Preserve GOPATH when invoking Go tools under sudo in workflow template #1411

@coderabbitai

Description

Problem Description

The GitHub Actions workflow template at .github/workflows/build-notebooks-TEMPLATE.yaml (around lines 631-641) invokes the Go tool for check-payload scanning with sudo --preserve-env=PATH. sudo's default env_reset rebuilds the environment from a small allow-list plus the names given to --preserve-env, so GOPATH is dropped and HOME is set to the target user's home, /root. The Go toolchain then derives its defaults from that HOME (GOPATH=/root/go, with the module cache under it and the build cache under /root/.cache), finds none of the runner user's cached artifacts, and recompiles the tool as root on every run.

Current Implementation

sudo --preserve-env=PATH go tool github.com/openshift/check-payload scan local --path "${IMAGE_MOUNT_DIR}"

Impact Analysis

  • Performance degradation: the Go toolchain rebuilds the tool when GOPATH and the caches derived from it are not preserved
  • Permission pollution: compilation artifacts are created under /root, owned by root
  • Wasted build time: unnecessary recompilation on every workflow run
  • Resource inefficiency: additional CPU and I/O overhead during builds

Solution Options

Option 1: Preserve GOPATH (Recommended)

sudo --preserve-env=PATH,GOPATH go tool github.com/openshift/check-payload scan local --path "${IMAGE_MOUNT_DIR}"

Option 2: Also preserve GOMODCACHE if used

sudo --preserve-env=PATH,GOPATH,GOMODCACHE go tool github.com/openshift/check-payload scan local --path "${IMAGE_MOUNT_DIR}"

Option 3: Drop sudo entirely

If the mount at ${IMAGE_MOUNT_DIR} is readable by the runner user (the mount itself is already unprivileged), removing sudo altogether is the least-privilege option and avoids forwarding caller-controlled environment variables into a root process:

go tool github.com/openshift/check-payload scan local --path "${IMAGE_MOUNT_DIR}"

Acceptance Criteria

  • GOPATH environment variable is preserved when invoking Go tools under sudo
  • No unnecessary recompilation occurs during workflow execution
  • Build time is optimized by reusing existing compiled binaries
  • No permission pollution in /root directory
  • Workflow continues to function correctly and still meets its security requirements

Implementation Notes

  • Test the change in a non-production environment first
  • --preserve-env forwards only variables that are actually set in the caller's environment; if the runner relies on Go's defaults instead of exporting GOPATH, set it explicitly (for example from go env GOPATH) before the sudo call, otherwise the preserved name is a no-op and the fallback to /root remains
  • Consider whether GOMODCACHE should also be preserved if module caching is used; the build cache (GOCACHE) also defaults to a path under HOME and is subject to the same reset
  • Verify that the workflow still meets security requirements after the change: every variable forwarded with --preserve-env is caller-controlled input to a root process, and the tool binary is built from a cache the runner user can write to
  • Monitor build times to confirm the performance improvement
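As an added example (not part of the issue or the notebooks repository), the shell helper below makes the Go directory variables explicit before building the --preserve-env list, so that sudo has something to preserve even when the runner never exported GOPATH, and checks that none of them resolves into /root before the scan runs. The function names, the inclusion of GOCACHE, and the run_check_payload_scan wrapper taking the mount directory as an argument are this example's own assumptions; only the final wrapper needs go and sudo at runtime, the other functions are pure shell.

```shell
#!/bin/sh
# Added example, not from the issue or the notebooks repo.
#
# sudo's env_reset rebuilds the environment and sets HOME to the target
# user's home (/root). Go derives its defaults from HOME:
#   GOPATH=$HOME/go  GOMODCACHE=$GOPATH/pkg/mod  GOCACHE=$HOME/.cache/go-build
# --preserve-env only copies variables that are set in the caller's
# environment, so an unset GOPATH is "preserved" as nothing at all.
set -eu

# Assumed set of directory variables worth carrying across the sudo boundary.
GO_DIR_VARS="GOPATH GOMODCACHE GOCACHE"

# Export each Go directory variable with its effective value as reported by
# `go env`, so the variable exists for sudo to preserve (needs go in PATH).
export_go_dirs() {
  for var in $GO_DIR_VARS; do
    value=$(go env "$var")
    export "$var=$value"
  done
}

# Print the --preserve-env option listing PATH plus every variable in
# $GO_DIR_VARS that is currently set and non-empty. Unset names are skipped
# so the printed list reflects what will really reach the root process.
preserve_env_opt() {
  list="PATH"
  for var in $GO_DIR_VARS; do
    eval "value=\${$var:-}"          # POSIX indirection: value=${GOPATH:-} etc.
    if [ -n "$value" ]; then
      list="$list,$var"
    fi
  done
  printf '%s\n' "--preserve-env=$list"
}

# Return 0 if no exported Go directory lies under /root, i.e. the root
# process will reuse the runner user's caches instead of recompiling there.
go_dirs_outside_root_home() {
  for var in $GO_DIR_VARS; do
    eval "value=\${$var:-}"
    case "$value" in
      /root|/root/*) return 1 ;;
    esac
  done
  return 0
}

# Wrapper for the workflow step. Usage: run_check_payload_scan "$IMAGE_MOUNT_DIR"
# Everything forwarded here is caller-controlled input to a root process, so
# keep the list to the Go directories and nothing else.
run_check_payload_scan() {
  export_go_dirs
  if ! go_dirs_outside_root_home; then
    echo "refusing to run: a Go directory resolves into /root" >&2
    return 1
  fi
  sudo "$(preserve_env_opt)" go tool github.com/openshift/check-payload scan local --path "$1"
}
```

The guard in go_dirs_outside_root_home is deliberately a pre-flight check on the runner user's side: if go env already reports a /root path there, the job itself is running as root and the sudo call is redundant, which is worth knowing before adding more preserved variables.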

Context

This issue addresses workflow performance optimization identified during code review.
