Add shellcheck GitHub Action with annotations for .sh files

[Copilot]

Adds automated shellcheck linting on PRs that modify shell scripts, surfacing errors as GitHub Actions annotations using native problem matchers.

Changes

• New workflow: .github/workflows/shellcheck.yml

  • Triggers on .sh file changes, workflow changes, or problem matcher changes in PRs to main
  • Uses native shellcheck (pre-installed on ubuntu-latest) with custom problem matcher
  • Checks only changed shell scripts using git diff to avoid blocking unrelated PRs
  • Uses fetch-depth: 0 for full git history to enable diff comparison
  • Skips shellcheck entirely if no shell scripts were changed
  • Includes concurrency control to cancel stale runs

• Problem Matcher: .github/shellcheck-matcher.json

  • Parses shellcheck gcc-format output to create GitHub annotations
  • Supports all severity levels (error, warning, note, style)
  • Captures error codes for detailed reporting

• Documentation: .github/agents/github-workflows.agent.md

  • Guidelines for creating GitHub Actions workflows
  • Policy on third-party actions (only use approved actions like actions/*)
  • Instructions for implementing problem matchers for annotations
  • Complete ShellCheck example checking only changed files
  • Standard workflow patterns and best practices

Implementation Details

• No third-party actions: Uses only approved actions/checkout@v4 per repository policy
• Minimal permissions: Only contents: read required
• No conflicts: Verified shellcheck not used elsewhere in workflows or pipelines (27 shell scripts across cli/installer, extensions, eng/scripts)
• Non-blocking: Only checks shell scripts modified in the PR using git diff --name-only --diff-filter=ACMRT
• Smart filtering: Won't fail PRs due to pre-existing issues in unrelated scripts

- name: Get changed shell scripts
  id: changed-files
  run: |
    git fetch origin ${{ github.base_ref }}
    CHANGED_SH_FILES=$(git diff --name-only --diff-filter=ACMRT origin/${{ github.base_ref }}...HEAD | grep '\.sh$' || true)
    if [ -z "$CHANGED_SH_FILES" ]; then
      echo "No shell scripts changed"
      echo "files=" >> $GITHUB_OUTPUT
    else
      echo "Changed shell scripts:"
      echo "$CHANGED_SH_FILES"
      echo "files<<EOF" >> $GITHUB_OUTPUT
      echo "$CHANGED_SH_FILES" >> $GITHUB_OUTPUT
      echo "EOF" >> $GITHUB_OUTPUT
    fi
- name: Register ShellCheck problem matcher
  if: steps.changed-files.outputs.files != ''
  run: echo "::add-matcher::.github/shellcheck-matcher.json"
- name: Run ShellCheck
  if: steps.changed-files.outputs.files != ''
  run: |
    echo "${{ steps.changed-files.outputs.files }}" | xargs shellcheck -f gcc
- name: Unregister ShellCheck problem matcher
  if: always() && steps.changed-files.outputs.files != ''
  run: echo "::remove-matcher owner=shellcheck-gcc::"

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[EngSys] Add GitHub Action that runs shellcheck on PRs that change .sh files</issue_title>
<issue_description>Surface errors in file tab using GitHub Actions annotations</issue_description>

<agent_instructions>Make sure that shellcheck isn't used anywhere else in DevOps pipelines or workflows. If it is we'll have to rethink.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes [EngSys] Add GitHub Action that runs shellcheck on PRs that change .sh files #6621

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[danieljurek]

Make a note of things you learn from this PR iteration in the appropriate instructions file targeting .github/workflows/*.yml

[danieljurek]

Do not use 3rd party actions

[Copilot]

Replaced reviewdog/action-shellcheck with native shellcheck implementation using GitHub problem matchers. The workflow now uses shellcheck directly (pre-installed on ubuntu-latest) with a custom problem matcher at .github/shellcheck-matcher.json for annotations. Commit: 5525c13

[Copilot]

Make a note of things you learn from this PR iteration in the appropriate instructions file targeting .github/workflows/*.yml

Created .github/agents/github-workflows.agent.md documenting:

• Policy to avoid third-party actions (except approved ones like actions/*)
• How to use problem matchers for annotations without third-party actions
• ShellCheck-specific implementation example
• Standard workflow patterns (concurrency, permissions, path triggers)

Commit: 5525c13

[danieljurek]

Look over changed .sh files instead of checking all files. I don't want this blocking unrelated PRs.

[Copilot]

Updated workflow to check only changed shell scripts using git diff. The workflow now:

• Uses fetch-depth: 0 to enable git history comparison
• Gets changed .sh files via git diff --name-only --diff-filter=ACMRT origin/${{ github.base_ref }}...HEAD
• Skips shellcheck entirely if no shell scripts were changed
• Won't block PRs due to pre-existing issues in unrelated scripts

Commit: f9376b2

[microsoft-github-policy-service]

Hi @@copilot. Thank you for your interest in helping to improve the Azure Developer CLI experience and for your contribution. We've noticed that there hasn't been recent engagement on this pull request. If this is still an active work stream, please let us know by pushing some changes or leaving a comment. Otherwise, we'll close this out in 7 days.

[microsoft-github-policy-service]

Hi @@copilot. Thank you for your contribution. Since there hasn't been recent engagement, we're going to close this out. Feel free to respond with a comment containing "/reopen" if you'd like to continue working on these changes. Please be sure to use the command to reopen or remove the "no-recent-activity" label; otherwise, this is likely to be closed again with the next cleanup pass.