chore: Extend linting (#13)

Author: borisalekseev

.github/workflows/docs.yaml

@@ -11,8 +11,8 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v7
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7
         with:
           python-version: "3.12"
       - run: uv sync --group docs

.github/workflows/lint.yaml

@@ -5,16 +5,36 @@ on:
   push:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint & type-check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v7
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7
         with:
           python-version: "3.13"
       - run: uv sync --group dev
       - run: uv run ruff check src tests
       - run: uv run ruff format --check src tests
       - run: uv run mypy
+
+  security:
+    name: Security checks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7
+        with:
+          python-version: "3.13"
+      - run: uv sync --group dev
+      - run: uv run bandit -c pyproject.toml -r src
+      - run: uv run semgrep scan --config auto --error src
+      - run: uv run zizmor --min-severity high .

.github/workflows/release.yaml

@@ -11,29 +11,31 @@ jobs:
     name: Release & Publish
     runs-on: ubuntu-latest
     concurrency: release
+    environment: release
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
         with:
           fetch-depth: 0
 
       - name: Python Semantic Release
         id: release
-        uses: python-semantic-release/python-semantic-release@v9
+        uses: python-semantic-release/python-semantic-release@0dc72ac9058a62054a45f6344c83a423d7f906a8  # v9
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: astral-sh/setup-uv@v7
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7
         if: steps.release.outputs.released == 'true'
         with:
           python-version: "3.11"
+          enable-cache: false
 
       - name: Build
         if: steps.release.outputs.released == 'true'
         run: uv build
 
       - name: Publish to PyPI
         if: steps.release.outputs.released == 'true'
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # release/v1
         with:
           password: ${{ secrets.PYPI_API_TOKEN }}

.github/workflows/tests.yaml

@@ -5,6 +5,9 @@ on:
   push:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     name: Python ${{ matrix.python-version }}
@@ -32,21 +35,23 @@ jobs:
           --security-opt no-new-privileges:true
 
       hivemq:
-        image: hivemq/hivemq-ce:latest
+        image: hivemq/hivemq-ce@sha256:7ae39e84654a41ced6e946dd84f131d508bc2b862ec96265b7f23d241db214da  # latest
         ports:
           - 1886:1883
         options: >-
           --security-opt no-new-privileges:true
 
       nanomq:
-        image: emqx/nanomq:latest
+        image: emqx/nanomq@sha256:cf010e7b78981b051cdb833921207991daaf46dccce1ab12dd8d7ec433147161  # latest
         ports:
           - 1887:1883
         options: >-
           --security-opt no-new-privileges:true
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          persist-credentials: false
 
       - name: Setup mosquitto config
         run: |
@@ -73,13 +78,15 @@ jobs:
             nc -zv localhost $port || echo "Port $port not responding"
           done
 
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v7
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7
         with:
           python-version: ${{ matrix.python-version }}
       - run: uv sync --group dev
       - run: uv run pytest -vv --cov=src/zmqtt --cov-report=xml
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad  # v5
         with:
           files: coverage.xml
 
@@ -92,7 +99,9 @@ jobs:
         python-version: ["3.10", "3.14"]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          persist-credentials: false
 
       - name: Install and start mosquitto
         run: |
@@ -101,12 +110,12 @@ jobs:
           $(brew --prefix)/sbin/mosquitto -c /tmp/mosquitto.conf -d
           sleep 2
 
-      - uses: astral-sh/setup-uv@v7
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7
         with:
           python-version: ${{ matrix.python-version }}
       - run: uv sync --group dev
       - run: uv run pytest -vv --cov=src/zmqtt --cov-report=xml --ignore=tests/test_brokers/test_artemis.py --ignore=tests/test_brokers/test_hivemq.py --ignore=tests/test_brokers/test_nanomq.py
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad  # v5
         with:
           files: coverage.xml
 
@@ -119,7 +128,9 @@ jobs:
         python-version: ["3.10", "3.14"]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          persist-credentials: false
 
       - name: Install and start mosquitto
         shell: pwsh
@@ -129,12 +140,12 @@ jobs:
           Start-Process -FilePath "C:\Program Files\mosquitto\mosquitto.exe" -ArgumentList "-c $env:TEMP\mosquitto.conf" -WindowStyle Hidden
           Start-Sleep -Seconds 3
 
-      - uses: astral-sh/setup-uv@v7
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7
         with:
           python-version: ${{ matrix.python-version }}
       - run: uv sync --group dev
       - run: uv run pytest -vv --cov=src/zmqtt --cov-report=xml --ignore=tests/test_brokers/test_artemis.py --ignore=tests/test_brokers/test_hivemq.py --ignore=tests/test_brokers/test_nanomq.py
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad  # v5
         with:
           files: coverage.xml
 
@@ -144,6 +155,6 @@ jobs:
     needs: [tests, tests-macos, tests-windows]
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # release/v1
         with:
           jobs: ${{ toJSON(needs) }}

