Add support for Python 3.14 #227

Open
hugovk wants to merge 4 commits into GitHubSecurityLab:main from hugovk:main

hugovk commented Apr 22, 2026

After this is released, https://github.com/GitHubSecurityLab/seclab-taskflows can be updated for 3.14 as well.

Copilot AI left a comment

Pull request overview

Adds Python 3.14 support across packaging metadata and CI, along with dependency and GitHub Actions updates needed to keep the project compatible.

Changes:

  • Advertise Python 3.14 support via Trove classifier updates.
  • Update CI matrix to run tests on Python 3.14 (alongside 3.11).
  • Bump Pydantic-related dependencies and update several GitHub Actions major versions.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| pyproject.toml | Adds Python 3.14 classifier; updates pinned dependency versions (notably Pydantic stack). |
| .github/workflows/ci.yml | Tests on Python 3.14; updates checkout action major version. |
| .github/workflows/smoketest.yaml | Updates actions/setup-python major version. |
| .github/workflows/release.yml | Updates checkout/setup-python/attestation action major versions. |
| .github/workflows/codeql.yml | Updates checkout action major version. |

Comment thread pyproject.toml
"pydantic_core==2.33.2",
"pydantic==2.13.3",
"pydantic-settings==2.14.0",
"pydantic_core==2.46.3",
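
Review bot: the pydantic_core pin on the last line (2.33.2 to 2.46.3) is maintained by hand next to pydantic==2.13.3, and each pydantic release requires one exact pydantic_core version, so the two lines can drift apart on the next bump. Confirm that 2.46.3 is the version pydantic 2.13.3 declares, and either drop the separate pin or add a comment on that line naming the pydantic release it tracks so both are bumped together.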

Copilot AI Apr 22, 2026

pydantic, pydantic-settings, and especially pydantic_core are tightly coupled; pinning pydantic_core independently can make the dependency set unsatisfiable if it doesn’t match the exact pydantic requirement. Consider removing the explicit pydantic_core pin (let pydantic pull the compatible version) or update it to the version required by pydantic==2.13.3 to avoid pip resolver failures.

Suggested change
"pydantic_core==2.46.3",

Copilot uses AI. Check for mistakes.
GitHubSecurityLab deleted a comment from Copilot AI Apr 23, 2026
Comment thread .github/workflows/ci.yml Outdated
Co-authored-by: Kevin Backhouse <kevinbackhouse@github.com>
Copilot AI review requested due to automatic review settings April 24, 2026 14:21
Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (1)

.github/workflows/smoketest.yaml:41

  • Smoke test workflow references actions/setup-python@v6 / actions/checkout@v6 via moving tags. Given this workflow runs on PR-triggered comments and checks out arbitrary SHAs, pin these actions to commit SHAs for better supply-chain safety and reproducibility.
      - name: Setup Python
        if: steps.branch-deploy.outputs.continue == 'true'
        uses: actions/setup-python@v6
        with:
          python-version: '3.11'

      - name: Checkout the repo
        if: steps.branch-deploy.outputs.continue == 'true'
        uses: actions/checkout@v6
        with:

Comment on lines 26 to 32
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6

- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v6
with:
python-version: '3.11'
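
Review bot: both `uses:` changes in this hunk (actions/checkout v4 to v6, actions/setup-python v5 to v6) swap one moving major tag for another, so each step still resolves to whatever the tag points at when the job runs. Put the full commit SHA in `uses:` and keep the release as a trailing comment, for example `# v6`, so the pin stays readable in review and the version it corresponds to is recorded next to it.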

Copilot AI Apr 24, 2026

Release workflow now uses moving tags (actions/checkout@v6, actions/setup-python@v6). Since this job publishes artifacts/images, please pin these actions to immutable commit SHAs to reduce supply-chain risk and ensure reproducible releases (similar to the pinned SHAs used in the PyPI publish workflows).

- name: Generate artifact attestation
uses: actions/attest-build-provenance@v3
uses: actions/attest-build-provenance@v4
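
Review bot: the move of actions/attest-build-provenance from v3 to v4 on the last line is a major-version change to the step that produces the release's provenance, and nothing in this hunk exercises it. Run the release workflow against a test tag before merging and confirm the resulting attestation still verifies (for example with `gh attestation verify`), then pin the step to the commit SHA that was tested.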

Copilot AI Apr 24, 2026

actions/attest-build-provenance is invoked from a release workflow but is referenced via a moving major tag (@v4). Consider pinning it to a specific commit SHA (as done in .github/workflows/publish-to-pypi.yaml:44) to avoid unexpected behavior changes in the release pipeline.

Suggested change
uses: actions/attest-build-provenance@v4
uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6

Copilot AI Apr 24, 2026

CodeQL workflow switches actions/checkout to a moving major tag (@v6). Consider pinning to a commit SHA for reproducibility/supply-chain hardening (the repo already pins checkout in the PyPI publish workflows).

Suggested change
uses: actions/checkout@v6
uses: actions/checkout@FULL_LENGTH_COMMIT_SHA # Pin to the same commit SHA used for actions/checkout in the PyPI publish workflows

Comment thread .github/workflows/ci.yml
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
python-version: ['3.11', '3.13'] # the one we have in the Codespace + the latest supported one by PyO3.
python-version: ['3.11', '3.14'] # the one we have in the Codespace + the latest one supported by Python 3.
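
Review bot: replacing '3.13' with '3.14' in `python-version` drops 3.13 from the matrix, so after this change only 3.11 and 3.14 are exercised on each OS. If 3.13 remains a supported version, keep it in the list alongside 3.14. The new trailing comment ("the latest one supported by Python 3") also no longer says what limits the choice, where the old one named PyO3; reword it to state the actual constraint.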

Copilot AI Apr 24, 2026

CI matrix now advertises support for Python >=3.10 (see pyproject.toml requires-python = ">=3.10"), but the workflow only tests 3.11 and 3.14. Either add 3.10 to the matrix to prevent regressions in the documented minimum version, or bump requires-python to ">=3.11" if 3.10 is no longer supported.

Suggested change
python-version: ['3.11', '3.14'] # the one we have in the Codespace + the latest one supported by Python 3.
python-version: ['3.10', '3.11', '3.14'] # the minimum supported version, the one we have in the Codespace, and the latest one supported by Python 3.

Comment thread .github/workflows/ci.yml
Comment on lines +19 to 20
python-version: ['3.11', '3.14'] # the one we have in the Codespace + the latest one supported by Python 3.
fail-fast: false # Continue testing other version(s) if one fails

Copilot AI Apr 24, 2026

.github/workflows/publish-to-pypi.yaml and publish-to-testpypi.yaml still build with Python 3.13, while CI moved the “latest” test version to 3.14. If the goal is to validate/build on 3.14 end-to-end, consider updating the packaging/publish workflows to 3.14 as well (or document why publishing remains on 3.13).

Comment thread .github/workflows/ci.yml
steps:
- name: Checkout repository
uses: actions/checkout@v5
uses: actions/checkout@v6

Copilot AI Apr 24, 2026

This workflow switches to actions/checkout@v6 (a moving major tag). For supply-chain hardening and reproducibility, pin GitHub Actions to a specific commit SHA (this repo already does so in .github/workflows/publish-to-pypi.yaml:28). At minimum, keep checkout on the same major used elsewhere unless there’s a required v6 feature.

Suggested change
uses: actions/checkout@v6
uses: actions/checkout@v5
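
A check for the pinning concern raised in the review comments above, as an added example (not code from this pull request or the repository): it scans workflow text for `uses:` references that are not pinned to a full 40-character commit SHA. The sample workflow is constructed from steps quoted in the comments, and the `./.github/actions/local-step` path is hypothetical.

```python
import re

# A step's or reusable workflow's `uses:` value; commented-out lines do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify_ref(uses_value):
    """Classify one `uses:` value as 'local', 'docker', 'pinned' or 'mutable'."""
    if uses_value.startswith("./"):
        return "local"    # action stored in this repository, versioned with it
    if uses_value.startswith("docker://"):
        return "docker"   # container image reference, not covered by this check
    _, _, ref = uses_value.partition("@")
    if FULL_SHA_RE.fullmatch(ref):
        return "pinned"   # full-length commit SHA
    return "mutable"      # tag, branch, abbreviated SHA, or no ref at all


def find_mutable_refs(workflow_text):
    """Return (line_number, uses_value) for each reference that can move."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify_ref(match.group(1)) == "mutable":
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample built from steps quoted in the review comments;
# the local action path on the last line is hypothetical.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.11'
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be
      # uses: actions/checkout@v4
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Run over every file in `.github/workflows/` as a CI step, a non-empty result can fail the build before a moving tag reaches a release job.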
