
Commit 3372509

fix(build): quote shell variables and group redirects in workflow files (#299)
## Description

Fixed shellcheck warnings SC2086 (unquoted variables) and SC2129 (ungrouped redirects) in GitHub Actions workflow files. These warnings were surfaced during CI runs and follow the same fix patterns established in PR #246.

- Quoted `$GITHUB_ENV` and `$GITHUB_STEP_SUMMARY` shell variables to prevent word splitting
- Grouped multiple `echo` statements into single redirects using brace syntax `{ ...; } >> file`
- Applied fixes to both `markdown-lint.yml` and `codeql-analysis.yml` workflows

## Related Issue(s)

Fixes #298

## Type of Change

Select all that apply:

**Code & Documentation:**

- [x] Bug fix (non-breaking change fixing an issue)
- [ ] New feature (non-breaking change adding functionality)
- [ ] Breaking change (fix or feature causing existing functionality to change)
- [ ] Documentation update

**Infrastructure & Configuration:**

- [x] GitHub Actions workflow
- [ ] Linting configuration (markdown, PowerShell, etc.)
- [ ] Security configuration
- [ ] DevContainer configuration
- [ ] Dependency update

**AI Artifacts:**

- [ ] Reviewed contribution with `prompt-builder` agent and addressed all feedback
- [ ] Copilot instructions (`.github/instructions/*.instructions.md`)
- [ ] Copilot prompt (`.github/prompts/*.prompt.md`)
- [ ] Copilot agent (`.github/agents/*.agent.md`)

> **Note for AI Artifact Contributors**:
>
> - **Agents**: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review `.github/agents/` before creating new ones.
> - **Model Versions**: Only contributions targeting the **latest Anthropic and OpenAI models** will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
> - See [Agents Not Accepted](../docs/contributing/custom-agents.md#agents-not-accepted) and [Model Version Requirements](../docs/contributing/ai-artifacts-common.md#model-version-requirements).

**Other:**

- [ ] Script/automation (`.ps1`, `.sh`, `.py`)
- [ ] Other (please describe):

## Sample Prompts (for AI Artifact Contributions)

N/A - This PR does not include AI artifacts.

## Testing

- Ran `actionlint` locally against both modified workflow files with no errors
- Prior art validated in PR #246 which applied identical fix patterns

## Checklist

### Required Checks

- [ ] Documentation is updated (if applicable)
- [x] Files follow existing naming conventions
- [x] Changes are backwards compatible (if applicable)
- [ ] Tests added for new functionality (if applicable)

### AI Artifact Contributions

N/A

### Required Automated Checks

The following validation commands must pass before merging:

- [ ] Markdown linting: `npm run lint:md`
- [ ] Spell checking: `npm run spell-check`
- [ ] Frontmatter validation: `npm run lint:frontmatter`
- [ ] Link validation: `npm run lint:md-links`
- [ ] PowerShell analysis: `npm run lint:ps`

## Security Considerations

- [x] This PR does not contain any sensitive or NDA information
- [x] Any new dependencies have been reviewed for security issues
- [x] Security-related scripts follow the principle of least privilege

## Additional Notes

These shellcheck warnings existed prior to Dependabot PR #295 and were surfaced during CI validation. The fixes align with patterns from PR #246 which addressed identical issues in `extension-publish*.yml` workflows.

🔧 Generated by Copilot
1 parent 4e8707e commit 3372509

2 files changed

Lines changed: 20 additions & 13 deletions


.github/workflows/codeql-analysis.yml

Lines changed: 7 additions & 5 deletions
@@ -48,8 +48,10 @@ jobs:
4848
- name: Add job summary
4949
if: always()
5050
run: |
51-
echo "## CodeQL Security Analysis Complete" >> $GITHUB_STEP_SUMMARY
52-
echo "**Language:** ${{ matrix.language }}" >> $GITHUB_STEP_SUMMARY
53-
echo "**Queries:** security-extended, security-and-quality" >> $GITHUB_STEP_SUMMARY
54-
echo "" >> $GITHUB_STEP_SUMMARY
55-
echo "📊 View results in the Security tab under Code Scanning" >> $GITHUB_STEP_SUMMARY
51+
{
52+
echo "## CodeQL Security Analysis Complete"
53+
echo "**Language:** ${{ matrix.language }}"
54+
echo "**Queries:** security-extended, security-and-quality"
55+
echo ""
56+
echo "📊 View results in the Security tab under Code Scanning"
57+
} >> "$GITHUB_STEP_SUMMARY"
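
Review bot: On the `echo "**Language:** ${{ matrix.language }}"` line inside the new brace group, the `${{ }}` expression is substituted into the script text before the shell starts, so the quoting added for `"$GITHUB_STEP_SUMMARY"` does not cover it. If the matrix is a static list in this workflow the risk is low, but it would be more consistent with the SC2086 fix to pass the value through the step's `env:` (for example `LANGUAGE: ${{ matrix.language }}`) and write `echo "**Language:** $LANGUAGE"`, so that no expression output ends up in the script body.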

.github/workflows/markdown-lint.yml

Lines changed: 13 additions & 8 deletions
@@ -37,7 +37,7 @@ jobs:
3737
- name: Run markdown lint
3838
id: markdown-lint
3939
run: |
40-
npm run lint:md > markdown-lint-output.txt 2>&1 || echo "MARKDOWN_LINT_FAILED=true" >> $GITHUB_ENV
40+
npm run lint:md > markdown-lint-output.txt 2>&1 || echo "MARKDOWN_LINT_FAILED=true" >> "$GITHUB_ENV"
4141
cat markdown-lint-output.txt
4242
continue-on-error: true
4343
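
Review bot: On the changed `npm run lint:md ... || echo "MARKDOWN_LINT_FAILED=true" >> "$GITHUB_ENV"` line, the `||` branch records every non-zero exit as a lint failure, including cases where the `lint:md` script itself cannot start, and the only evidence of which case occurred is the `cat markdown-lint-output.txt` that follows. Because the `||` branch normally succeeds, the step passes either way and `continue-on-error: true` only matters if the `echo` or `cat` fails. The quoting fix itself is correct; a short comment in the step explaining that failure is deliberately deferred to the later "Fail job if violations found" step would make this easier to audit.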

@@ -57,15 +57,20 @@ jobs:
5757
- name: Add job summary
5858
if: always()
5959
run: |
60-
echo "## Markdown Lint Results" >> $GITHUB_STEP_SUMMARY
6160
if [ "${{ env.MARKDOWN_LINT_FAILED }}" == "true" ]; then
62-
echo "❌ **Status**: Failed" >> $GITHUB_STEP_SUMMARY
63-
echo "" >> $GITHUB_STEP_SUMMARY
64-
echo "Markdown linting violations detected. Please review the artifact for details." >> $GITHUB_STEP_SUMMARY
61+
{
62+
echo "## Markdown Lint Results"
63+
echo "❌ **Status**: Failed"
64+
echo ""
65+
echo "Markdown linting violations detected. Please review the artifact for details."
66+
} >> "$GITHUB_STEP_SUMMARY"
6567
else
66-
echo "✅ **Status**: Passed" >> $GITHUB_STEP_SUMMARY
67-
echo "" >> $GITHUB_STEP_SUMMARY
68-
echo "No markdown linting violations detected." >> $GITHUB_STEP_SUMMARY
68+
{
69+
echo "## Markdown Lint Results"
70+
echo "✅ **Status**: Passed"
71+
echo ""
72+
echo "No markdown linting violations detected."
73+
} >> "$GITHUB_STEP_SUMMARY"
6974
fi
7075
7176
- name: Fail job if violations found
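
Review bot: The heading line `echo "## Markdown Lint Results"` was written once before the `if` and is now duplicated in both the failed and passed brace groups, so the two copies can drift apart. Wrapping the whole `if ... else ... fi` in a single `{ ...; } >> "$GITHUB_STEP_SUMMARY"` group would keep one heading and one redirect, and would still satisfy SC2129. Separately, the test `[ "${{ env.MARKDOWN_LINT_FAILED }}" == "true" ]` interpolates the expression into the script; since the value was written to `GITHUB_ENV` in the earlier step, reading it as `"$MARKDOWN_LINT_FAILED"` would avoid that.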
