+release notes page, or a diff/comparison URL that references the **correct
+versions** being bumped (old → new).

-Inspect the upstream project's release / publish CI pipeline.
+Checks to perform for each bumped package (old version = X, new version = Y):
+1. Extract all URLs from the PR body that contain the repository's domain or
+   path (as identified in Step 3).
+2. Verify that at least one such URL includes both the old version string and
+   new version string in some form — e.g. a GitHub compare URL like
+   `compare/vX...vY`, a releases URL mentioning version Y, or a
+   `CHANGELOG.md` anchor referencing Y.
+3. If no URL matches, check if the PR body contains any changelog/diff link at
+   all for this package.

-For each package needing inspection, determine the source repository
-host from `package.repo_url`, then apply the corresponding checklist.
+Outcome:
+- ✅ — a URL pointing to the correct repo with version references covering the
+  exact bump (X → Y).
+- ⚠️ — a changelog/diff link exists but does not clearly reference the correct
+  versions or the correct repository; explain what was found and what is
+  expected.
+- ❌ — no changelog or diff link found at all in the PR description for this
+  package.

-#### GitHub repositories (`github.com`)
+### 4c — Diff consistency check

-1. List workflows: `GET /repos/{owner}/{repo}/actions/workflows`.
-2. Identify any workflow whose name or filename suggests publishing to
-   PyPI (`release`, `publish`, `pypi`, or `deploy`).
-3. Fetch the workflow file and check:
-   - **Trigger sanity**: triggered by `push` to tags,
-     `release: published`, or `workflow_run` on a release job —
-     **not** solely `workflow_dispatch` with no environment-protection
-     guard.
-   - **OIDC / Trusted Publisher**: look for `id-token: write` and one of
-     `pypa/gh-action-pypi-publish`, `actions/attest-build-provenance`,
-     or `TWINE_PASSWORD` from a static `secrets.PYPI_TOKEN`.
-   - **No manual upload bypass**: no ungated `twine upload` or
-     `pip upload`.
-4. Verdict:
-   - ✅ if OIDC + sane triggers + no bypass.
-   - ⚠️ if static token but version bump, or details unclear.
-   - ❌ if static token on a new package, or only-manual triggers with
-     no environment protection.
+For each **version bump**, verify that the version change recorded in the diff
+(Step 1) is internally consistent:
+- The `-` line must contain the old version and the `+` line must contain the
+  new version for the same package name.
+- Flag ❌ if the diff shows a downgrade (new version < old version) without an
+  explanation, or if the version strings cannot be parsed.

-#### GitLab repositories (`gitlab.com` or self-hosted GitLab)
+## Step 5 — Verify Source Repository is Publicly Accessible

-1. Resolve the project ID via
-   `GET https://gitlab.com/api/v4/projects/{url-encoded-namespace-and-name}`.
-2. Fetch `.gitlab-ci.yml` via
-   `GET https://gitlab.com/api/v4/projects/{id}/repository/files/.gitlab-ci.yml/raw?ref=HEAD`.
-3. Apply the same conceptual checks: tag-only / protected-branch
-   triggers, GitLab OIDC `id_tokens` or CI/CD protected `PYPI_TOKEN`, no
-   ungated `twine upload`. Same verdict rules as GitHub.
+Before inspecting the release pipeline, confirm that the source repository
+identified in Step 3 is publicly reachable.

-#### Other code hosting providers (Bitbucket, Codeberg, Gitea, Sourcehut, …)
+For each new or bumped package:

-1. Use `web-fetch` to retrieve any visible CI configuration
-   (`.circleci/config.yml`, `Jenkinsfile`, `azure-pipelines.yml`,
-   `bitbucket-pipelines.yml`, `.builds/*.yml`).
-2. Apply the conceptual checks: automated triggers, CI-injected
-   credentials, no manual `twine upload`.
-3. If no CI config can be retrieved: ⚠️ `Release pipeline could not be
-   inspected; hosting provider is not GitHub or GitLab.`
+1. Use the source repository URL recorded in Step 3.
+2. If no repository URL was found in `info.project_urls`, mark ❌ — "No source
+   repository URL found in PyPI metadata; a public source repository is
+   required."
+3. If a repository URL was found, perform a GET request to that URL (using
+   web-fetch). If the response is HTTP 200 and returns a publicly accessible
+   page (not a login redirect or error page), mark ✅.
+4. If the response is non-200, the URL redirects to a login/authentication page,
+   or the repository appears private or unavailable, mark ❌ — "Source
+   repository at `<repo_url>` is not publicly accessible. Home Assistant
+   requires all dependencies to have publicly available source code." **Do not
+   proceed with the release pipeline check (Step 6) for this package.**

-### Check kind: `async_blocking`
+## Step 6 — Check Release Pipeline Sanity

-Verify whether the dependency performs blocking I/O inside async code
-paths. Home Assistant runs on a single asyncio event loop, so a library
-that exposes an `async` surface must not call blocking APIs from inside
-its `async def` functions — that stalls the whole loop. A purely sync
-library is fine: Home Assistant integrations are expected to wrap such
-calls in an executor.
+For each new or bumped package, determine the source repository host from the
+URL identified in Step 3, then inspect whether the project's release/publish CI
+workflow is sane. The checks differ by hosting provider.

-**Two modes — pick by inspecting `package.old_version`:**
+### GitHub repositories (`github.com`)

- `old_version` is `null` → **new package**: review the *entire current
-  source tree*. Nothing about this dependency has been vetted before.
- `old_version` is a string → **version bump**: review only the *diff
-  between `old_version` and `new_version`*. The previous version was
-  already accepted, so blocking calls that were present in
-  `old_version` are not regressions; report only what `new_version`
-  introduces.
+1. Using the GitHub API, list the workflows in the source repository:
+   `GET /repos/{owner}/{repo}/actions/workflows`
+2. Identify any workflow whose name or filename suggests publishing to PyPI
+   (e.g., contains "release", "publish", "pypi", or "deploy").
+3. Fetch the workflow file content and check the following:
+   a. **Trigger sanity**: The publish job should be triggered by `push` to tags,
+      `release: published`, or `workflow_run` on a release job — **not** solely
+      by `workflow_dispatch` with no additional guards. A `workflow_dispatch`
+      trigger alongside other triggers is acceptable. Mark ❌ if the only trigger
+      is manual `workflow_dispatch` with no environment protection rules.
+   b. **OIDC / Trusted Publisher**: The workflow should use OIDC-based publishing.
+      Look for `id-token: write` permission and one of:
+      - `pypa/gh-action-pypi-publish` action
+      - `actions/attest-build-provenance` action
+      - Any step that sets `TWINE_PASSWORD` from `secrets.PYPI_TOKEN` directly
+        (flag ❌ if a long-lived API token is used instead of OIDC).
+      Mark ✅ if OIDC is used, ⚠️ if the publish method cannot be determined,
+      ❌ if a static secret token is the only credential.
+   c. **No manual upload bypass**: Verify there is no step that calls
+      `twine upload` or `pip upload` outside of a properly gated job (e.g., one
+      that requires an environment approval). Flag ⚠️ if such steps exist.
+4. If no publish workflow is found in the repository, mark ⚠️ — "No publish
+   workflow found; it is unclear how this package is released to PyPI."

-#### Step 1 — Decide whether the library exposes an async surface
+### GitLab repositories (`gitlab.com` or self-hosted GitLab)

-Use the `github` MCP tool (for `github.com` repos) or `web-fetch`
-(other hosts) on `package.repo_url`. Always inspect the tag /
-ref matching `new_version` (e.g. `v{new_version}` or `{new_version}`).
+1. Use the GitLab REST API to list CI/CD pipeline configuration files. First
+   resolve the project ID via
+   `GET https://gitlab.com/api/v4/projects/{url-encoded-namespace-and-name}`
+   and note the `id` field.
+2. Fetch the repository's `.gitlab-ci.yml` (and any included files) using
+   `GET https://gitlab.com/api/v4/projects/{id}/repository/files/.gitlab-ci.yml/raw?ref=HEAD`
+   (use web-fetch for public repos).
+3. Identify any job whose name or `stage` suggests publishing to PyPI
+   (e.g., "publish", "deploy", "release", "pypi").
+4. For each such job, check:
+   a. **Trigger sanity**: The job should run only on tag pipelines (`only: tags`
+      or `rules: - if: $CI_COMMIT_TAG`) or on protected branches — **not**
+      solely on manual triggers (`when: manual`) with no additional protection.
+      Mark ❌ if the only trigger is manual with no environment or protected-branch
+      guard.
+   b. **Automated credentials**: The job should use GitLab's OIDC ID token
+      (`id_tokens:` block) and `pypa/gh-action-pypi-publish` equivalent, or
+      reference `secrets.PYPI_TOKEN` / `$PYPI_TOKEN` injected from GitLab CI/CD
+      protected variables (flag ❌ if the token is hard-coded or unprotected).
+      Mark ✅ if OIDC or protected CI variables are used, ⚠️ if the method
+      cannot be determined, ❌ if credentials appear to be insecure.
+   c. **No manual upload bypass**: Flag ⚠️ if any job calls `twine upload`
+      without being behind a protected-variable or environment guard.
+5. If no publish job is found, mark ⚠️ — "No publish job found in .gitlab-ci.yml;
+   it is unclear how this package is released to PyPI."

- Locate the top-level package directory (usually named after the
-  import name, often equal or close to `package.name`).
- Check `pyproject.toml` / `setup.py` / `setup.cfg` / `README*` for
-  async indicators (`Framework :: AsyncIO` trove classifier, `asyncio`
-  / `aiohttp` / `httpx` / `anyio` in dependencies, an async usage
-  example in the README).
- Grep the package source for `async def`. A handful of `async def`
-  entries in the public modules is enough to treat the library as
-  having an async surface.
+### Other code hosting providers

-If the library is **sync-only** (no `async def` in its public modules
-and no async framework dependency) → ✅
-`Sync-only library; Home Assistant integrations must wrap calls in an
-executor.` *This verdict is the same in both modes.*
+For repositories hosted on platforms other than GitHub or GitLab (e.g.,
+Bitbucket, Codeberg, Gitea, Sourcehut):
+1. Use web-fetch to retrieve the repository's root page and look for any
+   publicly visible CI configuration files (e.g., `.circleci/config.yml`,
+   `Jenkinsfile`, `azure-pipelines.yml`, `bitbucket-pipelines.yml`,
+   `.builds/*.yml` for Sourcehut).
+2. Apply the same conceptual checks as above:
+   - Does publishing run on automated triggers (tags/releases), not solely
+     manual ones?
+   - Are credentials injected by the CI system (not hard-coded)?
+   - Is there a `twine upload` or equivalent step that could be run manually?
+3. If no CI configuration can be retrieved, mark ⚠️ — "Release pipeline could
+   not be inspected; hosting provider is not GitHub or GitLab."

-#### Step 2a — Mode: new package (`old_version` is `null`)
+## Step 7 — Post a Review Comment

-Inspect **every `async def` in the public modules** for blocking
-patterns. Walk transitively into helpers the async functions call.
+**Always** post a review comment using `add_comment`, regardless of whether
+packages pass or fail. Use the following structure:

-#### Step 2b — Mode: version bump (`old_version` is a string)
+**Note on deduplication**: The workflow automatically updates any previous
+requirements-check comment on the PR in place (preserving its position in the
+thread). If no previous comment exists, the newly created comment is kept as-is.
+You do not need to search for or update previous comments yourself.

