[plan] Fix SC2086/SC2129 ShellCheck warnings in compiler-generated shell scripts (unquoted variables, grouped redirects)

[github-actions]

Context

From discussion #17412 — Static Analysis Report 2026-02-21.

Problem

ShellCheck (via actionlint) reports 132 SC2086 warnings across 66 workflows: shell variables referenced without double-quotes, risking word splitting and glob expansion.

The most common pattern is unquoted $GITHUB_OUTPUT and similar special variables in compiled workflow steps:

# ❌ Unquoted - risks word splitting
echo "has_content=true" >> $GITHUB_OUTPUT

# ✅ Quoted - safe
echo "has_content=true" >> "$GITHUB_OUTPUT"

Additionally, 162 SC2129 style warnings across all 156 workflows suggest using grouped redirects:

# ❌ Individual redirects
echo "foo=bar" >> $GITHUB_OUTPUT
echo "baz=qux" >> $GITHUB_OUTPUT

# ✅ Grouped redirect
{
  echo "foo=bar"
  echo "baz=qux"
} >> "$GITHUB_OUTPUT"

Steps

1. Search the workflow compiler (pkg/workflow/) for generated shell script templates that use $GITHUB_OUTPUT, $GITHUB_ENV, $GITHUB_STEP_SUMMARY etc. without quotes
2. Update the compiler templates to quote all variable references: "$GITHUB_OUTPUT", "$GITHUB_ENV", "$GITHUB_STEP_SUMMARY"
3. For grouped output patterns, update templates to use { ... } >> "$GITHUB_OUTPUT" syntax
4. Run make recompile to regenerate all .lock.yml files
5. Verify with actionlint that SC2086/SC2129 warnings are reduced
6. Run make agent-finish before committing

Acceptance Criteria

• Compiler templates quote all special GitHub environment variable references
• SC2086 warnings reduced significantly (target: 0 for compiler-generated code)
• make recompile succeeds
• All existing tests pass (make test-unit)

Generated by Plan Command for issue #discussion #17412

• expires on Feb 23, 2026, 12:57 PM UTC