notices: run notices-update in a container, run for amd64 and arm64

[mmat11]

Summary

Fixes #1224

This PR generates per-arch notices in NOTICES/amd64 and NOTICES/arm64. Most licenses are now duplicated, but this makes checking for diffs easier. Any custom merge approach would make the check phase more convoluted, I'm not sure it's worth it

Validation

• I have read and followed the contributing guidelines
• If this enhances / fixes / changes a core feature, I have updated the features documentation and support matrix as needed.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.06%. Comparing base (f6a2b45) to head (4850f13).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1888      +/-   ##
==========================================
- Coverage   78.16%   78.06%   -0.10%     
==========================================
  Files         277      277              
  Lines       33598    33598              
==========================================
- Hits        26261    26228      -33     
- Misses       6092     6121      +29     
- Partials     1245     1249       +4     

Flag	Coverage Δ
integration-test	55.40% <ø> (-0.05%)	⬇️
integration-test-arm	29.10% <ø> (-0.10%)	⬇️
integration-test-vm-x86_64-5.15.152	?
integration-test-vm-x86_64-6.10.6	?
k8s-integration-test	41.60% <ø> (-0.59%)	⬇️
oats-test	37.66% <ø> (+0.20%)	⬆️
unittests	58.02% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

CI Supervisor

Workflow	Job	Last state	Re-running?	Attempt
Pull request checks	Generate and checks	failure	No	2/2
Pull request K8s integration tests	netolly_dropexternal	failure	Yes	1/2

[MrAlias]

Thanks for updating the notice generation to keep Go notices separated per architecture. There is one release-packaging gap that still needs to be addressed.

The new layout stores notices under NOTICES/<arch>, but the release packaging step still copies the entire NOTICES/ directory into every per-architecture archive. That means an archive like obi-*-linux-amd64.tar.gz can now include arm64-only notice content as well, for example files under NOTICES/arm64/....

This is a correctness issue for released artifacts: each architecture-specific archive should only ship the notices for its own target architecture. As written, the archive contents no longer cleanly match the binary being released, and the CycloneDX SBOM generated from unpacking that archive can end up describing files that do not actually belong to that build.

Please update the release packaging flow so each per-architecture archive includes only the matching notice tree for that architecture.

[mmat11]

@MrAlias done