-Fetch the diff between the two tags and review **only changed lines**:
+### Comment structure

- GitHub: `GET /repos/{owner}/{repo}/compare/{old_tag}...{new_tag}` via
-  the `github` MCP tool, or
-  `https://github.com/{owner}/{repo}/compare/{old_tag}...{new_tag}.diff`
-  via `web-fetch`. Try the common tag formats in order until one
-  resolves: `v{version}`, `{version}`, `release-{version}`.
- GitLab: `https://gitlab.com/{namespace}/{project}/-/compare/{old_tag}...{new_tag}.diff`.
- Other hosts: use the project's equivalent compare URL via
-  `web-fetch`.
+Begin every comment with the HTML marker `<!-- requirements-check -->` on its
+own line (this is used by the workflow to find the previous comment and update
+it on the next run).

-If neither tag format resolves on the host, fall back to a full review
-(Step 2a) and mention in the detail that the diff was unavailable.
+### 7a — Overall summary line

-When reviewing the diff, only flag blocking patterns that appear in
-**added lines** *inside or reachable from* an `async def`. A blocking
-call that existed in `old_version` and is unchanged is not a regression
-for this bump.
+Begin the comment with a single summary line, before anything else:

-#### Step 3 — Blocking patterns to look for
+- If everything passed: `All requirements checks passed. ✅`
+- If there are failures or warnings: `⚠️ Some checks require attention — see the details below.`

-In both modes, the patterns to flag inside `async def` bodies are:
+### 7b — Summary table

- Sync HTTP: `requests.`, `urllib.request`, `urllib3.` direct use,
-  `http.client.`, sync `httpx.Client(` / `httpx.get(` (NOT the
-  `AsyncClient`), `pycurl`.
- `time.sleep(` (must be `await asyncio.sleep(`).
- Sync sockets: bare `socket.socket` reads/writes, `ssl.wrap_socket`,
-  blocking `select.select`.
- File I/O: `open(` / `pathlib.Path.read_*` / `.write_*` for
-  non-trivial sizes (small one-shot reads during import are
-  acceptable; reads/writes on the request path are not — prefer
-  `aiofiles` / executor).
- Sync DB drivers used directly: `sqlite3`, `psycopg2`, `pymysql`,
-  `pymongo` (sync client), `redis.Redis` (sync client).
- `subprocess.run` / `subprocess.call` / `os.system` (must be
-  `asyncio.create_subprocess_*`).
+Render a compact table where every check column contains **only the status
+icon** (✅, ⚠️, or ❌). No explanatory text belongs inside the table cells —
+all detail goes in the per-package sections below.

-A call that is clearly dispatched to an executor
-(`run_in_executor`, `asyncio.to_thread`, `anyio.to_thread.run_sync`)
-does NOT count as blocking.
+Use `—` (em dash) when a check was skipped (e.g. Release Pipeline is skipped
+when the repository is not publicly accessible).

-#### Step 4 — Verdict
+```
+<!-- requirements-check -->
+## Requirements Check

- ✅ — no offending blocking pattern in the surface being reviewed
-  (whole tree for a new package, added lines for a bump). For a bump,
-  phrase the detail as `No new blocking calls introduced in
-  {old_version} → {new_version}.`.
- ⚠️ — blocking calls exist only in sync helpers that the async API
-  does not call, or only on a clearly non-hot path (e.g. one-shot
-  setup before the event loop is running). Cite at least one
-  `<file>:<line>` and explain why it is not on the hot path.
- ❌ — a blocking call is reachable from an `async def` that is part
-  of the public API on the request / polling path (for a bump: the
-  call was introduced or moved onto the hot path by this version).
-  Cite the offending `<file>:<line>` as a clickable link on the repo
-  host so the contributor can jump to it.
+| Package | Type | Old→New | License | Repo Public | CI Upload | Release Pipeline | PR Link | Diff Consistent |
+|---------|------|---------|---------|-------------|-----------|------------------|---------|-----------------|
+| PackageA | bump | 1.2.3→1.3.0 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
+| PackageB | new  | —→4.5.6 | ❌ | ✅ | ❌ | ⚠️ | ❌ | ✅ |
+| PackageC | bump | 2.0.0→2.1.0 | ✅ | ❌ | — | — | ⚠️ | ✅ |
+```
+
+### 7c — Per-package detail sections
+
+After the table, add one collapsible `<details>` block per package.
+
+- If **all checks passed** for that package, render the block **collapsed**
+  (no `open` attribute) so the comment stays concise.
+- If **any check failed or produced a warning**, render the block **open**
+  (`<details open>`) so the contributor sees the issues immediately.
+
+Each block must include the full detail for every check: the license found, the
+repository URL, whether a provenance attestation was found, the release
+pipeline findings, the PR link found (or missing), and whether the diff is
+consistent. For failed or warned checks, explain exactly what the contributor
+must fix, including the expected source repository URL, expected version range,
+etc.
+
+Template (repeat for each package):
+
+```
+<details open>
+<summary><strong>PackageB 📦 new —→4.5.6</strong></summary>
+
+- **License**: ❌ License is `UNKNOWN` — not in the approved list. Check PyPI metadata and `script/licenses.py`.
+- **Repository Public**: ✅ https://github.com/example/packageb is publicly accessible.
+- **CI Upload**: ❌ No provenance attestation found for any distribution file. The release may have been uploaded manually.
+- **Release Pipeline**: ⚠️ No publish workflow found in the repository; it is unclear how this package is released to PyPI.
+- **PR Link**: ❌ PR description must link to the source repository at https://github.com/example/packageb (a PyPI page link is not sufficient).
+- **Diff Consistent**: ✅
+
+</details>
+```
+
+Collapsed example (all checks passed):
+
+```
+<details>
+<summary><strong>PackageA 📦 bump 1.2.3→1.3.0</strong></summary>
+
+- **License**: ✅ MIT
+- **Repository Public**: ✅ https://github.com/example/packagea
+- **CI Upload**: ✅ Trusted Publisher attestation found (GitHub Actions).
+- **Release Pipeline**: ✅ OIDC via `pypa/gh-action-pypi-publish`; triggered on `release: published`; `environment: release` gate.
+- **PR Link**: ✅ https://github.com/example/packagea/compare/v1.2.3...v1.3.0
+- **Diff Consistent**: ✅
+
+</details>
+```

 ## Notes

- Be constructive and helpful. Reference the inspected workflow / CI
-  file by URL where useful so the contributor can fix the issue.
- The dedup of the requirements-check comment is handled by gh-aw's
-  `add_comment` safe-output via the `<!-- requirements-check -->`
-  marker on the first line of `rendered_comment`.
- If the deterministic workflow concluded with a non-success status,
-  this workflow's `if:` guard on `Download deterministic-results
-  artifact` skipped the download. If you find no file at
-  `/tmp/gh-aw/deterministic/results.json`, emit nothing — the post-step
-  verification is also gated and will not complain.
+- Be constructive and helpful. Provide direct links where possible so the
+  contributor can quickly fix the issue.
+- If PyPI returns an error for a package, mention that it could not be found and
+  suggest the contributor verify the package name.
+- For packages that only appear in `homeassistant/package_constraints.txt` or
+  `pyproject.toml` without being tied to a specific integration, the PR
+  description link requirement still applies.
+- When checking test-only packages (from `requirements_test.txt` or
+  `requirements_test_all.txt`), apply the same license, repository, and PR
+  description checks as for production dependencies.
+- A package that appears in both a production file and a test file should only
+  be reported once; use the production file entry as the canonical one.
+- This workflow is only triggered when a commit actually changes one of the
+  tracked requirements files (for `synchronize` events GitHub compares the
+  before/after SHAs of the push, not the entire PR diff). Members can manually
+  retrigger the workflow via `workflow_dispatch` with the PR number to re-run
+  the check after updating the PR description or fixing issues without changing
+  any requirements files. On a retrigger the existing comment is updated in
+  place so there is always exactly one requirements-check comment in the PR.
@@ -281,7 +281,7 @@ jobs:
          echo "::add-matcher::.github/workflows/matchers/check-executables-have-shebangs.json"
          echo "::add-matcher::.github/workflows/matchers/codespell.json"
      - name: Run prek
-        uses: j178/prek-action@bdca6f102f98e2b4c7029491a53dfd366469e33d # v2.0.4
+        uses: j178/prek-action@6ad80277337ad479fe43bd70701c3f7f8aa74db3 # v2.0.3
        env:
          PREK_SKIP: no-commit-to-branch,mypy,pylint,gen_requirements_all,hassfest,hassfest-metadata,hassfest-mypy-config,zizmor
          RUFF_OUTPUT_FORMAT: github
@@ -302,7 +302,7 @@ jobs:
        with:
          persist-credentials: false
      - name: Run zizmor
-        uses: j178/prek-action@bdca6f102f98e2b4c7029491a53dfd366469e33d # v2.0.4
+        uses: j178/prek-action@6ad80277337ad479fe43bd70701c3f7f8aa74db3 # v2.0.3
        with:
          extra-args: --all-files zizmor

@@ -917,49 +917,12 @@ jobs:
          key: >-
            ${{ runner.os }}-${{ runner.arch }}-${{ steps.python.outputs.python-version }}-${{
            needs.info.outputs.python_cache_key }}
-      - name: Restore pytest test counts cache
-        id: cache-pytest-counts
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: pytest_test_counts.json
-          # Primary key is a sentinel; restore-keys pick the most recent
-          # prefix match since the real (content-addressed) key isn't
-          # known until split_tests.py runs below.
-          key: >-
-            pytest-counts-${{ runner.os }}-${{ runner.arch }}-${{
-            steps.python.outputs.python-version }}-${{
-            needs.info.outputs.python_cache_key }}-restore-sentinel
-          restore-keys: |
-            pytest-counts-${{ runner.os }}-${{ runner.arch }}-${{ steps.python.outputs.python-version }}-${{ needs.info.outputs.python_cache_key }}-
      - name: Run split_tests.py
        env:
          TEST_GROUP_COUNT: ${{ needs.info.outputs.test_group_count }}
        run: |
          . venv/bin/activate
-          python -m script.split_tests \
-            --cache pytest_test_counts.json \
-            ${TEST_GROUP_COUNT} tests
-      - name: Hash pytest test counts cache
-        id: cache-pytest-counts-hash
-        run: |
-          echo "hash=$(sha256sum pytest_test_counts.json | cut -d' ' -f1)" \
-            >> "$GITHUB_OUTPUT"
-      - name: Save pytest test counts cache
-        # Content-addressed key: identical content reuses the same entry.
-        # Skip the save when the restore already matched that hash.
-        if: >-
-          !endsWith(
-            steps.cache-pytest-counts.outputs.cache-matched-key,
-            steps.cache-pytest-counts-hash.outputs.hash
-          )
-        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: pytest_test_counts.json
-          key: >-
-            pytest-counts-${{ runner.os }}-${{ runner.arch }}-${{
-            steps.python.outputs.python-version }}-${{
-            needs.info.outputs.python_cache_key }}-${{
-            steps.cache-pytest-counts-hash.outputs.hash }}
+          python -m script.split_tests ${TEST_GROUP_COUNT} tests
      - name: Upload pytest_buckets
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
@@ -28,11 +28,11 @@ jobs:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          languages: python

