Description
Likely has been an issue throughout the lifetime of the code.
At present the code is pulling the old pre-modules version of the code (2.32.0), so 2.33.0 through to present, haven't reflected licences to the go boot code. We need to check to see if those releases are missing licenses, but I think the risk there is small as the Go code used isn't large.
The current fix would be to move things to be module aware and pull the v2 (post module) paths with go-get.
Our mitigation options in the short term are Be Eager (@master), or Be Stale (using @latest), which have the following implications. Being Stale means getting the code at the previous release, meaning the licences included do not include what's new since the last release. This is marginally better than present (locked at 2.32.0). Being Eager would mean getting what's at Beam Repo Head, which will include the release being built, but be at risk of diffs since the cut.
The first PR is to stopgap into getting us to Be Eager which given the rate of change to the boot loaders, to be more accurate.
The ideal would be to plumb the current release tag being built (or at least the short commit ID) so we can get the precise version of the code being built for licenses. This Jira is to track that fix.