Skip to content

Comments

Fix SC2086: quote $GITHUB_OUTPUT in compiler-generated shell scripts#17500

Merged
pelikhan merged 3 commits intomainfrom
copilot/fix-shellcheck-warnings
Feb 21, 2026
Merged

Fix SC2086: quote $GITHUB_OUTPUT in compiler-generated shell scripts#17500
pelikhan merged 3 commits intomainfrom
copilot/fix-shellcheck-warnings

Conversation

Copy link
Contributor

Copilot AI commented Feb 21, 2026
edited by github-actions bot
Loading

ShellCheck (via actionlint) reported 132 SC2086 warnings across compiled workflows due to unquoted $GITHUB_OUTPUT references in compiler-generated shell steps, risking word splitting/glob expansion.

Changes

  • pkg/workflow/cache.go — Quote $GITHUB_OUTPUT in the cache-memory check step template (root cause; propagates to all 157 compiled workflows via make recompile)
  • actions/setup/sh/start_mcp_gateway.sh — Quote $GITHUB_OUTPUT in grouped redirect
  • actions/setup/js/*.test.cjs — Quote $GITHUB_OUTPUT in embedded shell script fixtures (safe_inputs_mcp_server.test.cjs, mcp_server_core.test.cjs)
  • 157 .lock.yml files — Regenerated to reflect the cache.go fix
# Before
echo "has_content=true" >> $GITHUB_OUTPUT

# After
echo "has_content=true" >> "$GITHUB_OUTPUT"

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw est.cjs (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw node 64/bin/go infocmp -1 xterm-color go ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -json GO111MODULE x_amd64/vet ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha runs/20260221-131008-29234/test-3304619273/.github/workflows /tmp/go-build1623199255/b160/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -json GO111MODULE 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -errorsas -ifaceassert -nilfunc ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --check l /usr/bin/git **/*.json --ignore-path ../../../.pretti--show-toplevel git rev-�� --show-toplevel /bin/sh ache/node/24.13.0/x64/bin/node echo "��� Formatgit git 64/bin/go ache/node/24.13.0/x64/bin/node (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683 --jq .object.sha re re (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha se 3199255/b039/vet.cfg .cfg GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet env 1008-29234/test-2988553013/.github/workflows GO111MODULE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha -json GO111MODULE 0/x64/bin/node GOINSECURE GOMOD GOMODCACHE go t-ha�� ithub/workflows/agent-persona-explorer.md GO111MODULE (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha bot-detection.md GOPROXY ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet GOSUMDB GOWORK 64/bin/go ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build1623199255/b080/vet.cfg 3199255/b379/vet.cfg f9dd00c75c79c7bagit GO111MODULE 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha brave.md /tmp/go-build1623199255/b014/vet-test.run=^Test 64/pkg/tool/linux_amd64/vet GOSUMDB GOWORK 64/bin/go 64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags 3199255/b388/vet.cfg -errorsas -ifaceassert -nilfunc iptables (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha ts.result test@example.com /usr/bin/git -json GO111MODULE x_amd64/vet git rev-�� --git-dir x_amd64/vet /usr/bin/git -json GO111MODULE x_amd64/vet git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -json Linux-1.0.9/bin/-c=4 64/pkg/tool/linu-nolocalimports GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu/tmp/go-build1623199255/b421/_testmain.go env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha /tmp/go-build1623199255/b386/console.test -importcfg /usr/bin/lsof -s -w -buildmode=exe lsof -F ac /var/lib/waagent/Microsoft.CPlat.Core.RunCommandLinux-1.0.9/bin/-c=4 /usr/bin/git che/go-build/b1/git GOPROXY 64/bin/go /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git -json GO111MODULE x_amd64/vet git conf�� --get remote.origin.url /usr/bin/gh -json GO111MODULE x_amd64/vet gh (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c "prettier" --che-errorsas GOPROXY 64/bin/go ettierignore GOWORK 64/bin/go go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha "prettier" --che-errorsas GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build1623199255/b405/importcfg -embedcfg /tmp/go-build1623199255/b405/embedcfg -pack env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha -unreachable=false /tmp/go-build1623199255/b007/vetmain Name,createdAt,startedAt,updated-lang=go1.25 GOSUMDB GOWORK 64/bin/go /usr/lib/systemd/systemd-executo-dwarf=false --de�� runs/20260221-131008-29234/test-go1.25.0 --log-level 3199255/b382/vet.cfg --log-target journal-or-kmsg 64/bin/go iptables (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha 2905087001/.github/workflows GO111MODULE bin/sh GOINSECURE GOMOD GOMODCACHE go env '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha ithub-script/git/ref/tags/v8 GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/sh GOINSECURE GOMOD GOMODCACHE sh -c "prettier" --check '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pret-- l 64/pkg/tool/linux_amd64/compile GOSUMDB GOWORK 64/bin/go 64/pkg/tool/linux_amd64/compile (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build2735146250/b062/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/cli/access_log.go /home/REDACTED/work/gh-aw/gh-aw/pkg/cli/actionlint.go (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha GOPATH GOPROXY /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -ato�� runs/20260221-131008-29234/test-806292395/.github/workflows -buildtags 3199255/b384/vet.cfg -errorsas -ifaceassert -nilfunc /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha -json GO111MODULE de_modules/.bin/sh GOINSECURE GOMOD GOMODCACHE go env '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json GO111MODULE bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha -instructions-test-3656841967/.g- GO111MODULE 969424/b401/vet.cfg l GOMOD GOMODCACHE sh -c "prettier" --check '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.prettierignore GOPROXY /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/anchore/sbom-action/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/build-push-action/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/metadata-action/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha ./cmd/gh-aw (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE x_amd64/cgo GOINSECURE GOMOD GOMODCACHE x_amd64/cgo env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu-test.v=true estl�� -json GO111MODULE 64/pkg/tool/linu-test.short=true GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User (http block)
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuorigin (http block)
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 .go x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuremote.origin.url (http block)
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/pkg/tool/linu-nilfunc GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu-tests env g_.a GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuremote.origin.url (http block)
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE vo/9kfMsjtzGOFIi51OI_-c/tFE_Q0UwmvwlVjEnf88q (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path npx prettier --c-errorsas GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go node /hom�� --check scripts/**/*.js 64/bin/go .prettierignore (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 github.com/githu-o -lang=go1.25 go env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE x_amd64/link env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE -j/NEbzTRrGx3Hf7Test User (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 2154117918/.github/workflows GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE tions/setup/js/node_modules/.bin/node GOINSECURE GOMOD GOMODCACHE go tion�� -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE tions/node_modules/.bin/node GOINSECURE GOMOD GOMODCACHE go tion�� -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet Linu�� -json .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOSUMDB GOWORK 64/bin/go node /hom�� --check scripts/**/*.js 64/bin/go -d (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOSUMDB GOWORK 64/bin/go go env -json GOMOD 64/bin/go -d (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go --show-toplevel /home/REDACTED/worenv /usr/bin/git node /hom�� --write scripts/**/*.js modules/@npmcli/run-script/lib/node-gyp-bin/sh .prettierignore 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/.bin/prettier /usr/bin/git go (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build1623199255/b380/cli.test /tmp/go-build1623199255/b380/cli.test -test.testlogfile=/tmp/go-build1623199255/b380/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti-bool go (http block)
    • Triggering command: /tmp/go-build940969424/b380/cli.test /tmp/go-build940969424/b380/cli.test -test.testlogfile=/tmp/go-build940969424/b380/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true --show-toplevel x_amd64/vet run-script/lib/n-json node /hom�� --write **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti"prettier" --check '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.prettierignore node (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD run-script/lib/n-bool sh -c "prettier" --che-errorsas GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name cd actions/setupGOINSECURE git 64/bin/go GOMODCACHE x_amd64/vet /usr/bin/docker sh -c "prettier" --wriGOINSECURE docker (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>[plan] Fix SC2086/SC2129 ShellCheck warnings in compiler-generated shell scripts (unquoted variables, grouped redirects)</issue_title>
<issue_description>## Context