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          category: "/language:python"
@@ -236,7 +236,7 @@ jobs:
      - name: Detect duplicates using AI
        id: ai_detection
        if: steps.extract.outputs.should_continue == 'true' && steps.fetch_similar.outputs.has_similar == 'true'
-        uses: actions/ai-inference@17ff458cb182449bbb2e43701fcd98f6af8f6570 # v2.1.0
+        uses: actions/ai-inference@e09e65981758de8b2fdab13c2bfb7c7d5493b0b6 # v2.0.7
        with:
          model: openai/gpt-4o
          system-prompt: |
@@ -62,7 +62,7 @@ jobs:
      - name: Detect language using AI
        id: ai_language_detection
        if: steps.detect_language.outputs.should_continue == 'true'
-        uses: actions/ai-inference@17ff458cb182449bbb2e43701fcd98f6af8f6570 # v2.1.0
+        uses: actions/ai-inference@e09e65981758de8b2fdab13c2bfb7c7d5493b0b6 # v2.0.7
        with:
          model: openai/gpt-4o-mini
          system-prompt: |
@@ -1 +1 @@
-3.14.5
+3.14.4
@@ -132,7 +132,7 @@
      "problemMatcher": []
    },
    {
-      "label": "Install all production Requirements",
+      "label": "Install all Requirements",
      "type": "shell",
      "command": "uv pip install -r requirements_all.txt",
      "group": {
@@ -146,9 +146,9 @@
      "problemMatcher": []
    },
    {
-      "label": "Install all (test & production) Requirements",
+      "label": "Install all Test Requirements",
      "type": "shell",
-      "command": "uv pip install -r requirements_all.txt -r requirements_test.txt",
+      "command": "uv pip install -r requirements.txt -r requirements_test_all.txt",
      "group": {
        "kind": "build",
        "isDefault": true
@@ -15,7 +15,6 @@ This repository contains the core of Home Assistant, a Python 3 based home autom

 - When entering a new environment or worktree, run `script/setup` to set up the virtual environment with all development dependencies (pylint, pre-commit hooks, etc.). This is required before committing.
 - .vscode/tasks.json contains useful commands used for development.
- After finishing a code session, run `uv run prek run --all-files` to check for linting and formatting issues.

 ## Python Syntax Notes

@@ -1413,8 +1413,8 @@ CLAUDE.md @home-assistant/core
 /tests/components/pushover/ @engrbm87
 /homeassistant/components/pvoutput/ @frenck
 /tests/components/pvoutput/ @frenck
-/homeassistant/components/pvpc_hourly_pricing/ @azogue @chiro79
-/tests/components/pvpc_hourly_pricing/ @azogue @chiro79
+/homeassistant/components/pvpc_hourly_pricing/ @azogue
+/tests/components/pvpc_hourly_pricing/ @azogue
 /homeassistant/components/pyload/ @tr4nt0r
 /tests/components/pyload/ @tr4nt0r
 /homeassistant/components/qbittorrent/ @geoffreylagaisse @finder39
@@ -1538,8 +1538,8 @@ CLAUDE.md @home-assistant/core
 /homeassistant/components/saj/ @fredericvl
 /homeassistant/components/samsung_infrared/ @lmaertin
 /tests/components/samsung_infrared/ @lmaertin
-/homeassistant/components/samsungtv/ @chemelli74
-/tests/components/samsungtv/ @chemelli74
+/homeassistant/components/samsungtv/ @chemelli74 @epenet
+/tests/components/samsungtv/ @chemelli74 @epenet
 /homeassistant/components/sanix/ @tomaszsluszniak
 /tests/components/sanix/ @tomaszsluszniak
 /homeassistant/components/satel_integra/ @Tommatheussen
@@ -134,7 +134,7 @@ class AuthManagerFlowManager(
        """
        flow = cast(LoginFlow, flow)

-        if result["type"] is not FlowResultType.CREATE_ENTRY:
+        if result["type"] != FlowResultType.CREATE_ENTRY:
            return result

        # we got final result
@@ -19,7 +19,6 @@ from .hub import AdsHub

 DEFAULT_NAME = "ADS select"

-# pylint: disable-next=home-assistant-duplicate-const
 CONF_OPTIONS = "options"

 PLATFORM_SCHEMA = SELECT_PLATFORM_SCHEMA.extend(
@@ -81,10 +81,8 @@ async def async_setup_entry(hass: HomeAssistant, entry: AirOSConfigEntry) -> boo
    ) as err:
        raise ConfigEntryAuthFailed from err
    except AirOSKeyDataMissingError as err:
-        # pylint: disable-next=home-assistant-exception-not-translated
        raise ConfigEntryError("key_data_missing") from err
    except Exception as err:
-        # pylint: disable-next=home-assistant-exception-not-translated
        raise ConfigEntryError("unknown") from err

    airos_class: type[AirOS8 | AirOS6] = (
@@ -11,7 +11,7 @@
      "service": "mdi:dialpad"
    },
    "alarm_toggle_chime": {
-      "service": "mdi:bell-ring"
+      "service": "mdi:abc"
    }
  }
 }
@@ -102,9 +102,6 @@
    "entry_not_loaded": {
      "message": "Entry not loaded: {entry}"
    },
-    "invalid_auth": {
-      "message": "Invalid authentication credentials: {error}"
-    },
    "invalid_device_id": {
      "message": "Invalid device ID specified: {device_id}"
    },
@@ -2,5 +2,4 @@

 DOMAIN = "altruist"

-# pylint: disable-next=home-assistant-duplicate-const
 CONF_HOST = "host"
@@ -16,8 +16,6 @@ from .entity import AnthropicBaseLLMEntity
 if TYPE_CHECKING:
    from . import AnthropicConfigEntry

-PARALLEL_UPDATES = 0
-
 _LOGGER = logging.getLogger(__name__)


@@ -24,7 +24,6 @@ from homeassistant.const import (
    CONF_API_KEY,
    CONF_LLM_HASS_API,
    CONF_NAME,
-    CONF_PROMPT,
 )
 from homeassistant.core import HomeAssistant, callback
 from homeassistant.helpers import config_validation as cv, llm
@@ -44,6 +43,7 @@ from .const import (
    CONF_CHAT_MODEL,
    CONF_CODE_EXECUTION,
    CONF_MAX_TOKENS,
+    CONF_PROMPT,
    CONF_PROMPT_CACHING,
    CONF_RECOMMENDED,
    CONF_THINKING_BUDGET,
@@ -226,7 +226,7 @@ class ConversationSubentryFlowHandler(ConfigSubentryFlow):
    ) -> SubentryFlowResult:
        """Set initial options."""
        # abort if entry is not loaded
-        if self._get_entry().state is not ConfigEntryState.LOADED:
+        if self._get_entry().state != ConfigEntryState.LOADED:
            return self.async_abort(reason="entry_not_loaded")

        hass_apis: list[SelectOptionDict] = [
@@ -10,6 +10,7 @@ DEFAULT_CONVERSATION_NAME = "Claude conversation"
 DEFAULT_AI_TASK_NAME = "Claude AI Task"

 CONF_RECOMMENDED = "recommended"
+CONF_PROMPT = "prompt"
 CONF_CHAT_MODEL = "chat_model"
 CONF_CODE_EXECUTION = "code_execution"
 CONF_MAX_TOKENS = "max_tokens"
@@ -4,16 +4,14 @@ from typing import Literal

 from homeassistant.components import conversation
 from homeassistant.config_entries import ConfigSubentry
-from homeassistant.const import CONF_LLM_HASS_API, CONF_PROMPT, MATCH_ALL
+from homeassistant.const import CONF_LLM_HASS_API, MATCH_ALL
 from homeassistant.core import HomeAssistant
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback

 from . import AnthropicConfigEntry
-from .const import DOMAIN
+from .const import CONF_PROMPT, DOMAIN
 from .entity import AnthropicBaseLLMEntity

-PARALLEL_UPDATES = 0
-

 async def async_setup_entry(
    hass: HomeAssistant,
@@ -5,10 +5,11 @@ from typing import TYPE_CHECKING, Any
 from anthropic import __title__, __version__

 from homeassistant.components.diagnostics import async_redact_data
-from homeassistant.const import CONF_API_KEY, CONF_PROMPT
+from homeassistant.const import CONF_API_KEY
 from homeassistant.helpers import entity_registry as er

 from .const import (
+    CONF_PROMPT,
    CONF_WEB_SEARCH_CITY,
    CONF_WEB_SEARCH_COUNTRY,
    CONF_WEB_SEARCH_REGION,
@@ -38,7 +38,10 @@ rules:
  entity-unavailable: done
  integration-owner: done
  log-when-unavailable: done
-  parallel-updates: done
+  parallel-updates:
+    status: exempt
+    comment: |
+      The API does not limit parallel updates.
  reauthentication-flow: done
  test-coverage: done
  # Gold
@@ -40,11 +40,9 @@ class ModelDeprecatedRepairFlow(RepairsFlow):
        self._current_subentry_id = None
        self._model_list_cache = None

-    async def async_step_init(
-        self, user_input: dict[str, str] | None
-    ) -> RepairsFlowResult:
+    async def async_step_init(self, user_input: dict[str, str]) -> RepairsFlowResult:
        """Handle the steps of a fix flow."""
-        if user_input and user_input.get(CONF_CHAT_MODEL):
+        if user_input.get(CONF_CHAT_MODEL):
            self._async_update_current_subentry(user_input)

        target = await self._async_next_target()
@@ -51,11 +51,13 @@
        "advanced": {
          "data": {
            "chat_model": "[%key:common::generic::model%]",
-            "prompt_caching": "[%key:component::anthropic::config_subentries::conversation::step::advanced::data::prompt_caching%]"
+            "prompt_caching": "[%key:component::anthropic::config_subentries::conversation::step::advanced::data::prompt_caching%]",
+            "temperature": "[%key:component::anthropic::config_subentries::conversation::step::advanced::data::temperature%]"
          },
          "data_description": {
            "chat_model": "[%key:component::anthropic::config_subentries::conversation::step::advanced::data_description::chat_model%]",
-            "prompt_caching": "[%key:component::anthropic::config_subentries::conversation::step::advanced::data_description::prompt_caching%]"
+            "prompt_caching": "[%key:component::anthropic::config_subentries::conversation::step::advanced::data_description::prompt_caching%]",
+            "temperature": "[%key:component::anthropic::config_subentries::conversation::step::advanced::data_description::temperature%]"
          },
          "title": "[%key:component::anthropic::config_subentries::conversation::step::advanced::title%]"
        },
@@ -118,11 +120,13 @@
        "advanced": {
          "data": {
            "chat_model": "[%key:common::generic::model%]",
-            "prompt_caching": "Caching strategy"
+            "prompt_caching": "Caching strategy",
+            "temperature": "Temperature"
          },
          "data_description": {
            "chat_model": "The model to serve the responses.",
-            "prompt_caching": "Optimize your API cost and response times based on your usage."
+            "prompt_caching": "Optimize your API cost and response times based on your usage.",
+            "temperature": "Control the randomness of the response, trading off between creativity and coherence."
          },
          "title": "Advanced settings"
        },
@@ -6,5 +6,5 @@
  "documentation": "https://www.home-assistant.io/integrations/aosmith",
  "integration_type": "hub",
  "iot_class": "cloud_polling",
-  "requirements": ["py-aosmith==1.0.18"]
+  "requirements": ["py-aosmith==1.0.17"]
 }
@@ -89,7 +89,7 @@ class AOSmithWaterHeaterEntity(AOSmithStatusEntity, WaterHeaterEntity):
    def supported_features(self) -> WaterHeaterEntityFeature:
        """Return the list of supported features."""
        supports_vacation_mode = any(
-            supported_mode.mode is AOSmithOperationMode.VACATION
+            supported_mode.mode == AOSmithOperationMode.VACATION
            for supported_mode in self.device.supported_modes
        )

