ethyca · johnewart · Nov 21, 2025 · Dec 9, 2025 · Dec 9, 2025 · Dec 9, 2025
diff --git a/.github/workflows/backend_checks.yml b/.github/workflows/backend_checks.yml
@@ -15,7 +15,7 @@ permissions:
 
 env:
   IMAGE: ethyca/fides:local
-  DEFAULT_PYTHON_VERSION: "3.10.16"
+  DEFAULT_PYTHON_VERSION: "3.13.11"
   # Docker auth with read-only permissions.
   DOCKER_USER: ${{ secrets.DOCKER_USER }}
   DOCKER_RO_TOKEN: ${{ secrets.DOCKER_RO_TOKEN }}
@@ -59,7 +59,6 @@ jobs:
   Collect-Tests:
     needs: Check-Backend-Changes
     if: needs.Check-Backend-Changes.outputs.has_backend_changes == 'true'
-
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -88,10 +87,6 @@ jobs:
   Build:
     needs: [Check-Backend-Changes, Collect-Tests]
     if: needs.Check-Backend-Changes.outputs.has_backend_changes == 'true'
-    strategy:
-      matrix:
-        # NOTE: These are the currently supported/tested Python Versions
-        python_version: ["3.9.21", "3.10.16"]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -106,20 +101,19 @@ jobs:
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: .
-          build-args: PYTHON_VERSION=${{ matrix.python_version }}
+          build-args: PYTHON_VERSION=${{ env.DEFAULT_PYTHON_VERSION }}
           target: prod
-          outputs: type=docker,dest=/tmp/python-${{ matrix.python_version }}.tar
+          outputs: type=docker,dest=/tmp/python-${{ env.DEFAULT_PYTHON_VERSION }}.tar
           push: false
           tags: ${{ env.IMAGE }}
-          cache-from: type=gha,scope=${{ matrix.python_version }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.python_version }}
-
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Upload container
         uses: actions/upload-artifact@v4
         with:
-          name: python-${{ matrix.python_version }}
-          path: /tmp/python-${{ matrix.python_version }}.tar
+          name: python-${{ env.DEFAULT_PYTHON_VERSION }}
+          path: /tmp/python-${{ env.DEFAULT_PYTHON_VERSION }}.tar
           retention-days: 1
 
   ##################
@@ -325,7 +319,7 @@ jobs:
           path: .nox/
           key: ${{ runner.os }}-nox-${{ github.job }}-${{ hashFiles('noxfile.py') }}-${{ hashFiles('noxfiles/**.py') }}-${{ hashFiles('pyproject.toml') }}
           restore-keys: |
-            ${{ runner.os }}-nox-${{ github.job }}-
+            ${{ runner.os }}-nox-${{ github.job }}-qq
 
       - name: Login to Docker Hub
         uses: docker/login-action@v3
@@ -351,7 +345,6 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python_version: ["3.9.21", "3.10.16"]
         test_selection:
           - "ctl-not-external"
           - "ops-unit-api"
@@ -365,14 +358,21 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 45
     steps:
+      - name: Pull Docker images in background
+        run: |
+          docker pull postgres:16 > /dev/null 2>&1 &
+          docker pull redis:8.0-alpine > /dev/null 2>&1 &
+          echo "Docker pull initiated in background."
+        shell: bash
+
       - name: Download container
         uses: actions/download-artifact@v4
         with:
-          name: python-${{ matrix.python_version }}
+          name: python-${{ env.DEFAULT_PYTHON_VERSION }}
           path: /tmp/
 
       - name: Load image
-        run: docker load --input /tmp/python-${{ matrix.python_version }}.tar
+        run: docker load --input /tmp/python-${{ env.DEFAULT_PYTHON_VERSION }}.tar
 
