feat: manylinux_2_38_loongarch64 & musllinux_1_2_loongarch64

[wojiushixiaobai]

• New architecture support [LoongArch] #1587

[Copilot]

Pull request overview

Adds LoongArch64 (loongarch64/loong64) support to the build, test, and packaging pipeline for the new manylinux_2_38 policy and existing musllinux_1_2 policy.

Changes:

• Extend CI build matrix and QEMU setup to build/test manylinux_2_38_loongarch64 and musllinux_1_2_loongarch64.
• Update build/runtime tooling to handle LoongArch64 specifics (base images, package installation, git-lfs arch mapping, tool install exceptions).
• Adjust tests and compatibility checks for LoongArch64 and skip unsupported tooling (uv).

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
docker/tests/run_tests.sh	Skips uv-based wheel install test on loongarch64.
docker/tests/manylinux-check.py	Allows linux-loongarch64 in the manylinux2014 compatibility heuristic used by tests.
docker/build_scripts/install-runtime-packages.sh	Adds loongarch64-specific dnf/runtime setup (Anolis/OpenAnolis repo handling, package list differences, toolchain selection for manylinux_2_38).
docker/build_scripts/install-git-lfs.sh	Maps loongarch64 to Go’s loong64 for fetching git-lfs binaries.
docker/build_scripts/finalize.sh	Skips uv on loongarch64 and installs select tools via system packages / alternative paths.
docker/build_scripts/build-cpython.sh	Applies LoongArch64-related patches/aux files when building CPython (especially older branches).
docker/build_scripts/build_utils.sh	Treats Anolis-like distros as rhel for packaging logic.
build.sh	Adds manylinux_2_38 base image/settings and loongarch64 GOARCH mapping; uses LoongArch-capable Alpine registry image for musllinux.
.github/workflows/build.yml	Adds loongarch64 to matrix and enables QEMU for it.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The config.sub/config.guess downloads are pulled from the live upstream URL without any pinning (tag/commit) or integrity verification. This makes the build non-reproducible and introduces supply-chain risk; consider pinning to a specific revision (or vendoring the files) and verifying via a recorded SHA256 before use.

Suggested change

	fetch_source "config.sub" "https://git.savannah.gnu.org/cgit/config.git/plain"
	fetch_source "config.guess" "https://git.savannah.gnu.org/cgit/config.git/plain"
	# Pin config.sub/config.guess to a specific upstream revision and verify integrity
	CONFIG_GNU_COMMIT="cea70b35f3e3afbc2281d4ed9ecb0aebf1b3ce25" # pinned config.git commit
	CONFIG_SUB_SHA256="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" # expected SHA256 for config.sub
	CONFIG_GUESS_SHA256="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" # expected SHA256 for config.guess
	curl -fsSL "https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=${CONFIG_GNU_COMMIT}" -o config.sub
	echo "${CONFIG_SUB_SHA256} config.sub" | sha256sum -c -
	curl -fsSL "https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=${CONFIG_GNU_COMMIT}" -o config.guess
	echo "${CONFIG_GUESS_SHA256} config.guess" | sha256sum -c -

[wojiushixiaobai]

Thanks @auvipy

We have refined the logic based on the existing work with the following improvements:

• Pinned Source Assets: config.sub and config.guess are now fetched from a specific commit to ensure build reproducibility, rather than pulling from the moving master branch.
• Unified Verification: Introduced a download_and_verify function to enforce SHA256 checksums for all external assets (patches and config scripts).

[mayeut]

Thanks for the PR and the follow-up.

• Per the discussion linked in the description, one pre-requisite is for PyPI to accept the wheels that will be produced by the new images which is not the case for now if I'm not mistaken.

• Given Python 3.8 is scheduled for removal next month, I'd rather wait for that as well, meaning this PR could be rebased on Add CPython 3.15 #1884 which would also allow to get rid of some patches.

I'll likely do a more thorough review once the second item is done but the PR won't be merged before the first item gets resolved.