@@ -122,7 +122,7 @@ class AOSmithWaterHeaterEntity(AOSmithStatusEntity, WaterHeaterEntity):
    @property
    def is_away_mode_on(self) -> bool:
        """Return True if away mode is on."""
-        return self.device.status.current_mode is AOSmithOperationMode.VACATION
+        return self.device.status.current_mode == AOSmithOperationMode.VACATION

    async def async_set_operation_mode(self, operation_mode: str) -> None:
        """Set new target operation mode."""
@@ -369,7 +369,7 @@ class AppleTVManager(DeviceListener):

            attrs[ATTR_MODEL] = (
                dev_info.raw_model
-                if dev_info.model is DeviceModel.Unknown and dev_info.raw_model
+                if dev_info.model == DeviceModel.Unknown and dev_info.raw_model
                else model_str(dev_info.model)
            )
            attrs[ATTR_SW_VERSION] = dev_info.version
@@ -63,7 +63,7 @@ class AppleTVKeyboardFocused(AppleTVEntity, BinarySensorEntity, KeyboardListener
        # Listen to keyboard updates
        atv.keyboard.listener = self
        # Set initial state based on current focus state
-        self._update_state(atv.keyboard.text_focus_state is KeyboardFocusState.Focused)
+        self._update_state(atv.keyboard.text_focus_state == KeyboardFocusState.Focused)

    @callback
    def async_device_disconnected(self) -> None:
@@ -78,7 +78,7 @@ class AppleTVKeyboardFocused(AppleTVEntity, BinarySensorEntity, KeyboardListener

        This is a callback function from pyatv.interface.KeyboardListener.
        """
-        self._update_state(new_state is KeyboardFocusState.Focused)
+        self._update_state(new_state == KeyboardFocusState.Focused)

    def _update_state(self, new_state: bool) -> None:
        """Update and report."""
@@ -354,7 +354,7 @@ class AppleTVConfigFlow(ConfigFlow, domain=DOMAIN):
            "name": self.atv.name,
            "type": (
                dev_info.raw_model
-                if dev_info.model is DeviceModel.Unknown and dev_info.raw_model
+                if dev_info.model == DeviceModel.Unknown and dev_info.raw_model
                else model_str(dev_info.model)
            ),
        }
@@ -441,12 +441,12 @@ class AppleTVConfigFlow(ConfigFlow, domain=DOMAIN):
            return await self.async_step_password()

        # Figure out, depending on protocol, what kind of pairing is needed
-        if service.pairing is PairingRequirement.Unsupported:
+        if service.pairing == PairingRequirement.Unsupported:
            _LOGGER.debug("%s does not support pairing", self.protocol)
            return await self.async_pair_next_protocol()
-        if service.pairing is PairingRequirement.Disabled:
+        if service.pairing == PairingRequirement.Disabled:
            return await self.async_step_protocol_disabled()
-        if service.pairing is PairingRequirement.NotNeeded:
+        if service.pairing == PairingRequirement.NotNeeded:
            _LOGGER.debug("%s does not require pairing", self.protocol)
            self.credentials[self.protocol.value] = None
            return await self.async_pair_next_protocol()
@@ -457,7 +457,7 @@ class AppleTVConfigFlow(ConfigFlow, domain=DOMAIN):
        pair_args: dict[str, Any] = {}
        if self.protocol in {Protocol.AirPlay, Protocol.Companion, Protocol.DMAP}:
            pair_args["name"] = "Home Assistant"
-        if self.protocol is Protocol.DMAP:
+        if self.protocol == Protocol.DMAP:
            pair_args["zeroconf"] = await zeroconf.async_get_instance(self.hass)

        # Initiate the pairing process
@@ -139,7 +139,7 @@ class AppleTvMediaPlayer(
        all_features = atv.features.all_features()
        for feature_name, support_flag in SUPPORT_FEATURE_MAPPING.items():
            feature_info = all_features.get(feature_name)
-            if feature_info and feature_info.state is not FeatureState.Unsupported:
+            if feature_info and feature_info.state != FeatureState.Unsupported:
                self._attr_supported_features |= support_flag

        # No need to schedule state update here as that will happen when the first
@@ -188,14 +188,14 @@ class AppleTvMediaPlayer(
            return MediaPlayerState.OFF
        if (
            self._is_feature_available(FeatureName.PowerState)
-            and self.atv.power.power_state is PowerState.Off
+            and self.atv.power.power_state == PowerState.Off
        ):
            return MediaPlayerState.OFF
        if self._playing:
            state = self._playing.device_state
            if state in (DeviceState.Idle, DeviceState.Loading):
                return MediaPlayerState.IDLE
-            if state is DeviceState.Playing:
+            if state == DeviceState.Playing:
                return MediaPlayerState.PLAYING
            if state in (DeviceState.Paused, DeviceState.Seeking, DeviceState.Stopped):
                return MediaPlayerState.PAUSED
@@ -446,7 +446,7 @@ class AppleTvMediaPlayer(
    def shuffle(self) -> bool | None:
        """Boolean if shuffle is enabled."""
        if self._playing and self._is_feature_available(FeatureName.Shuffle):
-            return self._playing.shuffle is not ShuffleState.Off
+            return self._playing.shuffle != ShuffleState.Off
        return None

    def _is_feature_available(self, feature: FeatureName) -> bool:
@@ -506,7 +506,7 @@ class AppleTvMediaPlayer(
            and (self._is_feature_available(FeatureName.TurnOff))
            and (
                not self._is_feature_available(FeatureName.PowerState)
-                or self.atv.power.power_state is PowerState.On
+                or self.atv.power.power_state == PowerState.On
            )
        ):
            await self.atv.power.turn_off()
@@ -59,7 +59,7 @@ def _check_keyboard_focus(atv: AppleTVInterface) -> None:
            translation_domain=DOMAIN,
            translation_key="keyboard_not_available",
        ) from err
-    if focus_state is not KeyboardFocusState.Focused:
+    if focus_state != KeyboardFocusState.Focused:
        raise ServiceValidationError(
            translation_domain=DOMAIN,
            translation_key="keyboard_not_focused",
@@ -16,9 +16,6 @@ from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
 from .coordinator import ArcamFmjConfigEntry
 from .entity import ArcamFmjEntity

-# Read-only, coordinator-driven entities; no per-entity I/O to bound.
-PARALLEL_UPDATES = 0
-

@dataclass(frozen=True, kw_only=True)
 class ArcamFmjBinarySensorEntityDescription(BinarySensorEntityDescription):
@@ -1,11 +1,9 @@
 """Config flow to configure the Arcam FMJ component."""

-import socket
 from typing import Any
 from urllib.parse import urlparse

-from arcam.fmj import ConnectionFailed
-from arcam.fmj.client import Client
+from arcam.fmj.client import Client, ConnectionFailed
 from arcam.fmj.utils import get_uniqueid_from_host, get_uniqueid_from_udn
 import voluptuous as vol

@@ -31,19 +29,26 @@ class ArcamFmjFlowHandler(ConfigFlow, domain=DOMAIN):
        await self.async_set_unique_id(uuid)
        self._abort_if_unique_id_configured({CONF_HOST: host, CONF_PORT: port})

-    async def _async_try_connect(self, host: str, port: int) -> None:
-        """Verify the device is reachable."""
+    async def _async_check_and_create(self, host: str, port: int) -> ConfigFlowResult:
        client = Client(host, port)
        try:
            await client.start()
+        except ConnectionFailed:
+            return self.async_abort(reason="cannot_connect")
        finally:
            await client.stop()

+        return self.async_create_entry(
+            title=f"{DEFAULT_NAME} ({host})",
+            data={CONF_HOST: host, CONF_PORT: port},
+        )
+
    async def async_step_user(
        self, user_input: dict[str, Any] | None = None
    ) -> ConfigFlowResult:
        """Handle a discovered device."""
        errors: dict[str, str] = {}
+
        if user_input is not None:
            uuid = await get_uniqueid_from_host(
                async_get_clientsession(self.hass), user_input[CONF_HOST]
@@ -53,36 +58,18 @@ class ArcamFmjFlowHandler(ConfigFlow, domain=DOMAIN):
                    user_input[CONF_HOST], user_input[CONF_PORT], uuid
                )

-            try:
-                await self._async_try_connect(
-                    user_input[CONF_HOST], user_input[CONF_PORT]
-                )
-            except socket.gaierror:
-                errors["base"] = "invalid_host"
-            except TimeoutError:
-                errors["base"] = "timeout_connect"
-            except ConnectionRefusedError:
-                errors["base"] = "connection_refused"
-            except ConnectionFailed, OSError:
-                errors["base"] = "cannot_connect"
-            else:
-                return self.async_create_entry(
-                    title=f"{DEFAULT_NAME} ({user_input[CONF_HOST]})",
-                    data={
-                        CONF_HOST: user_input[CONF_HOST],
-                        CONF_PORT: user_input[CONF_PORT],
-                    },
-                )
+            return await self._async_check_and_create(
+                user_input[CONF_HOST], user_input[CONF_PORT]
+            )

        fields = {
            vol.Required(CONF_HOST): str,
            vol.Required(CONF_PORT, default=DEFAULT_PORT): int,
        }
-        schema = vol.Schema(fields)
-        if user_input is not None:
-            schema = self.add_suggested_values_to_schema(schema, user_input)

-        return self.async_show_form(step_id="user", data_schema=schema, errors=errors)
+        return self.async_show_form(
+            step_id="user", data_schema=vol.Schema(fields), errors=errors
+        )

    async def async_step_confirm(
        self, user_input: dict[str, Any] | None = None
@@ -92,10 +79,7 @@ class ArcamFmjFlowHandler(ConfigFlow, domain=DOMAIN):
        self.context["title_placeholders"] = placeholders

        if user_input is not None:
-            return self.async_create_entry(
-                title=f"{DEFAULT_NAME} ({self.host})",
-                data={CONF_HOST: self.host, CONF_PORT: self.port},
-            )
+            return await self._async_check_and_create(self.host, self.port)

        return self.async_show_form(
            step_id="confirm", description_placeholders=placeholders
@@ -113,11 +97,6 @@ class ArcamFmjFlowHandler(ConfigFlow, domain=DOMAIN):

        await self._async_set_unique_id_and_update(host, port, uuid)

-        try:
-            await self._async_try_connect(host, port)
-        except ConnectionFailed, OSError:
-            return self.async_abort(reason="cannot_connect")
-
        self.host = host
-        self.port = port
+        self.port = DEFAULT_PORT
        return await self.async_step_confirm()
@@ -25,10 +25,6 @@ from .entity import ArcamFmjEntity, convert_exception

 _LOGGER = logging.getLogger(__name__)

-# arcam-fmj serializes commands on a single TCP writer at the library
-# layer; serialize at HA's layer to match the device's contract.
-PARALLEL_UPDATES = 1
-

 async def async_setup_entry(
    hass: HomeAssistant,
@@ -263,9 +259,9 @@ class ArcamFmj(ArcamFmjEntity, MediaPlayerEntity):
    def media_channel(self) -> str | None:
        """Channel currently playing."""
        source = self._state.get_source()
-        if source is SourceCodes.DAB:
+        if source == SourceCodes.DAB:
            value = self._state.get_dab_station()
-        elif source is SourceCodes.FM:
+        elif source == SourceCodes.FM:
            value = self._state.get_rds_information()
        else:
            value = None
@@ -274,7 +270,7 @@ class ArcamFmj(ArcamFmjEntity, MediaPlayerEntity):
    @property
    def media_artist(self) -> str | None:
        """Artist of current playing media, music track only."""
-        if self._state.get_source() is SourceCodes.DAB:
+        if self._state.get_source() == SourceCodes.DAB:
            value = self._state.get_dls_pdt()
        else:
            value = None
@@ -22,9 +22,6 @@ from .entity import ArcamFmjEntity

 _LOGGER = logging.getLogger(__name__)

-# Read-only, coordinator-driven entities; no per-entity I/O to bound.
-PARALLEL_UPDATES = 0
-

 def _enum_options(value: type[IntOrTypeEnum]) -> list[str]:
    return [
@@ -5,12 +5,6 @@
      "already_in_progress": "[%key:common::config_flow::abort::already_in_progress%]",
      "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]"
    },
-    "error": {
-      "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]",
-      "connection_refused": "Host refused connection",
-      "invalid_host": "[%key:common::config_flow::error::invalid_host%]",
-      "timeout_connect": "[%key:common::config_flow::error::timeout_connect%]"
-    },
    "flow_title": "{host}",
    "step": {
      "confirm": {
@@ -1355,7 +1355,7 @@ class PipelineRun:
    ) -> bool:
        """Return true if all targeted entities were in the same area as the device."""
        if (
-            intent_response.response_type is not intent.IntentResponseType.ACTION_DONE
+            intent_response.response_type != intent.IntentResponseType.ACTION_DONE
            or not intent_response.matched_states
        ):
            return False
@@ -19,8 +19,6 @@ DEVICES = "devices"
 MANUFACTURER = "ABB"

 ATTR_DEVICE_NAME = "device_name"
-# pylint: disable-next=home-assistant-duplicate-const
 ATTR_DEVICE_ID = "device_id"
-# pylint: disable-next=home-assistant-duplicate-const
 ATTR_MODEL = "model"
 ATTR_FIRMWARE = "firmware"
@@ -82,7 +82,7 @@ rules:
    comment: |
      This integration does not have any entities that should disabled by default.
  entity-translations: done
-  exception-translations: todo
+  exception-translations: done
  icon-translations: done
  reconfiguration-flow: todo
  repair-issues:
@@ -251,12 +251,12 @@ class AuthProvidersView(HomeAssistantView):

 def _prepare_result_json(result: AuthFlowResult) -> dict[str, Any]:
    """Convert result to JSON serializable dict."""
-    if result["type"] is data_entry_flow.FlowResultType.CREATE_ENTRY:
+    if result["type"] == data_entry_flow.FlowResultType.CREATE_ENTRY:
        return {
            key: val for key, val in result.items() if key not in ("result", "data")
        }

-    if result["type"] is not data_entry_flow.FlowResultType.FORM:
+    if result["type"] != data_entry_flow.FlowResultType.FORM:
        return result  # type: ignore[return-value]

    data = dict(result)
@@ -289,11 +289,11 @@ class LoginFlowBaseView(HomeAssistantView):
        result: AuthFlowResult,
    ) -> web.Response:
        """Convert the flow result to a response."""
-        if result["type"] is not data_entry_flow.FlowResultType.CREATE_ENTRY:
+        if result["type"] != data_entry_flow.FlowResultType.CREATE_ENTRY:
            # @log_invalid_auth does not work here since it returns HTTP 200.
            # We need to manually log failed login attempts.
            if (
-                result["type"] is data_entry_flow.FlowResultType.FORM
+                result["type"] == data_entry_flow.FlowResultType.FORM
                and (errors := result.get("errors"))
                and errors.get("base")
                in (
@@ -142,9 +142,9 @@ def websocket_depose_mfa(

 def _prepare_result_json(result: data_entry_flow.FlowResult) -> dict[str, Any]:
    """Convert result to JSON serializable dict."""
-    if result["type"] is data_entry_flow.FlowResultType.CREATE_ENTRY:
+    if result["type"] == data_entry_flow.FlowResultType.CREATE_ENTRY:
        return dict(result)
-    if result["type"] is not data_entry_flow.FlowResultType.FORM:
+    if result["type"] != data_entry_flow.FlowResultType.FORM:
        return result  # type: ignore[return-value]

    data = dict(result)
@@ -67,7 +67,7 @@ rules:
    comment: |
      Only one entity type (device_tracker) is created, making this not applicable.
  entity-translations: done
-  exception-translations: todo
+  exception-translations: done
  icon-translations: done
  reconfiguration-flow:
    status: todo
@@ -205,9 +205,9 @@ class AveaLight(LightEntity):

    def turn_off(self, **kwargs: Any) -> None:
        """Instruct the light to turn off."""
+        if self._attr_brightness:
+            self._last_brightness = self._attr_brightness
        self._light.set_brightness(0)
-        self._attr_is_on = False
-        self._attr_brightness = 0

    def update(self) -> None:
        """Fetch new state data for this light."""
@@ -14,5 +14,5 @@
  "integration_type": "device",
  "iot_class": "local_polling",
  "loggers": ["avea"],
-  "requirements": ["avea==1.8.0"]
+  "requirements": ["avea==1.6.1"]
 }
@@ -51,7 +51,6 @@ async def async_setup_entry(hass: HomeAssistant, entry: S3ConfigEntry) -> bool:
                translation_key="invalid_bucket_name",
            ) from err
    except ValueError as err:
-        # pylint: disable-next=home-assistant-exception-translation-key-missing
        raise ConfigEntryError(
            translation_domain=DOMAIN,
            translation_key="invalid_endpoint_url",
@@ -11,7 +11,6 @@ CONF_ACCESS_KEY_ID = "access_key_id"
 CONF_SECRET_ACCESS_KEY = "secret_access_key"
 CONF_ENDPOINT_URL = "endpoint_url"
 CONF_BUCKET = "bucket"
-# pylint: disable-next=home-assistant-duplicate-const
 CONF_PREFIX = "prefix"

 AWS_DOMAIN = "amazonaws.com"
@@ -72,7 +72,7 @@ rules:
  entity-device-class: done
  entity-disabled-by-default: done
  entity-translations: done
-  exception-translations: todo
+  exception-translations: done
  icon-translations:
    status: exempt
    comment: This integration does not use icons.
@@ -75,13 +75,11 @@ def handle_backup_errors[_R, **P](
                err.message,
                exc_info=True,
            )
-            # pylint: disable-next=home-assistant-exception-not-translated
            raise BackupAgentError(
                f"Error during backup operation in {func.__name__}:"
                f" Status {err.status_code}, message: {err.message}"
            ) from err
        except ServiceRequestError as err:
-            # pylint: disable-next=home-assistant-exception-not-translated
            raise BackupAgentError(
                f"Timeout during backup operation in {func.__name__}"
            ) from err
@@ -92,7 +90,6 @@ def handle_backup_errors[_R, **P](
                err,
                exc_info=True,
            )
-            # pylint: disable-next=home-assistant-exception-not-translated
            raise BackupAgentError(
                f"Error during backup operation in {func.__name__}: {err}"
            ) from err
@@ -121,7 +118,6 @@ class AzureStorageBackupAgent(BackupAgent):
        """Download a backup file."""
        blob = await self._find_blob_by_backup_id(backup_id)
        if blob is None:
-            # pylint: disable-next=home-assistant-exception-not-translated
            raise BackupNotFound(f"Backup {backup_id} not found")
        download_stream = await self._client.download_blob(blob.name)
        return download_stream.chunks()
@@ -159,7 +155,6 @@ class AzureStorageBackupAgent(BackupAgent):
        """Delete a backup file."""
        blob = await self._find_blob_by_backup_id(backup_id)
        if blob is None:
-            # pylint: disable-next=home-assistant-exception-not-translated
            raise BackupNotFound(f"Backup {backup_id} not found")
        await self._client.delete_blob(blob.name)

@@ -186,7 +181,6 @@ class AzureStorageBackupAgent(BackupAgent):
        """Return a backup."""
        blob = await self._find_blob_by_backup_id(backup_id)
        if blob is None:
-            # pylint: disable-next=home-assistant-exception-not-translated
            raise BackupNotFound(f"Backup {backup_id} not found")

        return AgentBackup.from_dict(json.loads(blob.metadata["backup_metadata"]))
@@ -89,7 +89,6 @@ async def async_setup_entry(hass: HomeAssistant, entry: BackblazeConfigEntry) ->
            translation_key="cannot_connect",
        ) from err
    except exception.MissingAccountData as err:
-        # pylint: disable-next=home-assistant-exception-translation-key-missing
        raise ConfigEntryAuthFailed(
            translation_domain=DOMAIN,
            translation_key="invalid_auth",
@@ -20,12 +20,12 @@ from homeassistant.components.backup import (
    OnProgressCallback,
    suggested_filename,
 )
-from homeassistant.const import CONF_PREFIX
 from homeassistant.core import HomeAssistant, callback
 from homeassistant.util.async_iterator import AsyncIteratorReader

 from . import BackblazeConfigEntry
 from .const import (
+    CONF_PREFIX,
    DATA_BACKUP_AGENT_LISTENERS,
    DOMAIN,
    METADATA_FILE_SUFFIX,
@@ -8,7 +8,6 @@ from b2sdk.v2 import exception
 import voluptuous as vol

 from homeassistant.config_entries import ConfigEntry, ConfigFlow, ConfigFlowResult
-from homeassistant.const import CONF_PREFIX
 from homeassistant.helpers import config_validation as cv
 from homeassistant.helpers.selector import (
    TextSelector,
@@ -23,6 +22,7 @@ from .const import (
    CONF_APPLICATION_KEY,
    CONF_BUCKET,
    CONF_KEY_ID,
+    CONF_PREFIX,
    DOMAIN,
 )

@@ -10,6 +10,7 @@ DOMAIN: Final = "backblaze_b2"
 CONF_KEY_ID = "key_id"
 CONF_APPLICATION_KEY = "application_key"
 CONF_BUCKET = "bucket"
+CONF_PREFIX = "prefix"

