Fix shellcheck SC2086/SC2012/SC2129 warnings across 15 workflows by Copilot · Pull Request #25872 · github/gh-aw

Copilot · 2026-04-12T00:56:41Z

Actionlint reported 24 shellcheck findings across 15 workflows. Unquoted variables in shell run: blocks risk word splitting and glob expansion bugs.

Changes

SC2086 — Unquoted variables (22 findings): Quote ${RUNNER_TEMP}, $GITHUB_REPOSITORY, $GITHUB_WORKSPACE, $CACHE_AGE in workflow .md files and shared components
SC2012 — ls for file listing (1 finding): Replace ls *.tar.gz | head -1 with find -name '*.tar.gz' | head -1 in shared/apm.md
SC2129 — Repeated redirects (1 finding): Group 10 echo ... >> "$GITHUB_STEP_SUMMARY" into { ...; } >> "$GITHUB_STEP_SUMMARY" in release.md
Compiler fix: Quote heredoc path in compiler_safe_outputs_job.go (cat > %s → cat > "%s")

Most findings came from shared components reused across multiple workflows:

Shared component	Affected workflows
`shared/copilot-pr-data-fetch.md`	5 workflows
`shared/mcp/gh-aw.md`	copilot-token-audit, copilot-token-optimizer
`shared/issues-data-fetch.md`	daily-issues-report
`shared/weekly-issues-data-fetch.md`	deep-report

