Fix SC2086 shellcheck errors: quote variables to prevent globbing and word splitting #571

Merged
thpierce merged 2 commits into main from fix-SC2086-shellcheck-errors
Feb 17, 2026
@thpierce
Contributor

Summary

This PR fixes all SC2086 shellcheck errors by properly quoting shell variables to prevent unintended word splitting and glob expansion.

Changes Made

Files Modified (45 workflow files)

All changes involve adding double quotes around variables in shell scripts within GitHub Actions workflows.

Key Patterns Fixed

  1. GitHub Actions Variables (most common):

    • >> $GITHUB_OUTPUT → >> "$GITHUB_OUTPUT"
    • >> $GITHUB_ENV → >> "$GITHUB_ENV"
    • >> $GITHUB_PATH → >> "$GITHUB_PATH"
  2. AWS CLI Commands:

    • --instance-ids $instance_id → --instance-ids "$instance_id"
    • --secret-id $SECRET_NAME → --secret-id "$SECRET_NAME"
    • Values=$instance_id → Values="$instance_id"
  3. Kubernetes Commands:

    • kubectl delete namespace $ns → kubectl delete namespace "$ns"
    • kubectl get pods -n $ns → kubectl get pods -n "$ns"
  4. Docker Commands:

    • docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG → docker build -t "$REGISTRY/$REPOSITORY:$IMAGE_TAG"
  5. File Operations:

    • zip -r file-${VERSION}.zip → zip -r file-"${VERSION}".zip
    • mkdir -p $ARTIFACTS_DIR → mkdir -p "$ARTIFACTS_DIR"
  6. Function Calls:

    • watch_command $command_id → watch_command "$command_id"
    • check_instance_ready ${{...}} → check_instance_ready "${{...}}"
  7. Command Substitutions:

    • echo $DIRS | jq → echo "$DIRS" | jq
    • tee --append $GITHUB_ENV → tee --append "$GITHUB_ENV"

Why This Change Is Safe

Code Quality Improvement

SC2086 warnings indicate potential bugs where:

  • Variables containing spaces would be split into multiple arguments
  • Variables containing glob characters (*, ?, []) would be expanded

Behavioral Equivalence

All fixes maintain identical behavior because:

  1. GitHub Actions variables ($GITHUB_OUTPUT, $GITHUB_ENV, $GITHUB_PATH) are file paths that should always be quoted
  2. AWS resource IDs (instance IDs, secret names) don't contain spaces or special characters, but quoting is defensive programming
  3. Docker image names follow strict naming conventions without spaces
  4. Kubernetes namespace names follow DNS label standards (no spaces)
  5. File paths and directory names in the codebase don't contain spaces, but quoting prevents issues if they ever do

No Functional Changes

  • No logic changes
  • No conditional changes
  • No command changes
  • Only added quotes around variables

Testing

Validation Command

actionlint -color -ignore SC2004 -ignore SC2129 -ignore SC2016 -ignore SC2010 -ignore SC2015 -ignore SC2260 -ignore SC2046 -ignore SC2181 .github/workflows/*.yml

Result

Exit code: 0 - All SC2086 errors resolved

Test Scenarios

The changes were validated to ensure:

  1. ✅ Variables are properly quoted in all contexts
  2. ✅ No syntax errors introduced
  3. ✅ actionlint passes with all remaining ignore flags
  4. ✅ All workflow files are valid YAML

Impact Assessment

Type: Code Quality Improvement

This is a code quality fix, not a bug fix. The code worked before because:

  • GitHub Actions variables don't contain spaces
  • AWS resource IDs follow strict naming conventions
  • Docker and Kubernetes names are validated

Benefits

  • Improved robustness: Prevents future issues if variable values change
  • Better practices: Follows shellcheck recommendations
  • Cleaner codebase: Reduces technical debt
  • Easier maintenance: One less warning category to ignore

Removed from Ignore List

  • Deleted comment: # SC2086: Double quote to prevent globbing and word splitting (212 occurrences)
  • Removed flag: -ignore SC2086

Files Changed

45 workflow files across all test suites (Java, Python, Node, .NET, K8s, ECS, EKS, Lambda, EC2, etc.)

Next Steps

After this PR merges, the team can continue systematically removing other shellcheck suppressions from the ignore list.

… word splitting

- Quote $GITHUB_OUTPUT and $GITHUB_ENV in all echo redirects
- Quote $GITHUB_PATH in echo redirects
- Quote variables in AWS CLI commands (instance IDs, secret names, etc.)
- Quote variables in kubectl commands
- Quote variables in docker commands
- Quote variables in file operations (zip, mkdir, etc.)
- Quote variables in command substitutions and pipes

All changes preserve existing functionality while improving shell script safety
by preventing unintended word splitting and glob expansion.
thpierce force-pushed the fix-SC2086-shellcheck-errors branch from 2d3d4dd to 7b074eb on February 14, 2026 07:01
thpierce enabled auto-merge (squash) February 17, 2026 20:24
thpierce merged commit dd2e08c into main Feb 17, 2026
54 checks passed
thpierce deleted the fix-SC2086-shellcheck-errors branch February 17, 2026 20:39
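
Added example, not part of the PR or the repository's workflows: the two SC2086 failure modes named in the description (word splitting and glob expansion), reproduced on the `kubectl delete namespace $ns` and `zip -r file-${VERSION}.zip` patterns. `show_args`, `ns_unquoted`, `ns_quoted` and `zip_name` are hypothetical helpers and every value is constructed; no real tool is invoked.

```shell
#!/bin/sh
# Added example; all values below are constructed. show_args stands in for
# aws/kubectl/zip so the effect is visible without running any real tool.

# Print each argument the shell actually passed, one bracketed token per arg.
show_args() {
  for arg in "$@"; do printf '[%s]' "$arg"; done
}

# SC2086 pattern: unquoted expansion is word-split on IFS, then glob-expanded.
ns_unquoted() {
  ns=$1
  # shellcheck disable=SC2086
  show_args delete namespace $ns
}

# Fixed pattern: the value stays one argument whatever it contains.
ns_quoted() {
  ns=$1
  show_args delete namespace "$ns"
}

# Glob case: run in a scratch directory holding two constructed files so the
# expansion result is deterministic.
zip_name() {
  mode=$1 VERSION=$2
  scratch=$(mktemp -d) || return 1
  (
    cd "$scratch" || exit 1
    : > file-1.zip
    : > file-2.zip
    if [ "$mode" = unquoted ]; then
      # shellcheck disable=SC2086
      show_args file-${VERSION}.zip
    else
      show_args file-"${VERSION}".zip
    fi
  )
  rc=$?
  rm -rf "$scratch"
  return "$rc"
}

ns_unquoted 'team-a team-b'; echo   # two namespace arguments
ns_quoted 'team-a team-b'; echo     # one argument, space preserved
zip_name unquoted '*'; echo         # expands to the files on disk
zip_name quoted '*'; echo           # literal file-*.zip
```

For values without whitespace or glob characters both forms produce the same argument list, which is the case the description relies on when it calls the change behaviourally equivalent.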