[plan] Fix SC2129 compiler template: use grouped redirects instead of sequential `>>`

[github-actions]

Objective

Fix the compiler template that generates cat << 'GH_AW_PROMPT_EOF' > "$GH_AW_PROMPT" followed by >> appends, which triggers SC2129 (style suggestion: use grouped redirects) across 151 of 158 compiled workflows.

Context

From Static Analysis Report discussion #17668 (2026-02-22 scan):

• 164 SC2129 occurrences across 151 workflows — the most widespread issue
• SC2129 is a compiler output artifact — the shell script template in the compiler generates this pattern, so all lock files inherit it
• Fixing at the compiler level will eliminate 151 workflow issues at once

Technical Details

SC2129: "Consider using { cmd1; cmd2; } > file instead of individual redirects."

The compiler currently generates something like:

cat << 'GH_AW_PROMPT_EOF' > "$GH_AW_PROMPT"
...first chunk...
GH_AW_PROMPT_EOF
echo "...more content..." >> "$GH_AW_PROMPT"

The fix is to use a single grouped redirect or a single heredoc for the entire prompt construction, avoiding multiple separate >> redirections.

Steps

1. Locate the shell script template in the compiler — search for the GH_AW_PROMPT_EOF heredoc pattern in pkg/workflow/ or actions/setup/sh/
2. Refactor the generated shell script to use grouped redirects or consolidate all prompt construction into a single heredoc/command group
3. Run make recompile to regenerate all lock files with the new template
4. Verify SC2129 no longer appears: actionlint .github/workflows/*.lock.yml 2>&1 | grep SC2129 | wc -l should return 0
5. Run make agent-finish to validate everything passes

Acceptance Criteria

• SC2129 no longer appears in any compiled lock files
• All 158 workflows compile successfully
• make agent-finish passes

Generated by Plan Command for issue #discussion #17668

• expires on Feb 24, 2026, 7:00 AM UTC