Board Development & Technical Discussion
Merits 8 from 3 users
SHA-256 implementation in Bitcoin script under 400K vbytes
by Sergio_Demian_Lerner on 27/04/2024, 03:00:14 UTC
Merited by hugeblack (6), garlonicon (1), ABCbits (1)
Martin Jonas (BitVMX team) created a SHA-256 implementation in Bitcoin script that hashes 64 bytes, and the code fits into a standard taproot script.

The limiting factor is the maximum script stack (1000 elements). With a larger stack, it could probably be shrunk to ~100 Kb.

This was a contribution to the BitVM2 implementation in Rust.

https://github.com/BitVM/BitVM/pull/65

The use of nibbles (4-bit words) instead of 32-bit words is interesting. That's perfect for tables involving two 4-bit operands (AND, OR, XOR, SHIFT, etc.).

Why create a SHA-256 implementation in script if there is an OP_SHA256 opcode?

Because Bitcoin script cannot expand the OP_SHA256 output value (32 bytes) into individual bytes in the stack. Therefore, OP_SHA256 cannot be used to check properties of the input and output inside the script. This prevents the use of OP_SHA256 to verify Lamport/Winternitz signatures.

(Note: Martin works @ https://fairgate.io and he is a contributor to the https://BitVMX.org project)
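As an added example (not code from the post or the BitVM repository), here is a Winternitz one-time signature in Python that operates on the 4-bit nibbles of a SHA-256 digest, with a constructed seed and the standard W-OTS checksum encoding assumed. The verifier's first step, `to_nibbles(H(message))`, is exactly the operation Bitcoin script cannot perform on OP_SHA256 output, which is why an in-script SHA-256 that yields nibbles is needed to verify such signatures on-chain.

```python
import hashlib

# Constructed parameters: nibble-sized Winternitz chunks (w = 4), matching
# the 4-bit word approach described in the post.
CHAIN_LEN = 16                    # 2**4 hash steps per chain
N_MSG_NIBBLES = 64                # SHA-256 digest: 32 bytes = 64 nibbles
N_CHECKSUM_NIBBLES = 3            # max checksum 64 * 15 = 960 < 16**3
N_CHAINS = N_MSG_NIBBLES + N_CHECKSUM_NIBBLES

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def to_nibbles(data: bytes) -> list[int]:
    """Split bytes into 4-bit values, high nibble first: the step Bitcoin
    script cannot perform on the output of OP_SHA256."""
    return [n for b in data for n in (b >> 4, b & 0xF)]

def checksum_nibbles(msg_nibbles: list[int]) -> list[int]:
    """Standard Winternitz checksum, sum of (15 - d_i): raising a message
    nibble lowers the checksum, which would require reversing a hash chain."""
    s = sum(CHAIN_LEN - 1 - d for d in msg_nibbles)
    return [(s >> 8) & 0xF, (s >> 4) & 0xF, s & 0xF]

def digits(message: bytes) -> list[int]:
    d = to_nibbles(H(message))
    return d + checksum_nibbles(d)

def hash_chain(start: bytes, steps: int) -> bytes:
    for _ in range(steps):
        start = H(start)
    return start

def keygen(seed: bytes):
    # Secret chain starts derived from a constructed seed; pk is each chain's end.
    sk = [H(seed + i.to_bytes(2, "big")) for i in range(N_CHAINS)]
    pk = [hash_chain(s, CHAIN_LEN - 1) for s in sk]
    return sk, pk

def sign(sk: list[bytes], message: bytes) -> list[bytes]:
    return [hash_chain(s, d) for s, d in zip(sk, digits(message))]

def verify(pk: list[bytes], message: bytes, sig: list[bytes]) -> bool:
    # The verifier must see each nibble d_i of H(message) to know how many
    # remaining steps (15 - d_i) should carry sig[i] onto pk[i].
    if len(sig) != N_CHAINS:
        return False
    return all(hash_chain(s, CHAIN_LEN - 1 - d) == p
               for s, d, p in zip(sig, digits(message), pk))
```

In script, every `hash_chain` step would be an OP_SHA256 call, but the 67 per-chain step counts come from the nibbles of the message digest, which is the data OP_SHA256 cannot expose.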