Fix shellcheck SC2162 warnings in workflow files

[Copilot]

Plan: Fix shellcheck SC2162 warnings in workflow files

Task Summary

Address static analysis findings from December 2024 scan by fixing shellcheck SC2162 warnings. The SC2162 warning occurs when the read command is used without the -r flag, which can cause backslashes to be interpreted as escape characters.

Checklist

• Identify all workflow files with SC2162 warnings
• Understand the issue context and scope
• Fix SC2162 warning in .github/workflows/daily-malicious-code-scan.md (2 instances)
• Fix SC2162 warning in .github/workflows/mergefest.md (1 instance)
• Fix TypeScript type cast issue in pkg/workflow/js/add_comment.cjs
• Format code with prettier
• Run make recompile to update lock files
• Validate changes with unit tests and JavaScript tests
• Verify all lock files are properly updated
• Run make lint to verify code quality
• Merge main branch

Changes Made

1. Workflow Files - Added -r flag to read commands in:

   • .github/workflows/daily-malicious-code-scan.md (2 instances)
   • .github/workflows/mergefest.md (1 instance)

2. TypeScript Fix - Fixed type cast in pkg/workflow/js/add_comment.cjs:

   • Wrapped comment in parentheses before accessing node_id property
   • Applied prettier formatting to ensure code style consistency

3. Lock Files - Recompiled all workflows to update lock files with the changes

4. Merge Main - Successfully merged latest changes from main branch

Validation Results

• ✅ make build - Successful
• ✅ make test-unit - All tests passed
• ✅ npm test - All JavaScript tests passed (2137 passed, 5 skipped)
• ✅ make recompile - Successfully compiled 114/118 workflows
• ✅ make lint - All validations passed
• ✅ Merge completed - No conflicts in .go or .cjs files

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[plan] Address static analysis findings from December 2024 scan</issue_title>
<issue_description>## Overview

This tracking issue covers addressing findings from the comprehensive static analysis scan completed on December 11, 2024.

Source: Discussion #6117

Scan Results Summary

• Workflows Scanned: 109
• Total Findings: 1 (Info severity)
• Security Issues: 0 ✅
• Critical/High Issues: 0 ✅

Status

Overall security posture is excellent (⭐⭐⭐⭐⭐). This issue tracks the single minor code quality improvement identified.

Planned Tasks

1. Fix shellcheck SC2162 warning in ci-coach workflow (add -r flag to read command)

Tools Used

• zizmor: Security scanner (0 findings)
• actionlint: Linting & best practices (1 info-level finding)
• poutine: Supply chain security (skipped - requires GitHub API token)

Future Enhancements

Consider in future work (not part of this issue):

• Configure GitHub API token for enhanced zizmor audits
• Enable poutine supply chain security analysis
• Add static analysis to CI/CD pipeline
• Schedule regular automated scans

AI generated by Plan Command for discussion #6117

Comments on the Issue (you are @copilot in this section)

• Fixes [plan] Address static analysis findings from December 2024 scan #6188

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[pelikhan]

@copilot merge main