       - name: Checkout
         uses: actions/checkout@v4
@@ -390,9 +390,9 @@ jobs:
         uses: actions/cache@v4
         with:
           path: .nox/
-          key: ${{ runner.os }}-nox-${{ github.job }}-${{ matrix.python_version }}-${{ matrix.test_selection }}-${{ hashFiles('noxfile.py') }}-${{ hashFiles('noxfiles/**.py') }}-${{ hashFiles('pyproject.toml') }}
+          key: ${{ runner.os }}-nox-${{ github.job }}-${{ matrix.test_selection }}-${{ hashFiles('noxfile.py') }}-${{ hashFiles('noxfiles/**.py') }}-${{ hashFiles('pyproject.toml') }}
           restore-keys: |
-            ${{ runner.os }}-nox-${{ github.job }}-${{ matrix.python_version }}-${{ matrix.test_selection }}
+            ${{ runner.os }}-nox-${{ github.job }}-${{ matrix.test_selection }}
 
       - name: Login to Docker Hub
         uses: docker/login-action@v3
@@ -425,19 +425,17 @@ jobs:
     if: needs.Check-Backend-Changes.outputs.has_backend_changes == 'true' && (contains(github.event.pull_request.labels.*.name, 'run unsafe ci checks') || github.event_name == 'push' || github.event_name == 'merge_group')
     strategy:
       max-parallel: 1 # This prevents collisions in shared external resources
-      matrix:
-        python_version: ["3.9.21", "3.10.16"]
     runs-on: ubuntu-latest
     timeout-minutes: 20
     steps:
       - name: Download container
         uses: actions/download-artifact@v4
         with:
-          name: python-${{ matrix.python_version }}
+          name: python-${{ env.DEFAULT_PYTHON_VERSION }}
           path: /tmp/
 
       - name: Load image
-        run: docker load --input /tmp/python-${{ matrix.python_version }}.tar
+        run: docker load --input /tmp/python-${{ env.DEFAULT_PYTHON_VERSION }}.tar
 
       - name: Checkout
         uses: actions/checkout@v4
@@ -455,9 +453,9 @@ jobs:
         uses: actions/cache@v4
         with:
           path: .nox/
-          key: ${{ runner.os }}-nox-${{ github.job }}-${{ matrix.python_version }}-${{ hashFiles('noxfile.py') }}-${{ hashFiles('noxfiles/**.py') }}-${{ hashFiles('pyproject.toml') }}
+          key: ${{ runner.os }}-nox-${{ github.job }}-${{ hashFiles('noxfile.py') }}-${{ hashFiles('noxfiles/**.py') }}-${{ hashFiles('pyproject.toml') }}
           restore-keys: |
-            ${{ runner.os }}-nox-${{ github.job }}-${{ matrix.python_version }}
+            ${{ runner.os }}-nox-${{ github.job }}-
 
       - name: Login to Docker Hub
         uses: docker/login-action@v3
@@ -495,19 +493,17 @@ jobs:
     if: needs.Check-Backend-Changes.outputs.has_backend_changes == 'true' && (contains(github.event.pull_request.labels.*.name, 'run unsafe ci checks') || github.event_name == 'push' || github.event_name == 'merge_group')
     strategy:
       max-parallel: 1 # This prevents collisions in shared external resources
-      matrix:
-        python_version: ["3.9.21", "3.10.16"]
     runs-on: ubuntu-latest
     timeout-minutes: 45
     steps:
       - name: Download container
         uses: actions/download-artifact@v4
         with:
-          name: python-${{ matrix.python_version }}
+          name: python-${{ env.DEFAULT_PYTHON_VERSION }}
           path: /tmp/
 
       - name: Load image
-        run: docker load --input /tmp/python-${{ matrix.python_version }}.tar
+        run: docker load --input /tmp/python-${{ env.DEFAULT_PYTHON_VERSION }}.tar
 
       - name: Checkout
         uses: actions/checkout@v4
@@ -525,9 +521,9 @@ jobs:
         uses: actions/cache@v4
         with:
           path: .nox/
-          key: ${{ runner.os }}-nox-${{ github.job }}-${{ matrix.python_version }}-${{ hashFiles('noxfile.py') }}-${{ hashFiles('noxfiles/**.py') }}-${{ hashFiles('pyproject.toml') }}
+          key: ${{ runner.os }}-nox-${{ github.job }}-${{ hashFiles('noxfile.py') }}-${{ hashFiles('noxfiles/**.py') }}-${{ hashFiles('pyproject.toml') }}
           restore-keys: |
-            ${{ runner.os }}-nox-${{ github.job }}-${{ matrix.python_version }}-
+            ${{ runner.os }}-nox-${{ github.job }}-
 
