Add shellcheck for shell script linting

.github/problem-matchers/README.md

@@ -10,6 +10,8 @@ prominently in the GitHub user interface.
 This directory contains Problem Matchers used by the GitHub Actions workflows
 in the [`workflows`](./workflows) subdirectory.
 
+## Original sources
+
 The following problem matcher JSON files found in this directory were copied
 from the [Home Assistant](https://github.com/home-assistant/core) project on
 GitHub. The Home Assistant project is licensed under the Apache 2.0 open-source
@@ -28,4 +30,10 @@ The following problem matcher JSON file came from the
 [hadolint-action](https://github.com/hadolint/hadolint-action) repository
 (copied on 2025-02-17, version 3.1.0):
 
-- [`problem-matcher.json`](https://github.com/hadolint/hadolint-action/blob/master/problem-matcher.json)
+- [`hadolint.json`](https://github.com/hadolint/hadolint-action/blob/master/problem-matcher.json)
+
+The Shellcheck problem matcher JSON file came from the
+[shellcheck-problem-matchers](uhttps://github.com/lumaxis/shellcheck-problem-matchers)
+repository (copied 2025-02-26, version v2.1.0).
+
+- [`shellcheck-tty.json`](https://github.com/lumaxis/shellcheck-problem-matchers/blob/main/.github/shellcheck-tty.json)

.github/problem-matchers/shellcheck.json

@@ -0,0 +1,24 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "shellcheck",
+      "pattern": [
+        {
+            "regexp": "^In\\s(.+)\\sline\\s(\\d+):$",
+            "file": 1,
+            "line": 2
+        },
+        {
+          "regexp": ".*"
+        },
+        {
+            "regexp": "SC(\\d+)(\\s\\((note|warning|error)\\))?:\\s(.+)$",
+            "code": 1,
+            "severity": 3,
+            "message": 4,
+            "loop": true
+        }
+      ]
+    }
+  ]
+}

.github/workflows/ci.yml

@@ -91,6 +91,8 @@ jobs:
       json_files: ${{steps.filter.outputs.json_files}}
       docker: ${{steps.filter.outputs.docker}}
       docker_files: ${{steps.filter.outputs.docker_files}}
+      shell: ${{steps.filter.outputs.shell}}
+      shell_files: ${{steps.filter.outputs.shell_files}}
     steps:
       # When invoked manually, use the given SHA to figure out the change list.
       - if: github.event_name == 'workflow_dispatch'
@@ -146,6 +148,9 @@ jobs:
             docker:
               - '**/dockerfile'
               - '**/Dockerfile'
+            shell:
+              - '**/*.sh'
+              - 'check/*'
 
   setup:
     if: needs.changes.outputs.python == 'true'
@@ -518,3 +523,23 @@ jobs:
       - name: Verify that all GitHub Actions workflows are valid
         run: |
           /opt/homebrew/bin/actionlint -color
+
+  shell-script-lint:
+    if: needs.changes.outputs.shell == 'true'
+    name: Shell script checks
+    needs: changes
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    env:
+      changed_files: ${{needs.changes.outputs.shell_files}}
+    steps:
+      - name: Check out a copy of the git repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Set up shellcheck output problem matcher
+        run: |
+          echo "::add-matcher::.github/problem-matchers/shellcheck.json"
+
+      - name: Run shellcheck on shell scripts that have been changed
+        run: |
+          shellcheck ${{env.changed_files}}

.shellcheckrc

@@ -0,0 +1,19 @@
+# Summary: config file for shellcheck program.
+#
+# The following page includes information about the .shellcheckrc file:
+# https://github.com/koalaman/shellcheck/wiki/Directive#shellcheckrc-file
+# 
+# Optional settings can be discovered by running "shellcheck --list-optional".
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# We use bash for all the scripts, so tell shellcheck to assume this dialect.
+shell=bash
+
+# Makes shellcheck include files pointed-to by the source or . statements.
+external-sources=true
+
+# Enable check for when a script uses "set -e" but a construct may disable it.
+enable=check-set-e-suppressed
+
+# Enable check for tests like [ "$var" ], which are best written [ -n "$var" ].
+enable=avoid-nullary-conditions