Fix SC2086: Quote $GITHUB_OUTPUT in safe-inputs config generation #7921

Merged
pelikhan merged 2 commits into main from copilot/fix-shellcheck-sc2086
Dec 27, 2025

Copilot AI commented Dec 27, 2025

Shellcheck flagged 10 SC2086 violations across 5 workflows where $GITHUB_OUTPUT was unquoted in shell scripts, risking word splitting and glob expansion.

Changes

  • pkg/workflow/mcp_servers.go: Added quotes around $GITHUB_OUTPUT variable references in safe-inputs MCP server configuration generation (lines 293-294)

    // Before
    yaml.WriteString("          echo \"safe_inputs_api_key=${API_KEY}\" >> $GITHUB_OUTPUT\n")

    // After
    yaml.WriteString("          echo \"safe_inputs_api_key=${API_KEY}\" >> \"$GITHUB_OUTPUT\"\n")

  • 5 workflow lock files: Automatically recompiled with quoted variable references

Impact

Prevents potential shell expansion issues if $GITHUB_OUTPUT ever contains spaces or glob characters. All 10 SC2086 violations resolved.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Fix SC2086: Add missing quotes in 5 workflows</issue_title>
<issue_description>## Objective

Fix 10 occurrences of shellcheck SC2086 info-level issues across 5 workflows by adding proper quotes around variable references.

Problem

Unquoted variables can lead to unexpected word splitting or pathname expansion:

echo $variable        # ❌ Can split on whitespace, expand globs
command $arg         # ❌ May cause unexpected behavior

Solution

Add double quotes:

echo "$variable"     # ✅ Preserves spaces, prevents expansion
command "$arg"       # ✅ Treats as single argument

Why This Matters

  • Prevents word splitting on spaces/tabs/newlines
  • Prevents glob expansion (*, ?, etc.)
  • Ensures variables are treated as single arguments
  • Makes script behavior more predictable

Approach

  1. Search for unquoted variable usage: grep -n '\$[A-Za-z_]' .github/workflows/*.md
  2. Identify the 10 specific SC2086 violations from actionlint output
  3. Add quotes around each variable reference
  4. Recompile workflows: make recompile
  5. Verify with actionlint

Files to Modify

5 workflow .md files in .github/workflows/ (10 total occurrences)

Acceptance Criteria

AI generated by Plan Command for discussion #7889

Comments on the Issue (you are @copilot in this section)



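A regression check for the generator change described above, as an added example that is not code from this pull request or the project: it scans generated script text for redirects whose target is an unquoted environment-file variable and rewrites them to the quoted form. It goes beyond the PR by also covering GITHUB_ENV, GITHUB_PATH, GITHUB_STATE and GITHUB_STEP_SUMMARY; the names `FindUnquotedRedirects`, `QuoteRedirects` and `Finding` are hypothetical, and the sample script is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// GitHub Actions environment-file variables that scripts append to.
const envFiles = `GITHUB_(?:OUTPUT|ENV|PATH|STATE|STEP_SUMMARY)`

// unquoted matches a redirect operator followed directly by a bare $VAR or
// ${VAR}. In the quoted form a `"` sits between operator and `$`: no match.
var unquoted = regexp.MustCompile(
	`(>>?[ \t]*)(\$(?:\{` + envFiles + `\}|` + envFiles + `\b))`)

// Finding is one unquoted redirect target (an SC2086 candidate).
type Finding struct {
	Line int    // 1-based line number in the script
	Expr string // the expansion as written, e.g. $GITHUB_OUTPUT
}

// FindUnquotedRedirects reports every unquoted env-file redirect target.
func FindUnquotedRedirects(script string) []Finding {
	var out []Finding
	for i, line := range strings.Split(script, "\n") {
		for _, m := range unquoted.FindAllStringSubmatch(line, -1) {
			out = append(out, Finding{Line: i + 1, Expr: m[2]})
		}
	}
	return out
}

// QuoteRedirects rewrites each finding to the double-quoted form.
func QuoteRedirects(script string) string {
	return unquoted.ReplaceAllString(script, `${1}"${2}"`)
}

func main() {
	// Constructed sample: the page's "Before" line plus two variants.
	script := "echo \"safe_inputs_api_key=${API_KEY}\" >> $GITHUB_OUTPUT\n" +
		"echo \"port=3000\" >> \"$GITHUB_OUTPUT\"\n" +
		"echo \"DEBUG=1\" >>${GITHUB_ENV}\n"
	for _, f := range FindUnquotedRedirects(script) {
		fmt.Printf("line %d: unquoted %s\n", f.Line, f.Expr)
	}
	fmt.Print(QuoteRedirects(script))
}
```

The match is textual rather than a shell parse, so a redirect that appears inside a quoted string literal is also reported; shellcheck or actionlint remains the authoritative check.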
Copilot AI self-assigned this Dec 27, 2025
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix SC2086 by adding missing quotes in workflows" to "Fix SC2086: Quote $GITHUB_OUTPUT in safe-inputs config generation" Dec 27, 2025
Copilot AI requested a review from mnkiefer December 27, 2025 20:13
@pelikhan pelikhan marked this pull request as ready for review December 27, 2025 20:36
@pelikhan pelikhan merged commit 7f2aa91 into main Dec 27, 2025
4 checks passed
@pelikhan pelikhan deleted the copilot/fix-shellcheck-sc2086 branch December 27, 2025 20:36
Development

Successfully merging this pull request may close these issues.

[plan] Fix SC2086: Add missing quotes in 5 workflows