fix(actionlint): quote RUNNER_TEMP paths and add SC2016 to AWF shellcheck disable#42224
Merged
Merged
Conversation
…ctionlint spike Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Update static analysis report for 2026-06-29
fix(actionlint): quote RUNNER_TEMP paths and add SC2016 to AWF shellcheck disable
Jun 29, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Reduces actionlint/ShellCheck noise in generated workflows by (1) quoting ${RUNNER_TEMP}-based Node script paths to prevent word-splitting warnings and (2) extending the generated AWF invocation’s shellcheck disable directive to include SC2016 for intentionally single-quoted bash -c payloads.
Changes:
- Quote the
generate_usage_activity_summary.cjsinvocation path in the usage artifact collection step emitter. - Add
SC2016to the compiler-emitted AWF shellcheck disable directive (and update rationale comments). - Recompile and update golden fixtures and compiled
.lock.ymlworkflows to reflect the new emitted output.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/notify_comment.go | Quotes generated Node script path under ${RUNNER_TEMP} to avoid SC2086 word-splitting warnings. |
| pkg/workflow/notify_comment_test.go | Updates assertions to require the quoted Node invocation and reject the unquoted form. |
| pkg/workflow/awf_helpers.go | Adds SC2016 to the generated shellcheck disable directive (with rationale comment update). |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden | Updates golden output to include SC2016 in AWF shellcheck directive. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden | Updates golden output to include SC2016 in AWF shellcheck directive. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden | Updates golden output to include SC2016 in AWF shellcheck directive. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden | Updates golden output to include SC2016 in AWF shellcheck directive. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden | Updates golden output to include SC2016 in AWF shellcheck directive. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden | Updates golden output to include SC2016 in AWF shellcheck directive. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden | Updates golden output to include SC2016 in AWF shellcheck directive. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden | Updates golden output to include SC2016 in AWF shellcheck directive. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden | Updates golden output to include SC2016 in AWF shellcheck directive. |
| .github/workflows/test-workflow.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/test-project-url-default.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/test-dispatcher.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/smoke-opencode.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/smoke-gemini.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/smoke-crush.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/smoke-ci.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/smoke-antigravity.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/release.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/hippo-embed.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/firewall.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/example-permissions-warning.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/docs-noob-tester.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-performance-summary.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-observability-report.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-news.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-multi-device-docs-tester.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-model-resolution.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-model-inventory.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-max-ai-credits-test.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-malicious-code-scan.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-issues-report.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-hippo-learn.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-geo-optimizer.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-function-namer.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-fact.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-experiment-report.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-doc-updater.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-credit-limit-test.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-compiler-quality.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-cli-tools-tester.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-cli-performance.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-byok-ollama-test.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-awf-spec-compiler-surfacing.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-architecture-diagram.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/daily-ambient-context-optimizer.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/craft.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/copilot-pr-prompt-analysis.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/copilot-pr-nlp-analysis.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/copilot-pr-merged-report.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/copilot-opt.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/contribution-check.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/constraint-solving-potd.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/commit-changes-analyzer.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/code-scanning-fixer.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/cli-consistency-checker.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/ci-coach.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/chaos-pr-bundle-fuzzer.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/changeset.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/breaking-change-checker.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/brave.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/bot-detection.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/auto-triage-issues.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/artifacts-summary.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/architecture-guardian.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/archie.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/ai-moderator.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/agentic-token-optimizer.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/agent-persona-explorer.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/agent-performance-analyzer.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/ace-editor.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
| .github/workflows/ab-testing-advisor.lock.yml | Regenerated compiled workflow output: SC2016 suppression + quoted ${RUNNER_TEMP} Node path. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 206/269 changed files
- Comments generated: 1
- Review effort level: Low
Comment on lines
+69
to
+71
| // - SC2016 is expected because ${RUNNER_TEMP} and similar runtime variables appear | ||
| // inside the single-quoted bash -c '...' argument intentionally — they are expanded | ||
| // by the outer runner shell before AWF receives them, not by the inner bash -c. |
Contributor
|
🎉 This pull request is included in a new release. Release: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Static analysis reported a +450 actionlint spike on 2026-06-29 (SC2086 5→262, SC2016 326→519), both traced to compiler emitter output across all 257 lock files.
SC2086 (+257) —
notify_comment.goUsage artifact collection step emitted an unquoted
${RUNNER_TEMP}path:SC2016 (+193) —
awf_helpers.goThe AWF command wraps its inner command in
bash -c '...'.${RUNNER_TEMP}references inside this single-quoted argument are intentionally expanded by the outer runner shell — SC2016 is a false positive here, consistent with how SC1003 and SC2086 are already suppressed on the same step:All 257 lock files recompiled and golden fixtures updated. Net result: SC2086 262→5, SC2016 519→21.