From discussion #17412 — Static Analysis Report 2026-02-21.

Problem

ShellCheck (via actionlint) reports 132 SC2086 warnings across 66 workflows: shell variables referenced without double-quotes, risking word splitting and glob expansion.

The most common pattern is unquoted $GITHUB_OUTPUT and similar special variables in compiled workflow steps:

# ❌ Unquoted - risks word splitting
echo "has_content=true" >> $GITHUB_OUTPUT

# ✅ Quoted - safe
echo "has_content=true" >> "$GITHUB_OUTPUT"

Additionally, 162 SC2129 style warnings across all 156 workflows suggest using grouped redirects:

# ❌ Individual redirects
echo "foo=bar" >> $GITHUB_OUTPUT
echo "baz=qux" >> $GITHUB_OUTPUT

# ✅ Grouped redirect
{
  echo "foo=bar"
  echo "baz=qux"
} >> "$GITHUB_OUTPUT"

Steps

  1. Search the workflow compiler (pkg/workflow/) for generated shell script templates that use $GITHUB_OUTPUT, $GITHUB_ENV, $GITHUB_STEP_SUMMARY etc. without quotes
  2. Update the compiler templates to quote all variable references: "$GITHUB_OUTPUT", "$GITHUB_ENV", "$GITHUB_STEP_SUMMARY"
  3. For grouped output patterns, update templates to use { ... } >> "$GITHUB_OUTPUT" syntax
  4. Run make recompile to regenerate all .lock.yml files
  5. Verify with actionlint that SC2086/SC2129 warnings are reduced
  6. Run make agent-finish before committing

Acceptance Criteria

  • Compiler templates quote all special GitHub environment variable references
  • SC2086 warnings reduced significantly (target: 0 for compiler-generated code)
  • make recompile succeeds
  • All existing tests pass (make test-unit)

Generated by Plan Command for issue #discussion #17412

  • expires on Feb 23, 2026, 12:57 PM UTC

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Changeset

  • Type: patch
  • Description: Stop exposing the legacy cache.name override so generated cache steps keep their auto-generated names while doc/engine references stay in sync and the Gemini execution step label is clarified.

