feat(build): add Go CI pipeline with golangci-lint and go test

[katriendg]

Description

Adds CI plumbing for Go linting and testing as a single bundled PR closing three Phase 3 issues from the Go Toolchain Prerequisites epic (#290). These three issues (#331, #334, #336) are tightly coupled: the PowerShell wrapper is consumed by the reusable workflow, and the Codecov flag receives the coverage output from that workflow. Shipping them together avoids intermediate broken-pipeline states and simplifies review.

The pipeline follows established patterns from the Terraform CI infrastructure. Invoke-GoTest.ps1 mirrors Invoke-TerraformTest.ps1 structurally; go-tests.yml mirrors terraform-tests.yml. No Go test code is included — this PR provides the scaffolding that future test files will execute through.

Closes #331
Closes #334
Closes #336

Type of Change

• 🐛 Bug fix (non-breaking change fixing an issue)
• ✨ New feature (non-breaking change adding functionality)
• 💥 Breaking change (fix or feature causing existing functionality to change)
• 📚 Documentation update
• 🏗️ Infrastructure change (Terraform/IaC)
• ♻️ Refactoring (no functional changes)

Component(s) Affected

• infrastructure/terraform/prerequisites/ - Azure subscription setup
• infrastructure/terraform/ - Terraform infrastructure
• infrastructure/setup/ - OSMO control plane / Helm
• workflows/ - Training and evaluation workflows
• training/ - Training pipelines and scripts
• docs/ - Documentation

Testing Performed

• Terraform plan reviewed (no unexpected changes)
• Terraform apply tested in dev environment
• Training scripts tested locally with Isaac Sim
• OSMO workflow submitted successfully
• Smoke tests passed (smoke_test_azure.py)

Documentation Impact

• No documentation changes needed
• Documentation updated in this PR
• Documentation issue filed

Bug Fix Checklist

Complete this section for bug fix PRs. Skip for other contribution types.

• Linked to issue being fixed
• Regression test included, OR
• Justification for no regression test:

Checklist

• My code follows the project conventions
• Commit messages follow conventional commit format
• I have performed a self-review
• Documentation impact assessed above
• No new linting warnings introduced

---

Changes

PowerShell Test Wrapper

Created Invoke-GoTest.ps1 following the Invoke-TerraformTest.ps1 skeleton. The script runs golangci-lint and go test sequentially against the Go module in infrastructure/terraform/e2e/, parsing go test -json output into per-package results and writing structured JSON to logs/go-test-results.json.

• Guard predicates exit early (code 0) when go.mod is missing or no Go files changed with -ChangedFilesOnly
• Auto-installs golangci-lint v2.11.4 via SHA256-verified direct binary download when not on PATH, matching the actionlint pattern used in devcontainer.json
• Generates CI annotations for test failures and a GitHub step summary table
• Write-EmptyResults helper ensures consistent JSON schema across all exit paths

Pester Unit Tests

Created Invoke-GoTest.Tests.ps1 with 33 tests across 10 contexts, covering every code path in the wrapper.

• Mocks go and golangci-lint CLIs via ParameterFilter routing per subcommand
• Contexts: tool availability, go.mod guard, no test files, lint pass/fail, test pass/fail, ChangedFilesOnly, output file creation, multiple packages, golangci-lint installation
• Follows Invoke-TerraformTest.Tests.ps1 patterns (Save/Restore-CIEnvironment, Initialize-MockCIEnvironment)

Reusable Workflow

Created go-tests.yml mirroring terraform-tests.yml with three inputs: soft-fail, changed-files-only, code-coverage.

• Uses actions/setup-go v5.6.0 (SHA-pinned) with go-version-file from infrastructure/terraform/e2e/go.mod
• Uploads test results artifact and Go coverage .out file to Codecov via OIDC (no secrets required)
• No JUnit XML conversion needed — Codecov natively processes Go coverage format

Orchestrator Wiring

Wired go-tests into both CI orchestrators between terraform-tests and codeql-analysis.

• main.yml: soft-fail: true, code-coverage: true, added to release-please needs list
• pr-validation.yml: adds changed-files-only: true for incremental PR testing

Codecov Configuration

• Added go flag definition with paths: [infrastructure/terraform/e2e/] and carryforward: true
• Added go project status entry (target: auto, threshold: 1%)
• Added test:go npm script to package.json

Supply-Chain Hardening

• Invoke-GoTest.ps1: downloads the release tarball from GitHub Releases, verifies against a pinned SHA256 checksum via sha256sum -c, then extracts the binary to GOPATH/bin
• devcontainer.json: added golangci-lint to onCreateCommand following the existing actionlint pattern (version + SHA256 + sha256sum -c --quiet), pre-installing it in the dev container

Related Issues

• Closes chore(ci): add test:go npm script and Invoke-GoTest.ps1 #331 — Invoke-GoTest.ps1 PowerShell wrapper + test:go npm script
• Closes ci(infrastructure): create Go test reusable CI workflow #334 — go-tests.yml reusable CI workflow + orchestrator wiring
• Closes ci(infrastructure): add Codecov go flag for Go test coverage #336 — Codecov go flag configuration
• Related to test(infrastructure): Go/Terratest contract and integration tests — tracking issue #290 — Go Toolchain Prerequisites epic

Notes

These three issues are bundled because they form a single atomic CI capability. The PowerShell script (#331) is the execution engine, the workflow (#334) is the CI orchestration, and the Codecov flag (#336) is the reporting endpoint. Each depends on the others to function end-to-end.

• setup-go v5.6.0 selected over v6.3.0 for stability in this repo's runner environment; upgrade to v6 tracked as follow-up
• The script handles the no-tests case gracefully since no *_test.go files exist yet in infrastructure/terraform/e2e/
• All action SHA pins match versions already used elsewhere in the repository (checkout v6.0.2, upload-artifact v7.0.0, codecov-action v5.5.3)

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 12d7861.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-go	40f1582b2485089dde7abd97c1529aa768e1baff	🟢 6.1	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 12 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/actions/upload-artifact	bbbca2ddaa5d8feaa63e36b76fdaad77386f024f	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 5 4 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits
actions/codecov/codecov-action	1af58845a975a7985b0beb0cbe6fbbb71a41dbad	🟢 6.9	Details Check Score Reason Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases ⚠️ -1 no releases found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits CI-Tests 🟢 9 29 out of 30 merged PRs checked by a CI test -- score normalized to 9 Contributors 🟢 10 project has 13 contributing companies or organizations

Scanned Files

• .github/workflows/go-tests.yml

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.58%. Comparing base (6804630) to head (12d7861).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #351   +/-   ##
=======================================
  Coverage   43.58%   43.58%           
=======================================
  Files         242      242           
  Lines       14840    14840           
  Branches     1903     1855   -48     
=======================================
  Hits         6468     6468           
  Misses       8082     8082           
  Partials      290      290           

Flag	Coverage Δ		*Carryforward flag
pester	79.87% <ø> (ø)
pytest	6.89% <ø> (ø)		Carriedforward from 323bf44
pytest-dataviewer	61.98% <ø> (ø)
vitest	50.72% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.