test

.gitattributes

@@ -18,8 +18,7 @@ homeassistant/generated/*.py linguist-generated=true
 pylint/plugins/pylint_home_assistant/generated/*.py linguist-generated=true
 machine/* linguist-generated=true
 mypy.ini linguist-generated=true
-requirements.txt linguist-generated=true
-requirements_all.txt linguist-generated=true
-requirements_test_pre_commit.txt linguist-generated=true
+requirements*.txt linguist-generated=true
+requirements_*.lock linguist-generated=true
 script/hassfest/docker/Dockerfile linguist-generated=true
 .github/workflows/*.lock.yml linguist-generated=true merge=ours

.github/renovate.json

@@ -5,6 +5,7 @@
   "enabledManagers": [
     "pep621",
     "pip_requirements",
+    "pip-compile",
     "pre-commit",
     "dockerfile",
     "custom.regex",
@@ -22,6 +23,10 @@
     ]
   },
 
+  "pip-compile": {
+    "managerFilePatterns": ["/(^|/)requirements[\\w_-]*\\.lock$/"]
+  },
+
   "dockerfile": {
     "managerFilePatterns": ["/^Dockerfile$/"]
   },
@@ -63,6 +68,11 @@
 
   "automerge": false,
 
+  "lockFileMaintenance": {
+    "enabled": true,
+    "schedule": ["before 6am on monday"]
+  },
+
   "vulnerabilityAlerts": {
     "enabled": false
   },

.github/workflows/builder.yml

@@ -53,10 +53,10 @@ jobs:
         with:
           type: ${{ env.BUILD_TYPE }}
 
-      - name: Verify version
-        uses: home-assistant/actions/helpers/verify-version@master # zizmor: ignore[unpinned-uses]
-        with:
-          ignore-dev: true
+      # - name: Verify version
+      #   uses: home-assistant/actions/helpers/verify-version@master # zizmor: ignore[unpinned-uses]
+      #   with:
+      #     ignore-dev: true
 
       - name: Fail if translations files are checked in
         run: |
@@ -157,6 +157,8 @@ jobs:
               homeassistant/package_constraints.txt
 
             sed -i "s|home-assistant-frontend==.*||" requirements_all.txt
+            # Drop the released pin from the lock file; the nightly wheel is installed separately
+            sed -i "/^home-assistant-frontend==/,/^[^[:space:]#]/ { /^home-assistant-frontend==/d; /^[[:space:]#]/d }" requirements_all.lock
           fi
 
           if [[ "$(ls home_assistant_intents*.whl)" =~ ^home_assistant_intents-(.*)-py3-none-any.whl$ ]]; then
@@ -175,6 +177,8 @@ jobs:
               homeassistant/package_constraints.txt
 
             sed -i "s|home-assistant-intents==.*||" requirements_all.txt requirements.txt
+            # Drop the released pin from the lock file; the nightly wheel is installed separately
+            sed -i "/^home-assistant-intents==/,/^[^[:space:]#]/ { /^home-assistant-intents==/d; /^[[:space:]#]/d }" requirements_all.lock
           fi
 
       - name: Download translations
@@ -282,276 +286,276 @@ jobs:
           push: true
           version: ${{ needs.init.outputs.version }}
 
-  publish_ha:
-    name: Publish version files
-    environment: ${{ needs.init.outputs.channel }}
-    if: github.repository_owner == 'home-assistant'
-    needs: ["init", "build_machine"]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Checkout the repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
-        with:
-          persist-credentials: false
+  # publish_ha:
+  #   name: Publish version files
+  #   environment: ${{ needs.init.outputs.channel }}
+  #   if: github.repository_owner == 'home-assistant'
+  #   needs: ["init", "build_machine"]
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     contents: read
+  #   steps:
+  #     - name: Checkout the repository
+  #       uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+  #       with:
+  #         persist-credentials: false
 
