Fix SC2086: Quote ${GITHUB_WORKSPACE} in generated workflow steps #3288

Merged
pelikhan merged 3 commits into main from copilot/fix-sc2086-quote-variables-again
Nov 6, 2025

Copilot AI commented Nov 5, 2025

The workflow compiler was generating shell commands with unquoted ${GITHUB_WORKSPACE} variables, triggering 108 SC2086 shellcheck warnings across 19 workflows.

Changes

Compiler fixes (5 files):

  • pkg/workflow/copilot_engine.go - Quote cleanup script paths and agent file paths
  • pkg/workflow/claude_engine.go - Quote agent file paths in awk commands
  • pkg/workflow/codex_engine.go - Quote agent file paths in awk commands

Test updates (3 files):

  • Updated test expectations to match quoted variable format

Example

Before (SC2086 warning):

run: ${GITHUB_WORKSPACE}/scripts/ci/cleanup.sh || true

After (compliant):

run: '"${GITHUB_WORKSPACE}"/scripts/ci/cleanup.sh || true'

All affected workflows recompiled. Zero GITHUB_WORKSPACE SC2086 errors remain.

Original prompt

This section details the original issue you should resolve

<issue_title>[task] Fix SC2086: Quote shell variables in workflow markdown files</issue_title>
<issue_description>## Objective
Fix 108 shellcheck SC2086 warnings by adding double quotes around shell variable expansions in workflow markdown files.

Context

This is needed to prevent word splitting and glob expansion issues. Part of discussion #3280 (Static Analysis Report - November 5, 2025).

The most common finding (93% of all static analysis issues) is unquoted ${GITHUB_WORKSPACE} variable usage across 19 workflows.

Approach

  1. Add double quotes around all ${GITHUB_WORKSPACE} variable expansions
  2. Use sed script to automate the bulk of fixes
  3. Manually review and fix any complex cases
  4. Recompile workflows and verify with actionlint

Files to Modify

Workflow Files (19 total):

  • .github/workflows/artifacts-summary.md
  • .github/workflows/changeset.md
  • .github/workflows/cli-version-checker.md
  • .github/workflows/copilot-pr-nlp-analysis.md
  • .github/workflows/copilot-pr-prompt-analysis.md
  • .github/workflows/daily-firewall-report.md
  • .github/workflows/daily-news.md
  • .github/workflows/daily-repo-chronicle.md
  • .github/workflows/dev.firewall.md
  • .github/workflows/firewall.md
  • .github/workflows/mcp-inspector.md
  • .github/workflows/python-data-charts.md
  • .github/workflows/research.md
  • .github/workflows/smoke-copilot.md
  • .github/workflows/technical-doc-writer.md
  • .github/workflows/weekly-issue-summary.md
  • .github/workflows/shared/mcp/arxiv.md
  • .github/workflows/shared/mcp/context7.md
  • .github/workflows/shared/mcp/opencode.md

Fix Pattern

# Before (unquoted - causes SC2086 warning)
${GITHUB_WORKSPACE}/scripts/ci/cleanup.sh

# After (quoted - shellcheck compliant)
"${GITHUB_WORKSPACE}"/scripts/ci/cleanup.sh

Acceptance Criteria

  • All 108 SC2086 warnings are resolved
  • Variables are properly quoted: "${GITHUB_WORKSPACE}"/path
  • Workflows recompile successfully with gh aw compile
  • No actionlint SC2086 errors when running gh aw compile --actionlint
  • All affected workflows still function correctly

Testing Steps

  1. Apply fixes to workflow markdown files
  2. Run: gh aw compile --actionlint
  3. Verify: No SC2086 warnings in output
  4. Test: Run a sample affected workflow to ensure functionality

Reference

AI generated by Plan Command for discussion #3280</issue_description>

Comments on the Issue (you are @copilot in this section)

@pelikhan @copilot double check about where to place quotes to fix the issue

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan pelikhan added the smoke label Nov 5, 2025

github-actions bot commented Nov 5, 2025

Agentic Changeset Generator triggered by this pull request.

Copilot AI changed the title from "[WIP] Fix SC2086 warnings by quoting shell variables in workflows" to "Fix SC2086: Quote ${GITHUB_WORKSPACE} in generated workflow steps" Nov 5, 2025
Copilot AI requested a review from pelikhan November 5, 2025 22:29
@pelikhan pelikhan added smoke and removed smoke labels Nov 5, 2025

github-actions bot commented Nov 5, 2025

Agentic Changeset Generator triggered by this pull request.

@pelikhan pelikhan marked this pull request as ready for review November 6, 2025 00:19
Copilot AI review requested due to automatic review settings November 6, 2025 00:19
@pelikhan pelikhan merged commit d535ef6 into main Nov 6, 2025
8 checks passed
@pelikhan pelikhan deleted the copilot/fix-sc2086-quote-variables-again branch November 6, 2025 00:20

Copilot AI left a comment

Pull Request Overview

This PR addresses ShellCheck warning SC2086 by adding quotes around ${GITHUB_WORKSPACE} variable references in generated shell commands. The changes update both the code generation logic and test expectations to ensure proper shell variable quoting throughout the workflow compilation process.

Key changes:

  • Modified cleanup script path generation to use quoted ${GITHUB_WORKSPACE} references
  • Updated agent file path handling to quote the ${GITHUB_WORKSPACE} portion
  • Added single-quote wrapping around cleanup script commands to prevent word splitting
  • Updated all test assertions to verify the new quoted format

Reviewed Changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| pkg/workflow/copilot_engine.go | Updated agent path and cleanup script path generation to quote ${GITHUB_WORKSPACE} |
| pkg/workflow/claude_engine.go | Updated agent path generation to quote ${GITHUB_WORKSPACE} |
| pkg/workflow/codex_engine.go | Updated agent path generation to quote ${GITHUB_WORKSPACE} |
| pkg/workflow/firewall_args_test.go | Updated test assertions to expect quoted ${GITHUB_WORKSPACE} |
| pkg/workflow/firewall_args_integration_test.go | Updated integration test to expect quoted cleanup script paths |
| pkg/workflow/engine_agent_import_test.go | Updated test assertions to expect quoted agent file paths |
| .github/workflows/*.lock.yml | Regenerated workflow lock files with quoted variable references |
| .changeset/patch-fix-sc2086-quote-variables.md | Added changeset documenting the SC2086 fix |

if workflowData.AgentFile != "" {
// Agent file path is relative to repository root, so prefix with $GITHUB_WORKSPACE
agentPath := fmt.Sprintf("${GITHUB_WORKSPACE}/%s", workflowData.AgentFile)
agentPath := fmt.Sprintf("\"${GITHUB_WORKSPACE}\"/%s", workflowData.AgentFile)
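
Review bot: In the added agentPath line the closing quote sits before /%s, so workflowData.AgentFile is still emitted outside the double quotes; an agent file name containing a space or a glob character would split or expand exactly as the unquoted variable did. Consider quoting the whole path, for example "\"${GITHUB_WORKSPACE}/%s\"", and confirm that whatever consumes agentPath does not apply a second layer of escaping on top of these literal quotes.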

Copilot AI Nov 6, 2025

The agent path quoting creates nested quotes that will be escaped incorrectly. The variable agentPath includes literal double quotes around ${GITHUB_WORKSPACE}, which will then be wrapped in single quotes by shellEscapeArg() (called via shellJoinArgs()), resulting in '\"${GITHUB_WORKSPACE}\"/.github/agents/file.md'. This prevents variable expansion because the $ is inside single quotes. Instead, construct the path without pre-quoting and let shellJoinArgs handle the escaping, or use a different quoting strategy that preserves variable expansion.

Suggested change
agentPath := fmt.Sprintf("\"${GITHUB_WORKSPACE}\"/%s", workflowData.AgentFile)
agentPath := fmt.Sprintf("${GITHUB_WORKSPACE}/%s", workflowData.AgentFile)

Copilot uses AI. Check for mistakes.
if workflowData.AgentFile != "" {
// Agent file path is relative to repository root, so prefix with $GITHUB_WORKSPACE
agentPath := fmt.Sprintf("${GITHUB_WORKSPACE}/%s", workflowData.AgentFile)
agentPath := fmt.Sprintf("\"${GITHUB_WORKSPACE}\"/%s", workflowData.AgentFile)
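
Review bot: The agentPath expression here is character-for-character the same as in the other agentPath hunks on this page, so the quoting rule now lives in several places. A single helper that builds the workspace-relative path would let the quote placement be changed and tested once instead of per engine.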

Copilot AI Nov 6, 2025

The agent path quoting creates nested quotes. When this path is used in the shell command at line 178, it's passed directly to awk without additional quoting. The literal double quotes around ${GITHUB_WORKSPACE} will cause shell parsing issues. The variable expansion will work here because it's not being passed through shellEscapeArg(), but the double quotes will be interpreted literally by awk, potentially causing the file path to be incorrect.

Suggested change
agentPath := fmt.Sprintf("\"${GITHUB_WORKSPACE}\"/%s", workflowData.AgentFile)
agentPath := fmt.Sprintf("${GITHUB_WORKSPACE}/%s", workflowData.AgentFile)

if workflowData.AgentFile != "" {
// Agent file path is relative to repository root, so prefix with $GITHUB_WORKSPACE
agentPath := fmt.Sprintf("${GITHUB_WORKSPACE}/%s", workflowData.AgentFile)
agentPath := fmt.Sprintf("\"${GITHUB_WORKSPACE}\"/%s", workflowData.AgentFile)
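
Review bot: The comment above agentPath still says only "prefix with $GITHUB_WORKSPACE" and does not mention that the string now carries literal double quotes. Since the value is no longer a plain path, the comment should say that it is a shell fragment and state where it may be used (unescaped in a command line) and where it may not (as an argument that gets escaped again).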

Copilot AI Nov 6, 2025

The agent path quoting creates nested quotes. When this path is used in the shell command at line 112, it's passed directly to awk without additional quoting. The literal double quotes around ${GITHUB_WORKSPACE} will cause shell parsing issues. The variable expansion will work here because it's not being passed through shellEscapeArg(), but the double quotes will be interpreted literally by awk, potentially causing the file path to be incorrect.

Suggested change
agentPath := fmt.Sprintf("\"${GITHUB_WORKSPACE}\"/%s", workflowData.AgentFile)
agentPath := fmt.Sprintf("${GITHUB_WORKSPACE}/%s", workflowData.AgentFile)

func generateAWFCleanupStep(scriptPath string) GitHubActionStep {
if scriptPath == "" {
scriptPath = "${GITHUB_WORKSPACE}/scripts/ci/cleanup.sh"
scriptPath = "\"${GITHUB_WORKSPACE}\"/scripts/ci/cleanup.sh"
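
Review bot: Only the default assigned inside if scriptPath == "" gets the quotes; a non-empty scriptPath supplied by the caller passes through unchanged, so whether the generated step is quoted depends on which branch ran. Either quote at the point where the command string is assembled, or document that callers must pass an already-quoted shell fragment.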

Copilot AI Nov 6, 2025

The cleanup script path includes literal double quotes around ${GITHUB_WORKSPACE}, which will become part of the actual path string. Combined with the outer single quotes added at line 901 ('%s || true'), the resulting command will be '"${GITHUB_WORKSPACE}"/scripts/ci/cleanup.sh || true', where the double quotes are literal characters preventing proper variable expansion. The path should either not include the quotes (relying on the outer single quotes) or use a different quoting mechanism.

Suggested change
scriptPath = "\"${GITHUB_WORKSPACE}\"/scripts/ci/cleanup.sh"
scriptPath = "${GITHUB_WORKSPACE}/scripts/ci/cleanup.sh"

func generateAWFPostExecutionCleanupStep(scriptPath string) GitHubActionStep {
if scriptPath == "" {
scriptPath = "${GITHUB_WORKSPACE}/scripts/ci/cleanup.sh"
scriptPath = "\"${GITHUB_WORKSPACE}\"/scripts/ci/cleanup.sh"
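
Review bot: The default "\"${GITHUB_WORKSPACE}\"/scripts/ci/cleanup.sh" is repeated verbatim from generateAWFCleanupStep. Lifting it into one named constant would keep the two cleanup steps from drifting apart the next time the quoting is adjusted.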

Copilot AI Nov 6, 2025

The cleanup script path includes literal double quotes around ${GITHUB_WORKSPACE}, which will become part of the actual path string. Combined with the outer single quotes added at line 981 ('%s || true'), the resulting command will be '"${GITHUB_WORKSPACE}"/scripts/ci/cleanup.sh || true', where the double quotes are literal characters preventing proper variable expansion. The path should either not include the quotes (relying on the outer single quotes) or use a different quoting mechanism.

Suggested change
scriptPath = "\"${GITHUB_WORKSPACE}\"/scripts/ci/cleanup.sh"
scriptPath = "${GITHUB_WORKSPACE}/scripts/ci/cleanup.sh"
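
The question running through this thread is which layer each quote belongs to. The following is an added example, not code from this pull request or its project: it feeds the command forms quoted above to `sh` with a constructed workspace path containing a space and reports how many words result. The path `/tmp/ws demo`, the helper `yaml_single_unquote`, and the use of plain shell single quotes to stand in for the escaping helper named in the review are assumptions.

```shell
#!/bin/sh
# Added example: which quoting layer decides whether ${GITHUB_WORKSPACE}
# expands and whether it word-splits. All names and paths are constructed.
WS='/tmp/ws demo'   # constructed workspace path containing a space

UNQUOTED='${GITHUB_WORKSPACE}/scripts/ci/cleanup.sh'   # SC2086 form
QUOTED='"${GITHUB_WORKSPACE}"/scripts/ci/cleanup.sh'   # form from the PR
SHELL_SINGLE="'$QUOTED'"              # single quotes seen by the shell
YAML_RUN="'$QUOTED || true'"          # scalar written after "run: "

# Hypothetical helper: model how a YAML parser reads a single-quoted scalar
# (outer quotes dropped, '' becomes '). Its output is what the shell receives.
yaml_single_unquote() {
  printf '%s\n' "$1" | sed -e "s/^'//" -e "s/'\$//" -e "s/''/'/g"
}

# word_count TEMPLATE: number of words the shell produces for TEMPLATE.
word_count() {
  GITHUB_WORKSPACE="$WS" sh -c "set -- $1; echo \$#"
}

# first_word TEMPLATE: the first word after the shell has processed TEMPLATE.
first_word() {
  GITHUB_WORKSPACE="$WS" sh -c "set -- $1; printf '%s\n' \"\$1\""
}

report() {
  printf '%-13s words=%s first=%s\n' "$1" "$(word_count "$2")" "$(first_word "$2")"
}

report unquoted     "$UNQUOTED"
report quoted       "$QUOTED"
report shell-single "$SHELL_SINGLE"
# Drop the trailing "|| true" so only the command word is measured.
YAML_CMD=$(yaml_single_unquote "$YAML_RUN")
report yaml-run     "${YAML_CMD% || true}"
```

Only the form whose single quotes reach the shell leaves `${GITHUB_WORKSPACE}` unexpanded; single quotes consumed by the YAML parser are gone before the shell runs.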


Development

Successfully merging this pull request may close these issues.

[task] Fix SC2086: Quote shell variables in workflow markdown files
