diff --git a/docker/Dockerfile b/docker/Dockerfile
index b9e438ae..834e6970 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -8,6 +8,8 @@ ARG PREPEND_PATH=/usr/local/bin:${DEVTOOLSET_ROOTPATH}/usr/bin:
ARG MANYLINUX_BUILDARCH=${BUILDARCH}
ARG MANYLINUX_DISABLE_CLANG=0
ARG MANYLINUX_DISABLE_CLANG_FOR_CPYTHON=0
+ARG MANYLINUX_CLANG_VERSION=21.1.4.0
+ARG MANYLINUX_COSIGN_VERSION=3.0.2
FROM $BASEIMAGE AS runtime_base_packages
@@ -48,7 +50,7 @@ COPY build_scripts/build_utils.sh /build_scripts/
# prepare cross-compilation support
-FROM --platform=linux/${MANYLINUX_BUILDARCH} ghcr.io/mayeut/static-clang:21.1.4.0 AS static_clang_bin
+FROM --platform=linux/${MANYLINUX_BUILDARCH} ghcr.io/mayeut/static-clang:${MANYLINUX_CLANG_VERSION} AS static_clang_bin
FROM runtime_base_packages AS static_clang_prepare
ARG MANYLINUX_DISABLE_CLANG
COPY build_scripts/install-clang-static.sh /build_scripts/
@@ -139,7 +141,7 @@ RUN --mount=type=bind,from=static_clang,target=/tmp/cross-compiler,ro \
/tmp/cross-compiler/entrypoint /build_scripts/build-mpdecimal.sh
-FROM --platform=${BUILDPLATFORM} ghcr.io/sigstore/cosign/cosign:v2.5.0 AS cosign-bin
+FROM --platform=${BUILDPLATFORM} ghcr.io/sigstore/cosign/cosign:v${MANYLINUX_COSIGN_VERSION} AS cosign-bin
FROM build_base AS build_cpython
diff --git a/docker/build_scripts/finalize.sh b/docker/build_scripts/finalize.sh
index 883b55a7..ce713649 100755
--- a/docker/build_scripts/finalize.sh
+++ b/docker/build_scripts/finalize.sh
@@ -91,6 +91,8 @@ for TOOL_PATH in "${MY_DIR}/requirements-tools/"*; do
esac
done
+"${MY_DIR}/install-git-lfs.sh"
# We do not need the precompiled .pyc and .pyo files.
clean_pyc /opt/_internal
diff --git a/docker/build_scripts/git-lfs-core-gpg-keys b/docker/build_scripts/git-lfs-core-gpg-keys
new file mode 100644
index 00000000..fd06df83
Binary files /dev/null and b/docker/build_scripts/git-lfs-core-gpg-keys differ
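Review bot: The `MANYLINUX_CLANG_VERSION` and `MANYLINUX_COSIGN_VERSION` args select the `static_clang_bin` and `cosign-bin` stages by tag only, and registry tags are mutable, so the version pin does not fix the image bytes the build consumes. This predates the change, but now that `update_native_dependencies.py` rewrites these lines automatically it is the natural place to carry an immutable pin as well, e.g. `ghcr.io/sigstore/cosign/cosign:v${MANYLINUX_COSIGN_VERSION}@sha256:<digest>` with the digest kept in a sibling ARG that the updater refreshes together with the version. If these stages are already verified elsewhere in the build, a comment next to the two ARGs pointing at that check would answer the question for the next reader.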
diff --git a/docker/build_scripts/install-git-lfs.sh b/docker/build_scripts/install-git-lfs.sh
new file mode 100755
index 00000000..1ade8eda
--- /dev/null
+++ b/docker/build_scripts/install-git-lfs.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+# Top-level build script called from Dockerfile
+
+# Stop at any error, show all commands
+set -exuo pipefail
+
+# Get script directory
+MY_DIR=$(dirname "${BASH_SOURCE[0]}")
+
+# Get build utilities
+# shellcheck source-path=SCRIPTDIR
+source "${MY_DIR}/build_utils.sh"
+
+cd /tmp
+case "${AUDITWHEEL_ARCH}" in
+ x86_64) GOARCH=amd64;;
+ i686) GOARCH=386;;
+ aarch64) GOARCH=arm64;;
+ armv7l) GOARCH=arm;;
+ *) GOARCH="${AUDITWHEEL_ARCH}";;
+esac
+
+GIT_LFS_VERSION=3.7.1
+GIT_LFS_SHA256=sha256sums.asc
+GIT_LFS_ARCHIVE="git-lfs-linux-${GOARCH}-v${GIT_LFS_VERSION}.tar.gz"
+
+# for some reason, using --homedir gpg option fails, let's backup instead
+if [ -d ~/.gnupg ]; then
+ mv ~/.gnupg ~/.gnupg.backup
+fi
+
+tar -Ozxf "${MY_DIR}/git-lfs-core-gpg-keys" | gpg --import -
+
+curl -fsSLo "${GIT_LFS_SHA256}" "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/sha256sums.asc"
+curl -fsSLo "${GIT_LFS_ARCHIVE}" "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/${GIT_LFS_ARCHIVE}"
+
+gpg -d "${GIT_LFS_SHA256}" | grep "${GIT_LFS_ARCHIVE}" | sha256sum -c
+if [ "${AUDITWHEEL_POLICY}" != "manylinux2014" ]; then
+ gpgconf --kill gpg-agent
+fi
+
+mkdir git-lfs
+tar -C git-lfs -xf "${GIT_LFS_ARCHIVE}" --strip-components 1
+./git-lfs/install.sh
+
+rm -rf ~/.gnupg
+if [ -d ~/.gnupg.backup ]; then
+ mv ~/.gnupg.backup ~/.gnupg
+fi
+
+rm -rf "${GIT_LFS_SHA256}" "${GIT_LFS_ARCHIVE}" ./git-lfs
diff --git a/docker/build_scripts/install-runtime-packages.sh b/docker/build_scripts/install-runtime-packages.sh
index c3d7dcdb..d8b5f33d 100755
--- a/docker/build_scripts/install-runtime-packages.sh
+++ b/docker/build_scripts/install-runtime-packages.sh
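Review bot: The only trust anchor for the download is the committed `git-lfs-core-gpg-keys` blob imported by `tar -Ozxf ... | gpg --import -`, and the script records neither where those keys came from nor which key identities are expected, so a later change to that binary file cannot be reviewed against anything; add a comment above that line naming the upstream key source, listing the expected fingerprints and the refresh procedure, and consider comparing the output of `gpg --list-keys --with-colons` against that list before `gpg -d` runs. The checksum selection `grep "${GIT_LFS_ARCHIVE}"` treats the archive name as an unanchored regular expression; `grep -F -- " ${GIT_LFS_ARCHIVE}"` keeps an unrelated entry that merely contains the same text from reaching `sha256sum -c`. The comment on the `~/.gnupg` move only mentions the `--homedir` failure, but the move is also what guarantees the keyring holds nothing but the imported keys when `gpg -d` exits, which `set -o pipefail` turns into the build-failing check; that is worth stating, e.g. `# keep the keyring limited to the imported keys so gpg -d fails on any other signer`.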
@@ -117,7 +117,7 @@ if [ "${AUDITWHEEL_POLICY}" == "manylinux2014" ]; then
fi
fixup-mirrors
elif [ "${OS_ID_LIKE}" == "rhel" ]; then
- BASE_TOOLS+=(glibc-locale-source glibc-langpack-en gzip hardlink hostname libcurl libnsl libxcrypt which)
+ BASE_TOOLS+=(glibc-locale-source glibc-langpack-en gnupg2 gzip hardlink hostname libcurl libnsl libxcrypt which)
echo "tsflags=nodocs" >> /etc/dnf/dnf.conf
dnf -y upgrade
EPEL=epel-release
diff --git a/docker/tests/run_tests.sh b/docker/tests/run_tests.sh
index cbde49e2..c1e042a9 100755
--- a/docker/tests/run_tests.sh
+++ b/docker/tests/run_tests.sh
@@ -119,6 +119,7 @@ automake --version
libtoolize --version
patchelf --version
git --version
+git lfs --version
cmake --version
swig -version
pipx run nox --version
diff --git a/tools/update_native_dependencies.py b/tools/update_native_dependencies.py
index 2e24c070..f2da70db 100644
--- a/tools/update_native_dependencies.py
+++ b/tools/update_native_dependencies.py
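Review bot: `gnupg2` is added to BASE_TOOLS only in the `rhel`-like branch, while `install-git-lfs.sh` from this commit calls `gpg` under every policy and special-cases `manylinux2014` only for `gpgconf`, so the manylinux2014 path appears to rely on gpg already being present in that base image; a comment on the changed line, e.g. `# gnupg2: signature check in install-git-lfs.sh (manylinux2014 base already ships gpg)`, would record that assumption once confirmed. Since this is the runtime package set, gpg also ships in the final image although, as far as this diff shows, it is only needed for that build-time verification; say whether that is intended or why it has to stay.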
@@ -199,11 +199,57 @@ def _update_tcltk(dry_run): break +def _update_git_lfs(dry_run): + file = PROJECT_ROOT / "docker" / "build_scripts" / "install-git-lfs.sh" + lines = file.read_text().splitlines() + re_ = re.compile(r"^GIT_LFS_VERSION=(?P\S+)$") + for i in range(len(lines)): + match = re_.match(lines[i]) + if match is None: + continue + current_version = Version(match["version"]) + latest_version = latest("git-lfs") + if latest_version > current_version: + lines[i] = f"GIT_LFS_VERSION={latest_version}" + message = f"Bump git-lfs {current_version} → {latest_version}" + print(message) + if not dry_run: + file.write_text("\n".join(lines) + "\n") + subprocess.check_call(["git", "commit", "-am", message]) + break + + +def _update_image(tool, dry_run): + repo = { + "clang": "mayeut/static-clang-images", + "cosign": "sigstore/cosign", + } + lines = DOCKERFILE.read_text().splitlines() + re_ = re.compile(rf"^ARG MANYLINUX_{tool.upper()}_VERSION=(?P\S+)$") + for i in range(len(lines)): + match = re_.match(lines[i]) + if match is None: + continue + current_version = Version(match["version"]) + latest_version = latest(repo.get(tool, tool)) + if latest_version > current_version: + lines[i] = f"ARG MANYLINUX_{tool.upper()}_VERSION={latest_version}" + message = f"Bump {tool} {current_version} → {latest_version}" + print(message) + if not dry_run: + DOCKERFILE.write_text("\n".join(lines) + "\n") + subprocess.check_call(["git", "commit", "-am", message]) + break + + def main(): parser = argparse.ArgumentParser() parser.add_argument("--dry-run", dest="dry_run", action="store_true", help="dry run") args = parser.parse_args() + _update_image("clang", args.dry_run) + _update_image("cosign", args.dry_run) _update_cpython(args.dry_run) + _update_git_lfs(args.dry_run) _update_sqlite(args.dry_run) _update_tcltk(args.dry_run) for tool in ["autoconf", "automake", "libtool", "git", "openssl", "curl"]:
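Review bot: `_update_git_lfs` and `_update_image` repeat the same read–match–compare–rewrite–commit loop with only the file, the regex, the project queried through `latest()` and the replacement line differing, so the next change to the commit or comparison logic has to be made twice (and, judging by `_update_tcltk` above the hunk, probably more often). A helper taking those inputs lets each updater become a declarative call, as sketched below, and `for i, line in enumerate(lines)` replaces the `range(len(lines))` index loop along the way. Behaviour is unchanged: first matching line wins, `latest()` is still called only after a match, and the printed message keeps the tool name rather than the repository. The `main()` body continues past the end of the hunk.
```python
def _bump_pinned_version(path, pattern, project, label, render, dry_run):
    # Shared body of the version bumpers: rewrite the first line of `path`
    # whose `pattern` match carries a "version" group older than the latest
    # `project` release, print the bump message, commit unless `dry_run`.
    lines = path.read_text().splitlines()
    for i, line in enumerate(lines):
        match = pattern.match(line)
        if match is None:
            continue
        current_version = Version(match["version"])
        latest_version = latest(project)
        if latest_version > current_version:
            lines[i] = render(latest_version)
            message = f"Bump {label} {current_version} → {latest_version}"
            print(message)
            if not dry_run:
                path.write_text("\n".join(lines) + "\n")
                subprocess.check_call(["git", "commit", "-am", message])
        break


def _update_git_lfs(dry_run):
    _bump_pinned_version(
        PROJECT_ROOT / "docker" / "build_scripts" / "install-git-lfs.sh",
        re.compile(r"^GIT_LFS_VERSION=(?P<version>\S+)$"),
        "git-lfs",
        "git-lfs",
        lambda v: f"GIT_LFS_VERSION={v}",
        dry_run,
    )


def _update_image(tool, dry_run):
    repo = {"clang": "mayeut/static-clang-images", "cosign": "sigstore/cosign"}
    arg = f"MANYLINUX_{tool.upper()}_VERSION"
    _bump_pinned_version(
        DOCKERFILE,
        re.compile(rf"^ARG {arg}=(?P<version>\S+)$"),
        repo.get(tool, tool),
        tool,
        lambda v: f"ARG {arg}={v}",
        dry_run,
    )

# … unchanged: main() and its argument parsing …
```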