
Produce signed Go container image as part of builds

[Open] jsha opened this issue 5 months ago • 0 comments

Right now we use fetch-and-verify-go.sh to download Go from dl.google.com and verify its GPG signature. This is preferable to using the Docker Hub official golang images because we can always do it immediately after a Go release, which may be relevant for security releases. Also the official golang images aren't signed AFAICT.

Right now we do this download during the Boulder container build process. We'd like to split this out as a separate container image, and consume it from the Boulder container build process using a FROM command that takes a build arg (allowing us to override the Go container as needed). This will allow us to easily rebuild Boulder with a new Go version. It will also allow us to store our Go containers in a repo in prod that will be accessible even if dl.google.com is down.

Our automated release process should check if the appropriate Go version has a container image uploaded to our GHCR repository, and create one if needed.

Follow up to #8327

jsha, Aug 11 '25 23:08
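The two mechanisms the issue proposes, a Go base image consumed through a build-arg-driven `FROM`, and a release check that builds the image only when the registry lacks a tag for that Go version, as an added example. This is not Boulder's code and does not reproduce fetch-and-verify-go.sh; the registry path `ghcr.io/example/go`, the function names, the Debian base and the tag list are assumptions made for illustration. The tarball is expected to have been downloaded and GPG-verified before the build, so the image build itself never touches dl.google.com.

```shell
#!/bin/sh
# Added example, not Boulder's own release tooling. Hypothetical names:
# GO_IMAGE_REPO, go_image_dockerfile, boulder_dockerfile_head, needs_build,
# ensure_go_image. The registry path below is a placeholder.
set -eu

# Placeholder for the GHCR repository; the issue does not name the real one.
GO_IMAGE_REPO="${GO_IMAGE_REPO:-ghcr.io/example/go}"

# Dockerfile for the Go base image. It COPYs a tarball that was already
# fetched and GPG-verified on the host (the job fetch-and-verify-go.sh does
# today), so the build has no network dependency on dl.google.com.
go_image_dockerfile() {
  go_version="$1"
  cat <<EOF
FROM debian:bookworm-slim
ARG GO_VERSION=${go_version}
# go${go_version}.linux-amd64.tar.gz must be verified before this build runs.
COPY go${go_version}.linux-amd64.tar.gz /tmp/go.tar.gz
RUN tar -C /usr/local -xzf /tmp/go.tar.gz && rm /tmp/go.tar.gz
ENV PATH=/usr/local/go/bin:\$PATH
EOF
}

# Consumer side: ARG declared before FROM so the Go image can be swapped with
# `docker build --build-arg GO_IMAGE=...` without editing the Dockerfile.
boulder_dockerfile_head() {
  default_image="$1"
  cat <<EOF
ARG GO_IMAGE=${default_image}
FROM \${GO_IMAGE}
EOF
}

# Decide whether the release process must build an image for this Go
# version. Arguments: the version, and a newline-separated list of tags
# already present in the registry (what `crane ls` or the registry API
# would return). Fixed-string, whole-line match so "1.24.5" never matches
# "1.24.50" or a tag with different separators.
needs_build() {
  go_version="$1"
  existing_tags="$2"
  if printf '%s\n' "$existing_tags" | grep -Fqx -- "$go_version"; then
    echo no
  else
    echo yes
  fi
}

# Release step: build and push only when the tag is missing. Not invoked in
# this example; it requires docker, registry credentials and a verified
# go<version>.linux-amd64.tar.gz in the working directory.
ensure_go_image() {
  go_version="$1"
  existing_tags="$2"
  if [ "$(needs_build "$go_version" "$existing_tags")" = no ]; then
    echo "${GO_IMAGE_REPO}:${go_version} already exists"
    return 0
  fi
  go_image_dockerfile "$go_version" > Dockerfile.go
  docker build -f Dockerfile.go -t "${GO_IMAGE_REPO}:${go_version}" .
  docker push "${GO_IMAGE_REPO}:${go_version}"
}

# Constructed sample registry listing used to exercise needs_build offline.
SAMPLE_TAGS='1.24.4
1.24.5
1.23.11'
```

With this layout the Boulder Dockerfile starts with `ARG GO_IMAGE=ghcr.io/example/go:1.24.5` followed by `FROM ${GO_IMAGE}`, and rebuilding against a newer Go is a matter of running `ensure_go_image` for the new version and passing the resulting tag as the build arg. Signing the pushed image is a separate step that this example leaves out.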