refactor: streamline Docker build and .deb packaging process

sheurich · sheurich · commit 556ccf8943d5 · 2025-09-10T08:04:02.000-04:00
diff --git a/tools/container-build.sh b/tools/container-build.sh
@@ -33,27 +33,27 @@ case "$PLATFORM" in
     *) echo "Unsupported platform: ${PLATFORM}" && exit 1 ;;
 esac
 
+# Define single tag to avoid collisions and redundancy
+TAG="boulder:${VERSION}-${ARCH}"
+
 # Create platform-specific image
 docker buildx build \
     --file Containerfile \
     --platform "$PLATFORM" \
     --build-arg "COMMIT_ID=${COMMIT_ID}" \
     --build-arg "GO_VERSION=${GO_VERSION}" \
     --build-arg "VERSION=${VERSION}" \
-    --tag "boulder:${VERSION}-${ARCH}" \
-    --tag "boulder:${VERSION}" \
-    --tag "boulder:${COMMIT_ID}" \
-    --tag boulder \
+    --tag "${TAG}" \
     --load \
     .
 
 # Create tarball
-docker run "boulder:${VERSION}-${ARCH}" tar -C /opt/boulder -cpz . > "./boulder-${VERSION}-${COMMIT_ID}.${ARCH}.tar.gz"
+docker run "${TAG}" tar -C /opt/boulder -cpz . > "./boulder-${VERSION}-${COMMIT_ID}.${ARCH}.tar.gz"
 
 # Create .deb package
 docker run -v .:/boulderrepo \
     -e "COMMIT_ID=${COMMIT_ID}" \
     -e "VERSION=${VERSION}" \
     -e "ARCH=${ARCH}" \
-    "boulder:${VERSION}-${ARCH}" \
+    "${TAG}" \
     /boulderrepo/tools/make-deb.sh
diff --git a/tools/make-deb.sh b/tools/make-deb.sh
@@ -1,43 +1,34 @@
 #!/usr/bin/env bash
 #
-# Produce a .deb from a built Boulder plus helper files.
+# Produce a .deb package from a built Boulder container.
 #
-# This script expects to run on Ubuntu, as configured on GitHub Actions runners
-# (with curl, make, and git installed).
+# This script is executed inside the Boulder Docker container by container-build.sh.
+# It packages the Boulder binary and assets into a Debian package for distribution.
 #
 # -e Stops execution in the instance of a command or pipeline error.
 # -u Treat unset variables as an error and exit immediately.
 set -eu
-cd "$(realpath -- "$(dirname -- "$0")")/.."
 
-BUILD="$(mktemp -d)"
+if [ -z "${VERSION:-}" ]; then echo "VERSION not set"; exit 1; fi
+if [ -z "${COMMIT_ID:-}" ]; then echo "COMMIT_ID not set"; exit 1; fi
+if [ -z "${ARCH:-}" ]; then echo "ARCH not set"; exit 1; fi
 
+BUILD="$(mktemp -d)"
 mkdir -p "${BUILD}/opt"
 cp -a /opt/boulder "${BUILD}/opt/boulder"
 
-# Determine architecture - use ARCH env var if set, otherwise detect from uname
-if [ -n "${ARCH:-}" ]; then
-    DEB_ARCH="${ARCH}"
-else
-    case "$(uname -m)" in
-        "x86_64") DEB_ARCH="amd64" ;;
-        "aarch64"|"arm64") DEB_ARCH="arm64" ;;
-        *) echo "Unsupported architecture: $(uname -m)" && exit 1 ;;
-    esac
-fi
-
 mkdir -p "${BUILD}/DEBIAN"
-cat > "${BUILD}/DEBIAN/control" <<-EOF
+cat >"${BUILD}/DEBIAN/control" <<-EOF
 Package: boulder
 Version: 1:${VERSION}
 License: Mozilla Public License v2.0
 Vendor: ISRG
-Architecture: ${DEB_ARCH}
+Architecture: ${ARCH}
 Maintainer: Community
 Section: default
 Priority: extra
 Homepage: https://github.com/letsencrypt/boulder
 Description: Boulder is an ACME-compatible X.509 Certificate Authority
 EOF
 
-dpkg-deb -Zgzip -b "${BUILD}" "boulder-${VERSION}-${COMMIT_ID}.${DEB_ARCH}.deb"
+dpkg-deb -Zgzip -b "${BUILD}" "boulder-${VERSION}-${COMMIT_ID}.${ARCH}.deb"
