drop Python 3.8 support

.github/workflows/nodejs-test.yml

@@ -8,15 +8,15 @@ on:
       - master
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
-
     runs-on: ubuntu-latest
-
     strategy:
       matrix:
         node-version: ['18', '20']
-
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - name: Use Node.js ${{ matrix.node-version }}

.github/workflows/publish.yml

@@ -7,6 +7,12 @@ on:
     types: [published]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
+env:
+  MIN_PYTHON_VERSION: "3.9"
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -16,7 +22,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
         with:
-          python-version: '3.8'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
 
       - name: Install dependencies
         run: |
@@ -39,7 +45,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
         with:
-          python-version: '3.8'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
 
       - name: Install dependencies
         run: |
@@ -61,12 +67,14 @@ jobs:
   update-brew:
     needs: publish-package
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       - name: Set up Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
         with:
-          python-version: '3.8'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
       - name: publish brew
         run: |
           sleep 5m
@@ -87,6 +95,8 @@ jobs:
   bump-version:
     runs-on: ubuntu-latest
     needs: update-brew
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:

.github/workflows/security.yml

@@ -7,6 +7,10 @@ on:
   push:
     branches:
       - master
+
+permissions:
+  contents: read
+
 jobs:
   detect-secrets:
     runs-on: ubuntu-latest

.github/workflows/test.yml

@@ -8,14 +8,20 @@ on:
       - master
   pull_request:
 
+permissions:
+  contents: read
+
+env:
+  MIN_PYTHON_VERSION: "3.9"
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
         with:
-          python-version: '3.8' # needed for 'pyupgrade'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
       - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd  # v3.0.1
 
   ci:
@@ -28,7 +34,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
         with:
-          python-version: '3.8'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
 
       - name: Install dependencies
         run: |
@@ -54,7 +60,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: ['3.9', '3.10', '3.11', '3.12', '3.13']
+        python: ['3.10', '3.11', '3.12', '3.13']
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0

.github/workflows/update-bundle-report.yml

@@ -6,6 +6,12 @@ on:
     - cron:  '0 0 1 * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
+env:
+  MIN_PYTHON_VERSION: "3.9"
+
 jobs:
   update:
     runs-on: ubuntu-latest
@@ -15,7 +21,7 @@ jobs:
       - name: Setup python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
         with:
-          python-version: '3.8'
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
 
       - name: Install dependencies
         run: |

.pre-commit-config.yaml

@@ -1,10 +1,10 @@
 repos:
   - repo: https://github.com/rhysd/actionlint
-    rev: v1.7.1
+    rev: v1.7.6
     hooks:
       - id: actionlint-docker
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.6.2
+    rev: v0.8.6
     hooks:
       - id: ruff
         files: ^(cloudsplaining/|setup.py)

.python-version

@@ -1 +1 @@
-3.8
+3.9

.readthedocs.yml

@@ -5,9 +5,9 @@
 version: 2
 
 build:
-  os: ubuntu-22.04
+  os: ubuntu-24.04
   tools:
-    python: "3.8"
+    python: "3.9"
 
 mkdocs:
   configuration: mkdocs.yml

cloudsplaining/bin/version.py

@@ -1,2 +1,2 @@
 # pylint: disable=missing-module-docstring
-__version__ = "0.7.1"
+__version__ = "0.8.0"

cloudsplaining/output/policy_finding.py

@@ -8,9 +8,8 @@
 from __future__ import annotations
 
 import logging
-from typing import Any
+from typing import TYPE_CHECKING, Any
 
-from cloudsplaining.scan.policy_document import PolicyDocument
 from cloudsplaining.shared.constants import (
     ACTIONS_THAT_RETURN_CREDENTIALS,
     ISSUE_SEVERITY,
@@ -23,6 +22,9 @@
     is_name_excluded,
 )
 
+if TYPE_CHECKING:
+    from cloudsplaining.scan.policy_document import PolicyDocument
+
 logger = logging.getLogger(__name__)
 
 

cloudsplaining/scan/group_details.py

@@ -3,11 +3,9 @@
 from __future__ import annotations
 
 import json
-from typing import Any
+from typing import TYPE_CHECKING, Any
 
 from cloudsplaining.scan.inline_policy import InlinePolicy
-from cloudsplaining.scan.managed_policy_detail import ManagedPolicyDetails
-from cloudsplaining.scan.statement_detail import StatementDetail
 from cloudsplaining.shared import utils
 from cloudsplaining.shared.exceptions import NotFoundException
 from cloudsplaining.shared.exclusions import DEFAULT_EXCLUSIONS, Exclusions
@@ -18,6 +16,10 @@
     is_aws_managed,
 )
 
