diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 51ea4085e0..376825bad6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -58,7 +58,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
+        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -86,6 +86,6 @@ jobs:
           exit 1
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
+        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 991e053d5a..6d89060b0d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -11,7 +11,7 @@ ci:
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.15.0
+    rev: v0.15.1
     hooks:
       # Run the linter.
       - id: ruff
diff --git a/esphome/components/http_request/http_request_arduino.cpp b/esphome/components/http_request/http_request_arduino.cpp
index aee1f651bf..e5b919e380 100644
--- a/esphome/components/http_request/http_request_arduino.cpp
+++ b/esphome/components/http_request/http_request_arduino.cpp
@@ -9,9 +9,20 @@
 #include "esphome/core/defines.h"
 #include "esphome/core/log.h"
 
+// Include BearSSL error constants for TLS failure diagnostics
+#ifdef USE_ESP8266
+#include <bearssl/bearssl_ssl.h>
+#endif
+
 namespace esphome::http_request {
 
 static const char *const TAG = "http_request.arduino";
+#ifdef USE_ESP8266
+static constexpr int RX_BUFFER_SIZE = 512;
+static constexpr int TX_BUFFER_SIZE = 512;
+// ESP8266 Arduino core (WiFiClientSecureBearSSL.cpp) returns -1000 on OOM
+static constexpr int ESP8266_SSL_ERR_OOM = -1000;
+#endif
 
 std::shared_ptr<HttpContainer> HttpRequestArduino::perform(const std::string &url, const std::string &method,
                                                            const std::string &body,
@@ -47,7 +58,7 @@ std::shared_ptr<HttpContainer> HttpRequestArduino::perform(const std::string &ur
     ESP_LOGV(TAG, "ESP8266 HTTPS connection with WiFiClientSecure");
     stream_ptr = std::make_unique<WiFiClientSecure>();
     WiFiClientSecure *secure_client = static_cast<WiFiClientSecure *>(stream_ptr.get());
-    secure_client->setBufferSizes(512, 512);
+    secure_client->setBufferSizes(RX_BUFFER_SIZE, TX_BUFFER_SIZE);
     secure_client->setInsecure();
   } else {
     stream_ptr = std::make_unique<WiFiClient>();
@@ -107,13 +118,42 @@ std::shared_ptr<HttpContainer> HttpRequestArduino::perform(const std::string &ur
   container->status_code = container->client_.sendRequest(method.c_str(), body.c_str());
   App.feed_wdt();
   if (container->status_code < 0) {
+#if defined(USE_ESP8266) && defined(USE_HTTP_REQUEST_ESP8266_HTTPS)
+    if (secure) {
+      WiFiClientSecure *secure_client = static_cast<WiFiClientSecure *>(stream_ptr.get());
+      int last_error = secure_client->getLastSSLError();
+
+      if (last_error != 0) {
+        const LogString *error_msg;
+        switch (last_error) {
+          case ESP8266_SSL_ERR_OOM:
+            error_msg = LOG_STR("Unable to allocate buffer memory");
+            break;
+          case BR_ERR_TOO_LARGE:
+            error_msg = LOG_STR("Incoming TLS record does not fit in receive buffer (BR_ERR_TOO_LARGE)");
+            break;
+          default:
+            error_msg = LOG_STR("Unknown SSL error");
+            break;
+        }
+        ESP_LOGW(TAG, "SSL failure: %s (Code: %d)", LOG_STR_ARG(error_msg), last_error);
+        if (last_error == ESP8266_SSL_ERR_OOM) {
+          ESP_LOGW(TAG, "Heap free: %u bytes, configured buffer sizes: %u bytes", ESP.getFreeHeap(),
+                   static_cast<unsigned int>(RX_BUFFER_SIZE + TX_BUFFER_SIZE));
+        }
+      } else {
+        ESP_LOGW(TAG, "Connection failure with no error code");
+      }
+    }
+#endif
+
     ESP_LOGW(TAG, "HTTP Request failed; URL: %s; Error: %s", url.c_str(),
              HTTPClient::errorToString(container->status_code).c_str());
+
     this->status_momentary_error("failed", 1000);
     container->end();
     return nullptr;
   }
-
   if (!is_success(container->status_code)) {
     ESP_LOGE(TAG, "HTTP Request failed; URL: %s; Code: %d", url.c_str(), container->status_code);
     this->status_momentary_error("failed", 1000);
diff --git a/esphome/components/json/json_util.h b/esphome/components/json/json_util.h
index f224f9552b..9d63881d83 100644
--- a/esphome/components/json/json_util.h
+++ b/esphome/components/json/json_util.h
@@ -122,7 +122,10 @@ template<size_t STACK_SIZE = 512> class SerializationBuffer {
 // Build an allocator for the JSON Library using the RAMAllocator class
 // This is only compiled when PSRAM is enabled
 struct SpiRamAllocator : ArduinoJson::Allocator {
-  void *allocate(size_t size) override { return allocator_.allocate(size); }
+  void *allocate(size_t size) override {
+    RAMAllocator<uint8_t> allocator;
+    return allocator.allocate(size);
+  }
 
