feat(ci): make shellcheck mandatory — add .shellcheckrc, fix 24 violations, add CI jobs

Adds shellcheck as a required CI gate across GitHub Actions and Gitea workflows.

Changes:
- .shellcheckrc: project-wide config (shell=bash, severity=warning, exclude SC1090/SC1091)
- Fix SC2155 (declare+assign): debug.sh, migrate_benchmarks.sh, verify_constant_sync.sh
- Fix SC2034 (unused vars): lane-runtime.sh, self-update-quality.sh, prompts-submodule.sh,
  fix-hardcoded-permissions.sh, fix_hardcoded_addresses.sh (dead code removed),
  test-governance-integration.sh, actions.sh (disable comment for intentional capture)
- Fix SC2124 (array→string): deploy-to-servers.sh
- .github/workflows/ci.yml: new mandatory 'shellcheck' job
- .gitea/workflows/governance-check.yml: shellcheck step before governance tests

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: CodeMonkeyCybersecurity

.gitea/workflows/governance-check.yml

@@ -35,6 +35,21 @@ jobs:
             echo "SUBMODULE_INIT=failed"
           fi
 
+      - name: Run shellcheck on all shell scripts
+        run: |
+          set -euo pipefail
+          if ! command -v shellcheck &>/dev/null; then
+            apt-get update -qq && apt-get install -y shellcheck
+          fi
+          mapfile -t shell_files < <(git ls-files '*.sh' | sort)
+          if [[ ${#shell_files[@]} -eq 0 ]]; then
+            echo "No shell files found"
+            exit 0
+          fi
+          echo "Checking ${#shell_files[@]} shell file(s)..."
+          shellcheck -x "${shell_files[@]}"
+          echo "shellcheck: all files passed"
+
       - name: Run governance unit tests (70%)
         run: |
           set -euo pipefail

.github/workflows/ci.yml

@@ -196,6 +196,36 @@ PY
         run: |
           test -f outputs/ci/lint/report.json && cat outputs/ci/lint/report.json || true
 
+  shellcheck:
+    name: shellcheck
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          fetch-depth: 0
+
+      - name: Install shellcheck
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y shellcheck
+
+      - name: Run shellcheck
+        run: |
+          set -euo pipefail
+          mapfile -t shell_files < <(
+            git ls-files '*.sh' | sort
+          )
+          if [[ ${#shell_files[@]} -eq 0 ]]; then
+            echo "No shell files found"
+            exit 0
+          fi
+          echo "Checking ${#shell_files[@]} shell file(s)..."
+          shellcheck -x "${shell_files[@]}"
+          echo "shellcheck: all files passed"
+
   ci-unit:
     name: ci-unit
     runs-on: ubuntu-latest

.shellcheckrc

@@ -0,0 +1,7 @@
+# .shellcheckrc — shellcheck configuration for the eos project
+shell=bash
+enable=avoid-nullary-conditions,check-unassigned-uppercase,require-variable-braces
+severity=warning
+# SC1090: Can't follow non-constant source — safe with # shellcheck source= directives
+# SC1091: Not following source — safe in test mocks
+exclude=SC1090,SC1091

scripts/ci/debug.sh

@@ -38,7 +38,8 @@ lane_run_step "preflight" scripts/ci/preflight.sh
 lane_run_step "sanitize_git_env" ge_unset_git_local_env
 lane_run_step "git_conflict_guard" ensure_no_merge_conflicts
 
-export PATH="$(go env GOPATH)/bin:${PATH}"
+_gopath="$(go env GOPATH)"
+export PATH="${_gopath}/bin:${PATH}"
 if ! command -v golangci-lint >/dev/null 2>&1; then
   lane_log "INFO" "ci_debug.bootstrap" "golangci-lint missing; installing pinned v2.0.0" "bootstrap"
   lane_run_step "install_golangci_lint" go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.0.0
@@ -99,9 +100,9 @@ lane_run_step "governance_propagation_shell_coverage" \
     -- bash -c 'bash test/ci/test-lane-runtime-unit.sh && bash test/ci/test-submodule-freshness.sh && bash test/ci/test-governance-check.sh'
 lane_run_step "verify_parity_contract_tests" bash test/ci/test-verify-parity.sh
 
