SafeEnvironmentFileRedirect

GITHUB_OUTPUT must be quoted.

Defined by SafeEnvironmentFileRedirectRule, which supports workflows and actions, in the "Default" ruleset.

Description

Environment files can be written in many different ways from shell scripts.

To be consistent with ShellCheck recommendations (SC2086 and SC2250), it is recommended to quote and use curly braces around environment file path variables, for example:

>> "${GITHUB_OUTPUT}"

While other styles also work, this style is the most robust and safe. If this style is copied elsewhere it can only benefit the target script. In short, the benefits are:

  • Quotes around file paths help with spaces and special characters.
  • Curly braces help with explicit variable references and disambiguation.
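The script below is an added example, not part of the validator or its documentation: it runs each redirect style in bash against a file path that contains a space, then shows what braces change when text follows the variable name. The temporary path, the `_bak` suffix and the helper names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed stand-in for the runner-provided file: the directory name
# contains a space on purpose (assumption; real runner paths differ).
demo_root="$(mktemp -d)"
trap 'rm -rf "${demo_root}"' EXIT
mkdir -p "${demo_root}/file commands"
GITHUB_OUTPUT="${demo_root}/file commands/set_output"
export GITHUB_OUTPUT

# try_redirect (hypothetical helper): run `echo ... >> <style>` in bash, the
# default shell for run: steps on ubuntu-latest, and report whether the
# line reached the file. $1 is the redirect target exactly as typed.
try_redirect() {
  : > "${GITHUB_OUTPUT}"
  # Clear POSIXLY_CORRECT so bash runs in its default mode.
  if (unset POSIXLY_CORRECT; bash -c "echo 'result=Example' >> $1") &&
     grep -qx 'result=Example' "${GITHUB_OUTPUT}"; then
    echo written
  else
    echo lost
  fi
}

# Braces decide where the variable name ends when text follows it.
# Without them the shell looks up GITHUB_OUTPUT_bak, which is unset.
suffix_without_braces() { printf '%s' "$GITHUB_OUTPUT_bak"; }
suffix_with_braces() { printf '%s' "${GITHUB_OUTPUT}_bak"; }

for style in '$GITHUB_OUTPUT' '${GITHUB_OUTPUT}' '"$GITHUB_OUTPUT"' '"${GITHUB_OUTPUT}"'; do
  printf '%-22s %s\n' ">> ${style}" "$(try_redirect "${style}")"
done
printf 'no braces: [%s]\n' "$(suffix_without_braces)"
printf 'braces:    [%s]\n' "$(suffix_with_braces)"
```

For the two unquoted styles bash prints an "ambiguous redirect" error on stderr and the output line never reaches the file.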

Compliant example

Fully quoted and safe access to GITHUB_OUTPUT environment variable.

example.yml

on: push
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - run: echo "result=Example" >> "${GITHUB_OUTPUT}"

Non-compliant example

Missing quotes and curly braces around GITHUB_OUTPUT.

example.yml

on: push
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - run: echo "result=Example" >> $GITHUB_OUTPUT

  • Line 6: Step[#0] in Job[example] should be formatted as >> "${GITHUB_OUTPUT}".