feat: add Python 3.14 to samples testing image (#13596)

* feat: add Python 3.14 to samples testing image

* address review feedback

* formatting

* wip

* remove gpg;add sigstore;remove python 2.7 which doesn't support sigstore

* fix typo

* chore: add Py3.14 to noxfile-template

---------

Co-authored-by: Victor Chudnovsky <vchudnov@google.com>

Author: parthea

.kokoro/docker/Dockerfile

@@ -110,33 +110,68 @@ RUN curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add - \
   && rm -rf /var/lib/apt/lists/* \
   && rm -f /var/cache/apt/archives/*.deb
 
-COPY fetch_gpg_keys.sh /tmp
-# Install the desired versions of Python.
-RUN set -ex \
-  && export GNUPGHOME="$(mktemp -d)" \
-  && echo "disable-ipv6" >> "${GNUPGHOME}/dirmngr.conf" \
-  && /tmp/fetch_gpg_keys.sh \
-  && for PYTHON_VERSION in 2.7.18 3.7.17 3.8.20 3.9.20 3.10.15 3.11.10 3.12.7 3.13.0; do \
-  wget --no-check-certificate -O python-${PYTHON_VERSION}.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
-  && wget --no-check-certificate -O python-${PYTHON_VERSION}.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
-  && gpg --batch --verify python-${PYTHON_VERSION}.tar.xz.asc python-${PYTHON_VERSION}.tar.xz \
-  && rm -r python-${PYTHON_VERSION}.tar.xz.asc \
-  && mkdir -p /usr/src/python-${PYTHON_VERSION} \
-  && tar -xJC /usr/src/python-${PYTHON_VERSION} --strip-components=1 -f python-${PYTHON_VERSION}.tar.xz \
-  && rm python-${PYTHON_VERSION}.tar.xz \
-  && cd /usr/src/python-${PYTHON_VERSION} \
-  && ./configure \
-  --enable-shared \
-  # This works only on Python 2.7 and throws a warning on every other
-  # version, but seems otherwise harmless.
-  --enable-unicode=ucs4 \
-  --with-system-ffi \
-  --without-ensurepip \
-  && make -j$(nproc) \
-  && make install \
-  && ldconfig \
+# From https://www.python.org/downloads/metadata/sigstore/
+# Starting with Python 3.14, Sigstore is the only method of signing and verification of release artifacts. 
+RUN LATEST_VERSION="2.6.1" && \
+    wget "https://github.com/sigstore/cosign/releases/download/v${LATEST_VERSION}/cosign_${LATEST_VERSION}_amd64.deb" && \
+    dpkg -i cosign_${LATEST_VERSION}_amd64.deb && \
+    rm cosign_${LATEST_VERSION}_amd64.deb
+
+ARG PYTHON_VERSIONS="3.7.17 3.8.20 3.9.23 3.10.18 3.11.13 3.12.11 3.13.8 3.14.0"
+
+SHELL ["/bin/bash", "-c"]
+
+RUN set -eux; \
+    # Define the required associative arrays completely.
+    declare -A PYTHON_IDENTITIES; \
+    PYTHON_IDENTITIES=(\
+        [3.7]="nad@python.org" \
+        [3.8]="lukasz@langa.pl" \
+        [3.9]="lukasz@langa.pl" \
+        [3.10]="pablogsal@python.org" \
+        [3.11]="pablogsal@python.org" \
+        [3.12]="thomas@python.org" \
+        [3.13]="thomas@python.org" \
+        [3.14]="hugo@python.org" \
+    ); \
+    declare -A PYTHON_ISSUERS; \
+    PYTHON_ISSUERS=(\
+        [3.7]="https://github.com/login/oauth" \
+        [3.8]="https://github.com/login/oauth" \
+        [3.9]="https://github.com/login/oauth" \
+        [3.10]="https://accounts.google.com" \
+        [3.11]="https://accounts.google.com" \
+        [3.12]="https://accounts.google.com" \
+        [3.13]="https://accounts.google.com" \
+        [3.14]="https://github.com/login/oauth" \
+    ); \
+    \
+    for VERSION in $PYTHON_VERSIONS; do \
+        # 1. Define VERSION_GROUP (e.g., 3.14 from 3.14.0)
+        VERSION_GROUP="$(echo "${VERSION}" | cut -d . -f 1,2)"; \
+        \
+        # 2. Look up IDENTITY and ISSUER using the defined VERSION_GROUP
+        IDENTITY="${PYTHON_IDENTITIES[$VERSION_GROUP]}"; \
+        ISSUER="${PYTHON_ISSUERS[$VERSION_GROUP]}"; \
+        \
+      wget --quiet -O python-${VERSION}.tar.xz "https://www.python.org/ftp/python/${VERSION}/Python-$VERSION.tar.xz" \
+      && wget --quiet -O python-${VERSION}.tar.xz.sigstore "https://www.python.org/ftp/python/${VERSION}/Python-$VERSION.tar.xz.sigstore" \
+      # Verify the Python tarball signature with cosign.
+      && cosign verify-blob python-${VERSION}.tar.xz \
+        --certificate-oidc-issuer "${ISSUER}" \
+        --certificate-identity "${IDENTITY}" \
+        --bundle python-${VERSION}.tar.xz.sigstore \
+      && mkdir -p /usr/src/python-${VERSION} \
+      && tar -xJC /usr/src/python-${VERSION} --strip-components=1 -f python-${VERSION}.tar.xz \
+      && rm python-${VERSION}.tar.xz \
+      && cd /usr/src/python-${VERSION} \
+      && ./configure \
+          --enable-shared \
+          --with-system-ffi \
+      && make -j$(nproc) \
+      && make install \
+      && ldconfig \
   ; done \
-  && rm -rf "${GNUPGHOME}" \
   && rm -rf /usr/src/python* \
   && rm -rf ~/.cache/
 
