
Add shellcheck GitHub Action with annotations for .sh files #6622

Draft
Copilot wants to merge 7 commits into main from copilot/add-github-action-shellcheck

Contributor

Copilot AI commented Jan 27, 2026

Adds automated shellcheck linting on PRs that modify shell scripts, surfacing errors as GitHub Actions annotations using native problem matchers.

Changes

  • New workflow: .github/workflows/shellcheck.yml

    • Triggers on .sh file changes, workflow changes, or problem matcher changes in PRs to main
    • Uses native shellcheck (pre-installed on ubuntu-latest) with custom problem matcher
    • Checks only changed shell scripts using git diff to avoid blocking unrelated PRs
    • Uses fetch-depth: 0 for full git history to enable diff comparison
    • Skips shellcheck entirely if no shell scripts were changed
    • Includes concurrency control to cancel stale runs
  • Problem Matcher: .github/shellcheck-matcher.json

    • Parses shellcheck gcc-format output to create GitHub annotations
    • Supports all severity levels (error, warning, note, style)
    • Captures error codes for detailed reporting
  • Documentation: .github/agents/github-workflows.agent.md

    • Guidelines for creating GitHub Actions workflows
    • Policy on third-party actions (only use approved actions like actions/*)
    • Instructions for implementing problem matchers for annotations
    • Complete ShellCheck example checking only changed files
    • Standard workflow patterns and best practices

Implementation Details

  • No third-party actions: Uses only approved actions/checkout@v4 per repository policy
  • Minimal permissions: Only contents: read required
  • No conflicts: Verified shellcheck is not used elsewhere in workflows or pipelines (27 shell scripts across cli/installer, extensions, eng/scripts)
  • Non-blocking: Only checks shell scripts modified in the PR using git diff --name-only --diff-filter=ACMRT
  • Smart filtering: Won't fail PRs due to pre-existing issues in unrelated scripts

- name: Get changed shell scripts
  id: changed-files
  run: |
    git fetch origin "${{ github.base_ref }}"
    # Three-dot diff: files changed on this branch since it diverged from the base.
    # --diff-filter=ACMRT drops deleted files, which shellcheck could not open.
    CHANGED_SH_FILES=$(git diff --name-only --diff-filter=ACMRT "origin/${{ github.base_ref }}...HEAD" | grep '\.sh$' || true)
    if [ -z "$CHANGED_SH_FILES" ]; then
      echo "No shell scripts changed"
      echo "files=" >> "$GITHUB_OUTPUT"
    else
      echo "Changed shell scripts:"
      echo "$CHANGED_SH_FILES"
      # Multi-line values use the heredoc form of GITHUB_OUTPUT.
      echo "files<<EOF" >> "$GITHUB_OUTPUT"
      echo "$CHANGED_SH_FILES" >> "$GITHUB_OUTPUT"
      echo "EOF" >> "$GITHUB_OUTPUT"
    fi
- name: Register ShellCheck problem matcher
  if: steps.changed-files.outputs.files != ''
  run: echo "::add-matcher::.github/shellcheck-matcher.json"
- name: Run ShellCheck
  if: steps.changed-files.outputs.files != ''
  env:
    # Pass the list through the environment instead of expanding ${{ }} inside the
    # script, so file names chosen in a PR cannot inject shell syntax into the step.
    CHANGED_SH_FILES: ${{ steps.changed-files.outputs.files }}
  run: |
    # One path per line; -d '\n' (GNU xargs on ubuntu-latest) keeps paths with spaces intact.
    printf '%s\n' "$CHANGED_SH_FILES" | xargs -d '\n' shellcheck -f gcc
- name: Unregister ShellCheck problem matcher
  if: always() && steps.changed-files.outputs.files != ''
  run: echo "::remove-matcher owner=shellcheck-gcc::"
Original prompt

This section details the original issue you should resolve

<issue_title>[EngSys] Add GitHub Action that runs shellcheck on PRs that change .sh files</issue_title>
<issue_description>Surface errors in file tab using GitHub Actions annotations</issue_description>

<agent_instructions>Make sure that shellcheck isn't used anywhere else in DevOps pipelines or workflows. If it is we'll have to rethink.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

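The problem matcher's job described in the PR (turning `shellcheck -f gcc` lines into GitHub annotations), as an added Python example that is not part of the PR: it applies a regex with the capture groups such a matcher needs, counts findings per severity, and shows the equivalent workflow-command form of each annotation. The pattern and the sample output are assumptions, since the PR's `.github/shellcheck-matcher.json` is not reproduced on the page.

```python
import re
from collections import Counter
from typing import Dict, List

# Capture groups a problem matcher for `shellcheck -f gcc` needs (file, line, column,
# severity, message, code). Assumed pattern; the PR's matcher JSON is not shown here.
# The gcc format is:  <file>:<line>:<col>: <severity>: <message> [SC<nnnn>]
GCC_LINE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):(?P<col>\d+): "
    r"(?P<severity>error|warning|note|style): (?P<message>.*) \[(?P<code>SC\d+)\]$"
)

# Workflow-command annotations only have error/warning/notice levels, so the two
# lower ShellCheck severities collapse onto notice.
ANNOTATION_LEVEL = {"error": "error", "warning": "warning", "note": "notice", "style": "notice"}

# Constructed sample output, including a line that is not a ShellCheck finding.
SAMPLE_OUTPUT = """\
cli/installer/install.sh:12:5: warning: Double quote to prevent globbing and word splitting. [SC2086]
eng/scripts/build.sh:3:1: error: Couldn't parse this if expression. Fix to allow more checks. [SC1073]
eng/scripts/build.sh:20:8: note: Consider using { cmd1; cmd2; } >> file instead of individual redirects. [SC2129]
eng/scripts/build.sh:25:2: style: Use $(...) notation instead of legacy backticks `...`. [SC2006]
Checking 2 files...
"""

def parse_gcc_output(text: str) -> List[Dict[str, str]]:
    """One dict per finding; lines that do not match are ignored, as a matcher would."""
    return [m.groupdict() for m in map(GCC_LINE.match, text.splitlines()) if m]

def escape_data(value: str) -> str:
    # Escaping rules for the message part of a workflow command.
    return value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")

def escape_property(value: str) -> str:
    # Property values additionally escape ':' and ',' which delimit the command.
    return escape_data(value).replace(":", "%3A").replace(",", "%2C")

def to_workflow_command(f: Dict[str, str]) -> str:
    """Same annotation expressed as a workflow command, for runners without a matcher."""
    props = f"file={escape_property(f['file'])},line={f['line']},col={f['col']},title=ShellCheck {f['code']}"
    return f"::{ANNOTATION_LEVEL[f['severity']]} {props}::{escape_data(f['message'])}"

def count_by_severity(findings: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(f["severity"] for f in findings))

if __name__ == "__main__":
    for finding in parse_gcc_output(SAMPLE_OUTPUT):
        print(to_workflow_command(finding))
```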

Copilot AI and others added 2 commits January 27, 2026 19:20
Co-authored-by: danieljurek <2158838+danieljurek@users.noreply.github.com>
Co-authored-by: danieljurek <2158838+danieljurek@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add GitHub Action to run shellcheck on .sh files" to "Add shellcheck GitHub Action with annotations for .sh files" on Jan 27, 2026
Copilot AI requested a review from danieljurek January 27, 2026 19:23
Member

@danieljurek danieljurek left a comment


Make a note of things you learn from this PR iteration in the appropriate instructions file targeting .github/workflows/*.yml

steps:
  - uses: actions/checkout@v4
  - name: Run ShellCheck
    uses: reviewdog/action-shellcheck@v1
Member


Do not use 3rd party actions

Contributor Author


Replaced reviewdog/action-shellcheck with native shellcheck implementation using GitHub problem matchers. The workflow now uses shellcheck directly (pre-installed on ubuntu-latest) with a custom problem matcher at .github/shellcheck-matcher.json for annotations. Commit: 5525c13

Co-authored-by: danieljurek <2158838+danieljurek@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 29, 2026

Make a note of things you learn from this PR iteration in the appropriate instructions file targeting .github/workflows/*.yml

Created .github/agents/github-workflows.agent.md documenting:

  • Policy to avoid third-party actions (except approved ones like actions/*)
  • How to use problem matchers for annotations without third-party actions
  • ShellCheck-specific implementation example
  • Standard workflow patterns (concurrency, permissions, path triggers)

Commit: 5525c13

Copilot AI and others added 2 commits January 29, 2026 23:47
Co-authored-by: danieljurek <2158838+danieljurek@users.noreply.github.com>
Co-authored-by: danieljurek <2158838+danieljurek@users.noreply.github.com>
Comment on lines 28 to 32
find . -name "*.sh" -type f \
  -not -path "*/.*" \
  -not -path "*/node_modules/*" \
  -not -path "*/vendor/*" \
  -exec shellcheck -f gcc {} +
Member


Look over changed .sh files instead of checking all files. I don't want this blocking unrelated PRs.

Contributor Author


Updated workflow to check only changed shell scripts using git diff. The workflow now:

  • Uses fetch-depth: 0 to enable git history comparison
  • Gets changed .sh files via git diff --name-only --diff-filter=ACMRT origin/${{ github.base_ref }}...HEAD
  • Skips shellcheck entirely if no shell scripts were changed
  • Won't block PRs due to pre-existing issues in unrelated scripts

Commit: f9376b2

Co-authored-by: danieljurek <2158838+danieljurek@users.noreply.github.com>
Successfully merging this pull request may close these issues.

[EngSys] Add GitHub Action that runs shellcheck on PRs that change .sh files