-      - name: Initialize git
-        uses: home-assistant/actions/helpers/git-init@master # zizmor: ignore[unpinned-uses]
-        with:
-          name: ${{ secrets.GIT_NAME }}
-          email: ${{ secrets.GIT_EMAIL }}
-          token: ${{ secrets.GIT_TOKEN }}
+  #     - name: Initialize git
+  #       uses: home-assistant/actions/helpers/git-init@master # zizmor: ignore[unpinned-uses]
+  #       with:
+  #         name: ${{ secrets.GIT_NAME }}
+  #         email: ${{ secrets.GIT_EMAIL }}
+  #         token: ${{ secrets.GIT_TOKEN }}
 
-      - name: Update version file
-        uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
-        with:
-          key: "homeassistant[]"
-          key-description: "Home Assistant Core"
-          version: ${{ needs.init.outputs.version }}
-          channel: ${{ needs.init.outputs.channel }}
-          exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
+  #     - name: Update version file
+  #       uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
+  #       with:
+  #         key: "homeassistant[]"
+  #         key-description: "Home Assistant Core"
+  #         version: ${{ needs.init.outputs.version }}
+  #         channel: ${{ needs.init.outputs.channel }}
+  #         exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
 
-      - name: Update version file (stable -> beta)
-        if: needs.init.outputs.channel == 'stable'
-        uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
-        with:
-          key: "homeassistant[]"
-          key-description: "Home Assistant Core"
-          version: ${{ needs.init.outputs.version }}
-          channel: beta
-          exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
+  #     - name: Update version file (stable -> beta)
+  #       if: needs.init.outputs.channel == 'stable'
+  #       uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
+  #       with:
+  #         key: "homeassistant[]"
+  #         key-description: "Home Assistant Core"
+  #         version: ${{ needs.init.outputs.version }}
+  #         channel: beta
+  #         exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
 
-  publish_container:
-    name: Publish to ${{ matrix.registry }}
-    environment: ${{ needs.init.outputs.channel }}
-    if: github.repository_owner == 'home-assistant'
-    needs: ["init", "build_base"]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # To check out the repository
-      packages: write # To push to GHCR
-      id-token: write # For cosign signing
-    strategy:
-      fail-fast: false
-      matrix:
-        registry: ["ghcr.io/home-assistant", "docker.io/homeassistant"]
-    steps:
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+  # publish_container:
+  #   name: Publish to ${{ matrix.registry }}
+  #   environment: ${{ needs.init.outputs.channel }}
+  #   if: github.repository_owner == 'home-assistant'
+  #   needs: ["init", "build_base"]
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     contents: read # To check out the repository
+  #     packages: write # To push to GHCR
+  #     id-token: write # For cosign signing
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       registry: ["ghcr.io/home-assistant", "docker.io/homeassistant"]
+  #   steps:
+  #     - name: Install Cosign
+  #       uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
-      - name: Login to DockerHub
-        if: matrix.registry == 'docker.io/homeassistant'
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+  #     - name: Login to DockerHub
+  #       if: matrix.registry == 'docker.io/homeassistant'
+  #       uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+  #       with:
+  #         username: ${{ secrets.DOCKERHUB_USERNAME }}
+  #         password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+  #     - name: Login to GitHub Container Registry
+  #       uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+  #       with:
+  #         registry: ghcr.io
+  #         username: ${{ github.repository_owner }}
+  #         password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Verify architecture image signatures
-        shell: bash
-        env:
-          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
-          VERSION: ${{ needs.init.outputs.version }}
-        run: |
-          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
-          for arch in $ARCHS; do
-            echo "Verifying ${arch} image signature..."
-            cosign verify \
-              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-              --certificate-identity-regexp https://github.com/home-assistant/core/.* \
-              "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"
-          done
-          echo "✓ All images verified successfully"
+  #     - name: Verify architecture image signatures
+  #       shell: bash
+  #       env:
+  #         ARCHITECTURES: ${{ needs.init.outputs.architectures }}
+  #         VERSION: ${{ needs.init.outputs.version }}
+  #       run: |
+  #         ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
+  #         for arch in $ARCHS; do
+  #           echo "Verifying ${arch} image signature..."
+  #           cosign verify \
+  #             --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  #             --certificate-identity-regexp https://github.com/home-assistant/core/.* \
+  #             "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"
+  #         done
+  #         echo "✓ All images verified successfully"
 
