From ef06c7837248a4c5c62dda4014cda23107a0fc18 Mon Sep 17 00:00:00 2001
From: Morgan Roderick
Date: Wed, 10 Jun 2026 18:54:36 +0200
Subject: [PATCH 1/3] ci: add shellcheck for shell scripts

Adds shellcheck to CI workflow with warning severity threshold to catch shell script issues before merge.

Closes #13
---
 .github/workflows/ci.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f12c11e..3c94aa1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -52,6 +52,19 @@ jobs:
 persist-credentials: false
 - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+ shellcheck:
+ needs:
+ - commitlint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Run shellcheck
+ uses: ludeeus/action-shellcheck@00b27aa7cb85167568d10283c1dce7810666b51d # v2.1.0
+ with:
+ severity: warning
+
 smoke:
 needs:
 - commitlint
From c5fea457754906d900c28af5d881fc5dcb631f5c Mon Sep 17 00:00:00 2001
From: Morgan Roderick
Date: Wed, 10 Jun 2026 18:56:06 +0200
Subject: [PATCH 2/3] fix(ci): use correct action-shellcheck commit SHA

The previous SHA (00b27aa7cb85167568d10283c1dce7810666b51d) did not resolve to a valid version of ludeeus/action-shellcheck. Replace with the correct v2.0.0 commit SHA (00cae500b08a931fb5698e11e79bfbd38e612a38).
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3c94aa1..ccd16d1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -61,7 +61,7 @@ jobs:
 with:
 persist-credentials: false
 - name: Run shellcheck
- uses: ludeeus/action-shellcheck@00b27aa7cb85167568d10283c1dce7810666b51d # v2.1.0
+ uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
 with:
 severity: warning
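Review bot: The `shellcheck` job added in PATCH 1/3 declares no `permissions:` block, so unless the workflow sets one at the top level (not visible in this hunk) the job runs with the repository's default `GITHUB_TOKEN` scopes. A lint job that only reads the checkout needs read access at most; adding `permissions:` with `contents: read` under `runs-on: ubuntu-latest` states that explicitly and keeps it true if the repository default is ever widened. The existing `persist-credentials: false` keeps the token out of the working tree, and a scoped token limits what a compromised third-party step could do with it.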
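Review bot: The SHA pin on the `uses: ludeeus/action-shellcheck@…` line in PATCH 2/3 fixes the action's own code but, as far as I know, not the ShellCheck binary it runs: the action fetches a ShellCheck release at run time and its `version` input defaults to a moving release channel. If that holds for the pinned commit, lint results and the executed binary can change without any change to this file; add `version: <shellcheck-release-tag>` (placeholder, use a release you have verified) beside `severity: warning` in the `with:` block. The job header and `steps:` key sit outside this hunk. Since GitHub does not check the trailing version comment, the new SHA should also be confirmed against the upstream repository's tag before merge.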
From 558a905e471e0ca2ec4b06d0497b80019596a130 Mon Sep 17 00:00:00 2001
From: Morgan Roderick
Date: Wed, 10 Jun 2026 18:57:26 +0200
Subject: [PATCH 3/3] fix(ci): correct shellcheck version comment to match tag

zizmor's hash-pin verification requires the comment to match the exact tag name in the repository. The tag is , not . Fixes security scanning alert in PR #25.
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ccd16d1..1e3d5d9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -61,7 +61,7 @@ jobs:
 with:
 persist-credentials: false
 - name: Run shellcheck
- uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
+ uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
 with:
 severity: warning
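Review bot: The `# 2.0.0` comment on the `ludeeus/action-shellcheck` pin now differs from the `# vX.Y.Z` form used on the other pins in this file (`# v6.0.2`, `# v0.5.6`), and nothing in the workflow says why. A later cleanup could restore the `v` prefix and bring back the scanning alert the commit message describes. I would add a short comment above the step, for example `# upstream tags this action without a "v" prefix; zizmor checks the pin comment against the tag name`. The step's enclosing job starts outside this hunk.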