
#169382 (Closed)

ghost wants to merge 3 commits into dev from unknown repository

Conversation


@ghost ghost commented Apr 28, 2026

Breaking change

Proposed change

Type of change

  • Dependency upgrade
  • Bugfix (non-breaking change which fixes an issue)
  • New integration (thank you!)
  • New feature (which adds functionality to an existing integration)
  • Deprecation (breaking change to happen in the future)
  • Breaking change (fix/feature causing existing functionality to break)
  • Code quality improvements to existing code or addition of tests

Additional information

  • This PR fixes or closes issue: fixes #
  • This PR is related to issue:
  • Link to documentation pull request:
  • Link to developer documentation pull request:
  • Link to frontend pull request:

Checklist

  • I understand the code I am submitting and can explain how it works.
  • The code change is tested and works locally.
  • Local tests pass. Your PR cannot be merged unless tests pass
  • There is no commented out code in this PR.
  • I have followed the development checklist
  • I have followed the perfect PR recommendations
  • The code has been formatted using Ruff (ruff format homeassistant tests)
  • Tests have been added to verify that the new code works.
  • Any generated code has been carefully reviewed for correctness and compliance with project standards.

If user exposed functionality or configuration variables are added/changed:

If the code communicates with devices, web services, or third-party tools:

  • The manifest file has all fields filled out correctly.
    Updated and included derived files by running: python3 -m script.hassfest.
  • New or updated dependencies have been added to requirements_all.txt.
    Updated by running python3 -m script.gen_requirements_all.
  • For the updated dependencies a diff between library versions and ideally a link to the changelog/release notes is added to the PR description.

To help with the load of incoming pull requests:

9turnbull added 2 commits April 8, 2026 03:12
This workflow automates the process of uploading a Python package to PyPI when a release is created, including steps for building and publishing the package.
Copilot AI review requested due to automatic review settings April 28, 2026 15:01
@ghost ghost self-requested a review as a code owner April 28, 2026 15:01

@home-assistant home-assistant Bot left a comment


Hi @9turnbull

It seems you haven't yet signed a CLA. Please do so here.

Once you do that we will be able to review and accept this pull request.

Thanks!

@home-assistant home-assistant Bot added labels cla-needed, small-pr (PRs with less than 30 lines) Apr 28, 2026
@home-assistant home-assistant Bot marked this pull request as draft April 28, 2026 15:01
@home-assistant

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 79cdd1624a


    path: dist/

- name: Publish release distributions to PyPI
  uses: pypa/gh-action-pypi-publish@release/v1


P1: Avoid duplicate PyPI upload on release publish

This workflow uploads distributions to PyPI on every release.published, but .github/workflows/builder.yml is already triggered by the same event and already uploads the core package in build_python (with skip-existing: true). That creates two independent publish attempts for the same version; this new one does not set skip-existing, so whichever run uploads second will fail with an existing-file error and make release automation flaky/red.


runs-on: ubuntu-latest

steps:
  - uses: actions/checkout@v4


P1: Pin action versions to satisfy workflow security checks

The workflow uses floating action tags (for example actions/checkout@v4), but this repository runs a dedicated zizmor job in CI (.github/workflows/ci.yaml, --all-files) and existing workflows pin actions to immutable SHAs or explicitly suppress exceptions. Introducing unpinned uses entries here will raise unpinned-uses findings and block CI on this change.



Copilot AI left a comment


Pull request overview

Adds a new GitHub Actions workflow intended to build and publish a Python package to PyPI when a GitHub Release is published.

Changes:

  • Introduce .github/workflows/python-publish.yml with jobs to build distributions and publish them to PyPI on release: published.

Comment on lines +11 to +13

on:
  release:
    types: [published]

Copilot AI Apr 28, 2026


Avoid running a second PyPI publishing workflow on releases since .github/workflows/builder.yml already builds and uploads the PyPI package on release: published, so this will likely duplicate publishing and can cause conflicting/failed releases.

Comment on lines +15 to +20

permissions:
  contents: read

jobs:
  release-build:
    runs-on: ubuntu-latest

Copilot AI Apr 28, 2026


Minimize default token permissions by setting top-level permissions: {} and granting only what each job needs (as done in other workflows here), since contents: read at workflow scope grants broader access than necessary.

Suggested change (current):

permissions:
  contents: read
jobs:
  release-build:
    runs-on: ubuntu-latest

Suggested change (proposed):

permissions: {}
jobs:
  release-build:
    runs-on: ubuntu-latest
    permissions:
      contents: read

Comment on lines +23 to +27

- uses: actions/checkout@v4

- uses: actions/setup-python@v5
  with:
    python-version: "3.x"

Copilot AI Apr 28, 2026


Pin all uses: actions to full commit SHAs (and disable credential persistence on checkout) to match the repo’s supply-chain hardening approach, since using floating tags like @v4/@v5 increases the risk of a compromised upstream release affecting the workflow.


- uses: actions/setup-python@v5
  with:
    python-version: "3.x"

Copilot AI Apr 28, 2026


Use the repository’s .python-version (via python-version-file) instead of 3.x so release artifacts are built with the same Python version as the rest of the project’s CI and packaging pipeline.

Suggested change (current):

python-version: "3.x"

Suggested change (proposed):

python-version-file: ".python-version"

Comment on lines +31 to +32

# NOTE: put your own distribution build steps here.
python -m pip install build

Copilot AI Apr 28, 2026


Build the release artifacts using the same pre-build steps as the existing release pipeline (notably downloading/extracting integration translations) because translations are intentionally not checked into the repo and a plain python -m build here will produce an incomplete PyPI package.

Suggested change (current):

# NOTE: put your own distribution build steps here.
python -m pip install build

Suggested change (proposed):

python -m pip install build
python -m script.translations develop_download

    path: dist/

- name: Publish release distributions to PyPI
  uses: pypa/gh-action-pypi-publish@release/v1

Copilot AI Apr 28, 2026


Pin pypa/gh-action-pypi-publish to a specific commit SHA (and align options like skip-existing with the existing publishing workflow) to avoid unexpected behavior changes from upstream action updates during a release.

Suggested change (current):

uses: pypa/gh-action-pypi-publish@release/v1

Suggested change (proposed):

uses: pypa/gh-action-pypi-publish@<FULL_40_CHARACTER_COMMIT_SHA>

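The Codex and Copilot reviews above converge on three checkable properties of a release workflow: every `uses:` reference pinned to a full commit SHA, no `permissions` grant at workflow scope (grants belong on the job), and `skip-existing: true` on the `pypa/gh-action-pypi-publish` step so a second upload attempt for the same version does not turn the release red. The script below is an added example, not code from this pull request or from the Home Assistant project: a dependency-free checker that finds those three weaknesses in a workflow file, run against two constructed samples, one shaped like the workflow under review and one hardened as the reviewers suggest. The 40-character "SHA" in the hardened sample is a placeholder, not a real commit, and the checker's key-matching is deliberately line-based, so a `permissions:` key is only recognised at workflow scope when it is unindented.

```python
"""Added example, not code from this PR or the Home Assistant project: a
dependency-free checker for the workflow weaknesses raised in the reviews above."""
import re
from typing import Optional

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")  # "uses:" or "- uses:"

# Constructed sample with the shape of the workflow under review
# (trigger block omitted; it is not needed for these checks).
WEAK_WORKFLOW = """\
permissions:
  contents: read

jobs:
  release-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Publish release distributions to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
"""

PLACEHOLDER_SHA = "0" * 40  # placeholder, not a real pinned commit

# Constructed hardened form: no workflow-scope grant, job-scope grant only,
# SHA-pinned actions, no persisted checkout credentials, the project's
# .python-version, and skip-existing on the upload.
HARDENED_WORKFLOW = f"""\
permissions: {{}}

jobs:
  release-build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4
        with:
          persist-credentials: false
      - uses: actions/setup-python@{PLACEHOLDER_SHA} # v5
        with:
          python-version-file: ".python-version"
      - name: Publish release distributions to PyPI
        uses: pypa/gh-action-pypi-publish@{PLACEHOLDER_SHA} # release/v1
        with:
          skip-existing: true
"""


def find_unpinned_uses(workflow: str) -> list[str]:
    """Return every `uses:` reference whose ref is not a full commit SHA."""
    unpinned = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and docker images have no git ref to pin
        if not SHA_RE.match(m.group(1).partition("@")[2]):
            unpinned.append(m.group(1))
    return unpinned


def workflow_scope_permissions(workflow: str) -> Optional[list[str]]:
    """Grants at workflow scope: [] for `permissions: {}`, None if absent."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(.*?)\s*$", line)  # unindented key only
        if not m:
            continue
        if m.group(1):  # inline value: "{}" (nothing) or a shorthand like read-all
            return [] if m.group(1) == "{}" else [m.group(1)]
        grants = []
        for nxt in lines[i + 1:]:  # block form: indented children follow
            if not nxt.startswith(" "):
                break
            grants.append(nxt.strip())
        return grants
    return None


def publish_steps_without_skip_existing(workflow: str) -> list[str]:
    """pypa/gh-action-pypi-publish steps that lack `skip-existing: true`."""
    lines = workflow.splitlines()
    missing = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or not m.group(1).startswith("pypa/gh-action-pypi-publish"):
            continue
        key_col = line.index("uses:")
        body = []  # rest of this step: lines indented at least as far as "uses:"
        for nxt in lines[i + 1:]:
            if not nxt.strip() or len(nxt) - len(nxt.lstrip(" ")) < key_col:
                break
            body.append(nxt.strip())
        if "skip-existing: true" not in body:
            missing.append(m.group(1))
    return missing
```

Running the three functions over `WEAK_WORKFLOW` reports all three action references as unpinned, `contents: read` granted at workflow scope, and the publish step without `skip-existing`; over `HARDENED_WORKFLOW` every check returns empty. To use it on a real file, read the workflow text from `.github/workflows/<name>.yml` and pass it to each function; the line-based matching is enough for the flat structure of a single-job publish workflow but is not a full YAML parser.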

@justanotherariel justanotherariel left a comment


No description, no PR title.


frenck commented Apr 28, 2026

Closing this one, it seems to be a mistake.

Let us know if it isn't 👍

../Frenck


@frenck frenck closed this Apr 28, 2026
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 29, 2026