# Before
bash ${RUNNER_TEMP}/gh-aw/actions/install_gh_cli.sh
gh issue list --repo $GITHUB_REPOSITORY \

# After
bash "${RUNNER_TEMP}/gh-aw/actions/install_gh_cli.sh"
gh issue list --repo "$GITHUB_REPOSITORY" \

All 187 workflows recompile cleanly. Zero SC2086/SC2012/SC2129 findings remain.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw bash -e bash --no�� rt/assertion_com-errorsas rt/assertion_for-ifaceassert x_amd64/compile -f json eck x_amd64/compile (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw bash -e bash --no�� --noprofile (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw json eck bash --no�� sues (http block)
https://api.github.com/orgs/test-owner/actions/secrets
- Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE y.s (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel x_amd64/vet /opt/hostedtoolcache/node/24.14.1/x64/bin/node -json GO111MODULE 64/pkg/tool/linu--show-toplevel /opt/hostedtoolcache/node/24.14.1/x64/bin/node /tmp�� GOMODCACHE 64/pkg/tool/linuInitial commit /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha se 1766666/b113/vet.cfg ache/node/24.14.1/x64/bin/node -json rk 64/bin/go git t-35�� k/gh-aw/gh-aw/.github/workflows/agent-performance-analyzer.md go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha 21/001/test-complex-frontmatter-with-tools.md pKmvAbdZx ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x^remote\..*\.gh-resolved$ env (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linuremote2 /usr/bin/git ut543436904/001 i0dFibft1 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git DseGpepMC GO111MODULE Name,createdAt,s--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel /opt/hostedtoolcache/go/1.25.8/x2 /usr/bin/git ring2058589076/0git pkg/mod/golang.orev-parse (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha add resolved$ /usr/bin/git b/workflows GO111MODULE 64/bin/go git init�� ic/asm.s go /usr/bin/git cut -f1))" GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha remove other /usr/bin/git repo9319858/001 GO111MODULE x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git 1766666/b417/_pkgit -trimpath 1766666/b417=> git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x^remote\..*\.gh-resolved$ /usr/bin/git 05 k/gh-aw/gh-aw/pkrev-parse /opt/hostedtoolc--show-toplevel git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --show-toplevel go /usr/bin/git y.md GO111MODULE ache/go/1.25.8/x64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linuorigin /usr/bin/git 491270/b050/_pkggit om/modelcontextprev-parse ache/go/1.25.8/x--show-toplevel git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v9
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build708491270/b254/importcfg -pack /home/REDACTED/go/pkg/mod/golang.org/x/mod@v0.34.0/semver/semver.go env -json go 64/bin/go ced successfully/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD wasm.s go env -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha remove upstream /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git m/workflows GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha GOMODCACHE c5WKOia6VGY3 /usr/bin/git b/workflows GO111MODULE 64/bin/go git conf�� user.email test@example.com /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha /tmp/go-build2971766666/b385/_pkg_.a -trimpath ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -p github.com/githurev-parse -lang=go1.25 ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet pack�� --all-progress-implied --revs /usr/bin/git --thin --delta-base-offrev-parse -q git (http block)
https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v7
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha -f json rgo/bin/bash --shell bash -e sed -n 366,380p .github/workflow-ifaceassert x_amd64/compile -f json eck x_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha submodules | head -n 10 (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha bash ${RUNNER_TEMP} .github/workflows/ace-editor.md x_amd64/vet .github/workflowbash .github/workflow--norc .github/workflow--noprofile x_amd64/vet --no�� --noprofile .github/workflows/architecture-g-ifaceassert x_amd64/vet .github/workflowinfocmp .github/workflow-1 .github/workflowxterm-color x_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha -f json eck --shell bash -e (http block)
https://api.github.com/repos/docker/build-push-action/git/ref/tags/v7
- Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v7 --jq .object.sha --noprofile .cfg 64/pkg/tool/linu-f -f json eck 64/pkg/tool/linu-f --no�� --noprofile .cfg 64/pkg/tool/linu-f -f json eck 64/pkg/tool/linushow (http block)
- Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v7 --jq .object.sha integration_test.go .cfg r: $owner, name: $name) { hasDiscussionsEnabled } } _test.go oken_test.go always_declared_/home/REDACTED/work/gh-aw/gh-aw/.github/workflows 64/pkg/tool/linurev-parse repo�� repo_test.go .cfg 64/pkg/tool/linux_amd64/vet -f json eck 64/pkg/tool/linu-f (http block)
- Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v7 --jq .object.sha -f json eck --shell bash -e (http block)
https://api.github.com/repos/github/gh-aw
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility --noprofile .cfg 64/pkg/tool/linux_amd64/vet -f json eck 64/pkg/tool/linu-f --no�� --noprofile .cfg 64/pkg/tool/linu-f -f json eck 64/pkg/tool/linuconfig (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility -f json eck --shell bash -e 54,SC2157,SC2043-f --no�� -f json eck --shell bash -e 54,SC2157,SC2043config (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --git-dir x_amd64/compile /usr/bin/git -json .go x_amd64/compile git conf�� user.email test@example.com /usr/bin/git -json GO111MODULE x_amd64/vet git (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha sistency_GoAndJavaScript4061759121/001/test-empty-frontmatter.md -trimpath /usr/lib/git-core/git-receive-pack -p github.com/githurev-parse -lang=go1.25 git-receive-pack /tmp�� ErrorFormatting1958467343/001 -goversion /usr/bin/git -c=4 -nolocalimports -importcfg git (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha 1766666/b431/_pkg_.a -trimpath 1766666/b431=> -p b/gh-aw/pkg/slicrev-parse -lang=go1.25 git push�� ErrorFormatting1958467343/001 my-default /usr/bin/git -c=4 -nolocalimports -importcfg 1766666/b431/importcfg (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
- Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name rotocol/go-sdk@v1.5.0/jsonrpc/jsonrpc.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 3877729507 LamLkoYmy 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link (http block)
- Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 ri/jsonschema/v6@v6.0.2/kind/kind.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env _.a YfB4YDUdE ache/go/1.25.8/x64/pkg/tool/linu-lang=go1.25 GOINSECURE chema/v6 GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-dwarf=false (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
- Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linu-nilfunc GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User env ithub/workflows yVIFwLdjv x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link (http block)
- Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE S8eKncR/xY8IG6Cr96T_MkWd-kcE env _.a kLZAPaMu6 /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
- Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env ithub/workflows o 64/pkg/tool/linux_amd64/compile GOINSECURE /norm GOMODCACHE 64/pkg/tool/linuorigin (http block)
- Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 1572626009 uVfRvwDwi /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE go-sdk/internal/config GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
- Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name _3ywvdE5S 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 3877729507 InX8DV7o_ 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 0/message/catalog.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env _.a fG0BeREzZ x_amd64/compile GOINSECURE chema/v6/kind GOMODCACHE x_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
- Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name 0/internal/langu-nolocalimports 64/pkg/tool/linu-importcfg GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/pkg/timeutil/format_test.go env _.a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE gset GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm (http block)
- Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 0/message/catalog/catalog.go 64/pkg/tool/linux_amd64/compile GOINSECURE xbyte_wasm.o 64/src/internal/--show-toplevel 64/pkg/tool/linux_amd64/compile env 1004341235/.github/workflows yZeOx_cnJ ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE t GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
- Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name 0/internal/tag/tag.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD bis 64/pkg/tool/linux_amd64/compile env 3877729507 KjIdi_zAe ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE age GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
- Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 0/feature/plural/common.go 64/pkg/tool/linux_amd64/compile GOINSECURE ha8_stub.o 64/src/internal/--show-toplevel 64/pkg/tool/linux_amd64/compile env _.a JWpi-bmPh ache/go/1.25.8/x64/pkg/tool/linu-nilfunc GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-tests (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
- Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name 0/internal/stringset/set.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD bis 64/pkg/tool/linux_amd64/compile 64/s�� _.a sNGC5r73k ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE pguts GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
- Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 0/internal/format/format.go 64/pkg/tool/linux_amd64/compile GOINSECURE 5519/field GOMODCACHE 64/pkg/tool/linux_amd64/compile env 1004341235 EmzJIsP8T ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE (http block)
https://api.github.com/repos/github/gh-aw/actions/workflows
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path -c=4 -nolocalimports -importcfg /tmp/go-build2971766666/b411/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/tar.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linuremote2 env _.a GO111MODULE ntdrain.test GOINSECURE o 64/src/internal/--show-toplevel ntdrain.test (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel 64/pkg/tool/linuTest User /usr/bin/git _.a 64jHUho52 k git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git XU8RCguzS GO111MODULE x_amd64/vet git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha edOutput2332899861/001 pMTTxllzq 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link env ntdrain.test Tbt35DxwQ ortcfg.link GOINSECURE GOMOD GOMODCACHE W9FT-FP7_6Kws9t3pd/XJ3yBE12j21iuconfig (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env 0629416/001 0629416/002/work-ifaceassert x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha -f json eck --shell bash -e (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha edOutput2332899861/001 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User rtcf�� -json PumV21ljR ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuTest User (http block)
https://api.github.com/repos/nonexistent/repo/actions/runs/12345
- Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env report.md GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD bis ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
https://api.github.com/repos/owner/repo/actions/workflows
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json go 64/bin/go GOINSECURE GOMOD y.s go (http block)
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/owner/repo/contents/file.md
- Triggering command: /tmp/go-build2971766666/b397/cli.test /tmp/go-build2971766666/b397/cli.test -test.testlogfile=/tmp/go-build2971766666/b397/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build708491270/b213/importcfg -pack env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/test-owner/test-repo/actions/secrets
- Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

