Fix: go-manifest false positives from node_modules in sourceCodeUri scans

[hoptical]

Summary

This PR fixes false-positive Go manifest validation errors when sourceCodeUri contains dependency trees with Go files under node_modules (including pnpm layouts).

Problem

Go manifest validation was scanning all Go files from sourceCodeUri and treating dependency files in node_modules as plugin-owned backend source. This caused errors like:

• Invalid Go manifest file: node_modules/.../flatted.go
• file ... is in the source code but not in the manifest

What changed

• Filter source-side Go file discovery to ignore files under node_modules in gomanifest.go
• Generalize manifest parsing ignore logic from a single hardcoded flatted path to node_modules path handling in gomanifest.go
• Add focused helper tests in gomanifest_test.go:
  • TestIsNodeModulesPath
  • TestFilterPluginGoFiles

Validation

• go test ./pkg/analysis/passes/gomanifest/ -v passed
• Reproduced against a real plugin project; go-manifest no longer reports node_modules-related false positives

Issues

• Fixes Validator fails on unrelated go files in node_modules -- even on empty, newly created plugin #555
• Refs Go manifest false-positive on sourceCodeUri with node_modules Go files #547

Additional note about CI

It seems to me that the current PR CI does not run this analyzer test surface (for example go-manifest paths), so this class of regression can slip through even when required checks pass. I suggest adding analyzer/package tests to PR CI, at least:

• go test ./pkg/analysis/passes/...
  or a broader:
• go test ./pkg/...

[cla-assistant]

All committers have signed the CLA.

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Copilot]

Pull request overview

This PR updates the go-manifest analyzer to avoid false-positive manifest/source mismatches when sourceCodeUri includes dependency trees that contain .go files under node_modules (including pnpm-style nested layouts).

Changes:

• Filter discovered Go source files to exclude paths under node_modules before manifest verification.
• Generalize manifest parsing to ignore node_modules entries instead of a single hardcoded ignored file.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.