feat: add git-lfs

docker/Dockerfile

@@ -8,6 +8,8 @@ ARG PREPEND_PATH=/usr/local/bin:${DEVTOOLSET_ROOTPATH}/usr/bin:
 ARG MANYLINUX_BUILDARCH=${BUILDARCH}
 ARG MANYLINUX_DISABLE_CLANG=0
 ARG MANYLINUX_DISABLE_CLANG_FOR_CPYTHON=0
+ARG MANYLINUX_CLANG_VERSION=21.1.4.0
+ARG MANYLINUX_COSIGN_VERSION=3.0.2
 
 
 FROM $BASEIMAGE AS runtime_base_packages
@@ -48,7 +50,7 @@ COPY build_scripts/build_utils.sh /build_scripts/
 
 
 # prepare cross-compilation support
-FROM --platform=linux/${MANYLINUX_BUILDARCH} ghcr.io/mayeut/static-clang:21.1.4.0 AS static_clang_bin
+FROM --platform=linux/${MANYLINUX_BUILDARCH} ghcr.io/mayeut/static-clang:${MANYLINUX_CLANG_VERSION} AS static_clang_bin
 FROM runtime_base_packages AS static_clang_prepare
 ARG MANYLINUX_DISABLE_CLANG
 COPY build_scripts/install-clang-static.sh /build_scripts/
@@ -139,7 +141,7 @@ RUN --mount=type=bind,from=static_clang,target=/tmp/cross-compiler,ro \
     /tmp/cross-compiler/entrypoint /build_scripts/build-mpdecimal.sh
 
 
-FROM --platform=${BUILDPLATFORM} ghcr.io/sigstore/cosign/cosign:v2.5.0 AS cosign-bin
+FROM --platform=${BUILDPLATFORM} ghcr.io/sigstore/cosign/cosign:v${MANYLINUX_COSIGN_VERSION} AS cosign-bin
 
 
 FROM build_base AS build_cpython

docker/build_scripts/finalize.sh

@@ -91,6 +91,8 @@ for TOOL_PATH in "${MY_DIR}/requirements-tools/"*; do
 	esac
 done
 
+"${MY_DIR}/install-git-lfs.sh"
+
 # We do not need the precompiled .pyc and .pyo files.
 clean_pyc /opt/_internal
 

docker/build_scripts/install-git-lfs.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# Top-level build script called from Dockerfile
+
+# Stop at any error, show all commands
+set -exuo pipefail
+
+# Get script directory
+MY_DIR=$(dirname "${BASH_SOURCE[0]}")
+
+# Get build utilities
+# shellcheck source-path=SCRIPTDIR
+source "${MY_DIR}/build_utils.sh"
+
+cd /tmp
+case "${AUDITWHEEL_ARCH}" in
+	x86_64) GOARCH=amd64;;
+	i686) GOARCH=386;;
+	aarch64) GOARCH=arm64;;
+	armv7l) GOARCH=arm;;
+	*) GOARCH="${AUDITWHEEL_ARCH}";;
+esac
+
+GIT_LFS_VERSION=3.7.1
+GIT_LFS_SHA256=sha256sums.asc
+GIT_LFS_ARCHIVE="git-lfs-linux-${GOARCH}-v${GIT_LFS_VERSION}.tar.gz"
+
+# for some reason, using --homedir gpg option fails, let's backup instead
+if [ -d ~/.gnupg ]; then
+	mv ~/.gnupg ~/.gnupg.backup
+fi
+
+tar -Ozxf "${MY_DIR}/git-lfs-core-gpg-keys" | gpg --import -
+
+curl -fsSLo "${GIT_LFS_SHA256}" "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/sha256sums.asc"
+curl -fsSLo "${GIT_LFS_ARCHIVE}" "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/${GIT_LFS_ARCHIVE}"
+
+gpg -d "${GIT_LFS_SHA256}" | grep "${GIT_LFS_ARCHIVE}" | sha256sum -c
+if [ "${AUDITWHEEL_POLICY}" != "manylinux2014" ]; then
+	gpgconf --kill gpg-agent
+fi
+
+mkdir git-lfs
+tar -C git-lfs -xf "${GIT_LFS_ARCHIVE}" --strip-components 1
+./git-lfs/install.sh
+
+rm -rf ~/.gnupg
+if [ -d ~/.gnupg.backup ]; then
+	mv ~/.gnupg.backup ~/.gnupg
+fi
+
+rm -rf "${GIT_LFS_SHA256}" "${GIT_LFS_ARCHIVE}" ./git-lfs

