diff --git a/.github/workflows/check-python-versions.lock.yml b/.github/workflows/check-python-versions.lock.yml
index 2154731..6f50b61 100644
--- a/.github/workflows/check-python-versions.lock.yml
+++ b/.github/workflows/check-python-versions.lock.yml
@@ -21,9 +21,9 @@
 #
 # For more information: https://github.github.com/gh-aw/introduction/overview/
 #
-# Annual check of the latest supported Python versions from devguide.python.org. Creates a PR to add newly released versions and remove end-of-life versions from CI workflows, actions, Azure Pipelines, and source code.
+# Annual check of the latest supported Python versions from peps.python.org. Creates a PR to add newly released versions and remove end-of-life versions from CI workflows, actions, Azure Pipelines, and source code.
 #
-# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"9d3296491efb7bf7c3e0a99978036edb72d9a02f8e161a3522fe3da88a67ba65","compiler_version":"v0.47.5"}
+# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"bb962f8e02a0b044f2a7f184807c71f4bd237159c4e6fdbf55a16dbc05c241ad","compiler_version":"v0.47.5"}
 
 name: 'Annual Python Version Update'
 'on':
@@ -312,7 +312,7 @@ jobs:
               actor: context.actor,
               event_name: context.eventName,
               staged: false,
-              allowed_domains: ["python"],
+              allowed_domains: ["defaults","python","peps.python.org"],
               firewall_enabled: true,
               awf_version: "v0.20.2",
               awmg_version: "v0.1.4",
@@ -678,7 +678,7 @@ jobs:
         timeout-minutes: 20
         run: |
           set -o pipefail
-          sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crates.io,files.pythonhosted.org,github.com,host.docker.internal,index.crates.io,pip.pypa.io,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,static.crates.io,telemetry.enterprise.githubcopilot.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.20.2 --skip-pull --enable-api-proxy \
+          sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crates.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,host.docker.internal,index.crates.io,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,peps.python.org,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,static.crates.io,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.20.2 --skip-pull --enable-api-proxy \
             -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
         env:
           COPILOT_AGENT_RUNNER_TYPE: STANDALONE
@@ -758,7 +758,7 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
-          GH_AW_ALLOWED_DOMAINS: '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crates.io,files.pythonhosted.org,github.com,host.docker.internal,index.crates.io,pip.pypa.io,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,static.crates.io,telemetry.enterprise.githubcopilot.com'
+          GH_AW_ALLOWED_DOMAINS: '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crates.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,host.docker.internal,index.crates.io,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,peps.python.org,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,static.crates.io,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com'
           GITHUB_SERVER_URL: ${{ github.server_url }}
           GITHUB_API_URL: ${{ github.api_url }}
         with:
@@ -978,7 +978,7 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           WORKFLOW_NAME: 'Annual Python Version Update'
-          WORKFLOW_DESCRIPTION: 'Annual check of the latest supported Python versions from devguide.python.org. Creates a PR to add newly released versions and remove end-of-life versions from CI workflows, actions, Azure Pipelines, and source code.'
+          WORKFLOW_DESCRIPTION: 'Annual check of the latest supported Python versions from peps.python.org. Creates a PR to add newly released versions and remove end-of-life versions from CI workflows, actions, Azure Pipelines, and source code.'
           HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
         with:
           script: |
diff --git a/.github/workflows/check-python-versions.md b/.github/workflows/check-python-versions.md
index 5c74ca0..baa209b 100644
--- a/.github/workflows/check-python-versions.md
+++ b/.github/workflows/check-python-versions.md
@@ -1,8 +1,11 @@
 ---
 description: >
-  Annual check of the latest supported Python versions from devguide.python.org.
+  Annual check of the latest supported Python versions from peps.python.org.
   Creates a PR to add newly released versions and remove end-of-life versions
   from CI workflows, actions, Azure Pipelines, and source code.
+strict: false
+engine:
+  id: copilot
 on:
   schedule:
     - cron: "0 12 15 10 *"
@@ -15,7 +18,9 @@ tools:
     toolsets: [default]
 network:
   allowed:
+    - defaults
     - python
+    - "peps.python.org"
 safe-outputs:
   create-pull-request:
     draft: true
@@ -35,9 +40,9 @@ This repository is a VS Code extension that supports all actively maintained Pyt
 
 ### Step 1: Fetch current supported Python versions
 
-Fetch `https://devguide.python.org/versions/` and parse the **Supported versions** table.
+Fetch `https://peps.python.org/api/release-cycle.json` and parse the JSON response.
 
-Extract all versions that have a status of **bugfix** or **security**. These are the released, actively supported versions. Ignore versions with status **feature** or **prerelease** (these are not yet released).
+Each key in the JSON object is a Python version (e.g., `"3.13"`), and its value contains a `"status"` field. Extract all versions where the status is **`security`**, **`bugfix`**, or **`feature`**. Ignore versions with status **`end-of-life`** (or any other status).
 
 Build a sorted list of supported versions (e.g., `['3.10', '3.11', '3.12', '3.13', '3.14']`). The lowest is the minimum supported version, the highest is the newest.
 
@@ -94,7 +99,7 @@ Create a pull request with all the changes using the `create-pull-request` safe
 - **Title**: `Update supported Python versions`
 - **Body**: Include:
   - A summary of what changed (versions added/removed, minimum version update if applicable)
-  - A link to https://devguide.python.org/versions/ as the source of truth
+  - A link to https://peps.python.org/api/release-cycle.json as the source of truth
   - The list of files modified
   - A note to verify CI passes before merging
 
@@ -104,4 +109,4 @@ Create a pull request with all the changes using the `create-pull-request` safe
 - Preserve the quoting style in YAML files (single quotes around version strings)
 - Keep the matrix list sorted in ascending version order
 - The `PYTHON_VERSION` / `PythonVersion` / `PYTHON_MINOR` values represent the **minimum** supported version and should only be updated if that version has gone end-of-life
-- Do not include pre-release Python versions (status `feature` or `prerelease`) in any updates
+- Do not include pre-release Python versions (status `feature` or `prerelease`) in any updates
\ No newline at end of file