Go manifest false-positive on sourceCodeUri with node_modules Go files

[hoptical]

Description

When validating a plugin archive with -sourceCodeUri, plugin-validator can fail with Invalid Go manifest file if dependency trees contain Go files (for example node_modules/.pnpm/.../flatted/golang/pkg/flatted/flatted.go).

These files are third-party dependency internals and not plugin-owned backend source, but they are still considered during source/manifest validation.

Expected behavior

Validation should not fail because of Go files inside dependency folders such as node_modules/.pnpm.
Only plugin-relevant source files should be considered for Go manifest/source consistency checks.

Actual behavior

Validation fails with errors similar to:

• Invalid Go manifest file
• <dependency path>/flatted.go is in the source code but not in the manifest

This can happen even if build-side mitigations are applied to prevent those files from being added to the plugin Go manifest.

Why this matters

• Common JS dependency trees may include non-JS assets, including Go files.
• Since plugin-actions/package-plugin runs validator automatically, this can fail CI/plugin release builds by default.
• Workarounds are fragile (renaming node_modules, postinstall pruning, etc.).
• Security/compliance constraints can make dependency-version workarounds unacceptable.

Minimal reproduction

1. Create plugin archive from dist/ as documented.
2. Ensure dependencies include a package that ships Go sources under node_modules (e.g. flatted/golang).
3. Run:

   npx @grafana/plugin-validator@latest -sourceCodeUri file://. <plugin-id>.zip

4. Observe go-manifest/source mismatch errors referencing dependency paths.

Proposed solution

• Add built-in default exclusions for source scanning/comparison for dependency directories, such as:
  • node_modules/**
  • .pnpm/**
  • other package-manager cache/dependency paths
• Add configurable exclude globs (global or analyzer-specific) for source analyzers, especially sourcecode and go-manifest.
• Constrain go-manifest/source comparison to plugin-owned backend source roots rather than a full repository walk.

[sunker]

Fixed in #539

[hoptical]

@sunker
I think the issue is still not fixed.

I can still reproduce it in CI with @grafana/plugin-validator@latest:
https://github.com/hoptical/grafana-kafka-datasource/actions/runs/23663023909/job/68937911513#step:5:2195

The current failure is:

• Invalid Go manifest file: node_modules/.pnpm/.../flatted/golang/pkg/flatted/flatted.go
• file ... is in the source code but not in the manifest

PR #539 appears to have fixed only the manifest-side case by ignoring node module entries like node_modules/flatted/... when parsing go_plugin_build_manifest.

What is still happening is different:
The validator is still scanning the full source tree for **/*.go, including node_modules/.pnpm/..., and then treating those third-party dependency files as plugin source that must be present in the Go manifest.

So the underlying bug remains:
node_modules Go files are still being considered during go-manifest validation.

What do you think?