code · pull · Feb 15, 2026 · Feb 15, 2026 · Feb 15, 2026 · Feb 15, 2026
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
@@ -18,11 +18,15 @@ env:
   BASE_IMAGE_VERSION: "2026.01.0"
   ARCHITECTURES: '["amd64", "aarch64"]'
 
+permissions: {}
+
 jobs:
   init:
     name: Initialize build
     if: github.repository_owner == 'home-assistant'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       version: ${{ steps.version.outputs.version }}
       channel: ${{ steps.version.outputs.channel }}
@@ -315,6 +319,8 @@ jobs:
     if: github.repository_owner == 'home-assistant'
     needs: ["init", "build_machine"]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout the repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -67,6 +67,8 @@ env:
   PYTHONASYNCIODEBUG: 1
   HASS_CI: 1
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -75,6 +77,9 @@ jobs:
   info:
     name: Collect information & changes data
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      pull-requests: read
     outputs:
       # In case of issues with the partial run, use the following line instead:
       # test_full_suite: 'true'
@@ -241,6 +246,8 @@ jobs:
   prek:
     name: Run prek checks
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs: [info]
     if: |
       github.event.inputs.pylint-only != 'true'
@@ -266,6 +273,8 @@ jobs:
   lint-hadolint:
     name: Check ${{ matrix.file }}
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs: [info]
     if: |
       github.event.inputs.pylint-only != 'true'
@@ -294,6 +303,8 @@ jobs:
   base:
     name: Prepare dependencies
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs: [info]
     timeout-minutes: 60
     strategy:
@@ -426,6 +437,8 @@ jobs:
   hassfest:
     name: Check hassfest
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs:
       - info
       - base
@@ -481,6 +494,8 @@ jobs:
   gen-requirements-all:
     name: Check all requirements
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs:
       - info
       - base
@@ -516,6 +531,8 @@ jobs:
   gen-copilot-instructions:
     name: Check copilot instructions
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs:
       - info
     if: |
@@ -540,6 +557,8 @@ jobs:
   dependency-review:
     name: Dependency review
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs:
       - info
       - base
@@ -561,6 +580,8 @@ jobs:
   audit-licenses:
     name: Audit licenses
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs:
       - info
       - base
@@ -610,6 +631,8 @@ jobs:
   pylint:
     name: Check pylint
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs:
       - info
       - base
@@ -658,6 +681,8 @@ jobs:
   pylint-tests:
     name: Check pylint on tests
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs:
       - info
       - base
@@ -707,6 +732,8 @@ jobs:
   mypy:
     name: Check mypy
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs:
       - info
       - base
@@ -772,6 +799,8 @@ jobs:
   prepare-pytest-full:
     name: Split tests for full run
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     if: |
       needs.info.outputs.lint_only != 'true'
       && needs.info.outputs.test_full_suite == 'true'
@@ -838,6 +867,8 @@ jobs:
   pytest-full:
     name: Run tests Python ${{ matrix.python-version }} (${{ matrix.group }})
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs:
       - info
       - base
@@ -976,6 +1007,8 @@ jobs:
   pytest-mariadb:
     name: Run ${{ matrix.mariadb-group }} tests Python ${{ matrix.python-version }}
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     services:
       mariadb:
         image: ${{ matrix.mariadb-group }}
@@ -1129,6 +1162,8 @@ jobs:
   pytest-postgres:
     name: Run ${{ matrix.postgresql-group }} tests Python ${{ matrix.python-version }}
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     services:
       postgres:
         image: ${{ matrix.postgresql-group }}
@@ -1285,6 +1320,8 @@ jobs:
   coverage-full:
     name: Upload test coverage to Codecov (full suite)
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs:
       - info
       - pytest-full
@@ -1312,6 +1349,8 @@ jobs:
   pytest-partial:
     name: Run tests Python ${{ matrix.python-version }} (${{ matrix.group }})
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs:
       - info
       - base
@@ -1452,6 +1491,8 @@ jobs:
     name: Upload test coverage to Codecov (partial suite)
     if: needs.info.outputs.skip_coverage != 'true'
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     timeout-minutes: 10
     needs:
       - info

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -5,6 +5,8 @@ on:
   schedule:
     - cron: "30 18 * * 4"
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true

diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
@@ -5,10 +5,15 @@ on:
   schedule:
     - cron: "0 * * * *"
 
+permissions: {}
+
 jobs:
   lock:
     if: github.repository_owner == 'home-assistant'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0
         with:

diff --git a/.github/workflows/restrict-task-creation.yml b/.github/workflows/restrict-task-creation.yml
@@ -5,9 +5,14 @@ on:
   issues:
     types: [opened]
 
+permissions: {}
+
 jobs:
   check-authorization:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     # Only run if this is a Task issue type (from the issue form)
     if: github.event.issue.type.name == 'Task'
     steps:

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -6,10 +6,15 @@ on:
     - cron: "0 * * * *"
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   stale:
     if: github.repository_owner == 'home-assistant'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       # The 60 day stale policy for PRs
       # Used for:

diff --git a/.github/workflows/translations.yml b/.github/workflows/translations.yml
@@ -9,6 +9,8 @@ on:
     paths:
       - "**strings.json"
 
+permissions: {}
+
 env:
   DEFAULT_PYTHON: "3.14.2"
 

diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
@@ -19,6 +19,8 @@ on:
 env:
   DEFAULT_PYTHON: "3.14.2"
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name}}
   cancel-in-progress: true
@@ -51,7 +53,7 @@ jobs:
 
       - name: Create requirements_diff file
         run: |
-          if [[ ${{ github.event_name }} =~ (schedule|workflow_dispatch) ]]; then
+          if [[ "${GITHUB_EVENT_NAME}" =~ (schedule|workflow_dispatch) ]]; then
             touch requirements_diff.txt
           else
             curl -s -o requirements_diff.txt https://raw.githubusercontent.com/home-assistant/core/master/requirements.txt
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,6 +9,8 @@ on: @@
         paths:
           - "**strings.json"
+    permissions: {}
     env:
       DEFAULT_PYTHON: "3.14.2"
@@ Expand Down @@