deps(docker): bump python from 3.12-slim to 3.14-slim in the docker-all group

[dependabot]

Bumps the docker-all group with 1 update: python.

Updates python from 3.12-slim to 3.14-slim

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[greptile-apps]

Greptile Summary

This PR updates the Docker base image from python:3.12-slim to python:3.14-slim, skipping the 3.13 minor version, with the digest pinned to a new SHA256 hash for reproducibility.

• The python:3.14-slim image is confirmed available on Docker Hub (currently tracking 3.14.5-slim-trixie).
• The Dockerfile itself is otherwise unchanged; the embedded plugin-scanner script uses only standard-library features (os, sys, from __future__ import annotations) that are unaffected by the 3.12→3.14 upgrade.
• The docker-requirements.txt wheel hashes are not changed in this PR, so any packages with C-extension wheels pinned to CPython 3.12 ABI may fail to install at build time against the 3.14 interpreter.

Confidence Score: 3/5

The base image update is clean, but the docker-requirements.txt hashes were generated against Python 3.12 and may not resolve correctly under Python 3.14, causing the image build to fail.

The only file changed is the FROM line, which correctly pins the new image by SHA256. However, the project installs dependencies with --require-hashes, and any packages that shipped version-specific wheels for CPython 3.12 will not match under a 3.14 interpreter. This is a real build-time breakage risk that should be validated before merging.

docker-requirements.txt (not in the diff) — its recorded hashes need to be regenerated against Python 3.14 to confirm the build still succeeds.

Important Files Changed

Filename	Overview
Dockerfile	Base image bumped from python:3.12-slim to python:3.14-slim with a new pinned SHA256 digest; the rest of the Dockerfile is unchanged.

_{Reviews (1): Last reviewed commit: "deps(docker): bump python in the docker-..." | Re-trigger Greptile}

[greptile-apps]

Pinned hashes in docker-requirements.txt may not match Python 3.14 wheels

docker-requirements.txt is installed with --require-hashes, meaning every wheel (or sdist) must match a recorded hash. Wheels built for CPython 3.12 (tags like cp312-cp312-*) will not be offered by pip for a 3.14 interpreter, so pip will fall back to a source distribution or a different wheel — both of which will fail the hash check. The build will error at the pip install step rather than at runtime, but it means the image as written may not actually build until docker-requirements.txt is regenerated against 3.14.

[kilo-code-bot]

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity	Count
CRITICAL	1

Issue Details (click to expand)

CRITICAL

File	Line	Issue
docker-requirements.txt	N/A (not in diff)	Hashed pip dependencies are pinned to Python 3.12 ABI; upgrading to python:3.14-slim will cause installation failures at Docker build time due to wheel hash mismatches.

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File	Issue
docker-requirements.txt	The --require-hashes constraint in docker-requirements.txt will cause pip install to fail during docker build because C-extension wheel hashes (e.g., aiohttp, cryptography) are Python version-specific. The wheel filenames include the CPython version (cp312 for 3.12), but Python 3.14 uses cp314 identifiers.

The docker-requirements.txt hashes must be regenerated against Python 3.14 before this PR can be merged. Use:

uv pip compile pyproject.toml --extra cisco --generate-hashes -o docker-requirements.txt

| .github/workflows/ci.yml | CI tests Python 3.10-3.13 but not 3.14. Consider adding 3.14 to the test matrix to ensure forward compatibility. |

| pyproject.toml | Already specifies requires-python = ">=3.10" which supports Python 3.14. |

Files Reviewed (1 file)

• Dockerfile - 1 issue (docker-requirements.txt compatibility)

---

_{Reviewed by laguna-m.1-20260312:free · 2,796,725 tokens}