-      # Generate all Docker tags based on version string
-      # Version format: YYYY.MM.PATCH, YYYY.MM.PATCHbN (beta), or YYYY.MM.PATCH.devYYYYMMDDHHMM (dev)
-      # Examples:
-      #   2025.12.1     (stable)    -> tags: 2025.12.1, 2025.12, stable, latest, beta, rc
-      #   2025.12.0b3   (beta)      -> tags: 2025.12.0b3, beta, rc
-      #   2025.12.0.dev202511250240 -> tags: 2025.12.0.dev202511250240, dev
-      - name: Generate Docker metadata
-        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
-        with:
-          images: ${{ matrix.registry }}/home-assistant
-          sep-tags: ","
-          tags: |
-            type=raw,value=${{ needs.init.outputs.version }},priority=9999
-            type=raw,value=dev,enable=${{ contains(needs.init.outputs.version, 'd') }}
-            type=raw,value=beta,enable=${{ !contains(needs.init.outputs.version, 'd') }}
-            type=raw,value=rc,enable=${{ !contains(needs.init.outputs.version, 'd') }}
-            type=raw,value=stable,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
-            type=raw,value=latest,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
-            type=semver,pattern={{major}}.{{minor}},value=${{ needs.init.outputs.version }},enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
+  #     # Generate all Docker tags based on version string
+  #     # Version format: YYYY.MM.PATCH, YYYY.MM.PATCHbN (beta), or YYYY.MM.PATCH.devYYYYMMDDHHMM (dev)
+  #     # Examples:
+  #     #   2025.12.1     (stable)    -> tags: 2025.12.1, 2025.12, stable, latest, beta, rc
+  #     #   2025.12.0b3   (beta)      -> tags: 2025.12.0b3, beta, rc
+  #     #   2025.12.0.dev202511250240 -> tags: 2025.12.0.dev202511250240, dev
+  #     - name: Generate Docker metadata
+  #       id: meta
+  #       uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
+  #       with:
+  #         images: ${{ matrix.registry }}/home-assistant
+  #         sep-tags: ","
+  #         tags: |
+  #           type=raw,value=${{ needs.init.outputs.version }},priority=9999
+  #           type=raw,value=dev,enable=${{ contains(needs.init.outputs.version, 'd') }}
+  #           type=raw,value=beta,enable=${{ !contains(needs.init.outputs.version, 'd') }}
+  #           type=raw,value=rc,enable=${{ !contains(needs.init.outputs.version, 'd') }}
+  #           type=raw,value=stable,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
+  #           type=raw,value=latest,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
+  #           type=semver,pattern={{major}}.{{minor}},value=${{ needs.init.outputs.version }},enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v3.7.1
+  #     - name: Set up Docker Buildx
+  #       uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v3.7.1
 
-      - name: Copy architecture images to DockerHub
-        if: matrix.registry == 'docker.io/homeassistant'
-        shell: bash
-        env:
-          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
-          VERSION: ${{ needs.init.outputs.version }}
-        run: |
-          # Use imagetools to copy image blobs directly between registries
-          # This preserves provenance/attestations and seems to be much faster than pull/push
-          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
-          for arch in $ARCHS; do
-            echo "Copying ${arch} image to DockerHub..."
-            for attempt in 1 2 3; do
-              if docker buildx imagetools create \
-                --tag "docker.io/homeassistant/${arch}-homeassistant:${VERSION}" \
-                "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"; then
-                break
-              fi
-              echo "Attempt ${attempt} failed, retrying in 10 seconds..."
-              sleep 10
-              if [ "${attempt}" -eq 3 ]; then
-                echo "Failed after 3 attempts"
-                exit 1
-              fi
-            done
-            cosign sign --yes "docker.io/homeassistant/${arch}-homeassistant:${VERSION}"
-          done
+  #     - name: Copy architecture images to DockerHub
+  #       if: matrix.registry == 'docker.io/homeassistant'
+  #       shell: bash
+  #       env:
+  #         ARCHITECTURES: ${{ needs.init.outputs.architectures }}
+  #         VERSION: ${{ needs.init.outputs.version }}
+  #       run: |
+  #         # Use imagetools to copy image blobs directly between registries
+  #         # This preserves provenance/attestations and seems to be much faster than pull/push
+  #         ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
+  #         for arch in $ARCHS; do
+  #           echo "Copying ${arch} image to DockerHub..."
+  #           for attempt in 1 2 3; do
+  #             if docker buildx imagetools create \
+  #               --tag "docker.io/homeassistant/${arch}-homeassistant:${VERSION}" \
+  #               "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"; then
+  #               break
+  #             fi
+  #             echo "Attempt ${attempt} failed, retrying in 10 seconds..."
+  #             sleep 10
+  #             if [ "${attempt}" -eq 3 ]; then
+  #               echo "Failed after 3 attempts"
+  #               exit 1
+  #             fi
+  #           done
+  #           cosign sign --yes "docker.io/homeassistant/${arch}-homeassistant:${VERSION}"
+  #         done
 
-      - name: Create and push multi-arch manifests
-        shell: bash
-        env:
-          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
-          REGISTRY: ${{ matrix.registry }}
-          VERSION: ${{ needs.init.outputs.version }}
-          META_TAGS: ${{ steps.meta.outputs.tags }}
-        run: |
-          # Build list of architecture images dynamically
-          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
-          ARCH_IMAGES=()
-          for arch in $ARCHS; do
-            ARCH_IMAGES+=("${REGISTRY}/${arch}-homeassistant:${VERSION}")
-          done
+  #     - name: Create and push multi-arch manifests
+  #       shell: bash
+  #       env:
+  #         ARCHITECTURES: ${{ needs.init.outputs.architectures }}
+  #         REGISTRY: ${{ matrix.registry }}
+  #         VERSION: ${{ needs.init.outputs.version }}
+  #         META_TAGS: ${{ steps.meta.outputs.tags }}
+  #       run: |
+  #         # Build list of architecture images dynamically
+  #         ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
+  #         ARCH_IMAGES=()
+  #         for arch in $ARCHS; do
+  #           ARCH_IMAGES+=("${REGISTRY}/${arch}-homeassistant:${VERSION}")
+  #         done
 
-          # Build list of all tags for single manifest creation
-          # Note: Using sep-tags=',' in metadata-action for easier parsing
-          TAG_ARGS=()
-          IFS=',' read -ra TAGS <<< "${META_TAGS}"
-          for tag in "${TAGS[@]}"; do
-            TAG_ARGS+=("--tag" "${tag}")
-          done
+  #         # Build list of all tags for single manifest creation
+  #         # Note: Using sep-tags=',' in metadata-action for easier parsing
+  #         TAG_ARGS=()
+  #         IFS=',' read -ra TAGS <<< "${META_TAGS}"
+  #         for tag in "${TAGS[@]}"; do
+  #           TAG_ARGS+=("--tag" "${tag}")
+  #         done
 
-          # Create manifest with ALL tags in a single operation (much faster!)
-          echo "Creating multi-arch manifest with tags: ${TAGS[*]}"
-          docker buildx imagetools create "${TAG_ARGS[@]}" "${ARCH_IMAGES[@]}"
+  #         # Create manifest with ALL tags in a single operation (much faster!)
+  #         echo "Creating multi-arch manifest with tags: ${TAGS[*]}"
+  #         docker buildx imagetools create "${TAG_ARGS[@]}" "${ARCH_IMAGES[@]}"
 