@@ -158,6 +193,7 @@ RUN wget --no-check-certificate -O /tmp/get-pip-3-7.py 'https://bootstrap.pypa.i
   && [ "$(pip list |tac|tac| awk -F '[ ()]+' '$1 == "pip" { print $2; exit }')" = "$PYTHON_PIP_VERSION" ]
 
 # Ensure Pip for all python3 versions
+RUN python3.14 /tmp/get-pip.py
 RUN python3.13 /tmp/get-pip.py
 RUN python3.12 /tmp/get-pip.py
 RUN python3.11 /tmp/get-pip.py
@@ -175,6 +211,7 @@ RUN python3.10 -m pip
 RUN python3.11 -m pip
 RUN python3.12 -m pip
 RUN python3.13 -m pip
+RUN python3.14 -m pip
 
 # Install "setuptools" for Python 3.12+ (see https://docs.python.org/3/whatsnew/3.12.html#distutils)
 RUN python3.12 -m pip install --no-cache-dir setuptools

.kokoro/docker/fetch_gpg_keys.sh

@@ -0,0 +1,59 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Format: //devtools/kokoro/config/proto/build.proto
+
+timeout_mins: 300
+
+# Configure the docker image for kokoro-trampoline.
+env_vars: {
+    key: "TRAMPOLINE_IMAGE"
+    value: "gcr.io/cloud-devrel-kokoro-resources/python-samples-testing-docker"
+}
+
+# Download trampoline resources.
+gfile_resources: "/bigstore/cloud-devrel-kokoro-resources/trampoline"
+
+# Use the trampoline script to run in docker.
+build_file: "python-docs-samples/.kokoro/trampoline_v2.sh"
+
+# Download secrets from Cloud Storage.
+gfile_resources: "/bigstore/cloud-devrel-kokoro-resources/python-docs-samples"
+
+# Access btlr binaries used in the tests
+gfile_resources: "/bigstore/cloud-devrel-kokoro-resources/btlr"
+
+# Copy results for Resultstore
+action {
+  define_artifacts {
+    regex: "**/*sponge_log.xml"
+  }
+}
+
+# Specify which tests to run
+env_vars: {
+    key: "RUN_TESTS_SESSION"
+    value: "py-3.14"
+}
+
+env_vars: {
+    key: "BUILD_SPECIFIC_GCLOUD_PROJECT"
+    value: "python-docs-samples-tests-314"
+}
+
+# Number of test workers.
+env_vars: {
+    key: "NUM_TEST_WORKERS"
+    value: "10"
+}

.kokoro/python3.14/common.cfg

@@ -0,0 +1,21 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Format: //devtools/kokoro/config/proto/build.proto
+
+# Tell the trampoline which build file to use.
+env_vars: {
+    key: "TRAMPOLINE_BUILD_FILE"
+    value: ".kokoro/tests/run_tests_diff_head.sh"
+}

.kokoro/python3.14/continuous.cfg

@@ -0,0 +1,27 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Format: //devtools/kokoro/config/proto/build.proto
+
+# Tell the trampoline which build file to use.
+env_vars: {
+    key: "TRAMPOLINE_BUILD_FILE"
+    value: ".kokoro/tests/run_tests.sh"
+}
+
+# Tell Trampoline to upload the Docker image after successfull build.
+env_vars: {
+    key: "TRAMPOLINE_IMAGE_UPLOAD"
+    value: "true"
+}

.kokoro/python3.14/periodic.cfg

@@ -0,0 +1,21 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Format: //devtools/kokoro/config/proto/build.proto
+
+# Tell the trampoline which build file to use.
+env_vars: {
+    key: "TRAMPOLINE_BUILD_FILE"
+    value: ".kokoro/tests/run_tests_diff_main.sh"
+}

.kokoro/python3.14/presubmit.cfg

@@ -58,7 +58,7 @@ if [[ $* == *--only-diff-head* ]]; then
     fi
 fi
 
-# Because Kokoro runs presubmit builds simalteneously, we often see
+# Because Kokoro runs presubmit builds simultaneously, we often see
 # quota related errors. I think we can avoid this by changing the
 # order of tests to execute (e.g. reverse order for py-3.8
 # build). Currently there's no easy way to do that with btlr, so we

.kokoro/tests/run_tests.sh

@@ -79,7 +79,7 @@ def get_pytest_env_vars():
 
 # DO NOT EDIT - automatically generated.
 # All versions used to tested samples.
-ALL_VERSIONS = ["2.7", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]
+ALL_VERSIONS = ["2.7", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
 
 # Any default versions that should be ignored.
 IGNORED_VERSIONS = ["3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]

appengine/standard/noxfile-template.py

@@ -24,7 +24,7 @@
 
 TEST_CONFIG_OVERRIDE = {
     # You can opt out from the test for specific Python versions.
-    "ignored_versions": ["3.6", "3.7", "3.8", "3.9", "3.10", "3.11"],
+    "ignored_versions": ["3.6", "3.7", "3.8", "3.10", "3.11", "3.12", "3.13"],
     # Old samples are opted out of enforcing Python type hints
     # All new samples should feature them
     "enforce_type_hints": False,

appengine/standard/noxfile_config.py

@@ -88,7 +88,7 @@ def get_pytest_env_vars() -> dict[str, str]:
 
 
 # All versions used to tested samples.
-ALL_VERSIONS = ["2.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]
+ALL_VERSIONS = ["2.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
 
 # Any default versions that should be ignored.
 IGNORED_VERSIONS = TEST_CONFIG["ignored_versions"]