… warnings in 15 workflows Fix 24 shellcheck findings across 15 workflows: - SC2086: Quote ${RUNNER_TEMP}, $GITHUB_REPOSITORY, $GITHUB_WORKSPACE, $CACHE_AGE - SC2012: Replace `ls *.tar.gz` with `find -name '*.tar.gz'` in shared/apm.md - SC2129: Use grouped redirect `{ ... } >> file` in release.md - Fix unquoted path in compiler_safe_outputs_job.go cat heredoc Agent-Logs-Url: https://github.com/github/gh-aw/sessions/988adcd5-a968-4d87-b1f9-0236fbfc4170 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot

Pull request overview

Addresses actionlint/shellcheck warnings across workflows by hardening shell run: blocks against word-splitting/globbing and cleaning up a couple of shell antipatterns; also fixes one generated script output path quoting in the workflow compiler.

Changes:

Quote workflow environment variables/paths in run: steps to resolve SC2086 across shared components and workflows.
Replace ls *.tar.gz | head -1 with a find ... | head -1 pattern for APM bundle discovery (SC2012).
Consolidate repeated >> "$GITHUB_STEP_SUMMARY" redirects into a single grouped redirect (SC2129) and quote heredoc output path in the compiler.

Show a summary per file

File	Description
pkg/workflow/compiler_safe_outputs_job.go	Quote heredoc output path when generating `cat > ...` steps.
.github/workflows/static-analysis-report.md	Quote `$GITHUB_WORKSPACE` binary path usages.
.github/workflows/static-analysis-report.lock.yml	Regenerated lock with quoted paths and updated heredoc markers.
.github/workflows/smoke-claude.lock.yml	Replace `ls` tarball selection with `find`; quote heredoc output path.
.github/workflows/shared/weekly-issues-data-fetch.md	Quote `$RUNNER_TEMP` and `$GITHUB_REPOSITORY` in gh CLI steps.
.github/workflows/shared/mcp/gh-aw.md	Quote `$RUNNER_TEMP` when staging `gh-aw` binary for MCP.
.github/workflows/shared/issues-data-fetch.md	Quote `$RUNNER_TEMP` and `$GITHUB_REPOSITORY` in gh CLI steps.
.github/workflows/shared/discussions-data-fetch.md	Quote `$RUNNER_TEMP` in gh CLI install step.
.github/workflows/shared/copilot-session-data-fetch.md	Quote `$RUNNER_TEMP` in gh CLI install step.
.github/workflows/shared/copilot-pr-data-fetch.md	Quote `$RUNNER_TEMP` in gh CLI install step.
.github/workflows/shared/apm.md	Use `find` instead of `ls` to locate APM bundle tarball.
.github/workflows/release.md	Group summary `echo` statements under one redirect to step summary.
.github/workflows/release.lock.yml	Regenerated lock reflecting grouped redirect and updated heredoc markers.
.github/workflows/prompt-clustering-analysis.lock.yml	Regenerated lock reflecting quoted `$RUNNER_TEMP` install step.
.github/workflows/issue-arborist.md	Quote `$GITHUB_REPOSITORY` for `gh issue list`.
.github/workflows/issue-arborist.lock.yml	Regenerated lock reflecting quoted `$GITHUB_REPOSITORY` usage.
.github/workflows/deep-report.lock.yml	Regenerated lock reflecting quoted `$RUNNER_TEMP` and `$GITHUB_REPOSITORY` usage.
.github/workflows/daily-news.md	Quote `$RUNNER_TEMP` and `$CACHE_AGE` in shell condition.
.github/workflows/daily-news.lock.yml	Regenerated lock reflecting quoted `$CACHE_AGE` and `$RUNNER_TEMP`.
.github/workflows/daily-issues-report.lock.yml	Regenerated lock reflecting quoted `$GITHUB_REPOSITORY` usage.
.github/workflows/copilot-token-optimizer.lock.yml	Regenerated lock reflecting quoted `$RUNNER_TEMP` staging paths.
.github/workflows/copilot-token-audit.lock.yml	Regenerated lock reflecting quoted `$RUNNER_TEMP` staging paths.
.github/workflows/copilot-session-insights.lock.yml	Regenerated lock reflecting quoted `$RUNNER_TEMP` install step.
.github/workflows/copilot-pr-prompt-analysis.lock.yml	Regenerated lock reflecting quoted `$RUNNER_TEMP` install step.
.github/workflows/copilot-pr-nlp-analysis.lock.yml	Regenerated lock reflecting quoted `$RUNNER_TEMP` install step.
.github/workflows/copilot-pr-merged-report.lock.yml	Regenerated lock reflecting quoted `$RUNNER_TEMP` install step.
.github/workflows/copilot-agent-analysis.lock.yml	Regenerated lock reflecting quoted `$RUNNER_TEMP` install step.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files reviewed: 27/27 changed files
Comments generated: 2

Copilot · 2026-04-12T01:37:23Z

  - name: Find APM bundle path
    id: apm_bundle
-    run: echo "path=$(ls /tmp/gh-aw/apm-bundle/*.tar.gz | head -1)" >> "$GITHUB_OUTPUT"
+    run: echo "path=$(find /tmp/gh-aw/apm-bundle -name '*.tar.gz' | head -1)" >> "$GITHUB_OUTPUT"


Switching from ls .../*.tar.gz to find ... -name '*.tar.gz' | head -1 changes behavior in a couple ways: (1) it will recurse into subdirectories (the previous glob only matched the top-level), and (2) if no bundle exists, find|head typically exits 0 and writes an empty path=..., so the step may succeed but downstream restore will fail later with a less direct error. Consider limiting search depth (e.g., only the bundle directory) and explicitly failing the step when no match is found to preserve early/clear failure semantics.

