[plan] Fix critical shellcheck issues across high-priority workflows

[github-actions]

Objective

Address critical shellcheck errors (SC2155 and other high-impact issues) in the highest-traffic workflows to improve shell script reliability and prevent bugs.

Context

Tool: actionlint + shellcheck
Count: 197 errors across 118 workflows (95.2%)
Most Common: SC2155 - Declare and assign separately to avoid masking return values
Reference: https://www.shellcheck.net/wiki/SC2155

Shellcheck findings indicate shell scripting patterns that can lead to subtle bugs, masked errors, and unexpected behavior. SC2155 is particularly problematic because it can hide command failures.

Problem Example

Bad (SC2155):

local result=$(some_command)  # If some_command fails, $? is 0 (success)

Good:

local result
result=$(some_command)  # If some_command fails, $? reflects the failure

Approach

1. Identify the top 15-20 highest-traffic workflows with SC2155 errors
2. For each workflow, review shell script blocks in the compiled .lock.yml files
3. Separate variable declaration from assignment for local variables
4. Add proper error checking after command execution
5. Test that the fix doesn't break workflow functionality
6. Run make recompile after modifying the source .md files

Priority workflows (likely high-traffic based on naming):

• CI/CD workflows (ci-doctor, ci-coach)
• Security workflows (security-compliance, security-fix-pr)
• Core automation (audit-workflows, compiler-checker)

Files to Modify

Target 15-20 workflows with the highest impact:

• .github/workflows/ci-doctor.md
• .github/workflows/ci-coach.md
• .github/workflows/security-compliance.md
• .github/workflows/audit-workflows.md
• Plus 10-15 more from the affected list

Example Fix

Before (in workflow .md file):

- name: Process result
  run: |
    local output=$(git status)
    echo "$output"

After:

- name: Process result
  run: |
    local output
    output=$(git status) || { echo "git status failed"; exit 1; }
    echo "$output"

Acceptance Criteria

• Top 15-20 workflows have SC2155 fixed
• Proper error handling added for command execution
• All modified workflows compile successfully
• Shellcheck error count reduced by at least 50 issues
• No functionality broken by the changes
• make test passes

Testing

# After each fix, compile and check
make build
./gh-aw compile .github/workflows/<workflow-name>.md

# Run actionlint to verify shellcheck issues reduced
make recompile
actionlint .github/workflows/*.lock.yml 2>&1 | grep "SC2155" | wc -l

# Run full test suite
make test

Notes

• Focus on SC2155 first as it's the most common and impactful
• Don't fix all 197 issues at once - start with high-priority workflows
• Consider creating a follow-up issue for remaining shellcheck fixes
• Document patterns in DEVGUIDE.md for future workflow authors
  Related to [plan] Security remediation plan for static analysis findings (Jan 14, 2026) #9990

AI generated by Plan Command for discussion #9966

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

AI generated by Issue Monster