Run shellcheck on GitHub Actions run steps as part of pre-commit

[AlexWaygood]

actionlint has an optional shellcheck integration which scrapes the run steps of GitHub workflows and passes them to shellcheck. We have some reasonably complex workflows in this repo, and shellcheck finds some issues in some of them:

Shellcheck complaints regarding our GitHub workflows

.github/workflows/publish.yml:65:9: shellcheck reported issue in this script: SC2155:warning:1:8: Declare and assign separately to avoid masking return values [shellcheck]
   |
65 |         run: |
   |         ^~~~
.github/workflows/publish.yml:65:9: shellcheck reported issue in this script: SC2086:info:3:30: Double quote to prevent globbing and word splitting [shellcheck]
   |
65 |         run: |
   |         ^~~~
.github/workflows/publish.yml:91:9: shellcheck reported issue in this script: SC2155:warning:1:8: Declare and assign separately to avoid masking return values [shellcheck]
   |
91 |         run: |
   |         ^~~~
.github/workflows/publish.yml:91:9: shellcheck reported issue in this script: SC2086:info:3:9: Double quote to prevent globbing and word splitting [shellcheck]
   |
91 |         run: |
   |         ^~~~
.github/workflows/publish.yml:91:9: shellcheck reported issue in this script: SC2086:info:4:4: Double quote to prevent globbing and word splitting [shellcheck]
   |
91 |         run: |
   |         ^~~~
.github/workflows/publish.yml:116:9: shellcheck reported issue in this script: SC2155:warning:1:8: Declare and assign separately to avoid masking return values [shellcheck]
    |
116 |         run: |
    |         ^~~~
.github/workflows/publish.yml:116:9: shellcheck reported issue in this script: SC2086:info:3:30: Double quote to prevent globbing and word splitting [shellcheck]
    |
116 |         run: |
    |         ^~~~
.github/workflows/publish.yml:147:9: shellcheck reported issue in this script: SC2046:warning:1:6: Quote this to prevent word splitting [shellcheck]
    |
147 |         run: test $(ls dist/*.tar.gz | wc -l) = 1 && test $(ls dist/*.whl | wc -l) = 1
    |         ^~~~
.github/workflows/publish.yml:147:9: shellcheck reported issue in this script: SC2012:info:1:8: Use find instead of ls to better handle non-alphanumeric filenames [shellcheck]
    |
147 |         run: test $(ls dist/*.tar.gz | wc -l) = 1 && test $(ls dist/*.whl | wc -l) = 1
    |         ^~~~
.github/workflows/publish.yml:147:9: shellcheck reported issue in this script: SC2046:warning:1:46: Quote this to prevent word splitting [shellcheck]
    |
147 |         run: test $(ls dist/*.tar.gz | wc -l) = 1 && test $(ls dist/*.whl | wc -l) = 1
    |         ^~~~
.github/workflows/publish.yml:147:9: shellcheck reported issue in this script: SC2012:info:1:48: Use find instead of ls to better handle non-alphanumeric filenames [shellcheck]
    |
147 |         run: test $(ls dist/*.tar.gz | wc -l) = 1 && test $(ls dist/*.whl | wc -l) = 1
    |         ^~~~
.github/workflows/third_party.yml:98:9: shellcheck reported issue in this script: SC2046:warning:3:66: Quote this to prevent word splitting [shellcheck]
   |
98 |         run: |
   |         ^~~~
.github/workflows/third_party.yml:135:9: shellcheck reported issue in this script: SC2046:warning:3:65: Quote this to prevent word splitting [shellcheck]
    |
135 |         run: |
    |         ^~~~
.github/workflows/third_party.yml:172:9: shellcheck reported issue in this script: SC2046:warning:3:71: Quote this to prevent word splitting [shellcheck]
    |
172 |         run: |
    |         ^~~~
.github/workflows/third_party.yml:215:9: shellcheck reported issue in this script: SC2046:warning:3:70: Quote this to prevent word splitting [shellcheck]
    |
215 |         run: |
    |         ^~~~
.github/workflows/third_party.yml:215:9: shellcheck reported issue in this script: SC2046:warning:4:49: Quote this to prevent word splitting [shellcheck]
    |
215 |         run: |
    |         ^~~~
.github/workflows/third_party.yml:253:9: shellcheck reported issue in this script: SC2046:warning:3:67: Quote this to prevent word splitting [shellcheck]
    |
253 |         run: |
    |         ^~~~

This PR enables actionlint's shellcheck integration in our .pre-commit-config.yaml file, and fixes the complaints shellcheck has regarding our GitHub workflows. I tested locally in a shell that the new shell snippets produce the same results as before, and I tested locally that uvx pre-commit run -a still passes on this PR branch. (Note that we don't yet run pre-commit in CI -- #607 (comment).)

[srittau]

shellcheck is such a useful linter.

[Daraan]

Currently when running pipx run pre-commit run -a I consistently get the following error.

Lint GitHub Actions workflow files.......................................Failed
- hook id: actionlint
- exit code: 3

fatal error while checking .github/workflows/publish.yml: `/home/XXX/.cache/pre-commit/repomaenr34r/golangenv-default/bin/shellcheck --norc -f json -x --shell bash -e SC1091,SC2194,SC2050,SC2154,SC2157,SC2043 -` did not run successfully while checking script at line:34,col:9: /home/XXX/.cache/pre-commit/repomaenr34r/golangenv-default/bin/shellcheck exited with status 1 but stdout was empty. stderr: "2025/07/07 15:34:45 module[] function[_start] failed: wasm error: out of bounds memory access\nwasm stack trace:\n\t.$50274() i32\n\t.$21()\n"

@AlexWaygood do you have any idea about the cause or a fix?
I tried delete the complete .cache dir but that didnt help

[AlexWaygood]

@AlexWaygood do you have any idea about the cause or a fix?
I tried delete the complete .cache dir but that didnt help

No, I have no idea, sorry :-( I can't reproduce locally

pix run pre-commit run -a

Just to check, I assume you mean pipx rather than pix?

what platform are you on? I'm on MacOS.

[Daraan]

No, I have no idea, sorry :-( I can't reproduce locally

pix run pre-commit run -a

Just to check, I assume you mean pipx rather than pix?

Yes pipx, typo (on GitHub).

what platform are you on? I'm on MacOS.

Running on Ubuntu 22.04.
pipx --version is 1.0.0, looking at https://pipx.pypa.io/latest/installation/ it seems dated but the latest available?

[AlexWaygood]

A few other things you could try/check:

• What version of Python is your pipx using? Could try upgrading that?
• Have you tried clearing both your pipx cache and your pre-commit cache?

[Daraan]

A few other things you could try/check:

* What version of Python is your pipx using? Could try upgrading that?

3.11.11, tried also with 3.12 now

* Have you tried clearing both your pipx cache _and_ your pre-commit cache?

Deleted both but didn't solve it.

---

If I try to execute shellcheck directly I also get the error. I tried blank, -h, --help, --version -v, some_script it always crashes

/home/XXX/.cache/pre-commit/repo6mmeggte/golangenv-default/bin/shellcheck -h
2025/07/07 16:25:14 module[] function[_start] failed: wasm error: out of bounds memory access
wasm stack trace:
        .$50274() i32
        .$21()

I assume something goes wrong during the installation, maybe an incompatible version?