+if TYPE_CHECKING:
+    from cloudsplaining.scan.managed_policy_detail import ManagedPolicyDetails
+    from cloudsplaining.scan.statement_detail import StatementDetail
+
 
 class GroupDetailList:
     """Processes all entries under the GroupDetailList"""

cloudsplaining/scan/resource_policy_document.py

@@ -27,7 +27,7 @@
     "saml:aud": "saml-endpoint",
 }
 RELEVANT_CONDITION_OPERATORS_PATTERN = re.compile(
-    "((ForAllValues|ForAnyValue):)?(ARN(Equals|Like)|String(Equals|Like)(IgnoreCase)?|IpAddress)(IfExists)?",
+    r"((ForAllValues|ForAnyValue):)?(ARN(Equals|Like)|String(Equals|Like)(IgnoreCase)?|IpAddress)(IfExists)?",
     re.IGNORECASE,
 )
 

cloudsplaining/scan/role_details.py

@@ -4,12 +4,10 @@
 
 import json
 import logging
-from typing import Any
+from typing import TYPE_CHECKING, Any
 
 from cloudsplaining.scan.assume_role_policy_document import AssumeRolePolicyDocument
 from cloudsplaining.scan.inline_policy import InlinePolicy
-from cloudsplaining.scan.managed_policy_detail import ManagedPolicyDetails
-from cloudsplaining.scan.statement_detail import StatementDetail
 from cloudsplaining.shared import utils
 from cloudsplaining.shared.exceptions import NotFoundException
 from cloudsplaining.shared.exclusions import (
@@ -24,6 +22,10 @@
     is_aws_managed,
 )
 
+if TYPE_CHECKING:
+    from cloudsplaining.scan.managed_policy_detail import ManagedPolicyDetails
+    from cloudsplaining.scan.statement_detail import StatementDetail
+
 logger = logging.getLogger(__name__)
 
 

cloudsplaining/scan/user_details.py

@@ -3,12 +3,9 @@
 from __future__ import annotations
 
 import json
-from typing import Any
+from typing import TYPE_CHECKING, Any
 
-from cloudsplaining.scan.group_details import GroupDetail, GroupDetailList
 from cloudsplaining.scan.inline_policy import InlinePolicy
-from cloudsplaining.scan.managed_policy_detail import ManagedPolicyDetails
-from cloudsplaining.scan.statement_detail import StatementDetail
 from cloudsplaining.shared import utils
 from cloudsplaining.shared.exceptions import NotFoundException
 from cloudsplaining.shared.exclusions import DEFAULT_EXCLUSIONS, Exclusions
@@ -19,6 +16,11 @@
     is_aws_managed,
 )
 
+if TYPE_CHECKING:
+    from cloudsplaining.scan.group_details import GroupDetail, GroupDetailList
+    from cloudsplaining.scan.managed_policy_detail import ManagedPolicyDetails
+    from cloudsplaining.scan.statement_detail import StatementDetail
+
 
 class UserDetailList:
     """Processes all entries under the UserDetailList"""

pyproject.toml

@@ -14,7 +14,7 @@ ignore_missing_imports = true
 
 [tool.ruff]
 line-length = 120
-target-version = "py38"
+target-version = "py39"
 
 [tool.ruff.lint]
 preview = true
@@ -38,12 +38,15 @@ select = [
     "S",
     "SIM",
     "T10",
+    "TC",
     "UP",
     "W",
     "YTT",
 ]
 ignore = ["E501"] # ruff fromat takes care of it
 
+fixable = ["I001"]
+
 [tool.pytest.ini_options]
 testpaths = [
     "test",

requirements-dev.txt

@@ -1,9 +1,9 @@
 # CI
-pre-commit==3.5.0 # 3.6+ requires Python 3.9
+pre-commit==4.0.1
 # Unit testing
 pytest==8.3.4
-coverage==7.6.1
+coverage==7.6.10
 # type check
-mypy==1.14.1
+mypy[faster-cache]==1.14.1
 boto3-stubs-lite[iam,s3,sts]==1.35.70
 types-PyYAML==6.0.12.20241230

requirements.txt

@@ -12,6 +12,6 @@ pyyaml==6.0.2
 # We render Markdown glossary files as HTML in the Cloudsplaining report
 markdown==3.7
 # AWS IAM Logic
-policy-sentry==0.13.2
+policy-sentry==0.14.0
 # Schema validation
 schema==0.7.7

setup.py

@@ -19,7 +19,7 @@
     "click_option_group",
     "jinja2",
     "markdown",
-    "policy_sentry>=0.13.0,<0.14",
+    "policy_sentry>=0.14.0,<0.15",
     "pyyaml",
     "schema",
 ]
@@ -57,7 +57,6 @@ def get_description() -> str:
     project_urls=PROJECT_URLS,
     classifiers=[
         "Programming Language :: Python :: 3 :: Only",
-        "Programming Language :: Python :: 3.8",
         "Programming Language :: Python :: 3.9",
         "Programming Language :: Python :: 3.10",
         "Programming Language :: Python :: 3.11",