chore: update default python version for tests to 3.14 (#1892)

Also update the `docs` session to 3.10 to match the Python GAPIC code
generator used to generate Cloud Client libraries:
https://github.com/googleapis/gapic-generator-python/blob/d20dd2876fbf8c35f6a994639864815b0d7608ab/gapic/templates/noxfile.py.j2#L360-L361

Also update black to 23.7.0 to resolve the following stack trace

```
nox > python -m pip install flake8 flake8-import-order docutils click==8.0.4 black==19.3b0
nox > python -m pip install -e .
nox > black --check google tests tests_async noxfile.py setup.py docs/conf.py
Traceback (most recent call last):
  File "/tmpfs/src/github/google-auth-library-python/.nox/lint/bin/black", line 8, in <module>
    sys.exit(patched_main())
             ~~~~~~~~~~~~^^
  File "/tmpfs/src/github/google-auth-library-python/.nox/lint/lib/python3.14/site-packages/black.py", line 3754, in patched_main
    main()
    ~~~~^^
  File "/tmpfs/src/github/google-auth-library-python/.nox/lint/lib/python3.14/site-packages/click/core.py", line 1128, in __call__
    return self.main(*args, **kwargs)
           ~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/tmpfs/src/github/google-auth-library-python/.nox/lint/lib/python3.14/site-packages/click/core.py", line 1053, in main
    rv = self.invoke(ctx)
  File "/tmpfs/src/github/google-auth-library-python/.nox/lint/lib/python3.14/site-packages/click/core.py", line 1395, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmpfs/src/github/google-auth-library-python/.nox/lint/lib/python3.14/site-packages/click/core.py", line 754, in invoke
    return __callback(*args, **kwargs)
  File "/tmpfs/src/github/google-auth-library-python/.nox/lint/lib/python3.14/site-packages/click/decorators.py", line 26, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/tmpfs/src/github/google-auth-library-python/.nox/lint/lib/python3.14/site-packages/black.py", line 434, in main
    loop = asyncio.get_event_loop()
  File "/usr/local/lib/python3.14/asyncio/events.py", line 715, in get_event_loop
    raise RuntimeError('There is no current event loop in thread %r.'
                       % threading.current_thread().name)
RuntimeError: There is no current event loop in thread 'MainThread'.
nox > Command black --check google tests tests_async noxfile.py setup.py docs/conf.py failed with exit code 1
```

This PR also fixes the coverage presubmit to append the coverage check
to run across python runtimes.

Author: parthea

google/auth/_cloud_sdk.py

@@ -83,7 +83,7 @@ def get_application_default_credentials_path():
 
 
 def _run_subprocess_ignore_stderr(command):
-    """ Return subprocess.check_output with the given command and ignores stderr."""
+    """Return subprocess.check_output with the given command and ignores stderr."""
     with open(os.devnull, "w") as devnull:
         output = subprocess.check_output(command, stderr=devnull)
     return output

google/auth/_default.py

@@ -538,8 +538,10 @@ def _get_impersonated_service_account_credentials(filename, info, scopes):
     from google.auth import impersonated_credentials
 
     try:
-        credentials = impersonated_credentials.Credentials.from_impersonated_service_account_info(
-            info, scopes=scopes
+        credentials = (
+            impersonated_credentials.Credentials.from_impersonated_service_account_info(
+                info, scopes=scopes
+            )
         )
     except ValueError as caught_exc:
         msg = "Failed to load impersonated service account credentials from {}".format(
@@ -554,8 +556,8 @@ def _get_gdch_service_account_credentials(filename, info):
     from google.oauth2 import gdch_credentials
 
     try:
-        credentials = gdch_credentials.ServiceAccountCredentials.from_service_account_info(
-            info
+        credentials = (
+            gdch_credentials.ServiceAccountCredentials.from_service_account_info(info)
         )
     except ValueError as caught_exc:
         msg = "Failed to load GDCH service account credentials from {}".format(filename)

google/auth/_refresh_worker.py

@@ -61,8 +61,8 @@ def start_refresh(self, cred, request):
 
     def clear_error(self):
         """
-      Removes any errors that were stored from previous background refreshes.
-      """
+        Removes any errors that were stored from previous background refreshes.
+        """
         with self._lock:
             if self._worker:
                 self._worker._error_info = None

google/auth/aws.py

@@ -348,10 +348,10 @@ def _generate_authentication_header_map(
 class AwsSecurityCredentials:
     """A class that models AWS security credentials with an optional session token.
 
-        Attributes:
-            access_key_id (str): The AWS security credentials access key id.
-            secret_access_key (str): The AWS security credentials secret access key.
-            session_token (Optional[str]): The optional AWS security credentials session token. This should be set when using temporary credentials.
+    Attributes:
+        access_key_id (str): The AWS security credentials access key id.
+        secret_access_key (str): The AWS security credentials secret access key.
+        session_token (Optional[str]): The optional AWS security credentials session token. This should be set when using temporary credentials.
     """
 
     access_key_id: str
@@ -420,7 +420,6 @@ def __init__(self, credential_source):
 
