Fix SC2046 shellcheck errors: Quote command substitutions to prevent word splitting

[thpierce]

Summary

This PR fixes all SC2046 shellcheck errors by adding quotes around command substitutions to prevent word splitting. SC2046 has been removed from the actionlint ignore list in .github/workflows/pr-build.yml.

Changes Made

Files Modified (5 workflow files + 1 config file)

1. .github/workflows/pr-build.yml (lines 79, 90)

• Removed SC2046 comment and ignore flag from actionlint configuration

2. .github/workflows/dotnet-lambda-test.yml (line 143)

- run: cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/dotnet/lambda/lambda && echo API_GATEWAY_URL=$(terraform output -raw api-gateway-url) >> $GITHUB_ENV
+ run: cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/dotnet/lambda/lambda && echo API_GATEWAY_URL="$(terraform output -raw api-gateway-url)" >> $GITHUB_ENV

3. .github/workflows/java-lambda-test.yml (line 145)

- run: cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/java/lambda/lambda && echo API_GATEWAY_URL=$(terraform output -raw api-gateway-url) >> $GITHUB_ENV
+ run: cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/java/lambda/lambda && echo API_GATEWAY_URL="$(terraform output -raw api-gateway-url)" >> $GITHUB_ENV

4. .github/workflows/node-lambda-test.yml (line 147)

- run: cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/node/lambda/lambda && echo API_GATEWAY_URL=$(terraform output -raw api-gateway-url) >> $GITHUB_ENV
+ run: cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/node/lambda/lambda && echo API_GATEWAY_URL="$(terraform output -raw api-gateway-url)" >> $GITHUB_ENV

5. .github/workflows/python-lambda-test.yml (line 163)

- run: cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/python/lambda/lambda && echo API_GATEWAY_URL=$(terraform output -raw api-gateway-url) >> $GITHUB_ENV
+ run: cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/python/lambda/lambda && echo API_GATEWAY_URL="$(terraform output -raw api-gateway-url)" >> $GITHUB_ENV

6. .github/workflows/python-ec2-genesis-test.yml (line 72)

- ID_1="$(printf '%08x' $(date +%s))"
+ ID_1="$(printf '%08x' "$(date +%s)")"

Why This Change is Safe

Lambda Tests (dotnet, java, node, python)

• What it does: Captures the API Gateway URL from terraform output and stores it in $GITHUB_ENV
• Before: API_GATEWAY_URL=$(terraform output -raw api-gateway-url)
• After: API_GATEWAY_URL="$(terraform output -raw api-gateway-url)"
• Impact: URLs from terraform should never contain spaces, but quoting ensures the entire output is treated as a single value even if it unexpectedly contains whitespace
• Risk: None - the value is immediately written to $GITHUB_ENV and used in subsequent steps

Python EC2 Genesis Test

• What it does: Generates a Unix timestamp and formats it as 8-character hex for trace IDs
• Before: ID_1="$(printf '%08x' $(date +%s))"
• After: ID_1="$(printf '%08x' "$(date +%s)")"
• Impact: Unix timestamps never contain spaces, but quoting the inner command substitution follows best practices
• Risk: None - the timestamp is a numeric value that gets formatted to hex

Testing

Actionlint Validation

actionlint -color -ignore SC2086 -ignore SC2004 -ignore SC2129 -ignore SC2016 -ignore SC2010 -ignore SC2015 -ignore SC2260 -ignore SC2181 .github/workflows/*.yml

Exit code: 0 ✅

Behavioral Testing

Test 1: API Gateway URL Assignment

# Normal case (no spaces)
OLD: API_GATEWAY_URL=https://api.example.com/test
NEW: API_GATEWAY_URL="https://api.example.com/test"
Result: Identical ✅

# Edge case (with spaces - demonstrates the bug SC2046 prevents)
OLD: API_GATEWAY_URL=https://api.example.com/test path
  - Splits into multiple words: ["https://api.example.com/test", "path"]
NEW: API_GATEWAY_URL="https://api.example.com/test path"
  - Treated as single string: "https://api.example.com/test path"
Result: NEW is safer ✅

Test 2: Timestamp Formatting

OLD: ID_1="$(printf '%08x' $(date +%s))"
  - Output: 698ff526 (8 hex chars) ✅
NEW: ID_1="$(printf '%08x' "$(date +%s)")"
  - Output: 698ff526 (8 hex chars) ✅
Result: Identical behavior ✅

What SC2046 Prevents

SC2046 warns about unquoted command substitutions because they undergo word splitting. If a command's output contains spaces, tabs, or newlines, the shell will split it into multiple words. This can lead to:

• Incorrect variable assignments
• Unexpected command arguments
• Potential security issues if the output is used in sensitive contexts

In this codebase:

• Lambda tests: terraform output should never contain spaces, but quoting is defensive programming
• Genesis test: date output is always numeric, but quoting is best practice

Impact Assessment

Type: Code quality improvement

This is not a bug fix but a best practice improvement. The commands being quoted (terraform output and date +%s) produce predictable output without spaces, so the unquoted versions work correctly. However, quoting command substitutions is a shell scripting best practice that:

1. Prevents word splitting edge cases
2. Makes the code more robust against unexpected input
3. Follows shellcheck recommendations for maintainable code
4. Aligns with security best practices

Verification Checklist

• SC2046 removed from ignore list in pr-build.yml
• All 5 occurrences fixed across 5 workflow files
• actionlint passes with exit code 0
• Behavioral tests confirm identical functionality
• No temporary files created
• Changes are minimal and focused