
chore(ci): align devcontainer and CI workflows to Python 3.12 #643

Description

@katriendg

Background

requirements.txt is compiled by pip-compile under Python 3.12 (the autogenerated header at the top of the file records this). However, the devcontainer and every CI workflow that installs from requirements.txt targets Python 3.11. The mismatch was silent until PR #629 (checkov 3.3.6 bump) exposed it: checkov 3.3.6 pulls in numpy 2.5.0 as a transitive dependency, and numpy 2.5.0 declares Requires-Python >=3.12, so pip running on 3.11 will not accept that release at all. The AIO Version Check CI job and every other workflow that runs pip install --require-hashes -r requirements.txt on Python 3.11 now fails with:

ERROR: No matching distribution found for numpy==2.5.0

Python Version Across the Repo

The upgrade is low-risk because Python 3.12 is already in use at every other layer of the stack. The devcontainer and a handful of CI workflows are the only things lagging:

| Layer | Python version | Status |
|---|---|---|
| All src/ application Dockerfiles | 3.12 | ✅ already on 3.12 |
| .github/requirements/checkov.txt | compiled on 3.12 | ✅ already on 3.12 |
| .github/requirements/terraform-tools.txt | compiled on 3.12 | ✅ already on 3.12 |
| .github/requirements/yamllint.txt | compiled on 3.12 | ✅ already on 3.12 |
| Root requirements.txt | compiled on 3.12 | ✅ already on 3.12 |
| ROS2 Dockerfiles | Ubuntu 24.04 base | ✅ Ubuntu 24.04 ships Python 3.12 |
| .devcontainer/devcontainer.json | python:3.11-bookworm | ❌ needs upgrade |
| .devcontainer/beads/devcontainer.json | python:3.11-bookworm | ❌ needs upgrade |
| aio-version-checker.yml | python-version: '3.11' | ❌ needs upgrade |
| security-comprehensive.yml | python-version: '3.11' | ❌ needs upgrade |
| security-deployment.yml | python-version: '3.11' | ❌ needs upgrade |
| security-staleness-check.yml | python-version: '3.11' | ❌ needs upgrade |
| variable-compliance-terraform.yml | python-version: '3.11' | ❌ needs upgrade |
| .github/dependabot.yml pip entry | no python-version set | ❌ needs explicit pin |

No code-level risks: no python_requires anywhere pins to 3.11, no use of removed stdlib APIs (distutils, etc.), and the Python in this repo is CI tooling only — the primary application stack is Rust, Terraform, and Go.

Root Cause

| Component | Current version | Should be |
|---|---|---|
| requirements.txt pip-compile target | Python 3.12 | Python 3.12 ✅ |
| .devcontainer/devcontainer.json | python:3.11-bookworm | python:3.12-bookworm |
| .devcontainer/beads/devcontainer.json | python:3.11-bookworm | python:3.12-bookworm |
| aio-version-checker.yml | python-version: '3.11' | '3.12' |
| security-comprehensive.yml | python-version: '3.11' | '3.12' |
| security-deployment.yml | python-version: '3.11' | '3.12' |
| security-staleness-check.yml | python-version: '3.11' | '3.12' |
| variable-compliance-terraform.yml | python-version: '3.11' | '3.12' |
| .github/dependabot.yml (pip) | no python-version set | should pin '3.12' |

Dependabot has no python-version key set in the pip ecosystem entry, so it resolves against its own runner default (currently 3.12). Adding an explicit pin prevents future drift if the runner default ever changes.

Work Needed

1. Devcontainer

  • .devcontainer/devcontainer.json: image python:3.11-bookworm → python:3.12-bookworm
  • .devcontainer/beads/devcontainer.json: same change

2. CI Workflows

  • .github/workflows/aio-version-checker.yml: step name + python-version: '3.11' → '3.12'
  • .github/workflows/security-comprehensive.yml: python-version: '3.11' → '3.12'
  • .github/workflows/security-deployment.yml: python-version: '3.11' → '3.12'
  • .github/workflows/security-staleness-check.yml: python-version: '3.11' → '3.12'
  • .github/workflows/variable-compliance-terraform.yml: step name + python-version: '3.11' → '3.12'

3. Dependabot Configuration

  • .github/dependabot.yml pip entry — add python-version: "3.12" so future Dependabot pip PRs resolve and compile against the same Python version as requirements.txt.

    - package-ecosystem: "pip"
      directories:
        - "/"
        - "/src/500-application/**"
      python-version: "3.12"     # <-- add this
      schedule: ...

4. Unblock PR #629

Once this PR merges to main, trigger a Dependabot rebase of PR #629 (@dependabot rebase) so it picks up the updated workflow Python version and re-runs CI cleanly. The ecdsa grype allow-list fix (GHSA-wj6h-64fc-37mp) already committed to the PR #629 branch remains valid and should be included.
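The drift described in this issue was only noticed when an install broke. A repo-wide check that fails CI as soon as any workflow, devcontainer or Dependabot entry diverges from the Python version recorded in the pip-compile header would have caught it earlier. The script below is an added example written for this page; it is not code from the repository or from the issue author. It reads the "autogenerated by pip-compile with Python X.Y" header as the source of truth, scans `.github/workflows/*.yml` for `python-version:` pins, the devcontainer `image` strings for `python:X.Y-`, and the Dependabot pip entry for a `python-version` key, and reports every mismatch. The sample repository it builds in a temporary directory (`build_sample_repo`) and all helper names are constructed for the example and mirror the layout the issue describes.

```python
"""Detect Python-version drift between a pip-compile'd requirements file and
the CI workflows, devcontainers and Dependabot config that install from it.

Added example, not part of the repository or the issue above. The sample
files written by build_sample_repo() are constructed to mirror the layout
described in the issue; all helper names are ours.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# pip-compile records the interpreter it ran under in its header; treat that
# as the authoritative target version for everything that installs the file.
PIP_COMPILE_HEADER = re.compile(r"autogenerated by pip-compile with Python (\d+\.\d+)")
# Matches `python-version: '3.11'`, `python-version: "3.12"` or an unquoted value.
# A matrix (`python-version: ${{ matrix.python }}`) or `3.x` is not matched and
# is therefore not checked; extend the pattern if the repo uses those.
VERSION_PIN = re.compile(r"""python-version:\s*['"]?(\d+\.\d+)['"]?""")
# Matches the tag in a devcontainer image such as `python:3.11-bookworm`.
# Searched over raw text so JSONC comments in devcontainer.json do not matter.
DEVCONTAINER_IMAGE = re.compile(r"python:(\d+\.\d+)-")


def compiled_python(requirements: Path) -> str | None:
    """Return the Python version named in the pip-compile header, or None."""
    for line in requirements.read_text().splitlines()[:5]:
        m = PIP_COMPILE_HEADER.search(line)
        if m:
            return m.group(1)
    return None


def workflow_pins(workflows_dir: Path) -> dict[str, list[str]]:
    """Map each workflow file to every python-version pin it contains."""
    pins: dict[str, list[str]] = {}
    for wf in sorted(workflows_dir.glob("*.yml")):
        found = VERSION_PIN.findall(wf.read_text())
        if found:
            pins[wf.name] = found
    return pins


def devcontainer_image_version(devcontainer_json: Path) -> str | None:
    """Return the X.Y from a `python:X.Y-...` image tag, or None."""
    m = DEVCONTAINER_IMAGE.search(devcontainer_json.read_text())
    return m.group(1) if m else None


def dependabot_pip_pin(dependabot_yml: Path) -> str | None:
    """Return the python-version pinned on the pip ecosystem entry, or None
    when the pip entry carries no pin (or there is no pip entry)."""
    entries = re.split(r"(?m)^\s*-\s*package-ecosystem:", dependabot_yml.read_text())[1:]
    for entry in entries:
        if re.match(r"""\s*['"]?pip['"]?""", entry):
            m = VERSION_PIN.search(entry)
            return m.group(1) if m else None
    return None


def find_drift(repo: Path) -> list[str]:
    """Return one human-readable line per file that disagrees with the
    pip-compile target version; an empty list means the repo is aligned."""
    target = compiled_python(repo / "requirements.txt")
    if target is None:
        return ["requirements.txt: no pip-compile header, cannot determine target Python"]
    problems: list[str] = []
    for name, versions in workflow_pins(repo / ".github" / "workflows").items():
        for v in versions:
            if v != target:
                problems.append(f".github/workflows/{name}: python-version {v} != {target}")
    # `**` in pathlib also matches zero directories, so this covers both
    # .devcontainer/devcontainer.json and .devcontainer/beads/devcontainer.json.
    for dc in sorted(repo.glob(".devcontainer/**/devcontainer.json")):
        v = devcontainer_image_version(dc)
        if v is not None and v != target:
            problems.append(f"{dc.relative_to(repo)}: image python:{v} != {target}")
    dependabot = repo / ".github" / "dependabot.yml"
    if dependabot.exists():
        v = dependabot_pip_pin(dependabot)
        if v is None:
            problems.append(".github/dependabot.yml: pip entry has no python-version pin")
        elif v != target:
            problems.append(f".github/dependabot.yml: python-version {v} != {target}")
    return problems


def build_sample_repo() -> Path:
    """Write a constructed repo layout (not the real repository) showing the
    pre-fix state from the issue: 3.12 requirements, 3.11 CI and devcontainer."""
    root = Path(tempfile.mkdtemp(prefix="pydrift-"))
    (root / "requirements.txt").write_text(
        "#\n# This file is autogenerated by pip-compile with Python 3.12\n"
        "# by the following command:\n#\n#    pip-compile --generate-hashes\n#\n"
        "numpy==2.5.0 \\\n    --hash=sha256:0000\n"  # constructed, not a real hash
    )
    wf = root / ".github" / "workflows"
    wf.mkdir(parents=True)
    (wf / "aio-version-checker.yml").write_text(
        "jobs:\n  check:\n    steps:\n      - uses: actions/setup-python@v5\n"
        "        with:\n          python-version: '3.11'\n"
    )
    (wf / "aligned.yml").write_text("      - uses: actions/setup-python@v5\n"
                                    "        with:\n          python-version: '3.12'\n")
    (root / ".devcontainer").mkdir()
    (root / ".devcontainer" / "devcontainer.json").write_text(
        '{\n  // JSONC comment\n  "image": "python:3.11-bookworm"\n}\n')
    (root / ".github" / "dependabot.yml").write_text(
        'version: 2\nupdates:\n  - package-ecosystem: "pip"\n    directories:\n'
        '      - "/"\n    schedule:\n      interval: "weekly"\n')
    return root


if __name__ == "__main__":
    for problem in find_drift(build_sample_repo()):
        print(problem)
```

Run against the constructed sample it reports the three drift points the issue lists (the 3.11 workflow, the 3.11 devcontainer image, and the unpinned Dependabot pip entry) and nothing for the aligned workflow. Wired into CI with a non-zero exit on any finding, it turns the next silent mismatch into a failed check instead of a broken `--require-hashes` install.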

Acceptance Criteria