-          # Sign each tag separately (signing requires individual tag names)
-          echo "Signing all tags..."
-          for tag in "${TAGS[@]}"; do
-            echo "Signing ${tag}"
-            cosign sign --yes "${tag}"
-          done
+  #         # Sign each tag separately (signing requires individual tag names)
+  #         echo "Signing all tags..."
+  #         for tag in "${TAGS[@]}"; do
+  #           echo "Signing ${tag}"
+  #           cosign sign --yes "${tag}"
+  #         done
 
-          echo "All manifests created and signed successfully"
+  #         echo "All manifests created and signed successfully"
 
-  build_python:
-    name: Build PyPi package
-    environment: ${{ needs.init.outputs.channel }}
-    needs: ["init", "build_base"]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # To check out the repository
-      id-token: write # For PyPI trusted publishing
-    if: github.repository_owner == 'home-assistant' && needs.init.outputs.publish == 'true'
-    steps:
-      - name: Checkout the repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
-        with:
-          persist-credentials: false
+  # build_python:
+  #   name: Build PyPi package
+  #   environment: ${{ needs.init.outputs.channel }}
+  #   needs: ["init", "build_base"]
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     contents: read # To check out the repository
+  #     id-token: write # For PyPI trusted publishing
+  #   if: github.repository_owner == 'home-assistant' && needs.init.outputs.publish == 'true'
+  #   steps:
+  #     - name: Checkout the repository
+  #       uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+  #       with:
+  #         persist-credentials: false
 
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version-file: ".python-version"
+  #     - name: Set up Python
+  #       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+  #       with:
+  #         python-version-file: ".python-version"
 
-      - name: Download translations
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: translations
+  #     - name: Download translations
+  #       uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+  #       with:
+  #         name: translations
 
-      - name: Extract translations
-        run: |
-          tar xvf translations.tar.gz
-          rm translations.tar.gz
+  #     - name: Extract translations
+  #       run: |
+  #         tar xvf translations.tar.gz
+  #         rm translations.tar.gz
 
-      - name: Build package
-        shell: bash
-        run: |
-          # Remove dist, build, and homeassistant.egg-info
-          # when build locally for testing!
-          pip install build
-          python -m build
+  #     - name: Build package
+  #       shell: bash
+  #       run: |
+  #         # Remove dist, build, and homeassistant.egg-info
+  #         # when build locally for testing!
+  #         pip install build
+  #         python -m build
 
-      - name: Upload package to PyPI
-        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
-        with:
-          skip-existing: true
+  #     - name: Upload package to PyPI
+  #       uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
+  #       with:
+  #         skip-existing: true
 
-  hassfest-image:
-    name: Build and test hassfest image
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # To check out the repository
-      packages: write # To push to GHCR
-      attestations: write # For build provenance attestation
-      id-token: write # For build provenance attestation
-    needs: ["init"]
-    if: github.repository_owner == 'home-assistant'
-    env:
-      HASSFEST_IMAGE_NAME: ghcr.io/home-assistant/hassfest
-      HASSFEST_IMAGE_TAG: ghcr.io/home-assistant/hassfest:${{ needs.init.outputs.version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
-        with:
-          persist-credentials: false
+  # hassfest-image:
+  #   name: Build and test hassfest image
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     contents: read # To check out the repository
+  #     packages: write # To push to GHCR
+  #     attestations: write # For build provenance attestation
+  #     id-token: write # For build provenance attestation
+  #   needs: ["init"]
+  #   if: github.repository_owner == 'home-assistant'
+  #   env:
+  #     HASSFEST_IMAGE_NAME: ghcr.io/home-assistant/hassfest
+  #     HASSFEST_IMAGE_TAG: ghcr.io/home-assistant/hassfest:${{ needs.init.outputs.version }}
+  #   steps:
+  #     - name: Checkout repository
+  #       uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+  #       with:
+  #         persist-credentials: false
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+  #     - name: Login to GitHub Container Registry
+  #       uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+  #       with:
+  #         registry: ghcr.io
+  #         username: ${{ github.repository_owner }}
+  #         password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build Docker image
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
-        with:
-          context: . # So action will not pull the repository again
-          file: ./script/hassfest/docker/Dockerfile
-          load: true
-          tags: ${{ env.HASSFEST_IMAGE_TAG }}
+  #     - name: Build Docker image
+  #       uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+  #       with:
+  #         context: . # So action will not pull the repository again
+  #         file: ./script/hassfest/docker/Dockerfile
+  #         load: true
+  #         tags: ${{ env.HASSFEST_IMAGE_TAG }}
 
