ci: add shellcheck to pre-commit and fix existing warnings

[ralphbean]

Summary

• Add shellcheck-py pre-commit hook so all shell scripts are linted on every commit and in CI (no extra install step needed — the hook bundles its own binary)
• Fix all existing shellcheck warnings across 7 files (unused vars, bare redirections, useless cat, ungrouped appends)
• Globally suppress three codes that are false positives in this codebase: SC1091 (dynamic source paths), SC2001 (sed backrefs), SC2016 (intentional single-quoted $vars in GraphQL)

Test plan

• pre-commit run shellcheck --all-files passes clean
• make script-test passes — no regressions from the fixes

🤖 Generated with Claude Code

[github-actions]

Site preview

Preview: https://164e536e-site.fullsend-ai.workers.dev

Commit: adac6c8e5ec022606a26dbe5989d4063830c40f5

[fullsend-ai-review]

Review

Findings

High

• [protected-path] .pre-commit-config.yaml — This PR modifies a protected infrastructure file (.pre-commit-config.yaml) without a linked issue providing authorization for the change. The modification itself is sound (adding shellcheck-py as a pre-commit hook), but human approval is required for all protected-path changes. Consider linking a tracking issue to this PR.

Notes

The shellcheck fixes across all 7 files are correct and behavioral-preserving:

• > file → : > file — replaces bare redirections (SC2188) with the idiomatic null-command form
• Grouped consecutive >> $GITHUB_ENV appends into a single { ... } >> $GITHUB_ENV block (SC2129)
• Removed unused filename variable in hack/lint-workflow-size
• Renamed unused pr_url to _pr_url in pre-code.sh
• Replaced cat file | head with head file (SC2002)

The globally suppressed shellcheck codes are reasonable:

• SC1091 — dynamic source paths that shellcheck cannot follow
• SC2001 — sed with backreferences that cannot use ${var//search/replace}
• SC2016 — intentional single-quoted $vars in GraphQL heredocs (consistent with actionlint's existing SC2016 suppression)

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[high] protected-path

This PR modifies a protected infrastructure file (.pre-commit-config.yaml) without a linked issue providing authorization for the change. The modification itself is sound (adding shellcheck-py as a pre-commit hook), but human approval is required for all protected-path changes. Consider linking a tracking issue to this PR.