Generated by Changeset Generator

@pelikhan
Fix SC2086: quote $GITHUB_OUTPUT in compiler templates and shell fixt…
8ac418a 
…ures

- pkg/workflow/cache.go: quote $GITHUB_OUTPUT in generated cache-memory check steps
- actions/setup/sh/start_mcp_gateway.sh: quote $GITHUB_OUTPUT in grouped redirect
- actions/setup/js/safe_inputs_mcp_server.test.cjs: quote $GITHUB_OUTPUT in shell fixtures
- actions/setup/js/mcp_server_core.test.cjs: quote $GITHUB_OUTPUT in shell fixtures
- Regenerated all .lock.yml files via make recompile

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix SC2086 and SC2129 ShellCheck warnings in workflows Fix SC2086: quote $GITHUB_OUTPUT in compiler-generated shell scripts Feb 21, 2026
@pelikhan pelikhan marked this pull request as ready for review February 21, 2026 13:22
Copilot AI review requested due to automatic review settings February 21, 2026 13:22
Copilot AI reviewed Feb 21, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates compiler-generated and related shell snippets to quote "$GITHUB_OUTPUT" to eliminate ShellCheck SC2086 warnings and avoid word splitting/globbing in output redirections.

Changes:

  • Quote "$GITHUB_OUTPUT" in the cache-memory compiler template and regenerate compiled workflow lockfiles.
  • Quote "$GITHUB_OUTPUT" in the MCP gateway startup script’s grouped redirect.
  • Quote "$GITHUB_OUTPUT" in embedded shell-script fixtures in JS tests.

Reviewed changes

Copilot reviewed 71 out of 71 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
pkg/workflow/cache.go Quotes "$GITHUB_OUTPUT" in the cache-memory check step template emitted into compiled workflows.
actions/setup/sh/start_mcp_gateway.sh Quotes "$GITHUB_OUTPUT" in a grouped redirect when emitting action outputs.
actions/setup/js/safe_inputs_mcp_server.test.cjs Quotes "$GITHUB_OUTPUT" in embedded shell fixture scripts used by tests.
actions/setup/js/mcp_server_core.test.cjs Quotes "$GITHUB_OUTPUT" in embedded shell fixture scripts (including grouped redirect case).
.github/workflows/*.lock.yml (157 files) Regenerated compiled workflow lockfiles reflecting the quoted "$GITHUB_OUTPUT" output redirections.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@pelikhan pelikhan added the smoke label Feb 21, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Feb 21, 2026
edited
Loading

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions
Copy link
Contributor

github-actions bot commented Feb 21, 2026

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions
Copy link
Contributor

github-actions bot commented Feb 21, 2026
edited
Loading

🎬 THE ENDSmoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions
Copy link
Contributor

github-actions bot commented Feb 21, 2026

PR titles: doc(skills): Add GitHub API limitations section to github-mcp-server skill; Fix typos in AI Engines reference documentation
GitHub MCP (2 merged PRs): ✅
Serena MCP (activate + find_symbol ≥3): ✅
Playwright (title contains "GitHub"): ✅
File write + cat: ✅
Build (make build): ✅
Overall: PASS

🔮 The oracle has spoken through Smoke Codex

@github-actions github-actions bot mentioned this pull request Feb 21, 2026
Closed
@github-actions
Copy link
Contributor

github-actions bot commented Feb 21, 2026

🤖 Smoke Test Results for PR #17500

Test Status
GitHub MCP
Safe Inputs GH CLI
Serena MCP ❌ (unavailable)
Playwright
File Writing
Bash Tool
Discussion Interaction
Build gh-aw
Discussion Creation
Workflow Dispatch
PR Review

Overall: ⚠️ PARTIAL PASS (10/11 — Serena MCP not available)

PR author: @copilot-swe-agent

📰 BREAKING: Report filed by Smoke Copilot

@github-actions
Copy link
Contributor

github-actions bot commented Feb 21, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions github-actions bot mentioned this pull request Feb 21, 2026
Closed
@github-actions
Copy link
Contributor

github-actions bot commented Feb 21, 2026

Smoke Test Results — Run §22257667055

Overall: PARTIAL (all pass; 1 skipped)

Core (#1#10): ✅✅✅✅✅✅✅✅✅✅
PR Review (#11#17): ✅✅✅✅✅✅⚠️(#17 skipped — no test PR)

PR #17500 used for review tests.

💥 [THE END] — Illustrated by Smoke Claude

github-actions[bot]
github-actions bot reviewed Feb 21, 2026
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude

@pelikhan pelikhan merged commit 22c427d into main Feb 21, 2026
@pelikhan pelikhan deleted the copilot/fix-shellcheck-warnings branch February 21, 2026 16:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@pelikhan pelikhan pelikhan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

smoke-claude smoke-codex smoke-copilot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[plan] Fix SC2086/SC2129 ShellCheck warnings in compiler-generated shell scripts (unquoted variables, grouped redirects)

2 participants

@pelikhan