-      - name: Run hassfest against core
-        run: docker run --rm -v "${GITHUB_WORKSPACE}":/github/workspace "${HASSFEST_IMAGE_TAG}" --core-path=/github/workspace
+  #     - name: Run hassfest against core
+  #       run: docker run --rm -v "${GITHUB_WORKSPACE}":/github/workspace "${HASSFEST_IMAGE_TAG}" --core-path=/github/workspace
 
-      - name: Push Docker image
-        if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
-        id: push
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
-        with:
-          context: . # So action will not pull the repository again
-          file: ./script/hassfest/docker/Dockerfile
-          push: true
-          tags: ${{ env.HASSFEST_IMAGE_TAG }},${{ env.HASSFEST_IMAGE_NAME }}:latest
+  #     - name: Push Docker image
+  #       if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
+  #       id: push
+  #       uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+  #       with:
+  #         context: . # So action will not pull the repository again
+  #         file: ./script/hassfest/docker/Dockerfile
+  #         push: true
+  #         tags: ${{ env.HASSFEST_IMAGE_TAG }},${{ env.HASSFEST_IMAGE_NAME }}:latest
 
-      - name: Generate artifact attestation
-        if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
-        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
-        with:
-          subject-name: ${{ env.HASSFEST_IMAGE_NAME }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+  #     - name: Generate artifact attestation
+  #       if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
+  #       uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+  #       with:
+  #         subject-name: ${{ env.HASSFEST_IMAGE_NAME }}
+  #         subject-digest: ${{ steps.push.outputs.digest }}
+  #         push-to-registry: true

.github/workflows/ci.yaml

@@ -104,15 +104,11 @@ jobs:
       - name: Generate partial Python venv restore key
         id: generate_python_cache_key
         env:
-          HASH_REQUIREMENTS_TEST: ${{ hashFiles('requirements_test.txt', 'requirements_test_pre_commit.txt') }}
-          HASH_REQUIREMENTS: ${{ hashFiles('requirements.txt') }}
-          HASH_REQUIREMENTS_ALL: ${{ hashFiles('requirements_all.txt') }}
-          HASH_PACKAGE_CONSTRAINTS: ${{ hashFiles('homeassistant/package_constraints.txt') }}
-          HASH_GEN_REQUIREMENTS: ${{ hashFiles('script/gen_requirements_all.py') }}
+          HASH_FILES: ${{ hashFiles('requirements_ci.lock', 'script/gen_requirements_all.py') }}
         run: |
           # Include HA_SHORT_VERSION to force the immediate creation
           # of a new uv cache entry after a version bump.
-          echo "key=venv-${CACHE_VERSION}-${HA_SHORT_VERSION}-${HASH_REQUIREMENTS_TEST}-${HASH_REQUIREMENTS}-${HASH_REQUIREMENTS_ALL}-${HASH_PACKAGE_CONSTRAINTS}-${HASH_GEN_REQUIREMENTS}" >> $GITHUB_OUTPUT
+          echo "key=venv-${CACHE_VERSION}-${HA_SHORT_VERSION}-${HASH_FILES}" >> $GITHUB_OUTPUT
       - name: Filter for core changes
         uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
         id: core
@@ -365,7 +361,7 @@ jobs:
           RUNNER_OS: ${{ runner.os }}
           RUNNER_ARCH: ${{ runner.arch }}
           PYTHON_VERSION: ${{ steps.python.outputs.python-version }}
-          HASH_FILES: ${{ hashFiles('requirements.txt', 'requirements_all.txt', 'requirements_test.txt', 'homeassistant/package_constraints.txt') }}
+          HASH_FILES: ${{ hashFiles('requirements_ci.lock') }}
         run: |
           partial_key="${RUNNER_OS}-${RUNNER_ARCH}-${PYTHON_VERSION}-uv-"
           echo "partial_key=${partial_key}" >> $GITHUB_OUTPUT
@@ -414,8 +410,7 @@ jobs:
           python -m venv venv
           . venv/bin/activate
           python --version
-          uv pip install -r requirements.txt
-          uv pip install -r requirements_all.txt -r requirements_test.txt
+          uv pip install -r requirements_ci.lock
           uv pip install -e . --config-settings editable_mode=compat
       - name: Dump pip freeze
         run: |