docker/build_scripts/install-runtime-packages.sh

@@ -117,7 +117,7 @@ if [ "${AUDITWHEEL_POLICY}" == "manylinux2014" ]; then
 	fi
 	fixup-mirrors
 elif [ "${OS_ID_LIKE}" == "rhel" ]; then
-	BASE_TOOLS+=(glibc-locale-source glibc-langpack-en gzip hardlink hostname libcurl libnsl libxcrypt which)
+	BASE_TOOLS+=(glibc-locale-source glibc-langpack-en gnupg2 gzip hardlink hostname libcurl libnsl libxcrypt which)
 	echo "tsflags=nodocs" >> /etc/dnf/dnf.conf
 	dnf -y upgrade
 	EPEL=epel-release

docker/tests/run_tests.sh

@@ -119,6 +119,7 @@ automake --version
 libtoolize --version
 patchelf --version
 git --version
+git lfs --version
 cmake --version
 swig -version
 pipx run nox --version

tools/update_native_dependencies.py

@@ -199,11 +199,57 @@ def _update_tcltk(dry_run):
         break
 
 
+def _update_git_lfs(dry_run):
+    file = PROJECT_ROOT / "docker" / "build_scripts" / "install-git-lfs.sh"
+    lines = file.read_text().splitlines()
+    re_ = re.compile(r"^GIT_LFS_VERSION=(?P<version>\S+)$")
+    for i in range(len(lines)):
+        match = re_.match(lines[i])
+        if match is None:
+            continue
+        current_version = Version(match["version"])
+        latest_version = latest("git-lfs")
+        if latest_version > current_version:
+            lines[i] = f"GIT_LFS_VERSION={latest_version}"
+            message = f"Bump git-lfs  {current_version} → {latest_version}"
+            print(message)
+            if not dry_run:
+                file.write_text("\n".join(lines) + "\n")
+                subprocess.check_call(["git", "commit", "-am", message])
+        break
+
+
+def _update_image(tool, dry_run):
+    repo = {
+        "clang": "mayeut/static-clang-images",
+        "cosign": "sigstore/cosign",
+    }
+    lines = DOCKERFILE.read_text().splitlines()
+    re_ = re.compile(rf"^ARG MANYLINUX_{tool.upper()}_VERSION=(?P<version>\S+)$")
+    for i in range(len(lines)):
+        match = re_.match(lines[i])
+        if match is None:
+            continue
+        current_version = Version(match["version"])
+        latest_version = latest(repo.get(tool, tool))
+        if latest_version > current_version:
+            lines[i] = f"ARG MANYLINUX_{tool.upper()}_VERSION={latest_version}"
+            message = f"Bump {tool}  {current_version} → {latest_version}"
+            print(message)
+            if not dry_run:
+                DOCKERFILE.write_text("\n".join(lines) + "\n")
+                subprocess.check_call(["git", "commit", "-am", message])
+        break
+
+
 def main():
     parser = argparse.ArgumentParser()
     parser.add_argument("--dry-run", dest="dry_run", action="store_true", help="dry run")
     args = parser.parse_args()
+    _update_image("clang", args.dry_run)
+    _update_image("cosign", args.dry_run)
     _update_cpython(args.dry_run)
+    _update_git_lfs(args.dry_run)
     _update_sqlite(args.dry_run)
     _update_tcltk(args.dry_run)
     for tool in ["autoconf", "automake", "libtool", "git", "openssl", "curl"]: