Pipelines allow unclean go.sum files that block our release pipeline

[luhring]

In neither of our primary pipelines (for PRs, and for releases) do we catch "unclean" go.sum files, where "unclean" is defined as having excess line items that would not be present after running go mod tidy.

We should catch this scenario in our Static Analysis pipeline (which runs for PRs), which is as far upstream we can detect this problem, short of changes to developer environments. We have most of the pieces in place to do this. But since we run our check-go-mod-tidy make target after having run go mod tidy, we aren't catching the problem. To correctly catch the problem in the Static Analysis pipeline, we need to:

• remove the go mod tidy command from the bootstrap step (Note: this leaves go mod download as the last Go command in the bootstrapping process)
• modify go-mod-tidy-check.sh to detect and error out upon finding a diff between "A" and "B", where: "A" is the original go.sum, and "B" is state of go.sum after running go mod tidy.

EDIT: Updated reasoning and task list in response to the go mod download fix being backported to Go 1.16.5.