Fix shell quoting issues (SC2086) across workflows and engines

[Copilot]

Fix Shell Quoting Issues (SC2086) - ✅ COMPLETE

Objective

Add double quotes around variable references in shell scripts across 9 workflows to prevent globbing and word splitting issues (shellcheck SC2086).

Recent Changes

• Merged main branch (commits 3ed1c41, b1a6e4a, 95b27fd, 822d3b5)
• Resolved merge conflicts in lock files by recompiling
• Verified no SC2086 violations remain
• All tests pass

Plan Completion

• Explore repository and identify affected files
• Compile workflows and verify SC2086 violations with actionlint
• Fix copilot-session-insights.md (6 occurrences)
• Fix prompt-clustering-analysis.md (3 occurrences)
• Fix daily-perf-improver.md (2 occurrences)
• Fix daily-test-improver.md (2 occurrences)
• Fix test-post-steps.md (1 occurrence)
• Fix shared/opencode.md (1 occurrence)
• Fix shared/genaiscript.md (1 occurrence)
• Fix shared/ffmpeg.md (1 occurrence)
• Fix pkg/workflow/codex_engine.go (2 occurrences)
• Recompile all affected workflows
• Run actionlint to verify fixes
• Run make agent-finish for final validation
• Merge main branch

Files Modified (9 total)

Workflow Files (5):

1. .github/workflows/copilot-session-insights.md - Fixed 6 unquoted $GITHUB_OUTPUT and $GITHUB_STEP_SUMMARY
2. .github/workflows/prompt-clustering-analysis.md - Fixed 3 unquoted variables (${{ github.repository }}, file path with variable)
3. .github/workflows/daily-perf-improver.md - Fixed 2 unquoted $GITHUB_OUTPUT
4. .github/workflows/daily-test-improver.md - Fixed 2 unquoted $GITHUB_OUTPUT
5. .github/workflows/test-post-steps.md - Fixed 1 unquoted $GITHUB_STEP_SUMMARY

Shared Configuration Files (3):
6. .github/workflows/shared/opencode.md - Fixed 1 unquoted npm package version variable
7. .github/workflows/shared/genaiscript.md - Fixed 1 unquoted $GH_AW_MCP_CONFIG
8. .github/workflows/shared/ffmpeg.md - Fixed 1 unquoted $GITHUB_OUTPUT

Source Code (1):
9. pkg/workflow/codex_engine.go - Fixed 2 unquoted $CODEX_HOME/logs in codex engine

Acceptance Criteria - All Met ✅

• All 19 SC2086 violations fixed with proper quoting
• Variables in shell scripts are double-quoted
• Workflows compile successfully
• Actionlint scan shows 0 SC2086 findings
• Workflows function correctly with quoted variables
• All tests pass (make test-unit)
• Code formatted (make fmt)
• Code linted (make lint)
• Main branch merged successfully

Verification Results

✅ actionlint: 0 SC2086 violations (19 → 0)
✅ make test-unit: PASS
✅ Merge conflicts resolved
✅ Workflows recompiled successfully

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[task] Fix shell quoting issues across workflows (SC2086)</issue_title>
<issue_description>## Objective
Add double quotes around variable references in shell scripts to prevent globbing and word splitting issues.

Context

Shellcheck identified 15 unquoted variable references (SC2086) across 9 workflows. While these are informational severity, they represent potential bugs when paths contain spaces or special characters. This is a code quality improvement.

Related to discussion #3120 - Static Analysis Report finding #4.

Approach

1. Review all SC2086 findings in affected workflows
2. Add double quotes around variable references in shell scripts
3. Test workflows to ensure quoting doesn't break existing functionality
4. Focus on the most critical workflows first (those with most occurrences)

Files to Modify (by priority)

• .github/workflows/copilot-session-insights.md - 9 occurrences
• .github/workflows/prompt-clustering-analysis.md - 4 occurrences
• .github/workflows/smoke-opencode.md - 4 occurrences
• .github/workflows/daily-perf-improver.md - 2 occurrences
• .github/workflows/daily-test-improver.md - 2 occurrences
• .github/workflows/duplicate-code-detector.md - 2 occurrences
• .github/workflows/smoke-codex.md - 2 occurrences
• .github/workflows/test-post-steps.md - 1 occurrence
• .github/workflows/video-analyzer.md - 1 occurrence
• Recompile all affected workflows

Example Fixes

# Before (unquoted)
echo $GITHUB_OUTPUT
cp $SOURCE_FILE $DEST_FILE

# After (quoted)
echo "$GITHUB_OUTPUT"
cp "$SOURCE_FILE" "$DEST_FILE"

Acceptance Criteria

• All 15 SC2086 violations fixed with proper quoting
• Variables in shell scripts are double-quoted
• Workflows compile successfully
• Actionlint scan shows no SC2086 findings for these workflows
• Workflows function correctly with quoted variables
  Related to 🔍 Static Analysis Report - November 4, 2025 #3120

AI generated by Plan Command for discussion #3120</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [task] Fix shell quoting issues across workflows (SC2086) #3126

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Pull Request Overview

This PR adds proper quoting to shell variable references and paths in GitHub Actions workflows to improve shell script safety and prevent potential issues with special characters or spaces. The changes ensure consistent best practices for shell scripting by wrapping variable expansions and file paths in double quotes.

Key changes:

• Added double quotes around environment variable references (e.g., $CODEX_HOME, $GITHUB_OUTPUT, $GH_AW_MCP_CONFIG, ${{ github.repository }})
• Added double quotes around file paths with variable expansions (e.g., /tmp/gh-aw/prompt-cache/pr-full-data/pr-${pr_number}.json)
• Added double quotes around npm package specifications with variable expansions (e.g., opencode-ai@${GH_AW_AGENT_VERSION})

Reviewed Changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/workflow/codex_engine.go	Added quotes around $CODEX_HOME/logs in mkdir commands
.github/workflows/video-analyzer.lock.yml	Added quotes around $GITHUB_OUTPUT in echo command
.github/workflows/test-post-steps.md	Added quotes around $GITHUB_STEP_SUMMARY in shell redirect
.github/workflows/test-post-steps.lock.yml	Added quotes around $GITHUB_STEP_SUMMARY in compiled workflow
.github/workflows/smoke-opencode.lock.yml	Added quotes around opencode-ai@${GH_AW_AGENT_VERSION} in npm install
.github/workflows/smoke-codex.lock.yml	Added quotes around $CODEX_HOME/logs in mkdir commands
.github/workflows/shared/opencode.md	Added quotes around opencode-ai@${GH_AW_AGENT_VERSION} in npm install
.github/workflows/shared/genaiscript.md	Added quotes around $GH_AW_MCP_CONFIG in genaiscript command
.github/workflows/shared/ffmpeg.md	Added quotes around $GITHUB_OUTPUT in echo command
.github/workflows/prompt-clustering-analysis.md	Added quotes around ${{ github.repository }} and file paths with variable expansion
.github/workflows/prompt-clustering-analysis.lock.yml	Added quotes around repository references and output file paths in compiled workflow
.github/workflows/duplicate-code-detector.lock.yml	Added quotes around $CODEX_HOME/logs in mkdir commands
.github/workflows/daily-test-improver.md	Added quotes around $GITHUB_OUTPUT in echo commands
.github/workflows/daily-test-improver.lock.yml	Added quotes around $GITHUB_OUTPUT in compiled workflow
.github/workflows/daily-perf-improver.md	Added quotes around $GITHUB_OUTPUT in echo commands
.github/workflows/daily-perf-improver.lock.yml	Added quotes around $GITHUB_OUTPUT in compiled workflow
.github/workflows/copilot-session-insights.md	Added quotes around $GITHUB_OUTPUT in multiple echo commands
.github/workflows/copilot-session-insights.lock.yml	Added quotes around $GITHUB_OUTPUT in compiled workflow

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[pelikhan]

@copilot merge main

[Copilot]

@copilot merge main

Merged main branch successfully. Resolved merge conflicts in lock files by recompiling workflows. All SC2086 fixes preserved and tests pass. (f53c073)