chore(esphome): parameterize OTA password (preserve current default)

[Tycorc]

Version: 26.3.2.1

What does this implement/fix?

Promotes the hardcoded password: "apolloautomation" literal in MSR-1.yaml and MSR-1_BLE.yaml to a ${ota_password} substitution defined in Core.yaml, with the existing literal kept as the default. No behavior change for anyone who doesn't override.

Why

Every Apollo MSR-1 currently boots with the same fleet-wide OTA password. Consumers who include this YAML via ESPHome packages: cannot override the password from their device file because:

• ESPHome packages extend list-valued keys, so adding a second ota: - platform: esphome block in the consumer file produces a duplicate-platform validation error.
• ota: !remove removes the package's contribution, but YAML disallows two top-level ota: keys, so the consumer can't redeclare in the same document.
• The current upstream YAML doesn't expose the password as a substitution.

The only existing workaround is to fork or vendor a local copy of this file — neither of which keeps the upstream package_import_url flow working.

The newer Apollo product configs (MSR-2, MTR-1, PWR-1, TEMP-1, PLT-1, BTN-1, RLY-1, H-1, H-2, PUMP-1) all have ota: blocks but no hardcoded password literal — only MSR-1 and AIR-1 still ship with one. A sibling PR has been opened against AIR-1 with the same change.

What changes

# Core.yaml
substitutions:
  version:  "26.3.2.1"
  device_description: ${name} made by Apollo Automation - version ${version}.
  # Default OTA password. Override in your device YAML by re-declaring
  # `substitutions: { ota_password: !secret <name>_ota_password }` so each
  # device on your network uses a unique secret instead of the shared default.
  ota_password: "apolloautomation"

# MSR-1.yaml + MSR-1_BLE.yaml
ota:
  - platform: esphome
    password: ${ota_password}

Override pattern (consumer device YAML)

substitutions:
  ota_password: !secret kitchen_msr_1_ota_password

packages:
  ApolloAutomation.MSR-1: github://ApolloAutomation/MSR-1/Integrations/ESPHome/MSR-1.yaml

Backwards compat

100% — devices that don't set ota_password get the same "apolloautomation" literal as before. Existing consumers, CI builds, and OTA flow unchanged.

Types of changes

• Bugfix (fixed change that fixes an issue)
• New feature (thanks!)
• Breaking change (repair/feature that breaks existing functionality)
• Dependency Update - Does not publish
• Other - Does not publish
• Website of github readme file update - Does not publish
• Github workflows - Does not publish

Checklist / Checklijst:

• The code change has been tested and works locally
• The code change has not yet been tested

If user-visible functionality or configuration variables are added/modified:

• Added/updated documentation for the web page

Summary by CodeRabbit

• Configuration
  • Updated OTA password configuration to use variable substitution across ESPHome device files
  • Added default OTA password setting with per-device override capability via substitution pattern

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2d7b6871-224f-45ad-90ed-9d435b407e60

📥 Commits

Reviewing files that changed from the base of the PR and between 55b820e and 17acd21.

📒 Files selected for processing (3)

• Integrations/ESPHome/Core.yaml
• Integrations/ESPHome/MSR-1.yaml
• Integrations/ESPHome/MSR-1_BLE.yaml

---

Walkthrough

This pull request externalizes the OTA authentication password from hardcoded literals into a configurable variable. Core.yaml now defines a shared default ota_password, with documentation for device-specific overrides. The device configuration files (MSR-1.yaml and MSR-1_BLE.yaml) are updated to use the variable reference instead of literal password strings.

Changes

OTA Password Configuration

Layer / File(s)	Summary
Externalize OTA password with variable substitution Integrations/ESPHome/Core.yaml, Integrations/ESPHome/MSR-1.yaml, Integrations/ESPHome/MSR-1_BLE.yaml	Core.yaml introduces a default ota_password setting with guidance comments for per-device secret-based overrides. MSR-1.yaml and MSR-1_BLE.yaml update their OTA password fields from hardcoded literals to ${ota_password} variable references.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A password once hardcoded so tight,
Now dances as variables, configurable and light!
Core defines the default, devices substitute with care,
Secrets flow per-device—OTA updates, safe and fair! 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely describes the main change: parameterizing OTA password while preserving the current default value.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}