From 1fbc195f6631ceaed5f56594111743910efcde8c Mon Sep 17 00:00:00 2001
From: Otto Jongerius <otto@0tt0.net>
Date: Sun, 5 Apr 2026 20:22:36 +1200
Subject: [PATCH 1/2] ci: add shellcheck to CI workflow and lefthook

Add shellcheck.yml workflow triggered on .sh file changes, and
a shellcheck pre-commit hook via lefthook. Matches the pattern
used in the ar monorepo.
---
 .github/workflows/shellcheck.yml | 23 +++++++++++++++++++++++
 lefthook.yml                     |  4 ++++
 2 files changed, 27 insertions(+)
 create mode 100644 .github/workflows/shellcheck.yml

diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
new file mode 100644
index 0000000..bf225f6
--- /dev/null
+++ b/.github/workflows/shellcheck.yml
@@ -0,0 +1,23 @@
+name: "CI: shellcheck"
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "**/*.sh"
+  pull_request:
+    branches: [main]
+    paths:
+      - "**/*.sh"
+
+permissions:
+  contents: read
+
+jobs:
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run shellcheck on all shell scripts
+        run: find . -name '*.sh' -not -path './.git/*' -print0 | xargs -0 --no-run-if-empty shellcheck
diff --git a/lefthook.yml b/lefthook.yml
index 9783ee0..6574cb6 100644
--- a/lefthook.yml
+++ b/lefthook.yml
@@ -20,6 +20,10 @@ pre-commit:
       glob: "**/*.{go,mod,sum}"
       run: go test ./...
 
+    - name: shellcheck
+      glob: "**/*.sh"
+      run: command -v shellcheck >/dev/null 2>&1 && shellcheck {staged_files} || echo "shellcheck not installed — skipping"
+
 commit-msg:
   commands:
     conventional-commit:

From e0e58cb24aab46c33f8db9aa89f5eccac7de167f Mon Sep 17 00:00:00 2001
From: Otto Jongerius <otto@0tt0.net>
Date: Sun, 5 Apr 2026 21:07:02 +1200
Subject: [PATCH 2/2] fix: address PR review feedback on shellcheck setup

- Fix lefthook command to not swallow shellcheck failures
- Add workflow file itself to path triggers
- Update header comment to clarify staged-only for shellcheck
---
 .github/workflows/shellcheck.yml | 2 ++
 lefthook.yml                     | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index bf225f6..dd953b9 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -5,10 +5,12 @@ on:
     branches: [main]
     paths:
       - "**/*.sh"
+      - ".github/workflows/shellcheck.yml"
   pull_request:
     branches: [main]
     paths:
       - "**/*.sh"
+      - ".github/workflows/shellcheck.yml"
 
 permissions:
   contents: read
diff --git a/lefthook.yml b/lefthook.yml
index 6574cb6..167f1fc 100644
--- a/lefthook.yml
+++ b/lefthook.yml
@@ -3,7 +3,7 @@
 # Docs: https://lefthook.dev/configuration/
 #
 # Glob patterns determine whether a job runs (based on staged files).
-# The run commands then check the entire module — not just staged files.
+# Go checks run on the entire module; shellcheck runs on staged files only.
 
 pre-commit:
   parallel: true
@@ -22,7 +22,7 @@ pre-commit:
 
     - name: shellcheck
       glob: "**/*.sh"
-      run: command -v shellcheck >/dev/null 2>&1 && shellcheck {staged_files} || echo "shellcheck not installed — skipping"
+      run: if command -v shellcheck >/dev/null 2>&1; then shellcheck {staged_files}; else echo "shellcheck not installed — skipping"; fi
 
 commit-msg:
   commands: