Mantle's release archives contain compiled Go dependencies under Apache 2.0, MIT, BSD, and MPL licenses. Apache 2.0 in particular requires that upstream NOTICE files be reproduced in distributions. Currently the release pipeline has no step to collect or bundle these notices.
Change:
- Add `go-licenses` (or `cyclonedx-gomod`) to the release workflow to generate a `NOTICE` or `third_party_licenses.txt` file
- Include the generated file in the goreleaser archives via the `files` stanza
- Optionally include it in the Docker image at `/usr/local/share/mantle/NOTICE`

This is most important for Apache 2.0 dependencies like google.golang.org/grpc, OpenTelemetry, and the AWS/Azure/GCP SDKs.
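
A sketch of the goreleaser side of the change proposed above, added here as an example and not taken from Mantle's repository. The `third_party_licenses` directory name and the `v1.6.0` pin of go-licenses are assumptions.

```yaml
# Added example, not Mantle's actual .goreleaser.yaml.
# Assumed: output directory third_party_licenses/ and the go-licenses version pin.
before:
  hooks:
    # Save the LICENSE and NOTICE files of every dependency reachable from ./...
    # --force replaces the output of a previous run.
    - go run github.com/google/go-licenses@v1.6.0 save ./... --save_path=third_party_licenses --force

archives:
  - files:
      # Setting `files` replaces goreleaser's default globs, so the project's
      # own license and readme are listed again next to the generated notices.
      - LICENSE*
      - README*
      - third_party_licenses/**/*
```

Listing the output directory in `.gitignore` keeps the generated files out of the repository and out of goreleaser's clean-tree check.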