       - name: Login to Docker Hub
         uses: docker/login-action@v3
@@ -613,17 +609,15 @@ jobs:
       id-token: write
     strategy:
       max-parallel: 1 # This prevents collisions in shared external resources
-      matrix:
-        python_version: ["3.9.21", "3.10.16"]
     steps:
       - name: Download container
         uses: actions/download-artifact@v4
         with:
-          name: python-${{ matrix.python_version }}
+          name: python-${{ env.DEFAULT_PYTHON_VERSION }}
           path: /tmp/
 
       - name: Load image
-        run: docker load --input /tmp/python-${{ matrix.python_version }}.tar
+        run: docker load --input /tmp/python-${{ env.DEFAULT_PYTHON_VERSION }}.tar
 
       - name: Checkout
         uses: actions/checkout@v4
@@ -641,9 +635,9 @@ jobs:
         uses: actions/cache@v4
         with:
           path: .nox/
-          key: ${{ runner.os }}-nox-${{ github.job }}-${{ matrix.python_version }}-${{ hashFiles('noxfile.py') }}-${{ hashFiles('noxfiles/**.py') }}-${{ hashFiles('pyproject.toml') }}
+          key: ${{ runner.os }}-nox-${{ github.job }}-${{ hashFiles('noxfile.py') }}-${{ hashFiles('noxfiles/**.py') }}-${{ hashFiles('pyproject.toml') }}
           restore-keys: |
-            ${{ runner.os }}-nox-${{ github.job }}-${{ matrix.python_version }}-
+            ${{ runner.os }}-nox-${{ github.job }}-
 
       - name: Login to Docker Hub
         uses: docker/login-action@v3

diff --git a/.github/workflows/cli_checks.yml b/.github/workflows/cli_checks.yml
@@ -14,7 +14,7 @@ on:
       - "release-**"
 
 env:
-  DEFAULT_PYTHON_VERSION: "3.10.16"
+  DEFAULT_PYTHON_VERSION: "3.13.11"
 
 jobs:
   Check-CLI-Changes:

diff --git a/.github/workflows/cypress_e2e.yml b/.github/workflows/cypress_e2e.yml
@@ -14,7 +14,7 @@ env:
   # Docker auth with read-only permissions.
   DOCKER_USER: ${{ secrets.DOCKER_USER }}
   DOCKER_RO_TOKEN: ${{ secrets.DOCKER_RO_TOKEN }}
-  DEFAULT_PYTHON_VERSION: "3.10.16"
+  DEFAULT_PYTHON_VERSION: "3.13.11"
 
 jobs:
   Check-E2E-Changes:

diff --git a/.github/workflows/publish_docker.yaml b/.github/workflows/publish_docker.yaml
@@ -11,7 +11,7 @@ env:
   # Docker auth with read-write (publish) permissions. Set as env in workflow root as auth is required in multiple jobs.
   DOCKER_USER: ${{ secrets.DOCKER_USER }}
   DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-  DEFAULT_PYTHON_VERSION: "3.10.16"
+  DEFAULT_PYTHON_VERSION: "3.13.11"
 
 jobs:
   ParseTags:

diff --git a/.github/workflows/publish_docs.yaml b/.github/workflows/publish_docs.yaml
@@ -10,7 +10,7 @@ on:
 env:
   TAG: ${{ github.event.release.tag_name }}
   PROD_PUBLISH: true
-  DEFAULT_PYTHON_VERSION: "3.10.16"
+  DEFAULT_PYTHON_VERSION: "3.13.11"
 
 jobs:
   publish_docs:

diff --git a/.github/workflows/publish_package.yaml b/.github/workflows/publish_package.yaml
@@ -13,10 +13,10 @@ jobs:
         with:
           fetch-depth: 0 # This is required to properly tag packages
 
-      - name: Setup Python 3.9
+      - name: Setup Python 3.13.11
         uses: actions/setup-python@v5
         with:
-        with:
+          python-version: 3.13.11
-        with:
+          python-version: 3.13.11
-          python-version: 3.9
+          python-version: 3.11.11
 
