The grafana/plugin-actions/build-plugin / package-plugin workflow validates the plugin with:
@grafana/plugin-validator -sourceCodeUri file://./ $PLUGIN_ARCHIVE
That points the validator at the live GitHub Actions workspace after dependencies have been installed, instead of at a clean plugin source snapshot. As a result, validation can fail with false-positive "Invalid Go manifest file" errors when third-party npm dependencies inside node_modules contain .go files.
Where this happens
- build-plugin wrapper: https://github.com/grafana/plugin-actions/blob/build-plugin/v1.0.2/build-plugin/action.yml
- package-plugin at build-plugin/v1.0.2: https://github.com/grafana/plugin-actions/blob/build-plugin/v1.0.2/package-plugin/action.yml
- package-plugin on main: https://github.com/grafana/plugin-actions/blob/main/package-plugin/action.yml
The problematic step is the validator invocation using -sourceCodeUri file://./.
Concrete example
In my case, this was triggered by a new version of flatted, which we had to bump to address recent security findings including CVE-2026-32141 [1] [2].
That dependency ships Go source under:
node_modules/flatted/golang/pkg/flatted/flatted.go
The action then failed validation with:
error: Invalid Go manifest file: node_modules/flatted/golang/pkg/flatted/flatted.go
detail: file node_modules/flatted/golang/pkg/flatted/flatted.go is in the source code but not in the manifest
However, any dependency under node_modules that contains .go files can trigger the same failure when the validator scans the whole live workspace.
Expected behavior
The official action should validate the plugin against the plugin source only, not against the full post-install workspace contents.
Impact
This causes otherwise valid plugins to fail the official release workflow unless maintainers:
- replace the official action
- fork/vendor the action
- add cleanup workarounds before validation
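As an added example (not code from grafana/plugin-actions or @grafana/plugin-validator), the following POSIX shell script shows the "cleanup before validation" workaround from the list above: it reports any .go files that sit under node_modules in the live workspace, copies the plugin source into a snapshot directory that excludes node_modules, and builds the validator invocation against that snapshot instead of file://./. The function names, the dist/ and .git exclusions, and the constructed demo workspace are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from grafana/plugin-actions: the "cleanup before
# validation" workaround. Instead of handing the validator the live workspace
# (-sourceCodeUri file://./), copy the plugin source into a snapshot directory
# that excludes node_modules and point the validator at that.
# Function names and excluded directories are this example's own choices.

# Print every .go file that lives under a node_modules directory inside
# WORKSPACE. These are the files the validator flags as "in the source code
# but not in the manifest" when it scans the post-install workspace.
list_go_files_in_node_modules() {
  find "$1" -path '*/node_modules/*' -name '*.go' -type f | sort
}

# Same scan, but returns just the count (no surrounding whitespace).
count_go_files_in_node_modules() {
  list_go_files_in_node_modules "$1" | wc -l | tr -d ' '
}

# Copy WORKSPACE into DEST, leaving out node_modules, the built dist/ output
# and .git so the snapshot contains plugin source only. Prints DEST.
make_clean_source_snapshot() {
  ws=$1
  dest=$2
  rm -rf "$dest"
  mkdir -p "$dest"
  ( cd "$ws" && find . -type f \
      ! -path './node_modules/*' \
      ! -path './dist/*' \
      ! -path './.git/*' ) |
  while IFS= read -r f; do
    mkdir -p "$dest/$(dirname "$f")"
    cp "$ws/$f" "$dest/$f"
  done
  printf '%s\n' "$dest"
}

# Build the validator invocation against the snapshot rather than file://./ .
# Only prints the command; the archive argument is passed through unchanged.
validator_command_for_snapshot() {
  snapshot=$1
  archive=$2
  printf '@grafana/plugin-validator -sourceCodeUri file://%s %s\n' "$snapshot" "$archive"
}

# Constructed demo workspace mirroring the issue: a plugin with its own Go
# backend plus a dependency (flatted) that ships a .go file under node_modules.
demo() {
  ws=$(mktemp -d)
  mkdir -p "$ws/pkg" "$ws/src" "$ws/node_modules/flatted/golang/pkg/flatted"
  printf 'package main\n' > "$ws/pkg/main.go"
  printf '{}\n' > "$ws/src/plugin.json"
  printf 'package flatted\n' > "$ws/node_modules/flatted/golang/pkg/flatted/flatted.go"

  echo "stray .go files in live workspace:"
  list_go_files_in_node_modules "$ws"

  snap=$(make_clean_source_snapshot "$ws" "$ws.clean")
  echo "stray .go files in snapshot: $(count_go_files_in_node_modules "$snap")"
  validator_command_for_snapshot "$snap" "${PLUGIN_ARCHIVE:-plugin-archive.zip}"
  rm -rf "$ws" "$snap"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run the script with --demo to see it against the constructed tree: the live workspace lists node_modules/flatted/golang/pkg/flatted/flatted.go, the snapshot lists nothing, and the printed command points -sourceCodeUri at the snapshot directory. In a workflow the same two functions would run after `npm install` and before the validator step, with the snapshot path substituted for file://./.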