   void deallocate(void *ptr) override {
     // ArduinoJson's Allocator interface doesn't provide the size parameter in deallocate.
@@ -135,11 +138,9 @@ struct SpiRamAllocator : ArduinoJson::Allocator {
   }
 
   void *reallocate(void *ptr, size_t new_size) override {
-    return allocator_.reallocate(static_cast<uint8_t *>(ptr), new_size);
+    RAMAllocator<uint8_t> allocator;
+    return allocator.reallocate(static_cast<uint8_t *>(ptr), new_size);
   }
-
- protected:
-  RAMAllocator<uint8_t> allocator_{RAMAllocator<uint8_t>::NONE};
 };
 #endif
 
diff --git a/esphome/core/entity_base.h b/esphome/core/entity_base.h
index f4ec656f9b..cbc07cc44c 100644
--- a/esphome/core/entity_base.h
+++ b/esphome/core/entity_base.h
@@ -235,7 +235,8 @@ class EntityBase_UnitOfMeasurement {  // NOLINT(readability-identifier-naming)
 #define LOG_ENTITY_ICON(tag, prefix, obj) log_entity_icon(tag, prefix, obj)
 void log_entity_icon(const char *tag, const char *prefix, const EntityBase &obj);
 #else
-#define LOG_ENTITY_ICON(tag, prefix, obj)
+#define LOG_ENTITY_ICON(tag, prefix, obj) ((void) 0)
+inline void log_entity_icon(const char *, const char *, const EntityBase &) {}
 #endif
 /// Log entity device class if set (for use in dump_config)
 #define LOG_ENTITY_DEVICE_CLASS(tag, prefix, obj) log_entity_device_class(tag, prefix, obj)
diff --git a/esphome/core/helpers.h b/esphome/core/helpers.h
index c8cce8b89a..fd5a402bf9 100644
--- a/esphome/core/helpers.h
+++ b/esphome/core/helpers.h
@@ -1752,13 +1752,10 @@ template<class T> class RAMAllocator {
     ALLOW_FAILURE = 1 << 2,   // Does nothing. Kept for compatibility.
   };
 
-  RAMAllocator() = default;
-  RAMAllocator(uint8_t flags) {
-    // default is both external and internal
-    flags &= ALLOC_INTERNAL | ALLOC_EXTERNAL;
-    if (flags != 0)
-      this->flags_ = flags;
-  }
+  constexpr RAMAllocator() = default;
+  constexpr RAMAllocator(uint8_t flags)
+      : flags_((flags & (ALLOC_INTERNAL | ALLOC_EXTERNAL)) != 0 ? (flags & (ALLOC_INTERNAL | ALLOC_EXTERNAL))
+                                                                : (ALLOC_INTERNAL | ALLOC_EXTERNAL)) {}
   template<class U> constexpr RAMAllocator(const RAMAllocator<U> &other) : flags_{other.flags_} {}
 
   T *allocate(size_t n) { return this->allocate(n, sizeof(T)); }
diff --git a/requirements_test.txt b/requirements_test.txt
index 2cf6f6456e..9e99855f6f 100644
--- a/requirements_test.txt
+++ b/requirements_test.txt
@@ -1,6 +1,6 @@
 pylint==4.0.4
 flake8==7.3.0  # also change in .pre-commit-config.yaml when updating
-ruff==0.15.0  # also change in .pre-commit-config.yaml when updating
+ruff==0.15.1  # also change in .pre-commit-config.yaml when updating
 pyupgrade==3.21.2  # also change in .pre-commit-config.yaml when updating
 pre-commit