Dockerfile

@@ -29,24 +29,18 @@ COPY rootfs /
 COPY --from=ghcr.io/alexxit/go2rtc:1.9.14@sha256:675c318b23c06fd862a61d262240c9a63436b4050d177ffc68a32710d9e05bae /usr/local/bin/go2rtc /bin/go2rtc
 
 ## Setup Home Assistant Core dependencies
-COPY --parents requirements.txt homeassistant/package_constraints.txt homeassistant/
+COPY --parents requirements_all.lock home_assistant_frontend-* home_assistant_intents-* homeassistant/
 RUN \
     # Verify go2rtc can be executed
     go2rtc --version \
-    # Install uv at the version pinned in the requirements file
-    && pip3 install --no-cache-dir "uv==$(awk -F'==' '/^uv==/{print $2}' homeassistant/requirements.txt)" \
-    && uv pip install \
-        --no-build \
-        -r homeassistant/requirements.txt
-
-COPY requirements_all.txt home_assistant_frontend-* home_assistant_intents-* homeassistant/
-RUN \
-    if ls homeassistant/home_assistant_*.whl 1> /dev/null 2>&1; then \
+    # Install uv at the version pinned in the lock file
+    && pip3 install --no-cache-dir "uv==$(awk -F'[= ;]+' '/^uv==/{print $2}' homeassistant/requirements_all.lock)" \
+    && if ls homeassistant/home_assistant_*.whl 1> /dev/null 2>&1; then \
         uv pip install homeassistant/home_assistant_*.whl; \
     fi \
     && uv pip install \
         --no-build \
-        -r homeassistant/requirements_all.txt
+        -r homeassistant/requirements_all.lock
 
 ## Setup Home Assistant Core
 COPY --parents LICENSE* README* homeassistant/ pyproject.toml homeassistant/

pyproject.toml

@@ -94,6 +94,14 @@ dependencies = [
 [project.scripts]
 hass = "homeassistant.__main__:main"
 
+[tool.uv]
+# Constrain the universal `uv pip compile` resolution (used for the .lock files)
+# to the platforms Home Assistant actually targets: Linux and macOS.
+environments = [
+    "sys_platform == 'linux'",
+    "sys_platform == 'darwin'",
+]
+
 [tool.setuptools]
 include-package-data = true
 

script/gen_requirements_all.py

@@ -1,13 +1,16 @@
 #!/usr/bin/env python3
 """Generate updated constraint and requirements files."""
 
+from collections.abc import Sequence
 import difflib
 import importlib
 from operator import itemgetter
 from pathlib import Path
 import pkgutil
 import re
+import subprocess
 import sys
+import tempfile
 import tomllib
 from typing import Any
 
@@ -261,6 +264,11 @@ IGNORE_PRE_COMMIT_HOOK_ID = (
 
 PACKAGE_REGEX = re.compile(r"^(?:--.+\s)?([-_\.\w\d]+).*==.+$")
 
+PIP_COMPILE_LOCK_FILES = {
+    "requirements_all.lock": ("requirements_all.txt",),
+    "requirements_ci.lock": ("requirements_all.txt", "requirements_test.txt"),
+}
+
 
 def explore_module(package: str, explore_children: bool) -> list[str]:
     """Explore the modules."""
@@ -542,18 +550,56 @@ def gather_constraints() -> str:
     )
 
 
-def diff_file(filename: str, content: str) -> list[str]:
-    """Diff a file."""
+def diff_content(
+    content_a: Sequence[str], filename_a: str, content_b: Sequence[str], filename_b: str
+) -> list[str]:
+    """Diff two strings as if they were files."""
     return list(
         difflib.context_diff(
-            [f"{line}\n" for line in Path(filename).read_text().split("\n")],
-            [f"{line}\n" for line in content.split("\n")],
-            filename,
-            "generated",
+            content_a,
+            content_b,
+            filename_a,
+            filename_b,
         )
     )
 
 
+def diff_file(filename: str, content: str) -> list[str]:
+    """Diff a file."""
+    return diff_content(
+        [f"{line}\n" for line in Path(filename).read_text().split("\n")],
+        filename,
+        [f"{line}\n" for line in content.split("\n")],
+        "generated",
+    )
+
+
+def generate_lock_file(output_path: str, source_files: tuple[str, ...]) -> None:
+    """Resolve requirements_all.txt into a pinned lock file.
+
+    This shells out to `uv pip compile`, which performs a full networked
+    dependency resolution, so callers should only invoke it when
+    requirements/dependencies have changed.
+
+    uv records its invocation in the lock file header, which lets Renovate's
+    pip-compile manager parse and re-run it to refresh the lock file when it
+    bumps a dependency.
+    """
+    subprocess.run(
+        [
+            "uv",
+            "pip",
+            "compile",
+            "--quiet",
+            "--universal",
+            "--output-file",
+            output_path,
+            *source_files,
+        ],
+        check=True,
+    )
+
+
 def main(validate: bool, ci: bool) -> int:
     """Run the script."""
     if not Path("requirements_all.txt").is_file():
@@ -596,6 +642,29 @@ def main(validate: bool, ci: bool) -> int:
             if diff:
                 errors.append("".join(diff))
 
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            for lock_file, source_files in PIP_COMPILE_LOCK_FILES.items():
+                tmp_lock = str(Path(tmp_dir) / lock_file)
+                # The header contains the generated command, which we need to ignore when comparing the existing lock file with the generated one due the tempoary folder used for generation.
+                lock_content = [
+                    f"{line}\n"
+                    for line in Path(lock_file).read_text(encoding="utf-8").split("\n")
+                ][2:]
+
+                generate_lock_file(tmp_lock, source_files)
+                generated_lock_content = [
+                    f"{line}\n"
+                    for line in Path(tmp_lock).read_text(encoding="utf-8").split("\n")
+                ][2:]
+                lock_diff = diff_content(
+                    lock_content,
+                    lock_file,
+                    generated_lock_content,
+                    "generated",
+                )
+                if lock_diff:
+                    errors.append("".join(lock_diff))
+
         if errors:
             print("ERROR - FOUND THE FOLLOWING DIFFERENCES")
             print()
@@ -610,6 +679,9 @@ def main(validate: bool, ci: bool) -> int:
     for filename, content in files:
         Path(filename).write_text(content)
 
+    for lock_file, source_files in PIP_COMPILE_LOCK_FILES.items():
+        generate_lock_file(lock_file, source_files)
+
     return 0