chore(tooling): improve linting, CI caching, and maintenance automation (#1892)

## Summary

Improves code quality tooling and CI efficiency.

**Code quality:**
- Enable additional ruff rules: ASYNC, S (security), T (print
detection), C4 (comprehensions)
- Add actionlint pre-commit hook to validate GitHub workflow files

**CI efficiency:**
- Add UV caching to lint and test workflows
- Fix shellcheck warnings in release workflow

**Maintenance:**
- Change dependabot from daily to weekly updates
- Remove unused tox dependency

Author: tetienne

.github/dependabot.yml

@@ -3,14 +3,14 @@ updates:
   - package-ecosystem: "uv"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
       time: "08:00"
     open-pull-requests-limit: 10
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
       time: "08:00"
     open-pull-requests-limit: 10
 

.github/workflows/lint.yaml

@@ -20,6 +20,9 @@ jobs:
 
       - name: Install uv
         uses: astral-sh/setup-uv@v7
+        with:
+          enable-cache: true
+          cache-suffix: ${{ matrix.python-version }}
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v6

.github/workflows/release.yml

@@ -30,10 +30,10 @@ jobs:
       - name: Retrieve version from tag name
         id: retrieve-version
         run: |
-            tag=${{ github.event.release.tag_name }}
-            version_number=${tag#?}
-            echo version: $version_number
-            echo "version=$version_number" >> $GITHUB_OUTPUT
+            tag="${{ github.event.release.tag_name }}"
+            version_number="${tag#?}"
+            echo "version: $version_number"
+            echo "version=$version_number" >> "$GITHUB_OUTPUT"
 
       - name: Bump project version in pyproject.toml and commit changes to current branch and tag
         run: |

.github/workflows/test.yml

@@ -20,6 +20,9 @@ jobs:
 
       - name: Install uv
         uses: astral-sh/setup-uv@v7
+        with:
+          enable-cache: true
+          cache-suffix: ${{ matrix.python-version }}
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v6

.pre-commit-config.yaml

@@ -22,6 +22,10 @@ repos:
     -   id: no-commit-to-branch
         stages: [pre-commit]
         args: [--branch, main]
+-   repo: https://github.com/rhysd/actionlint
+    rev: v1.7.7
+    hooks:
+    -   id: actionlint
 -   repo: local
     hooks:
       - id: mypy

pyoverkiz/const.py

@@ -17,7 +17,8 @@
 
 SOMFY_API = "https://accounts.somfy.com"
 SOMFY_CLIENT_ID = "0d8e920c-1478-11e7-a377-02dd59bd3041_1ewvaqmclfogo4kcsoo0c8k4kso884owg08sg8c40sk4go4ksg"
-SOMFY_CLIENT_SECRET = "12k73w1n540g8o4cokg0cw84cog840k84cwggscwg884004kgk"
+# OAuth client secrets are public by design (embedded in mobile apps)
+SOMFY_CLIENT_SECRET = "12k73w1n540g8o4cokg0cw84cog840k84cwggscwg884004kgk"  # noqa: S105
 
 LOCAL_API_PATH = "/enduser-mobile-web/1/enduserAPI/"
 

pyoverkiz/enums/command.py

@@ -1,5 +1,8 @@
 """Command-related enums and parameters used by device commands."""
 
+# ruff: noqa: S105
+# Enum values contain "PASS" in API names (e.g. PassAPC), not passwords
+
 import sys
 from enum import unique
 

pyoverkiz/enums/general.py

@@ -1,5 +1,8 @@
 """General-purpose enums like product types, data types and event names."""
 
+# ruff: noqa: S105
+# Enum values contain "TOKEN" in API event names, not passwords
+
 import logging
 import sys
 from enum import IntEnum, unique

pyoverkiz/enums/state.py

@@ -1,5 +1,8 @@
 """State and attribute enums describing Overkiz device states and attributes."""
 
+# ruff: noqa: S105
+# Enum values contain "PASS" or "TOKEN" in API names, not passwords
+
 import sys
 from enum import unique
 

pyoverkiz/enums/ui.py

@@ -1,5 +1,8 @@
 """UI enums for classes and widgets used to interpret device UI metadata."""
 
+# ruff: noqa: S105
+# Enum values contain "PASS" in API names (e.g. PassAPC), not passwords
+
 import logging
 import sys
 from enum import unique