 DATA_BACKUP_AGENT_LISTENERS: HassKey[list[Callable[[], None]]] = HassKey(
    f"{DOMAIN}.backup_agent_listeners"
@@ -96,7 +96,7 @@ rules:
  entity-translations:
    status: exempt
    comment: This integration does not have entities.
-  exception-translations: todo
+  exception-translations: done
  icon-translations:
    status: exempt
    comment: This integration does not use icons.
@@ -67,9 +67,6 @@
    "cannot_connect": {
      "message": "Cannot connect to endpoint"
    },
-    "invalid_auth": {
-      "message": "Authentication failed using the provided key ID and application key."
-    },
    "invalid_bucket_name": {
      "message": "Bucket does not exist or is not writable by the provided credentials."
    },
@@ -169,7 +169,6 @@ class BlinkCamera(CoordinatorEntity[BlinkUpdateCoordinator], Camera):
        try:
            await self._camera.save_recent_clips(output_dir=file_path)
        except OSError as err:
-            # pylint: disable-next=home-assistant-exception-message-with-translation
            raise ServiceValidationError(
                str(err),
                translation_domain=DOMAIN,
@@ -191,7 +190,6 @@ class BlinkCamera(CoordinatorEntity[BlinkUpdateCoordinator], Camera):
        try:
            await self._camera.video_to_file(filename)
        except OSError as err:
-            # pylint: disable-next=home-assistant-exception-message-with-translation
            raise ServiceValidationError(
                str(err),
                translation_domain=DOMAIN,
@@ -16,7 +16,6 @@ CONF_DETAILS = "details"
 CONF_PASSIVE = "passive"


-# pylint: disable-next=home-assistant-duplicate-const
 CONF_SOURCE: Final = "source"
 CONF_SOURCE_DOMAIN: Final = "source_domain"
 CONF_SOURCE_MODEL: Final = "source_model"
@@ -19,8 +19,8 @@
    "bleak-retry-connector==4.6.0",
    "bluetooth-adapters==2.1.0",
    "bluetooth-auto-recovery==1.5.3",
-    "bluetooth-data-tools==1.29.11",
-    "dbus-fast==5.0.3",
-    "habluetooth==6.2.0"
+    "bluetooth-data-tools==1.28.4",
+    "dbus-fast==4.0.4",
+    "habluetooth==6.1.0"
  ]
 }
@@ -273,7 +273,7 @@ async def ws_subscribe_scanner_details(

    def _async_registration_changed(registration: HaScannerRegistration) -> None:
        added_event = HaScannerRegistrationEvent.ADDED
-        event_type = "add" if registration.event is added_event else "remove"
+        event_type = "add" if registration.event == added_event else "remove"
        _async_event_message({event_type: [registration.scanner.details]})

    manager = _get_manager(hass)
@@ -6,7 +6,6 @@ from typing import Final
 ATTR_CID: Final = "cid"
 ATTR_MAC: Final = "macAddr"
 ATTR_MANUFACTURER: Final = "Sony"
-# pylint: disable-next=home-assistant-duplicate-const
 ATTR_MODEL: Final = "model"

 CONF_NICKNAME: Final = "nickname"
@@ -183,8 +183,8 @@ class BSBLANClimate(BSBLanCircuitEntity, ClimateEntity):
        try:
            await self.coordinator.client.thermostat(**data, circuit=self._circuit)
        except BSBLANError as err:
-            # pylint: disable-next=home-assistant-exception-message-with-translation
            raise HomeAssistantError(
+                "An error occurred while updating the BSBLAN device",
                translation_domain=DOMAIN,
                translation_key="set_data_error",
            ) from err
@@ -8,7 +8,7 @@
  "iot_class": "local_polling",
  "loggers": ["bsblan"],
  "quality_scale": "silver",
-  "requirements": ["python-bsblan==6.0.1"],
+  "requirements": ["python-bsblan==5.2.1"],
  "zeroconf": [
    {
      "name": "bsb-lan*",
@@ -8,7 +8,6 @@ from bsblan import BSBLANError, DaySchedule, DHWSchedule, TimeSlot
 import voluptuous as vol

 from homeassistant.config_entries import ConfigEntryState
-from homeassistant.const import ATTR_DEVICE_ID
 from homeassistant.core import HomeAssistant, ServiceCall, callback
 from homeassistant.exceptions import HomeAssistantError, ServiceValidationError
 from homeassistant.helpers import config_validation as cv, device_registry as dr
@@ -21,6 +20,7 @@ if TYPE_CHECKING:

 LOGGER = logging.getLogger(__name__)

+ATTR_DEVICE_ID = "device_id"
 ATTR_MONDAY_SLOTS = "monday_slots"
 ATTR_TUESDAY_SLOTS = "tuesday_slots"
 ATTR_WEDNESDAY_SLOTS = "wednesday_slots"
@@ -158,10 +158,7 @@ def process_service_info(
            )

    # If payload is encrypted and the bindkey is not verified then we need to reauth
-    if (
-        data.encryption_scheme is not EncryptionScheme.NONE
-        and not data.bindkey_verified
-    ):
+    if data.encryption_scheme != EncryptionScheme.NONE and not data.bindkey_verified:
        entry.async_start_reauth(hass, data={"device": data})

    return update
@@ -59,7 +59,7 @@ class BTHomeConfigFlow(ConfigFlow, domain=DOMAIN):
        self._discovery_info = discovery_info
        self._discovered_device = device

-        if device.encryption_scheme is EncryptionScheme.BTHOME_BINDKEY:
+        if device.encryption_scheme == EncryptionScheme.BTHOME_BINDKEY:
            return await self.async_step_get_encryption_key()
        return await self.async_step_bluetooth_confirm()

@@ -125,7 +125,7 @@ class BTHomeConfigFlow(ConfigFlow, domain=DOMAIN):
            self._discovery_info = discovery.discovery_info
            self._discovered_device = discovery.device

-            if discovery.device.encryption_scheme is EncryptionScheme.BTHOME_BINDKEY:
+            if discovery.device.encryption_scheme == EncryptionScheme.BTHOME_BINDKEY:
                return await self.async_step_get_encryption_key()

            return self._async_get_or_create_entry()
@@ -164,7 +164,7 @@ class BTHomeConfigFlow(ConfigFlow, domain=DOMAIN):

        self._discovery_info = device.last_service_info

-        if device.encryption_scheme is EncryptionScheme.BTHOME_BINDKEY:
+        if device.encryption_scheme == EncryptionScheme.BTHOME_BINDKEY:
            return await self.async_step_get_encryption_key()

        # Otherwise there wasn't actually encryption so abort
@@ -17,8 +17,6 @@ from homeassistant.const import (
 from homeassistant.core import HomeAssistant
 from homeassistant.exceptions import ConfigEntryAuthFailed, ConfigEntryNotReady

-from .const import TIMEOUT
-
 type CalDavConfigEntry = ConfigEntry[caldav.DAVClient]

 _LOGGER = logging.getLogger(__name__)
@@ -34,7 +32,7 @@ async def async_setup_entry(hass: HomeAssistant, entry: CalDavConfigEntry) -> bo
        username=entry.data[CONF_USERNAME],
        password=entry.data[CONF_PASSWORD],
        ssl_verify_cert=entry.data[CONF_VERIFY_SSL],
-        timeout=TIMEOUT,
+        timeout=30,
    )
    try:
        await hass.async_add_executor_job(client.principal)
@@ -45,8 +43,6 @@ async def async_setup_entry(hass: HomeAssistant, entry: CalDavConfigEntry) -> bo
        # on some other unexpected server response.
        _LOGGER.warning("Unexpected CalDAV server response: %s", err)
        return False
-    except requests.Timeout as err:
-        raise ConfigEntryNotReady("Timeout connecting to CalDAV server") from err
    except requests.ConnectionError as err:
        raise ConfigEntryNotReady("Connection error from CalDAV server") from err
    except DAVError as err:
@@ -38,7 +38,6 @@ from homeassistant.helpers.update_coordinator import CoordinatorEntity

 from . import CalDavConfigEntry
 from .api import async_get_calendars
-from .const import TIMEOUT
 from .coordinator import CalDavUpdateCoordinator

 _LOGGER = logging.getLogger(__name__)
@@ -92,12 +91,7 @@ async def async_setup_platform(
    days = config[CONF_DAYS]

    client = caldav.DAVClient(
-        url,
-        None,
-        username,
-        password,
-        ssl_verify_cert=config[CONF_VERIFY_SSL],
-        timeout=TIMEOUT,
+        url, None, username, password, ssl_verify_cert=config[CONF_VERIFY_SSL]
    )

    calendars = await async_get_calendars(hass, client, SUPPORTED_COMPONENT)
@@ -237,7 +231,7 @@ class WebDavCalendarEntity(CoordinatorEntity[CalDavUpdateCoordinator], CalendarE
            await self.hass.async_add_executor_job(
                partial(self.coordinator.calendar.add_event, **item_data),
            )
-        except (requests.ConnectionError, requests.Timeout, DAVError) as err:
+        except (requests.ConnectionError, DAVError) as err:
            raise HomeAssistantError(f"CalDAV save error: {err}") from err

    @callback
@@ -13,7 +13,7 @@ from homeassistant.config_entries import ConfigFlow, ConfigFlowResult
 from homeassistant.const import CONF_PASSWORD, CONF_URL, CONF_USERNAME, CONF_VERIFY_SSL
 from homeassistant.helpers import config_validation as cv

-from .const import DOMAIN, TIMEOUT
+from .const import DOMAIN

 _LOGGER = logging.getLogger(__name__)

@@ -65,7 +65,6 @@ class CalDavConfigFlow(ConfigFlow, domain=DOMAIN):
            username=user_input[CONF_USERNAME],
            password=user_input[CONF_PASSWORD],
            ssl_verify_cert=user_input[CONF_VERIFY_SSL],
-            timeout=TIMEOUT,
        )
        try:
            await self.hass.async_add_executor_job(client.principal)
@@ -76,9 +75,6 @@ class CalDavConfigFlow(ConfigFlow, domain=DOMAIN):
            # AuthorizationError can be raised if the url is incorrect or
            # on some other unexpected server response.
            return "cannot_connect"
-        except requests.Timeout as err:
-            _LOGGER.warning("Timeout connecting to CalDAV server: %s", err)
-            return "cannot_connect"
        except requests.ConnectionError as err:
            _LOGGER.warning("Connection Error connecting to CalDAV server: %s", err)
            return "cannot_connect"
@@ -3,4 +3,3 @@
 from typing import Final

 DOMAIN: Final = "caldav"
-TIMEOUT: Final = 30
@@ -138,7 +138,7 @@ class WebDavTodoListEntity(TodoListEntity):
            )
            # refreshing async otherwise it would take too much time
            self.hass.async_create_task(self.async_update_ha_state(force_refresh=True))
-        except (requests.ConnectionError, requests.Timeout, DAVError) as err:
+        except (requests.ConnectionError, DAVError) as err:
            raise HomeAssistantError(f"CalDAV save error: {err}") from err

    async def async_update_todo_item(self, item: TodoItem) -> None:
@@ -150,7 +150,7 @@ class WebDavTodoListEntity(TodoListEntity):
            )
        except NotFoundError as err:
            raise HomeAssistantError(f"Could not find To-do item {uid}") from err
-        except (requests.ConnectionError, requests.Timeout, DAVError) as err:
+        except (requests.ConnectionError, DAVError) as err:
            raise HomeAssistantError(f"CalDAV lookup error: {err}") from err
        vtodo = todo.icalendar_component  # type: ignore[attr-defined]
        vtodo["SUMMARY"] = item.summary or ""
@@ -174,7 +174,7 @@ class WebDavTodoListEntity(TodoListEntity):
            )
            # refreshing async otherwise it would take too much time
            self.hass.async_create_task(self.async_update_ha_state(force_refresh=True))
-        except (requests.ConnectionError, requests.Timeout, DAVError) as err:
+        except (requests.ConnectionError, DAVError) as err:
            raise HomeAssistantError(f"CalDAV save error: {err}") from err

    async def async_delete_todo_items(self, uids: list[str]) -> None:
@@ -188,14 +188,14 @@ class WebDavTodoListEntity(TodoListEntity):
            items = await asyncio.gather(*tasks)
        except NotFoundError as err:
            raise HomeAssistantError("Could not find To-do item") from err
-        except (requests.ConnectionError, requests.Timeout, DAVError) as err:
+        except (requests.ConnectionError, DAVError) as err:
            raise HomeAssistantError(f"CalDAV lookup error: {err}") from err

        # Run serially as some CalDAV servers do not support concurrent modifications
        for item in items:
            try:
                await self.hass.async_add_executor_job(item.delete)
-            except (requests.ConnectionError, requests.Timeout, DAVError) as err:
+            except (requests.ConnectionError, DAVError) as err:
                raise HomeAssistantError(f"CalDAV delete error: {err}") from err
        # refreshing async otherwise it would take too much time
        self.hass.async_create_task(self.async_update_ha_state(force_refresh=True))
@@ -13,7 +13,6 @@ if TYPE_CHECKING:
 DOMAIN = "calendar"
 DATA_COMPONENT: HassKey[EntityComponent[CalendarEntity]] = HassKey(DOMAIN)

-# pylint: disable-next=home-assistant-duplicate-const
 CONF_EVENT = "event"


@@ -7,7 +7,6 @@ from homeassistant.const import CONF_ADDRESS, Platform
 from homeassistant.core import HomeAssistant
 from homeassistant.exceptions import ConfigEntryNotReady

-from .const import DOMAIN
 from .coordinator import CasperGlowConfigEntry, CasperGlowCoordinator

 PLATFORMS: list[Platform] = [
@@ -25,9 +24,7 @@ async def async_setup_entry(hass: HomeAssistant, entry: CasperGlowConfigEntry) -
    ble_device = bluetooth.async_ble_device_from_address(hass, address.upper(), True)
    if not ble_device:
        raise ConfigEntryNotReady(
-            translation_domain=DOMAIN,
-            translation_key="device_not_found",
-            translation_placeholders={"address": address},
+            f"Could not find Casper Glow device with address {address}"
        )

    glow = CasperGlow(ble_device)
@@ -54,9 +54,6 @@
  "exceptions": {
    "communication_error": {
      "message": "An error occurred while communicating with the Casper Glow: {error}"
-    },
-    "device_not_found": {
-      "message": "Could not find Casper Glow device with address {address}"
    }
  }
 }
@@ -1,11 +1,12 @@
 """Config flow for the Cert Expiry platform."""

 from collections.abc import Mapping
+import logging
 from typing import Any

 import voluptuous as vol

-from homeassistant.config_entries import ConfigFlow, ConfigFlowResult
+from homeassistant.config_entries import SOURCE_IMPORT, ConfigFlow, ConfigFlowResult
 from homeassistant.const import CONF_HOST, CONF_PORT

 from .const import DEFAULT_PORT, DOMAIN
@@ -18,6 +19,8 @@ from .errors import (
 )
 from .helper import get_cert_expiry_timestamp

+_LOGGER = logging.getLogger(__name__)
+

 class CertexpiryConfigFlow(ConfigFlow, domain=DOMAIN):
    """Handle a config flow."""
@@ -72,6 +75,9 @@ class CertexpiryConfigFlow(ConfigFlow, domain=DOMAIN):
                    title=title,
                    data={CONF_HOST: host, CONF_PORT: port},
                )
+            if self.source == SOURCE_IMPORT:
+                _LOGGER.error("Config import failed for %s", user_input[CONF_HOST])
+                return self.async_abort(reason="import_failed")
        else:
            user_input = {}
            user_input[CONF_HOST] = ""
@@ -89,42 +95,3 @@ class CertexpiryConfigFlow(ConfigFlow, domain=DOMAIN):
            ),
            errors=self._errors,
        )
-
-    async def async_step_reconfigure(
-        self,
-        user_input: Mapping[str, Any] | None = None,
-    ) -> ConfigFlowResult:
-        """Handle reconfiguration of an existing entry."""
-        self._errors = {}
-        reconfigure_entry = self._get_reconfigure_entry()
-
-        if user_input is not None:
-            host = user_input[CONF_HOST]
-            port = user_input.get(CONF_PORT, DEFAULT_PORT)
-
-            if (
-                host != reconfigure_entry.data[CONF_HOST]
-                or port != reconfigure_entry.data[CONF_PORT]
-            ):
-                self._async_abort_entries_match({CONF_HOST: host, CONF_PORT: port})
-
-            if await self._test_connection(user_input):
-                return self.async_update_reload_and_abort(
-                    reconfigure_entry,
-                    data_updates={CONF_HOST: host, CONF_PORT: port},
-                    unique_id=f"{host}:{port}",
-                )
-
-        return self.async_show_form(
-            step_id="reconfigure",
-            data_schema=self.add_suggested_values_to_schema(
-                vol.Schema(
-                    {
-                        vol.Required(CONF_HOST): str,
-                        vol.Required(CONF_PORT, default=DEFAULT_PORT): int,
-                    }
-                ),
-                user_input or reconfigure_entry.data,
-            ),
-            errors=self._errors,
-        )
@@ -2,7 +2,7 @@
  "config": {
    "abort": {
      "already_configured": "[%key:common::config_flow::abort::already_configured_service%]",
-      "reconfigure_successful": "[%key:common::config_flow::abort::reconfigure_successful%]"
+      "import_failed": "Import from config failed"
    },
    "error": {
      "connection_refused": "Connection refused when connecting to host",
@@ -11,13 +11,6 @@
      "resolve_failed": "This host cannot be resolved"
    },
    "step": {
-      "reconfigure": {
-        "data": {
-          "host": "[%key:common::config_flow::data::host%]",
-          "port": "[%key:common::config_flow::data::port%]"
-        },
-        "title": "Reconfigure the certificate to test"
-      },
      "user": {
        "data": {
          "host": "[%key:common::config_flow::data::host%]",
@@ -17,8 +17,6 @@ from homeassistant.components.sensor import (
 )
 from homeassistant.const import (
    APPLICATION_NAME,
-    ATTR_LATITUDE,
-    ATTR_LONGITUDE,
    CONF_LATITUDE,
    CONF_LONGITUDE,
    CONF_NAME,
@@ -47,6 +45,8 @@ HA_USER_AGENT = (
 )

 ATTR_UID = "uid"
+ATTR_LATITUDE = "latitude"
+ATTR_LONGITUDE = "longitude"
 ATTR_EMPTY_SLOTS = "empty_slots"
 ATTR_FREE_EBIKES = "free_ebikes"
 ATTR_TIMESTAMP = "timestamp"
@@ -29,7 +29,6 @@ BASE_API_URL = "https://rest.clicksend.com/v3"

 HEADERS = {"Content-Type": CONTENT_TYPE_JSON}

-# pylint: disable-next=home-assistant-duplicate-const
 CONF_LANGUAGE = "language"
 CONF_VOICE = "voice"

@@ -32,28 +32,28 @@ set_temperature:
          max: 250
          step: 0.1
          mode: box
-    temperature_range:
-      fields:
-        target_temp_high:
-          filter:
-            supported_features:
-              - climate.ClimateEntityFeature.TARGET_TEMPERATURE_RANGE
-          selector:
-            number:
-              min: 0
-              max: 250
-              step: 0.1
-              mode: box
-        target_temp_low:
-          filter:
-            supported_features:
-              - climate.ClimateEntityFeature.TARGET_TEMPERATURE_RANGE
-          selector:
-            number:
-              min: 0
-              max: 250
-              step: 0.1
-              mode: box
+    target_temp_high:
+      filter:
+        supported_features:
+          - climate.ClimateEntityFeature.TARGET_TEMPERATURE_RANGE
+      advanced: true
+      selector:
+        number:
+          min: 0
+          max: 250
+          step: 0.1
+          mode: box
+    target_temp_low:
+      filter:
+        supported_features:
+          - climate.ClimateEntityFeature.TARGET_TEMPERATURE_RANGE
+      advanced: true
+      selector:
+        number:
+          min: 0
+          max: 250
+          step: 0.1
+          mode: box
    hvac_mode:
      selector:
        state:
@@ -373,12 +373,7 @@
          "name": "Target temperature"
        }
      },
-      "name": "Set thermostat target temperature",
-      "sections": {
-        "temperature_range": {
-          "name": "Temperature range"
-        }
-      }
+      "name": "Set thermostat target temperature"
    },
    "toggle": {
      "description": "Toggles a thermostat on/off.",
@@ -11,7 +11,6 @@ CONF_ACCESS_KEY_ID = "access_key_id"
 CONF_SECRET_ACCESS_KEY = "secret_access_key"
 CONF_ENDPOINT_URL = "endpoint_url"
 CONF_BUCKET = "bucket"
-# pylint: disable-next=home-assistant-duplicate-const
 CONF_PREFIX = "prefix"

 # R2 is S3-compatible. Endpoint should be like:
@@ -94,7 +94,7 @@ rules:
  entity-translations:
    status: exempt
    comment: This integration does not have entities.
-  exception-translations: todo
+  exception-translations: done
  icon-translations:
    status: exempt
    comment: This integration does not use icons.
@@ -6,5 +6,4 @@ ATTR_URL = "color_extract_url"
 DOMAIN = "color_extractor"
 DEFAULT_NAME = "Color extractor"

-# pylint: disable-next=home-assistant-duplicate-const
 SERVICE_TURN_ON = "turn_on"
@@ -110,7 +110,7 @@ class ComelitAlarmEntity(
    @property
    def available(self) -> bool:
        """Return True if alarm is available."""
-        if self._area.human_status is AlarmAreaState.UNKNOWN:
+        if self._area.human_status == AlarmAreaState.UNKNOWN:
            return False
        return super().available

