[plan] Suppress actionlint SC1003 false positives for AWF --allow-domains arguments #18287

@github-actions

Objective

Suppress the systemic shellcheck/SC1003 false positives in actionlint that generate 156 noisy findings across 28 workflows, as reported in discussion #18283.

Context

Shellcheck incorrectly reports SC1003 (single-quote escaping issue) on --allow-domains URL list arguments in AWF commands. These arguments contain domain name strings inside double-quoted shell expressions — shellcheck misidentifies single quotes in domain names (e.g., can't) as problematic. These are false positives with no real security impact.

  • Tool: actionlint / shellcheck
  • Count: 156 occurrences across 28 workflows
  • Pattern: AWF --allow-domains arguments with domain names containing single quotes

Approach

  1. Check if actionlint supports a configuration file (.github/actionlint.yaml or .actionlint.yaml)
  2. Add SC1003 suppression to the actionlint config:

    # .github/actionlint.yaml
    shellcheck:
      disable:
        - SC1003

Or alternatively, identify the AWF command template that generates these steps and add an inline shellcheck disable comment:

    # shellcheck disable=SC1003
    gh aw run --allow-domains "..."

  3. If suppression is added to a compiled workflow template in Go code (e.g., in pkg/workflow/), find the relevant template and add the disable comment there
  4. Run make recompile to regenerate all .lock.yml files
  5. Run make agent-finish to validate

Files to Modify

  • .github/actionlint.yaml (create if not exists) — add SC1003 suppression
  • OR the relevant Go template in pkg/workflow/ that generates the --allow-domains step

Acceptance Criteria

  • actionlint no longer reports SC1003 for AWF --allow-domains steps
  • Configuration approach is documented with a comment explaining it's a false positive
  • make recompile succeeds
  • make agent-finish passes

Generated by Plan Command for issue #discussion #18283

  • expires on Feb 27, 2026, 6:53 AM UTC
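
One way to check the first acceptance criterion, as an added example that is not part of the issue or the project's code: compare actionlint output captured before and after the change, confirming that no SC1003 finding remains and that no finding for any other shellcheck code disappeared with it. It assumes actionlint's default one-line output format for shellcheck findings; the workflow file names and messages in the sample are constructed.

```python
import re
from collections import Counter

# Assumed shape of a shellcheck finding in actionlint's default one-line output.
FINDING = re.compile(
    r"^(?P<file>[^:]+):\d+:\d+: shellcheck reported issue in this script: "
    r"(?P<code>SC\d+):\w+:\d+:\d+: .* \[shellcheck\]$"
)

def findings(output):
    """Count shellcheck findings keyed by (workflow file, SC code)."""
    counts = Counter()
    for line in output.splitlines():
        m = FINDING.match(line.strip())
        if m:
            counts[(m["file"], m["code"])] += 1
    return counts

def suppression_report(before, after, code="SC1003"):
    """Compare two actionlint runs.

    remaining: findings for `code` still reported after the change.
    lost: findings for any other code that vanished, meaning the
          suppression was broader than intended.
    """
    b, a = findings(before), findings(after)
    remaining = {k: n for k, n in a.items() if k[1] == code}
    lost = {k: n - a[k] for k, n in b.items() if k[1] != code and a[k] < n}
    return remaining, lost

# Constructed sample output (file names and messages are made up).
A = ".github/workflows/example-a.lock.yml"
B = ".github/workflows/example-b.lock.yml"
TAIL = "constructed message [shellcheck]"
BEFORE = "\n".join([
    f"{A}:120:9: shellcheck reported issue in this script: SC1003:info:3:41: {TAIL}",
    f"{A}:188:9: shellcheck reported issue in this script: SC1003:info:3:41: {TAIL}",
    f"{B}:97:9: shellcheck reported issue in this script: SC1003:info:3:41: {TAIL}",
    f"{B}:64:9: shellcheck reported issue in this script: SC2086:info:1:6: {TAIL}",
])
AFTER = f"{B}:64:9: shellcheck reported issue in this script: SC2086:info:1:6: {TAIL}"

if __name__ == "__main__":
    remaining, lost = suppression_report(BEFORE, AFTER)
    print("SC1003 still reported:", remaining)
    print("other findings lost:", lost)
```
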