Suggested change

run: echo "path=$(find /tmp/gh-aw/apm-bundle -name '*.tar.gz' | head -1)" >> "$GITHUB_OUTPUT"

run: |

bundle_path=$(find /tmp/gh-aw/apm-bundle -maxdepth 1 -type f -name '*.tar.gz' | head -n 1)

if [ -z "$bundle_path" ]; then

echo "No APM bundle found in /tmp/gh-aw/apm-bundle" >&2

exit 1

fi

echo "path=$bundle_path" >> "$GITHUB_OUTPUT"

Copilot · 2026-04-12T01:37:24Z

      - id: apm_bundle
        name: Find APM bundle path
-        run: echo "path=$(ls /tmp/gh-aw/apm-bundle/*.tar.gz | head -1)" >> "$GITHUB_OUTPUT"
+        run: echo "path=$(find /tmp/gh-aw/apm-bundle -name '*.tar.gz' | head -1)" >> "$GITHUB_OUTPUT"


This find ... -name '*.tar.gz' | head -1 lookup is recursive and will typically succeed even if no .tar.gz exists, resulting in an empty path= output. Previously the ls glob would fail the step when no bundle was present. To avoid masking missing artifacts (and to avoid accidentally picking a tarball from a nested folder), consider constraining the search to the expected directory level and failing explicitly when the match is empty.

Suggested change

run: echo "path=$(find /tmp/gh-aw/apm-bundle -name '*.tar.gz' | head -1)" >> "$GITHUB_OUTPUT"

run: |

bundle_path="$(find /tmp/gh-aw/apm-bundle -maxdepth 1 -type f -name '*.tar.gz' | head -n 1)"

if [ -z "$bundle_path" ]; then

echo "Expected APM bundle artifact in /tmp/gh-aw/apm-bundle, but no .tar.gz file was found." >&2

exit 1

fi

echo "path=$bundle_path" >> "$GITHUB_OUTPUT"

Initial plan

7c4ec4b

Copilot AI assigned Copilot and pelikhan Apr 12, 2026

Copilot started work on behalf of pelikhan April 12, 2026 00:56 View session

Copilot AI linked an issue Apr 12, 2026 that may be closed by this pull request

[plan] Fix shellcheck SC2086 unquoted variables in 15 workflows #25865

Closed

5 tasks

This was referenced Apr 12, 2026

[aw] No-Op Runs #25214

Closed

Smoke Test: Claude - 24295465170 #25877

Closed

Copilot AI changed the title ~~[WIP] Fix shellcheck SC2086 unquoted variables in workflows~~ Fix shellcheck SC2086/SC2012/SC2129 warnings across 15 workflows Apr 12, 2026

Copilot AI requested a review from pelikhan April 12, 2026 01:33

Copilot finished work on behalf of pelikhan April 12, 2026 01:33

pelikhan marked this pull request as ready for review April 12, 2026 01:33

Copilot AI review requested due to automatic review settings April 12, 2026 01:33

Copilot started reviewing on behalf of pelikhan April 12, 2026 01:35 View session

Copilot AI reviewed Apr 12, 2026

View reviewed changes

pelikhan approved these changes Apr 12, 2026

View reviewed changes

pelikhan merged commit 9f90a5e into main Apr 12, 2026
74 of 79 checks passed

pelikhan deleted the copilot/fix-shellcheck-sc2086-issues branch April 12, 2026 01:43

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix shellcheck SC2086/SC2012/SC2129 warnings across 15 workflows#25872

Fix shellcheck SC2086/SC2012/SC2129 warnings across 15 workflows#25872
pelikhan merged 2 commits intomainfrom
copilot/fix-shellcheck-sc2086-issues

Copilot AI commented Apr 12, 2026 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

Copilot AI Apr 12, 2026

Uh oh!

Copilot AI Apr 12, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

-    run: echo "path=$(find /tmp/gh-aw/apm-bundle -name '*.tar.gz' | head -1)" >> "$GITHUB_OUTPUT"
+    run: |
+      bundle_path=$(find /tmp/gh-aw/apm-bundle -maxdepth 1 -type f -name '*.tar.gz' | head -n 1)
+      if [ -z "$bundle_path" ]; then
+        echo "No APM bundle found in /tmp/gh-aw/apm-bundle" >&2
+        exit 1
+      fi
+      echo "path=$bundle_path" >> "$GITHUB_OUTPUT"

Conversation

Copilot AI commented Apr 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Copilot's findings

Uh oh!

Copilot AI Apr 12, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Apr 12, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented Apr 12, 2026 •

edited

Loading