     @_helpers.copy_docstring(AwsSecurityCredentialsSupplier)
     def get_aws_security_credentials(self, context, request):
-
         # Check environment variables for permanent credentials first.
         # https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html
         env_aws_access_key_id = os.environ.get(environment_vars.AWS_ACCESS_KEY_ID)
@@ -688,8 +687,8 @@ def __init__(
             )
         else:
             environment_id = credential_source.get("environment_id") or ""
-            self._aws_security_credentials_supplier = _DefaultAwsSecurityCredentialsSupplier(
-                credential_source
+            self._aws_security_credentials_supplier = (
+                _DefaultAwsSecurityCredentialsSupplier(credential_source)
             )
             self._cred_verification_url = credential_source.get(
                 "regional_cred_verification_url"
@@ -759,8 +758,10 @@ def retrieve_subject_token(self, request):
 
         # Retrieve the AWS security credentials needed to generate the signed
         # request.
-        aws_security_credentials = self._aws_security_credentials_supplier.get_aws_security_credentials(
-            self._supplier_context, request
+        aws_security_credentials = (
+            self._aws_security_credentials_supplier.get_aws_security_credentials(
+                self._supplier_context, request
+            )
         )
         # Generate the signed request to AWS STS GetCallerIdentity API.
         # Use the required regional endpoint. Otherwise, the request will fail.

google/auth/compute_engine/credentials.py

@@ -399,7 +399,6 @@ def with_target_audience(self, target_audience):
 
     @_helpers.copy_docstring(credentials.CredentialsWithQuotaProject)
     def with_quota_project(self, quota_project_id):
-
         # since the signer is already instantiated,
         # the request is not needed
         if self._use_metadata_identity_endpoint:
@@ -423,7 +422,6 @@ def with_quota_project(self, quota_project_id):
 
     @_helpers.copy_docstring(credentials.CredentialsWithTokenUri)
     def with_token_uri(self, token_uri):
-
         # since the signer is already instantiated,
         # the request is not needed
         if self._use_metadata_identity_endpoint:

google/auth/external_account.py

@@ -98,7 +98,8 @@ class Credentials(
     is used.
     When the credential configuration is accepted from an
     untrusted source, you should validate it before using.
-    Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details."""
+    Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
+    """
 
     def __init__(
         self,

google/auth/external_account_authorized_user.py

@@ -70,7 +70,8 @@ class Credentials(
     is used.
     When the credential configuration is accepted from an
     untrusted source, you should validate it before using.
-    Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details."""
+    Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
+    """
 
     def __init__(
         self,

google/auth/identity_pool.py

@@ -83,17 +83,17 @@ def get_subject_token(self, context, request):
 
 class _TokenContent(NamedTuple):
     """Models the token content response from file and url internal suppliers.
-        Attributes:
-            content (str): The string content of the file or URL response.
-            location (str): The location the content was retrieved from. This will either be a file location or a URL.
+    Attributes:
+        content (str): The string content of the file or URL response.
+        location (str): The location the content was retrieved from. This will either be a file location or a URL.
     """
 
     content: str
     location: str
 
 
 class _FileSupplier(SubjectTokenSupplier):
-    """ Internal implementation of subject token supplier which supports reading a subject token from a file."""
+    """Internal implementation of subject token supplier which supports reading a subject token from a file."""
 
     def __init__(self, path, format_type, subject_token_field_name):
         self._path = path
@@ -114,7 +114,7 @@ def get_subject_token(self, context, request):
 
 
 class _UrlSupplier(SubjectTokenSupplier):
-    """ Internal implementation of subject token supplier which supports retrieving a subject token by calling a URL endpoint."""
+    """Internal implementation of subject token supplier which supports retrieving a subject token by calling a URL endpoint."""
 
     def __init__(self, url, format_type, subject_token_field_name, headers):
         self._url = url
@@ -261,7 +261,8 @@ class Credentials(external_account.Credentials):
     is used.
     When the credential configuration is accepted from an
     untrusted source, you should validate it before using.
-    Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details."""
+    Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details.
+    """
 
     def __init__(
         self,
@@ -566,8 +567,8 @@ def refresh(self, request):
             cert_bytes = self._get_cert_bytes()
             cert = _agent_identity_utils.parse_certificate(cert_bytes)
             if _agent_identity_utils.should_request_bound_token(cert):
-                cert_fingerprint = _agent_identity_utils.calculate_certificate_fingerprint(
-                    cert
+                cert_fingerprint = (
+                    _agent_identity_utils.calculate_certificate_fingerprint(cert)
                 )
 
         self._refresh_token(request, cert_fingerprint=cert_fingerprint)

google/auth/jwt.py

@@ -586,7 +586,7 @@ def signer(self):
 
     @property  # type: ignore
     def additional_claims(self):
-        """ Additional claims the JWT object was created with."""
+        """Additional claims the JWT object was created with."""
         return self._additional_claims
 
 
@@ -760,7 +760,6 @@ def with_claims(self, issuer=None, subject=None, additional_claims=None):
 
     @_helpers.copy_docstring(google.auth.credentials.CredentialsWithQuotaProject)
     def with_quota_project(self, quota_project_id):
-
         return self.__class__(
             self._signer,
             issuer=self._issuer,

google/auth/metrics.py

@@ -48,6 +48,7 @@ def python_and_auth_lib_version():
 
 # Token request metric header values
 
+
 # x-goog-api-client header value for access token request via metadata server.
 # Example: "gl-python/3.7 auth/1.1 auth-request-type/at cred-type/mds"
 def token_request_access_token_mds():
@@ -108,6 +109,7 @@ def token_request_user():
 
 # Miscellenous metrics
 
+
 # x-goog-api-client header value for metadata server ping.
 # Example: "gl-python/3.7 auth/1.1 auth-request-type/mds"
 def mds_ping():