Fix SC2086 shellcheck errors: quote variables to prevent globbing and word splitting

[thpierce]

Summary

This PR fixes all SC2086 shellcheck errors by properly quoting shell variables to prevent unintended word splitting and glob expansion.

Changes Made

Files Modified (45 workflow files)

All changes involve adding double quotes around variables in shell scripts within GitHub Actions workflows.

Key Patterns Fixed

1. GitHub Actions Variables (most common):

   • >> $GITHUB_OUTPUT → >> "$GITHUB_OUTPUT"
   • >> $GITHUB_ENV → >> "$GITHUB_ENV"
   • >> $GITHUB_PATH → >> "$GITHUB_PATH"

2. AWS CLI Commands:

   • --instance-ids $instance_id → --instance-ids "$instance_id"
   • --secret-id $SECRET_NAME → --secret-id "$SECRET_NAME"
   • Values=$instance_id → Values="$instance_id"

3. Kubernetes Commands:

   • kubectl delete namespace $ns → kubectl delete namespace "$ns"
   • kubectl get pods -n $ns → kubectl get pods -n "$ns"

4. Docker Commands:

   • docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG → docker build -t "$REGISTRY/$REPOSITORY:$IMAGE_TAG"

5. File Operations:

   • zip -r file-${VERSION}.zip → zip -r file-"${VERSION}".zip
   • mkdir -p $ARTIFACTS_DIR → mkdir -p "$ARTIFACTS_DIR"

6. Function Calls:

   • watch_command $command_id → watch_command "$command_id"
   • check_instance_ready ${{...}} → check_instance_ready "${{...}}"

7. Command Substitutions:

   • echo $DIRS | jq → echo "$DIRS" | jq
   • tee --append $GITHUB_ENV → tee --append "$GITHUB_ENV"

Why This Change Is Safe

Code Quality Improvement

SC2086 warnings indicate potential bugs where:

• Variables containing spaces would be split into multiple arguments
• Variables containing glob characters (*, ?, []) would be expanded

Behavioral Equivalence

All fixes maintain identical behavior because:

1. GitHub Actions variables ($GITHUB_OUTPUT, $GITHUB_ENV, $GITHUB_PATH) are file paths that should always be quoted
2. AWS resource IDs (instance IDs, secret names) don't contain spaces or special characters, but quoting is defensive programming
3. Docker image names follow strict naming conventions without spaces
4. Kubernetes namespace names follow DNS label standards (no spaces)
5. File paths and directory names in the codebase don't contain spaces, but quoting prevents issues if they ever do

No Functional Changes

• No logic changes
• No conditional changes
• No command changes
• Only added quotes around variables

Testing

Validation Command

actionlint -color -ignore SC2004 -ignore SC2129 -ignore SC2016 -ignore SC2010 -ignore SC2015 -ignore SC2260 -ignore SC2046 -ignore SC2181 .github/workflows/*.yml

Result

✅ Exit code: 0 - All SC2086 errors resolved

Test Scenarios

The changes were validated to ensure:

1. ✅ Variables are properly quoted in all contexts
2. ✅ No syntax errors introduced
3. ✅ actionlint passes with all remaining ignore flags
4. ✅ All workflow files are valid YAML

Impact Assessment

Type: Code Quality Improvement

This is a code quality fix, not a bug fix. The code worked before because:

• GitHub Actions variables don't contain spaces
• AWS resource IDs follow strict naming conventions
• Docker and Kubernetes names are validated

Benefits

• Improved robustness: Prevents future issues if variable values change
• Better practices: Follows shellcheck recommendations
• Cleaner codebase: Reduces technical debt
• Easier maintenance: One less warning category to ignore

Removed from Ignore List

• Deleted comment: # SC2086: Double quote to prevent globbing and word splitting (212 occurrences)
• Removed flag: -ignore SC2086

Files Changed

45 workflow files across all test suites (Java, Python, Node, .NET, K8s, ECS, EKS, Lambda, EC2, etc.)

Next Steps

After this PR merges, the team can continue systematically removing other shellcheck suppressions from the ignore list.