CHANGELOG.md

@@ -5,17 +5,11 @@
 
 ### Chores
 
-- Add 3.10 python compat
-  ([`6a08554`](https://github.com/faststream-community/zMQTT/commit/6a08554fdef91e3a8a1edb3d43cf0aa1c6d1fb51))
-
 - Add python 3.10 support ([#10](https://github.com/faststream-community/zMQTT/pull/10),
   [`5bfb461`](https://github.com/faststream-community/zMQTT/commit/5bfb461b67bdd4791a3744003062e3f924d7390a))
 
 ### Documentation
 
-- Clarify subscribe routing and fix MQTT5 auth wording
-  ([`343280a`](https://github.com/faststream-community/zMQTT/commit/343280a40a75c588b002e9c4931df1d59b2684bb))
-
 - Clarify subscribe routing and fix MQTT5 auth wording
   ([#9](https://github.com/faststream-community/zMQTT/pull/9),
   [`34adbef`](https://github.com/faststream-community/zMQTT/commit/34adbef398dd35bbe3133b111435d42949e943fd))
@@ -25,9 +19,6 @@
 
 ### Features
 
-- Rename to zmqtt
-  ([`4098df6`](https://github.com/faststream-community/zMQTT/commit/4098df6a175f00f1c5deb3b903c10c9ec7373f8b))
-
 - Rename to zmqtt ([#8](https://github.com/faststream-community/zMQTT/pull/8),
   [`301b037`](https://github.com/faststream-community/zMQTT/commit/301b0378710de925c284767fdb8e53fa91c9cbc5))
 
@@ -39,10 +30,5 @@
 - Add release pipeline
   ([`071b85d`](https://github.com/faststream-community/zMQTT/commit/071b85d167c6b26a8dd0c85bc08f4ea65f86958c))
 
-chore: Add release pipeline
-
-- Add release pipeline
-  ([`77ae34f`](https://github.com/faststream-community/zMQTT/commit/77ae34f6da88f108d8547b61892a1af064cd09bb))
-
 - Tests infra
   ([`8f3b14c`](https://github.com/faststream-community/zMQTT/commit/8f3b14cdc9eb2bd4d8c4f74404bc26232d6dc525))

pyproject.toml

@@ -3,23 +3,49 @@ name = "zmqtt"
 version = "0.0.1-alpha.3"
 description = "Pure asyncio MQTT 3.1.1/5.0 client library"
 readme = "README.md"
+license = "MIT"
+license-files = ["LICENSE"]
 authors = [
     { name = "borisalekseev", email = "i.borisalekseev@gmail.com" }
 ]
 requires-python = ">=3.10"
 dependencies = []
+keywords = ["mqtt", "mqtt5", "iot", "python-mqtt", "zmqtt"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+    "Framework :: AsyncIO",
+    "Typing :: Typed",
+]
+
+[project.urls]
+Homepage = "https://github.com/faststream-community/zMQTT"
+Repository = "https://github.com/faststream-community/zMQTT"
+Documentation = "https://faststream-community.github.io/zMQTT/"
+Issues = "https://github.com/faststream-community/zMQTT/issues"
 
 [build-system]
-requires = ["uv_build>=0.9.7,<0.10.0"]
+requires = ["uv_build>=0.9.7,<0.11.0"]
 build-backend = "uv_build"
 
 [dependency-groups]
 dev = [
+    "bandit>=1.9.4",
     "mypy>=1.19.1",
     "pytest>=9.0.2",
     "pytest-asyncio>=1.3.0",
     "pytest-cov>=7.0.0",
     "ruff>=0.15.5",
+    "semgrep>=1.156.0",
+    "zizmor>=1.23.1",
     {include-group = "docs"},
 ]
 docs = [
@@ -37,6 +63,17 @@ python_version = "3.10"
 src = ["src"]
 include = ["src/**.py", "tests/**.py"]
 target-version = "py310"
+line-length = 120
+
+[tool.ruff.lint]
+select = ["ALL"]
+ignore = ["D", "COM812"]
+
+[tool.ruff.lint.per-file-ignores]
+"tests/**" = ["S101", "D", "PLR2004", "SLF001", "FBT001"]
+"src/zmqtt/protocol.py" = ["SLF001"]
+"src/zmqtt/packets/codec.py" = ["PLR", "C901"]
+"src/zmqtt/client.py" = ["PLR0913", "SLF001", "FBT"]
 
 [tool.pytest.ini_options]
 asyncio_mode = "auto"

src/zmqtt/__init__.py

@@ -1,7 +1,7 @@
 from zmqtt.client import (
     MQTTClient,
-    MQTTClientV311,
     MQTTClientV5,
+    MQTTClientV311,
     ReconnectConfig,
     Subscription,
     create_client,
@@ -10,12 +10,12 @@
 
 __all__ = [
     "MQTTClient",
-    "MQTTClientV311",
     "MQTTClientV5",
-    "ReconnectConfig",
-    "Subscription",
-    "create_client",
+    "MQTTClientV311",
     "Message",
     "QoS",
+    "ReconnectConfig",
     "RetainHandling",
+    "Subscription",
+    "create_client",
 ]

src/zmqtt/_compat.py

@@ -5,7 +5,6 @@
 import sys
 from collections.abc import AsyncGenerator
 
-
 if sys.version_info >= (3, 11):
 
     @contextlib.asynccontextmanager