       - name: Use Node.js 20
         uses: actions/setup-node@v4

diff --git a/.github/workflows/static_checks.yml b/.github/workflows/static_checks.yml
@@ -3,15 +3,15 @@ name: Backend Static Code Checks
 on:
   pull_request:
   merge_group:
-    types: [checks_requested]
+    types: [ checks_requested ]
   push:
     branches:
       - "main"
       - "release-**"
 
 env:
   IMAGE: ethyca/fides:local
-  DEFAULT_PYTHON_VERSION: "3.10.16"
+  DEFAULT_PYTHON_VERSION: "3.13.11"
   # Docker auth with read-only permissions.
   DOCKER_USER: ${{ secrets.DOCKER_USER }}
   DOCKER_RO_TOKEN: ${{ secrets.DOCKER_RO_TOKEN }}
@@ -88,9 +88,13 @@ jobs:
       - name: Install Dev Requirements
         run: pip install -r dev-requirements.txt
 
+      # The workflow will proceed even if this fails because it should be non-blocking
       - name: Run Static Check
         run: nox -s ${{ matrix.session_name }}
+        continue-on-error: true
 
+
+
   # Summary job for branch protection
   Static-Checks-Summary:
     runs-on: ubuntu-latest

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # If you update this, also update `DEFAULT_PYTHON_VERSION` in the GitHub workflow files
-ARG PYTHON_VERSION="3.10.16"
+ARG PYTHON_VERSION="3.13.11"
 #########################
 ## Compile Python Deps ##
 #########################

diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -1,21 +1,22 @@
 black==24.3.0
-debugpy==1.6.3
+debugpy~=1.8.0
 Faker==14.1.0
-freezegun==1.0.0
+freezegun==1.5.5
 GitPython==3.1.41
 isort==5.12.0
 moto[s3]==5.1.0
 mypy==1.10.0
 nox==2022.8.7
 pre-commit==2.20.0
-pylint==3.2.5
+pylint~=3.3.2
 pytest-asyncio==0.19.0
+pytest-celery==1.2.1
 pytest-cov==4.0.0
 pytest-env==0.7.0
+pytest-loguru==0.4.0
 pytest-mock==3.14.0
 pytest-rerunfailures==14.0
-pytest-xdist==3.6.1
-pytest==7.2.2
+pytest==8.4.2
 pyyaml==6.0.1
 requests-mock==1.10.0
 setuptools>=64.0.2

diff --git a/docs/fides/Dockerfile b/docs/fides/Dockerfile
@@ -1,10 +1,11 @@
-FROM python:3.10.16-slim-bookworm AS build
+FROM python:3.13-slim-bookworm AS build
 
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
     g++ \
     gnupg \
     gcc \
+    git \
     python3-wheel \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
@@ -30,7 +31,12 @@ COPY . .
 RUN pip install -U pip && pip install . && pip install -r docs/fides/requirements.txt
 
 
-FROM python:3.10.16-slim-bookworm AS docs
+FROM python:3.12-slim-bookworm AS docs
+
+# Add the fidesuser user
+RUN addgroup --system --gid 1001 fidesgroup
+RUN adduser --system --uid 1001 --home /home/fidesuser fidesuser
+
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
     git \
@@ -39,8 +45,8 @@ RUN apt-get update && \
 
 WORKDIR /docs
 
-COPY --from=build /opt/venv /opt/venv
-COPY --from=build /docs/fides .
+COPY --from=build --chown=fidesuser:fidesgroup /opt/venv /opt/venv
+COPY --from=build --chown=fidesuser:fidesgroup /docs/fides .
 
 ENV PATH="/opt/venv/bin:$PATH"
 

diff --git a/noxfile.py b/noxfile.py
@@ -25,7 +25,7 @@
 # pylint: enable=unused-wildcard-import, wildcard-import, wrong-import-position
 
 REQUIRED_DOCKER_VERSION = "20.10.17"
-REQUIRED_PYTHON_VERSIONS = ["3.9", "3.10"]
+REQUIRED_PYTHON_VERSIONS = ["3.13"]
 
 nox.options.sessions = ["open_docs"]