Fix: go-manifest false positives from node_modules in sourceCodeUri scans

[hoptical]

Summary

This PR fixes false-positive Go manifest validation errors when sourceCodeUri contains dependency trees with Go files under node_modules (including pnpm layouts).

Problem

Go manifest validation was scanning all Go files from sourceCodeUri and treating dependency files in node_modules as plugin-owned backend source. This caused errors like:

• Invalid Go manifest file: node_modules/.../flatted.go
• file ... is in the source code but not in the manifest

What changed

• Filter source-side Go file discovery to ignore files under node_modules in gomanifest.go
• Generalize manifest parsing ignore logic from a single hardcoded flatted path to node_modules path handling in gomanifest.go
• Add focused helper tests in gomanifest_test.go:
  • TestIsNodeModulesPath
  • TestFilterPluginGoFiles

Validation

• go test ./pkg/analysis/passes/gomanifest/ -v passed
• Reproduced against a real plugin project; go-manifest no longer reports node_modules-related false positives

Issues

• Fixes Validator fails on unrelated go files in node_modules -- even on empty, newly created plugin #555
• Refs Go manifest false-positive on sourceCodeUri with node_modules Go files #547

Additional note about CI

It seems to me that the current PR CI does not run this analyzer test surface (for example go-manifest paths), so this class of regression can slip through even when required checks pass. I suggest adding analyzer/package tests to PR CI, at least:

• go test ./pkg/analysis/passes/...
  or a broader:
• go test ./pkg/...

[cla-assistant]

All committers have signed the CLA.

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Copilot]

Pull request overview

This PR updates the go-manifest analyzer to avoid false-positive manifest/source mismatches when sourceCodeUri includes dependency trees that contain .go files under node_modules (including pnpm-style nested layouts).

Changes:

• Filter discovered Go source files to exclude paths under node_modules before manifest verification.
• Generalize manifest parsing to ignore node_modules entries instead of a single hardcoded ignored file.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[academo]

@hoptical even though the code is correct I want to keep this a dedicated list.

this has been the only case of a false positive from the gomanifest and the current code opens the door to someone doing

pkg
   node_modules/
       now_this_wont_be_checked.go

which is what we want to avoid with the dedicated list of specific files

[hoptical]

@hoptical even though the code is correct I want to keep this a dedicated list.

this has been the only case of a false positive from the gomanifest and the current code opens the door to someone doing

pkg
   node_modules/
       now_this_wont_be_checked.go

which is what we want to avoid with the dedicated list of specific files

@academo
Thanks, agreed. I updated this to use an explicit manifest allowlist (known entries only), rather than broad node_modules skipping.

So now:

• Manifest side: only allowlisted paths are ignored.
• Source scan side: node_modules is still filtered to avoid sourceCodeUri false positives.

Tests:

• allowlisted entry is ignored
• nested non-allowlisted node_modules paths are still validated
• Windows path normalization still works

Please let me know if it satisfies your concern and does the fix.