Objective
Fix shellcheck SC2086 (unquoted variable) warnings reported by actionlint in 15 workflows. Unquoted variables in shell scripts can cause word splitting and glob expansion bugs.
Context
Actionlint reported 24 shellcheck findings (primarily SC2086) across 15 workflows. Unquoted variables like $VAR instead of "$VAR" can cause bugs when the variable contains spaces or glob characters.
Reference: Static Analysis Report - 2026-04-11
Affected Workflows
.github/workflows/copilot-agent-analysis.md.github/workflows/copilot-pr-merged-report.md.github/workflows/copilot-pr-nlp-analysis.md.github/workflows/copilot-token-audit.md.github/workflows/copilot-token-optimizer.md.github/workflows/daily-issues-report.md.github/workflows/daily-news.md.github/workflows/deep-report.md.github/workflows/issue-arborist.md.github/workflows/prompt-clustering-analysis.md.github/workflows/release.md.github/workflows/smoke-claude.md.github/workflows/static-analysis-report.md- And 2 more workflows with shellcheck findings
Approach
For each affected .md file:
- Find
run: blocks containing unquoted variable references
- Quote each variable: change
$VAR to "$VAR" where appropriate
- For SC2012 (use
find instead of ls), replace ls with find for file listing
- For SC2129 (use
>> instead of multiple >), consolidate redirect operations
Example fix for SC2086:
# Before (vulnerable to word splitting)
echo $MY_VAR
gh api $ENDPOINT
# After (safe)
echo "$MY_VAR"
gh api "$ENDPOINT"
Steps
- For each affected
.md file, search for shellcheck annotations or unquoted variables in run: blocks
- Quote all unquoted variable references
- After all edits, run
make recompile to regenerate lock files
- Run
make agent-finish to validate
Acceptance Criteria
Generated by Plan Command for issue #25835 · ● 199.3K · ◷
Objective
Fix shellcheck SC2086 (unquoted variable) warnings reported by actionlint in 15 workflows. Unquoted variables in shell scripts can cause word splitting and glob expansion bugs.
Context
Actionlint reported 24 shellcheck findings (primarily SC2086) across 15 workflows. Unquoted variables like
$VARinstead of"$VAR"can cause bugs when the variable contains spaces or glob characters.Reference: Static Analysis Report - 2026-04-11
Affected Workflows
.github/workflows/copilot-agent-analysis.md.github/workflows/copilot-pr-merged-report.md.github/workflows/copilot-pr-nlp-analysis.md.github/workflows/copilot-token-audit.md.github/workflows/copilot-token-optimizer.md.github/workflows/daily-issues-report.md.github/workflows/daily-news.md.github/workflows/deep-report.md.github/workflows/issue-arborist.md.github/workflows/prompt-clustering-analysis.md.github/workflows/release.md.github/workflows/smoke-claude.md.github/workflows/static-analysis-report.mdApproach
For each affected
.mdfile:run:blocks containing unquoted variable references$VARto"$VAR"where appropriatefindinstead ofls), replacelswithfindfor file listing>>instead of multiple>), consolidate redirect operationsExample fix for SC2086:
Steps
.mdfile, search for shellcheck annotations or unquoted variables inrun:blocksmake recompileto regenerate lock filesmake agent-finishto validateAcceptance Criteria
make recompilecompletes without errorsmake agent-finishpassesRelated to [static-analysis] Static Analysis Report - 2026-04-11 #25835