-CI_LANE_FAILED_STAGE="none"
-CI_LANE_FAILED_COMMAND=""
-CI_LANE_FAILED_LINE=0
-CI_LANE_FAILED_EXIT=0
-CI_LANE_STAGE="complete"
+export CI_LANE_FAILED_STAGE="none"
+export CI_LANE_FAILED_COMMAND=""
+export CI_LANE_FAILED_LINE=0
+export CI_LANE_FAILED_EXIT=0
+export CI_LANE_STAGE="complete"
 lane_finish "pass" "ci:debug completed successfully" 0

scripts/ci/lib/lane-runtime.sh

@@ -171,6 +171,6 @@ lane_on_err() {
   CI_LANE_FAILED_STAGE="${CI_LANE_STAGE}"
   CI_LANE_FAILED_COMMAND="${cmd}"
   CI_LANE_FAILED_LINE="${line}"
-  CI_LANE_FAILED_EXIT="${exit_code}"
+  export CI_LANE_FAILED_EXIT="${exit_code}"
   lane_finish "fail" "${CI_LANE_NAME} failed at stage ${CI_LANE_STAGE} line ${line}" "${exit_code}"
 }

scripts/ci/self-update-quality.sh

@@ -104,7 +104,7 @@ awk -v cov="${focus_coverage}" -v min="${focus_threshold}" 'BEGIN { if (cov+0 <
   false
 }
 
-CI_LANE_EXTRA_METRICS="# TYPE eos_self_update_quality_coverage_percent gauge
+export CI_LANE_EXTRA_METRICS="# TYPE eos_self_update_quality_coverage_percent gauge
 eos_self_update_quality_coverage_percent ${focus_coverage}
 # TYPE eos_self_update_quality_threshold_percent gauge
 eos_self_update_quality_threshold_percent ${focus_threshold}
@@ -115,7 +115,7 @@ eos_self_update_quality_integration_weight ${integration_weight}
 # TYPE eos_self_update_quality_e2e_weight gauge
 eos_self_update_quality_e2e_weight ${e2e_weight}"
 
-CI_LANE_EXTRA_REPORT_FIELDS="coverage_percent=${focus_coverage}
+export CI_LANE_EXTRA_REPORT_FIELDS="coverage_percent=${focus_coverage}
 coverage_threshold=#int:${focus_threshold}
 weight_unit=#int:${unit_weight}
 weight_integration=#int:${integration_weight}

scripts/deploy-to-servers.sh

@@ -4,7 +4,7 @@
 
 set -euo pipefail
 
-SERVERS="${@:-vhost2}"  # Default to vhost2, or use provided list
+SERVERS="${*:-vhost2}"  # Default to vhost2, or use provided list
 BUILD_DIR="/tmp/eos-deploy-$(date +%s)"
 INSTALL_PATH="/usr/local/bin/eos"
 

scripts/fix-hardcoded-permissions.sh

@@ -27,10 +27,8 @@ CREATE_CONSTANTS_ONLY=false
 BACKUP_EXT=".permissions.bak"
 CONSTANTS_FILE="pkg/shared/permissions.go"
 REPLACED_COUNT=0
-SKIPPED_COUNT=0
 
 # Colors for output
-RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
@@ -243,7 +241,7 @@ for file in $FILES; do
 
     # Check each replacement pattern
     for replacement in "${REPLACEMENTS[@]}"; do
-        IFS=':' read -r octal_value constant_name usage <<< "$replacement"
+        IFS=':' read -r octal_value constant_name _usage <<< "$replacement"
 
         # Check if file contains this hardcoded value
         if grep -q "$octal_value" "$file"; then

scripts/fix_hardcoded_addresses.sh

@@ -4,13 +4,6 @@
 
 set -euo pipefail
 
-# Detect OS for sed compatibility
-if [[ "$OSTYPE" == "darwin"* ]]; then
-    SED_INPLACE="sed -i ''"
-else
-    SED_INPLACE="sed -i"
-fi
-
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'

scripts/lib/prompts-submodule/actions.sh

@@ -23,6 +23,8 @@ ps_capture_run() {
   # Ensure temp files are cleaned up on any exit path (including signals).
   trap 'rm -f "${stdout_file}" "${stderr_file}"' RETURN
   "$@" >"${stdout_file}" 2>"${stderr_file}" || rc=$?
+  # PS_LAST_COMMAND_STDOUT is intentionally captured but not always used by callers.
+  # shellcheck disable=SC2034
   PS_LAST_COMMAND_STDOUT="$(cat "${stdout_file}")"
   PS_LAST_COMMAND_STDERR="$(cat "${stderr_file}")"
   return "${rc}"