Merge bitcoin/bitcoin#34547: lint: modernise lint tooling

2424e52836 lint: doc: detail lint tool install methods (will)
5fefa5a654 Don't pin Python patch version (Sjors Provoost)
fd15b55c2e lint: use requirements.txt (will)
5f4d3383da lint: switch to ruff for formatting and linting (will)
a53b81ce4e lint: switch to uv for python management in linter (will)

Pull request description:

  Modernise our lint tooling by:

  \- Replacing pyenv + pip with [uv](https://docs.astral.sh/uv/) for better Python environment and dependency management
  \- Move uv ruff and ty to install via `COPY --from` multi-stage Docker image imports
  \- Moving ruff lint rules from hardcoded Rust array (in lint_py.rs) into a top-level ruff.toml
  \- Extracting all remaining pip dependencies into dedicated ci/lint/requirements.txt

  Extra rationale:

  `COPY --from` pulls pre-built binaries from upstream images instead of compiling/downloading at runtime. Containerfile layer optimisations reduce rebuild frequency further.

  Pinning tool versions in the dockerfile makes it more excplicit and easier to find.

  The tradeoff we make here is that there is no longer a single install script to install tooling on a local machine. However I think this is OK, as it currently only works for `apt`-based OSes anyway, and I don't think running the linter outside of the container is such a valuable use-case as it is with some of the other CI jobs.

ACKs for top commit:
  maflcko:
    review ACK 2424e52836 🗿
  sedited:
    ACK 2424e52836

Tree-SHA512: 32ef989c1e241cebe5f13da10abd23f6f63306591fd1f81880d688b886082bca17987591dc592c41fbb72278eba57b3cc6e786de7cfa80eb490ab34465d0119b

ci/lint/01_install.sh

@@ -22,29 +22,14 @@ ${CI_RETRY_EXE} apt-get update
 # - moreutils (used by scripted-diff)
 ${CI_RETRY_EXE} apt-get install -y cargo curl xz-utils git gpg moreutils
 
-PYTHON_PATH="/python_build"
-if [ ! -d "${PYTHON_PATH}/bin" ]; then
-  (
-    ${CI_RETRY_EXE} git clone --depth=1 https://github.com/pyenv/pyenv.git
-    cd pyenv/plugins/python-build || exit 1
-    ./install.sh
-  )
-  # For dependencies see https://github.com/pyenv/pyenv/wiki#suggested-build-environment
-  ${CI_RETRY_EXE} apt-get install -y build-essential libssl-dev zlib1g-dev \
-    libbz2-dev libreadline-dev libsqlite3-dev curl llvm \
-    libncursesw5-dev xz-utils tk-dev libxml2-dev libxmlsec1-dev libffi-dev liblzma-dev \
-    clang
-  env CC=clang python-build "$(cat "/.python-version")" "${PYTHON_PATH}"
-fi
-export PATH="${PYTHON_PATH}/bin:${PATH}"
+# Install Python and create venv using uv (reads version from .python-version)
+uv venv /python_env
+
+export PATH="/python_env/bin:${PATH}"
 command -v python3
 python3 --version
 
-${CI_RETRY_EXE} pip3 install \
-  lief==0.17.5 \
-  mypy==1.19.1 \
-  pyzmq==27.1.0 \
-  ruff==0.15.5
+uv pip install --python /python_env --requirements /ci/lint/requirements.txt
 
 SHELLCHECK_VERSION=v0.11.0
 curl --fail -L "https://github.com/koalaman/shellcheck/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.$(uname --machine).tar.xz" | \

ci/lint/06_script.sh

@@ -12,7 +12,7 @@ set -o errexit -o pipefail -o xtrace
 # of the mounted bitcoin src dir.
 git config --global --add safe.directory /bitcoin
 
-export PATH="/python_build/bin:${PATH}"
+export PATH="/python_env/bin:${PATH}"
 
 if [ -n "${LINT_CI_IS_PR}" ]; then
   export COMMIT_RANGE="HEAD~..HEAD"

ci/lint/requirements.txt

@@ -0,0 +1,3 @@
+lief==0.17.5
+mypy==1.19.1
+pyzmq==27.1.0

ci/lint_imagefile

@@ -6,8 +6,15 @@
 
 FROM mirror.gcr.io/ubuntu:24.04
 
+# Pin uv and ruff to minor version to avoid breaking changes
+# https://docs.astral.sh/uv/reference/policies/versioning/
+# https://docs.astral.sh/ruff/versioning/
+COPY --from=ghcr.io/astral-sh/uv:0.10 /uv /uvx /bin/
+COPY --from=ghcr.io/astral-sh/ruff:0.15 /ruff /bin/
+
 COPY ./ci/retry/retry /ci_retry
 COPY ./.python-version /.python-version
+COPY ./ci/lint/requirements.txt /ci/lint/requirements.txt
 COPY ./ci/lint/01_install.sh /install.sh
 
 RUN /install.sh && \