Modernize and consolidate GitHub workflows

.github/workflows/frontend.yaml

@@ -0,0 +1,87 @@
+---
+name: Frontend
+
+# yamllint disable-line rule:truthy
+on:
+  push:
+    branches: [main]
+    paths:
+      - "**.js"
+      - "**.ts"
+      - "ts/**"
+      - ".eslintrc.cjs"
+      - "package.json"
+      - "rollup.config.js"
+      - "tsconfig.json"
+      - "vitest.config.ts"
+      - ".github/workflows/frontend.yaml"
+  pull_request:
+    branches: [main]
+    paths:
+      - "**.js"
+      - "**.ts"
+      - "ts/**"
+      - ".eslintrc.cjs"
+      - "package.json"
+      - "rollup.config.js"
+      - "tsconfig.json"
+      - "vitest.config.ts"
+      - ".github/workflows/frontend.yaml"
+
+jobs:
+  lint-and-build:
+    # pre-commit.ci skips yarn-lint and yarn-build (Node.js not available), so CI needs this job
+    name: Yarn Lint and Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 2
+      - name: Set up Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: lts/iron
+      - name: Install dependencies
+        run: yarn install
+      - name: Lint
+        run: yarn lint:fix
+      - name: Check for changes from lint
+        id: change_lint
+        run: echo "changed=$(git status --porcelain | wc -l)" >> $GITHUB_OUTPUT
+      - name: Check if clean from lint
+        if: steps.change_lint.outputs.changed != 0
+        uses: actions/github-script@v8
+        with:
+          script: |
+            core.setFailed('Repo is dirty after lint! Run yarn lint:fix locally before pushing changes.')
+      - name: Build
+        run: yarn build
+      - name: Check for changes from build
+        id: change_build
+        run: echo "changed=$(git status --porcelain | wc -l)" >> $GITHUB_OUTPUT
+      - name: Check if clean from build
+        if: steps.change_build.outputs.changed != 0
+        uses: actions/github-script@v8
+        with:
+          script: |
+            core.setFailed('Repo is dirty after build! Run yarn build locally before pushing changes.')
+
+  test:
+    name: Vitest
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: lts/iron
+      - name: Install dependencies
+        run: yarn install
+      - name: Run tests
+        run: yarn test --coverage --coverage.reporter=json
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          flags: typescript
+          files: ./coverage/coverage-final.json

.github/workflows/integration.yaml

@@ -0,0 +1,66 @@
+---
+name: Integration
+
+# yamllint disable-line rule:truthy
+on:
+  push:
+    branches: [main]
+    paths:
+      - "**.py"
+      - ".github/workflows/integration.yaml"
+  pull_request:
+    branches: [main]
+    paths:
+      - "**.py"
+      - "requirements*.txt"
+      - "pyproject.toml"
+      - ".github/workflows/integration.yaml"
+
+jobs:
+  test:
+    name: Pytest
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.13"
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install libudev-dev
+      - name: Install dependencies
+        run: uv pip install --system -r requirements_dev.txt
+      - name: Run tests and generate coverage report
+        # CI-only deps installed separately to keep requirements_dev.txt lightweight
+        run: |
+          uv pip install --system pytest-cov pytest-github-actions-annotate-failures
+          pytest ./tests/ --cov=custom_components/lock_code_manager/ --cov-report=xml
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          flags: python
+          files: coverage.xml
+
+  hacs:
+    name: HACS
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: HACS Action
+        uses: hacs/action@main
+        with:
+          category: integration
+
+  hassfest:
+    name: Hassfest
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: home-assistant/actions/hassfest@master

.github/workflows/auto-merge.yaml → .github/workflows/repository.yaml

@@ -1,27 +1,72 @@
 ---
-name: auto-merge
+name: Repository
 
-"on":
+# yamllint disable-line rule:truthy
+on:
+  push:
+    branches: [main]
   pull_request:
-    types: [opened, synchronize, reopened, labeled, unlabeled]
+    types:
+      - labeled
+      - opened
+      - reopened
+      - synchronize
+      - unlabeled
+  # pull_request_target is needed for fork PRs - it runs in the base repo context
+  # with elevated permissions required for pull-requests: write
+  pull_request_target:
+    types:
+      - labeled
+      - opened
+      - reopened
+      - synchronize
+      - unlabeled
+  workflow_dispatch:
 
 permissions:
-  contents: write
-  pull-requests: write
-
-# Cancel in-progress runs for the same PR (only latest should merge)
-concurrency:
-  group: auto-merge-${{ github.event.pull_request.number }}
-  cancel-in-progress: true
+  contents: read
 
 jobs:
+  update-release-draft:
+    name: Update Release Draft
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    concurrency:
+      # Use head_ref for PRs (branch name) or ref for pushes (refs/heads/main)
+      # This ensures PR updates are serialized while different PRs run concurrently
+      group: release-drafter-${{ github.head_ref || github.ref }}
+      cancel-in-progress: false
+    steps:
+      # Give GitHub API time to index newly merged PRs before querying
+      - name: Wait for PR indexing
+        if: github.event_name == 'push'
+        run: sleep 10
+      - uses: release-drafter/release-drafter@v6
+        with:
+          commitish: main
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   auto-merge:
+    name: Auto Merge
     runs-on: ubuntu-latest
-    # Run for dependabot, pre-commit-ci, or PRs with auto-merge label
+    # Only run on pull_request events (not push, pull_request_target, or workflow_dispatch)
+    # and only for dependabot, pre-commit-ci, or PRs with auto-merge label
     if: >-
-      github.event.pull_request.user.login == 'dependabot[bot]' ||
-      github.event.pull_request.user.login == 'pre-commit-ci[bot]' ||
-      contains(github.event.pull_request.labels.*.name, 'auto-merge')
+      github.event_name == 'pull_request' && (
+        github.event.pull_request.user.login == 'dependabot[bot]' ||
+        github.event.pull_request.user.login == 'pre-commit-ci[bot]' ||
+        contains(github.event.pull_request.labels.*.name, 'auto-merge')
+      )
+    permissions:
+      contents: write
+      pull-requests: write
+    concurrency:
+      # Cancel in-progress runs for the same PR (only latest should merge)
+      group: auto-merge-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
     steps:
       # Fetch Dependabot metadata (only runs for dependabot PRs)
       - name: Fetch Dependabot metadata