@@ -124,7 +124,7 @@ class ComelitAlarmEntity(
            self._area.human_status,
            self._area.armed,
        )
-        if self._area.human_status is AlarmAreaState.ARMED:
+        if self._area.human_status == AlarmAreaState.ARMED:
            if self._area.armed == ALARM_AREA_ARMED_STATUS[AWAY]:
                return AlarmControlPanelState.ARMED_AWAY
            if self._area.armed == ALARM_AREA_ARMED_STATUS[NIGHT]:
@@ -43,7 +43,7 @@ BINARY_SENSOR_TYPES: Final[tuple[ComelitBinarySensorEntityDescription, ...]] = (
        device_class=BinarySensorDeviceClass.PROBLEM,
        is_on_fn=lambda obj: cast(ComelitVedoAreaObject, obj).anomaly,
        available_fn=lambda obj: (
-            cast(ComelitVedoAreaObject, obj).human_status is not AlarmAreaState.UNKNOWN
+            cast(ComelitVedoAreaObject, obj).human_status != AlarmAreaState.UNKNOWN
        ),
    ),
    ComelitBinarySensorEntityDescription(
@@ -67,7 +67,7 @@ BINARY_SENSOR_TYPES: Final[tuple[ComelitBinarySensorEntityDescription, ...]] = (
        object_type=ALARM_ZONE,
        device_class=BinarySensorDeviceClass.PROBLEM,
        is_on_fn=lambda obj: (
-            cast(ComelitVedoZoneObject, obj).human_status is AlarmZoneState.FAULTY
+            cast(ComelitVedoZoneObject, obj).human_status == AlarmZoneState.FAULTY
        ),
        available_fn=lambda obj: (
            cast(ComelitVedoZoneObject, obj).human_status
@@ -68,6 +68,7 @@ async def validate_input(hass: HomeAssistant, data: dict[str, Any]) -> dict[str,
        raise InvalidAuth(
            translation_domain=DOMAIN,
            translation_key="cannot_authenticate",
+            translation_placeholders={"error": repr(err)},
        ) from err
    finally:
        await api.logout()
@@ -166,12 +166,12 @@ class ComelitVedoSensorEntity(
    @property
    def available(self) -> bool:
        """Sensor availability."""
-        return self._zone_object.human_status is not AlarmZoneState.UNAVAILABLE
+        return self._zone_object.human_status != AlarmZoneState.UNAVAILABLE

    @property
    def native_value(self) -> StateType:
        """Sensor value."""
-        if (status := self._zone_object.human_status) is AlarmZoneState.UNKNOWN:
+        if (status := self._zone_object.human_status) == AlarmZoneState.UNKNOWN:
            return None

        return cast(str, status.value)
@@ -7,6 +7,12 @@
      "message": "Timeout trying to execute command: {command}"
    }
  },
+  "issues": {
+    "platform_yaml_not_supported": {
+      "description": "Platform YAML setup is not supported.\nChange from configuring it using the `{platform}:` key to using the `command_line:` key directly in configuration.yaml and restart Home Assistant to resolve the issue.\nTo see the detailed documentation, select Learn more.",
+      "title": "Platform YAML is not supported in Command Line"
+    }
+  },
  "services": {
    "reload": {
      "description": "Reloads command line configuration from the YAML-configuration.",
@@ -4,9 +4,7 @@ import asyncio

 from homeassistant.core import HomeAssistant
 from homeassistant.exceptions import TemplateError
-from homeassistant.helpers.entity_platform import (
-    async_create_platform_config_not_supported_issue,
-)
+from homeassistant.helpers.issue_registry import IssueSeverity, async_create_issue
 from homeassistant.helpers.template import Template

 from .const import DOMAIN, LOGGER
@@ -100,11 +98,13 @@ def create_platform_yaml_not_supported_issue(
    hass: HomeAssistant, platform_domain: str
 ) -> None:
    """Create an issue when platform yaml is used."""
-    async_create_platform_config_not_supported_issue(
+    async_create_issue(
        hass,
        DOMAIN,
-        platform_domain,
-        yaml_config_under_integration_supported=True,
+        f"{platform_domain}_platform_yaml_not_supported",
+        is_fixable=False,
+        severity=IssueSeverity.ERROR,
+        translation_key="platform_yaml_not_supported",
+        translation_placeholders={"platform": platform_domain},
        learn_more_url="https://www.home-assistant.io/integrations/command_line/",
-        logger=LOGGER,
    )
@@ -91,11 +91,6 @@ async def async_setup(hass: HomeAssistant, config: ConfigType) -> bool:
    """Set up the Compensation sensor."""
    hass.data[DATA_COMPENSATION] = {}

-    # Exit early if no compensations are configured using the compensation: key in configuration.yaml.
-    # This allows us to create an issue if platform: compensation is present in the sensor: section.
-    if DOMAIN not in config:
-        return True
-
    for compensation, conf in config[DOMAIN].items():
        _LOGGER.debug("Setup %s.%s", DOMAIN, compensation)

@@ -8,7 +8,6 @@ import numpy as np
 from homeassistant.components.sensor import (
    ATTR_STATE_CLASS,
    CONF_STATE_CLASS,
-    DOMAIN as SENSOR_DOMAIN,
    SensorEntity,
 )
 from homeassistant.const import (
@@ -32,10 +31,7 @@ from homeassistant.core import (
    State,
    callback,
 )
-from homeassistant.helpers.entity_platform import (
-    AddEntitiesCallback,
-    async_create_platform_config_not_supported_issue,
-)
+from homeassistant.helpers.entity_platform import AddEntitiesCallback
 from homeassistant.helpers.event import async_track_state_change_event
 from homeassistant.helpers.typing import ConfigType, DiscoveryInfoType

@@ -45,7 +41,6 @@ from .const import (
    CONF_PRECISION,
    DATA_COMPENSATION,
    DEFAULT_NAME,
-    DOMAIN,
 )

 _LOGGER = logging.getLogger(__name__)
@@ -63,14 +58,6 @@ async def async_setup_platform(
 ) -> None:
    """Set up the Compensation sensor."""
    if discovery_info is None:
-        async_create_platform_config_not_supported_issue(
-            hass,
-            DOMAIN,
-            SENSOR_DOMAIN,
-            yaml_config_under_integration_supported=True,
-            learn_more_url="https://www.home-assistant.io/integrations/compensation/",
-            logger=_LOGGER,
-        )
        return

    compensation: str = discovery_info[CONF_COMPENSATION]
@@ -148,7 +148,7 @@ def _prepare_config_flow_result_json(
    prepare_result_json: Callable[[data_entry_flow.FlowResult], dict[str, Any]],
 ) -> dict[str, Any]:
    """Convert result to JSON."""
-    if result["type"] is not data_entry_flow.FlowResultType.CREATE_ENTRY:
+    if result["type"] != data_entry_flow.FlowResultType.CREATE_ENTRY:
        return prepare_result_json(result)

    data = {key: val for key, val in result.items() if key not in ("data", "context")}
@@ -19,7 +19,6 @@ ATTR_AGENT_ID = "agent_id"
 ATTR_CONVERSATION_ID = "conversation_id"

 SERVICE_PROCESS = "process"
-# pylint: disable-next=home-assistant-duplicate-const
 SERVICE_RELOAD = "reload"

 DATA_COMPONENT: HassKey[EntityComponent[ConversationEntity]] = HassKey(DOMAIN)
@@ -646,7 +646,7 @@ class DefaultAgent(ConversationEntity):
        cache_value = self._intent_cache.get(cache_key)
        if cache_value is not None:
            if (cache_value.result is not None) and (
-                cache_value.stage is IntentMatchingStage.EXPOSED_ENTITIES_ONLY
+                cache_value.stage == IntentMatchingStage.EXPOSED_ENTITIES_ONLY
            ):
                _LOGGER.debug("Got cached result for exposed entities")
                return cache_value.result
@@ -686,7 +686,7 @@ class DefaultAgent(ConversationEntity):
        skip_unexposed_entities_match = False
        if cache_value is not None:
            if (cache_value.result is not None) and (
-                cache_value.stage is IntentMatchingStage.UNEXPOSED_ENTITIES
+                cache_value.stage == IntentMatchingStage.UNEXPOSED_ENTITIES
            ):
                _LOGGER.debug("Got cached result for all entities")
                return cache_value.result
@@ -731,7 +731,7 @@ class DefaultAgent(ConversationEntity):
        skip_unknown_names = False
        if cache_value is not None:
            if (cache_value.result is not None) and (
-                cache_value.stage is IntentMatchingStage.UNKNOWN_NAMES
+                cache_value.stage == IntentMatchingStage.UNKNOWN_NAMES
            ):
                _LOGGER.debug("Got cached result for unknown names")
                return cache_value.result
@@ -1447,7 +1447,7 @@ class DefaultAgent(ConversationEntity):

        response = await self._async_process_intent_result(result, user_input, chat_log)
        if (
-            response.response_type is intent.IntentResponseType.ERROR
+            response.response_type == intent.IntentResponseType.ERROR
            and response.error_code
            not in (
                intent.IntentResponseErrorCode.FAILED_TO_HANDLE,
@@ -1546,7 +1546,7 @@ def _get_match_error_response(
        # device_class only
        return ErrorKey.NO_DEVICE_CLASS, {"device_class": device_class}

-    if (reason is intent.MatchFailedReason.DOMAIN) and constraints.domains:
+    if (reason == intent.MatchFailedReason.DOMAIN) and constraints.domains:
        domain = next(iter(constraints.domains))  # first domain
        if constraints.area_name:
            # domain in area
@@ -1565,7 +1565,7 @@ def _get_match_error_response(
        # domain only
        return ErrorKey.NO_DOMAIN, {"domain": domain}

-    if reason is intent.MatchFailedReason.DUPLICATE_NAME:
+    if reason == intent.MatchFailedReason.DUPLICATE_NAME:
        if constraints.floor_name:
            # duplicate on floor
            return ErrorKey.DUPLICATE_ENTITIES_IN_FLOOR, {
@@ -1582,26 +1582,26 @@ def _get_match_error_response(

        return ErrorKey.DUPLICATE_ENTITIES, {"entity": result.no_match_name}

-    if reason is intent.MatchFailedReason.INVALID_AREA:
+    if reason == intent.MatchFailedReason.INVALID_AREA:
        # Invalid area name
        return ErrorKey.NO_AREA, {"area": result.no_match_name}

-    if reason is intent.MatchFailedReason.INVALID_FLOOR:
+    if reason == intent.MatchFailedReason.INVALID_FLOOR:
        # Invalid floor name
        return ErrorKey.NO_FLOOR, {"floor": result.no_match_name}

-    if reason is intent.MatchFailedReason.FEATURE:
+    if reason == intent.MatchFailedReason.FEATURE:
        # Feature not supported by entity
        return ErrorKey.FEATURE_NOT_SUPPORTED, {}

-    if reason is intent.MatchFailedReason.STATE:
+    if reason == intent.MatchFailedReason.STATE:
        # Entity is not in correct state
        assert constraints.states
        state = next(iter(constraints.states))

        return ErrorKey.ENTITY_WRONG_STATE, {"state": state}

-    if reason is intent.MatchFailedReason.ASSISTANT:
+    if reason == intent.MatchFailedReason.ASSISTANT:
        # Not exposed
        if constraints.name:
            if constraints.area_name:
@@ -61,7 +61,7 @@ class CurrencylayerSensor(SensorEntity):
    """Implementing the Currencylayer sensor."""

    _attr_attribution = "Data provided by currencylayer.com"
-    _attr_icon = "mdi:currency-usd"
+    _attr_icon = "mdi:currency"

    def __init__(self, rest: CurrencylayerData, base: str, quote: str) -> None:
        """Initialize the sensor."""
@@ -26,12 +26,12 @@ from homeassistant.components.climate import (
    HVACAction,
    HVACMode,
 )
-from homeassistant.const import ATTR_LOCKED, ATTR_TEMPERATURE, UnitOfTemperature
+from homeassistant.const import ATTR_TEMPERATURE, UnitOfTemperature
 from homeassistant.core import HomeAssistant, callback
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback

 from . import DeconzConfigEntry
-from .const import ATTR_OFFSET, ATTR_VALVE
+from .const import ATTR_LOCKED, ATTR_OFFSET, ATTR_VALVE
 from .entity import DeconzDevice
 from .hub import DeconzHub

--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .14.5
 .14.4