pr.yaml: quote $GITHUB_OUTPUT writes (SC2086)#169
Merged
Conversation
Downstream propagation of Chris-Wolfgang/repo-template#426. actionlint's shellcheck integration flags four SC2086 info-level findings on bash heredocs that write to $GITHUB_OUTPUT without quotes: Double quote to prevent globbing and word splitting GitHub sets GITHUB_OUTPUT to a fixed path with no spaces or globs, so the prior form was safe in practice — but the quoted form is the universally-correct shape and matches what actionlint and shellcheck v0.9+ keep expecting. PowerShell refs ($env:GITHUB_OUTPUT) are PowerShell syntax inside Stage 2 Windows jobs, not bash — shellcheck doesn't flag them and they don't need quoting.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Downstream propagation of repo-template#426.
Quotes the four bash
echo ... >> $GITHUB_OUTPUTwrites in pr.yaml so actionlint's shellcheck integration stops flagging SC2086 info-level findings. GitHub setsGITHUB_OUTPUTto a fixed path with no spaces or globs, so the prior form was safe in practice — but the quoted form is the universally-correct shape.Surfaced when ETL-Csv#125 added actionlint to that repo's workflow-security check. Every fleet repo that syncs pr.yaml inherits the bug; this PR brings System.Mail-Extensions in line ahead of the next template sync.
PowerShell refs (
$env:GITHUB_OUTPUT) are PowerShell syntax, not bash — shellcheck doesn't flag them and they don't need quoting.Heads-up: pr.yaml is a protected file under its own "Detect .NET Projects" guard. Expect that check to fail on this PR; admin-bypass merge to land.