drop Python 3.8 support

.github/workflows/ci.yml

@@ -12,14 +12,17 @@ on:
 permissions:
   contents: read
 
+env:
+  MIN_PYTHON_VERSION: "3.9"
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
-          python-version: '3.8'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
       - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd  # v3.0.1
 
   sanity:
@@ -28,7 +31,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
-          python-version: '3.8'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
       - run: |
           pip install --upgrade pip
           pip install -r requirements.txt
@@ -48,7 +51,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
-          python-version: '3.8'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
 
       - name: Install dependencies
         run: |
@@ -73,7 +76,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: ['3.9', '3.10', '3.11', '3.12', '3.13']
+        python: ['3.10', '3.11', '3.12', '3.13']
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0

.github/workflows/publish.yml

@@ -7,6 +7,12 @@ on:
     types: [published]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
+env:
+  MIN_PYTHON_VERSION: "3.9"
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -16,7 +22,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
-          python-version: '3.8'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
 
       - name: Install dependencies
         run: |
@@ -41,7 +47,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
-          python-version: '3.8'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
 
       - name: Install dependencies
         run: |
@@ -68,12 +74,14 @@ jobs:
   update-brew:
     needs: publish-package
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
-          python-version: '3.8'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
       - name: publish brew
         run: |
           sleep 5m
@@ -94,6 +102,8 @@ jobs:
   bump-version:
     needs: update-brew
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

.github/workflows/python-dependency-updater.yml

@@ -6,6 +6,12 @@ on:
     - cron: '0 0 1 * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
+env:
+  MIN_PYTHON_VERSION: "3.9"
+
 jobs:
   python-dependency-updater:
     runs-on: ubuntu-latest
@@ -15,7 +21,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
-          python-version: '3.8'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
 
       - name: Run Pyup.io Dependency updater
         run: |

.github/workflows/update.yml

@@ -9,6 +9,9 @@ on:
 permissions:
   contents: read
 
+env:
+  MIN_PYTHON_VERSION: "3.9"
+
 jobs:
   update-actions:
     runs-on: ubuntu-latest
@@ -20,7 +23,7 @@ jobs:
       - name: Setup python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
-          python-version: '3.8'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
       - name: install dependencies
         run: |
           pip install -r requirements.txt
@@ -58,7 +61,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
-          python-version: '3.8'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
       - name: Install dependencies
         run: |
           pip install -r requirements.txt

.pre-commit-config.yaml

@@ -1,18 +1,19 @@
 repos:
   - repo: https://github.com/rhysd/actionlint
-    rev: v1.7.1
+    rev: v1.7.4
     hooks:
       - id: actionlint-docker
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.92.0
+    rev: v1.96.2
     hooks:
       - id: terraform_fmt
 #      - id: terraform_docs
 #        args: ['--sort-by-required', '--no-providers']
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.6.2
+    rev: v0.8.1
     hooks:
       - id: ruff
+        args: [--fix]
         files: ^(examples/|policy_sentry/|utils/|setup.py)
       - id: ruff-format
   - repo: https://github.com/Lucas-C/pre-commit-hooks-safety

.readthedocs.yml

@@ -4,15 +4,19 @@
 # Required
 version: 2
 
+build:
+  os: ubuntu-24.04
+  tools:
+    python: 3.9
+
 mkdocs:
   configuration: mkdocs.yml
   fail_on_warning: false
 
 # Optionally build your docs in additional formats such as PDF and ePub
 formats: all
 
-# Optionally set the version of Python and requirements required to build your docs
+# Optionally set requirements required to build your docs
 python:
-  version: 3.8
   install:
     - requirements: docs/requirements.txt

Dockerfile

@@ -1,4 +1,4 @@
-ARG FROM_TAG=3.8-slim-buster
+ARG FROM_TAG=3.9-slim
 FROM python:${FROM_TAG}
 MAINTAINER Kinnaird McQuade "[email protected]"
 

policy_sentry/bin/version.py

@@ -1,2 +1,2 @@
 # pylint: disable=missing-module-docstring
-__version__ = "0.13.3"
+__version__ = "0.14.0"

policy_sentry/command/write_policy.py

@@ -7,8 +7,7 @@
 import json
 import logging
 import sys
-from pathlib import Path
-from typing import Any
+from typing import TYPE_CHECKING, Any
 
 import click
 import yaml
@@ -18,6 +17,9 @@
 from policy_sentry.util.file import read_yaml_file
 from policy_sentry.writing.sid_group import SidGroup
 
