diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
new file mode 100644
index 0000000..dd953b9
--- /dev/null
+++ b/.github/workflows/shellcheck.yml
@@ -0,0 +1,25 @@
+name: "CI: shellcheck"
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "**/*.sh"
+      - ".github/workflows/shellcheck.yml"
+  pull_request:
+    branches: [main]
+    paths:
+      - "**/*.sh"
+      - ".github/workflows/shellcheck.yml"
+
+permissions:
+  contents: read
+
+jobs:
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run shellcheck on all shell scripts
+        run: find . -name '*.sh' -not -path './.git/*' -print0 | xargs -0 --no-run-if-empty shellcheck
diff --git a/lefthook.yml b/lefthook.yml
index 9783ee0..167f1fc 100644
--- a/lefthook.yml
+++ b/lefthook.yml
@@ -3,7 +3,7 @@
 # Docs: https://lefthook.dev/configuration/
 #
 # Glob patterns determine whether a job runs (based on staged files).
-# The run commands then check the entire module — not just staged files.
+# Go checks run on the entire module; shellcheck runs on staged files only.
 
 pre-commit:
   parallel: true
@@ -20,6 +20,10 @@ pre-commit:
       glob: "**/*.{go,mod,sum}"
       run: go test ./...
 
+    - name: shellcheck
+      glob: "**/*.sh"
+      run: if command -v shellcheck >/dev/null 2>&1; then shellcheck {staged_files}; else echo "shellcheck not installed — skipping"; fi
+
 commit-msg:
   commands:
     conventional-commit: