chore: update python toolchains

CHANGELOG.md

@@ -60,12 +60,12 @@ END_UNRELEASED_TEMPLATE
 * (gazelle) Types for exposed members of `python.ParserOutput` are now all public.
 * (gazelle) Removed the requirement for `__init__.py`, `__main__.py`, or `__test__.py` files to be
   present in a directory to generate a `BUILD.bazel` file.
-* (toolchain) Updated the following toolchains to build 20250702 to patch CVE-2025-47273:
+* (toolchain) Updated the following toolchains to build 20250708 to patch CVE-2025-47273:
     * 3.9.23
     * 3.10.18
     * 3.11.13
     * 3.12.11
-    * 3.14.0b3
+    * 3.14.0b4
 * (toolchain) Python 3.13 now references 3.13.5
 * (gazelle) Switched back to smacker/go-tree-sitter, fixing
   [#2630](https://github.com/bazel-contrib/rules_python/issues/2630)
@@ -105,7 +105,7 @@ END_UNRELEASED_TEMPLATE
     * 3.11.13
     * 3.12.11
     * 3.13.5
-    * 3.14.0b3
+    * 3.14.0b4
 * (gazelle): New annotation `gazelle:include_pytest_conftest`. When not set (the
   default) or `true`, gazelle will inject any `conftest.py` file found in the same
   directory as a {obj}`py_test` target to that {obj}`py_test` target's `deps`.

python/private/print_toolchain_checksums.bzl

@@ -28,6 +28,7 @@ def print_toolchains_checksums(name):
     template = """\
 cat > "$@" <<'EOF'
 #!/bin/bash
+set -euo pipefail
 
 set -o errexit -o nounset -o pipefail
 
@@ -54,35 +55,31 @@ EOF
 
 def _commands_for_version(*, python_version, metadata):
     lines = []
-    lines += [
-        "cat <<EOB",  # end of block
-        "    \"{python_version}\": {{".format(python_version = python_version),
-        "        \"url\": \"{url}\",".format(url = metadata["url"]),
-        "        \"sha256\": {",
-    ]
-
-    for platform in metadata["sha256"].keys():
-        for release_url in get_release_info(platform, python_version)[1]:
-            # Do lines one by one so that the progress is seen better and use cat for ease of quotation
-            lines += [
-                "EOB",
-                "cat <<EOB",
-                "            \"{platform}\": \"$$({get_sha256})\",".format(
-                    platform = platform,
-                    get_sha256 = "curl --silent --show-error --location --fail {release_url_sha256}".format(
-                        release_url = release_url,
-                        release_url_sha256 = release_url + ".sha256",
-                    ),
-                ),
-            ]
-
+    first_platform = metadata["sha256"].keys()[0]
+    root, _, _ = get_release_info(first_platform, python_version)[1][0].rpartition("/")
+    sha_url = "{}/{}".format(root, "SHA256SUMS")
     prefix = metadata["strip_prefix"]
     prefix = render.indent(
         render.dict(prefix) if type(prefix) == type({}) else repr(prefix),
         indent = " " * 8,
     ).lstrip()
 
     lines += [
+        "sha256s=$$(curl --silent --show-error --location --fail {})".format(sha_url),
+        "cat <<EOB",
+        "    \"{python_version}\": {{".format(python_version = python_version),
+        "        \"url\": \"{url}\",".format(url = metadata["url"]),
+        "        \"sha256\": {",
+    ] + [
+        "            \"{platform}\": \"$$({get_sha256})\",".format(
+            platform = platform,
+            get_sha256 = "echo \"$$sha256s\" | (grep {} || echo ) | awk '{{print $$1}}'".format(
+                release_url.rpartition("/")[-1],
+            ),
+        )
+        for platform in metadata["sha256"].keys()
+        for release_url in get_release_info(platform, python_version)[1]
+    ] + [
         "        },",
         "        \"strip_prefix\": {strip_prefix},".format(strip_prefix = prefix),
         "    },",