+if TYPE_CHECKING:
+    from pathlib import Path
+
 logger = logging.getLogger(__name__)
 
 

policy_sentry/shared/awsdocs.py

@@ -181,7 +181,7 @@ def create_database(destination_directory: str | Path, access_level_overrides_fi
             continue
 
         title = re.sub(
-            ".*Actions, resources, and condition Keys for *",
+            r".*Actions, resources, and condition Keys for *",
             "",
             topic_title.text,
             flags=re.IGNORECASE,

policy_sentry/util/file.py

@@ -5,11 +5,14 @@
 from __future__ import annotations
 
 import logging
-from pathlib import Path
-from typing import Any, cast
+from typing import TYPE_CHECKING, Any, cast
 
 import yaml
 
+if TYPE_CHECKING:
+    from pathlib import Path
+
+
 logger = logging.getLogger(__name__)
 
 

pyproject.toml

@@ -12,7 +12,7 @@ ignore_missing_imports = true
 
 [tool.ruff]
 line-length = 120
-target-version = "py38"
+target-version = "py39"
 
 [tool.ruff.lint]
 preview = true
@@ -36,12 +36,15 @@ select = [
     "S",
     "SIM",
     "T10",
+    "TC",
     "UP",
     "W",
     "YTT",
 ]
 ignore = ["E501"] # ruff fromat takes care of it
 
+fixable = ["I001"]
+
 [tool.pytest.ini_options]
 testpaths = [
     "test",

requirements-dev.txt

@@ -1,47 +1,12 @@
 # CI
-pre-commit==3.5.0 # 3.6+ requires Python 3.9
+pre-commit==4.0.1
 # Unit Testing
-pytest==8.3.2
-coverage==7.6.1
+pytest==8.3.4
+coverage==7.6.8
 # Integration tests and tasks
 invoke==2.2.0
 # Type hints
-mypy==1.11.2
-types-pyyaml==6.0.12.20240808
-types-requests==2.32.0.20240712
-types-beautifulsoup4==4.12.0.20240511
-# Other? Maybe this is from the docs? Not sure.
-# appdirs==1.4.4
-# astroid==2.5.6
-# attrs==20.3.0
-# dparse==0.5.1
-# future==0.18.2
-# gitdb==4.0.5
-# GitPython==3.1.14
-# iniconfig==1.1.1
-# isort==5.8.0
-# Jinja2==2.11.3
-# joblib==1.0.1
-# lazy-object-proxy==1.6.0
-# livereload==2.6.3
-# markdown==3.3.4
-# MarkupSafe==1.1.1
-# mccabe==0.6.1
-# mypy-extensions==0.4.3
-# nltk==3.5
-# packaging==20.9
-# pathspec==0.8.1
-# pbr==5.5.1
-# pluggy==0.13.1
-# py==1.10.0
-# pyparsing==2.4.7
-# regex==2021.3.17
-# requests==2.25.1
-# six==1.15.0
-# stevedore==3.3.0
-# toml==0.10.2
-# tornado==6.1
-# tqdm==4.59.0
-# typed-ast==1.4.2
-# typing-extensions==3.7.4.3
-# wrapt==1.12.1
+mypy[faster-cache]==1.13.0
+types-pyyaml==6.0.12.20240917
+types-requests==2.32.0.20241016
+types-beautifulsoup4==4.12.0.20241020

requirements.txt

@@ -7,4 +7,4 @@ requests==2.32.3
 PyYAML==6.0.2
 schema==0.7.7
 # IAM DB
-orjson==3.10.7
+orjson==3.10.12

setup.py

@@ -78,7 +78,6 @@ def get_description() -> str:
         "License :: OSI Approved :: MIT License",
         "Operating System :: OS Independent",
         "Programming Language :: Python :: 3 :: Only",
-        "Programming Language :: Python :: 3.8",
         "Programming Language :: Python :: 3.9",
         "Programming Language :: Python :: 3.10",
         "Programming Language :: Python :: 3.11",
@@ -89,7 +88,7 @@ def get_description() -> str:
     entry_points={"console_scripts": "policy_sentry=policy_sentry.bin.cli:main"},
     zip_safe=True,
     keywords="aws iam roles policy policies privileges security",
-    python_requires=">=3.8",
+    python_requires=">=3.9",
     cmdclass={
         "build_py": PreBuildCommand,
     },