Skip to content

ci: pin actions to commit SHAs and add shellcheck #3126

Merged
mnriem merged 4 commits into github:main from PascalThuet:split/pin-actions-shellcheck on Jun 24, 2026

Conversation

@PascalThuet PascalThuet commented Jun 23, 2026

Contributor

Part of splitting #2442 into smaller, dedicated PRs (per maintainer request). This is the first, dependency-free slice: workflow hygiene only, no runtime code changes.

What

  • Pin actions/github-script in catalog-assign.yml to a full commit SHA (3a2844b… # v9). All other workflows were already pinned.
  • Add tests/test_github_workflows.py: a repo-wide regression test asserting every non-local uses: ref is pinned to a 40-char commit SHA, accepting uppercase or lowercase hex.
  • Add a shellcheck job to lint.yml (git ls-files -z -- '*.sh' | xargs -0 shellcheck --severity=error) over tracked shell scripts.
  • Document the local shellcheck command in CONTRIBUTING.md with wording that matches what --severity=error actually reports.

Why

Unpinned actions are a supply-chain risk: a moved tag can change the executed code. The shellcheck job catches error-severity bugs in committed bash scripts without expanding this PR into a broader warning cleanup.

Validation

  • uv sync --extra test
  • .venv/bin/python -m pytest tests/test_github_workflows.py -q
  • uvx ruff check tests/test_github_workflows.py
  • git diff --check
  • git ls-files -z -- '*.sh' | xargs -0 shellcheck --severity=error

Split from #2442. No dependency on the other split PRs.

Disclosure

Prepared by Codex (model: GPT-5) on behalf of @PascalThuet.

Pin actions/github-script in catalog-assign.yml to a full commit SHA; all
other workflows were already pinned. Add a repo-wide regression test that
every workflow `uses:` ref is pinned to a 40-char commit SHA.

Add a shellcheck job to lint.yml (--severity=error over scripts/bash/*.sh)
and document the local command in CONTRIBUTING.md.

Copilot AI left a comment

Contributor

Pull request overview

This PR improves CI/workflow supply-chain hygiene by ensuring GitHub Actions are pinned to immutable commit SHAs, adds a regression test to enforce that policy, and introduces a ShellCheck lint job for the repo’s Bash scripts.

Changes:

  • Pin actions/github-script in catalog-assign.yml to a full 40-char commit SHA.
  • Add tests/test_github_workflows.py to assert all workflow uses: references are pinned to commit SHAs.
  • Add a shellcheck job to lint.yml and document the local command in CONTRIBUTING.md.
Summary per file:

  • tests/test_github_workflows.py: Adds a regression test to enforce SHA-pinned uses: refs across .github/workflows/*.yml and *.yaml.
  • CONTRIBUTING.md: Documents the local ShellCheck invocation consistent with the new CI job.
  • .github/workflows/lint.yml: Introduces a new ShellCheck job to lint scripts/bash/*.sh in CI.
  • .github/workflows/catalog-assign.yml: Pins actions/github-script to a full commit SHA to reduce supply-chain risk.

Copilot's findings


  • Files reviewed: 4/4 changed files
  • Comments generated: 1

Comment thread .github/workflows/lint.yml Outdated

@mnriem mnriem left a comment

Collaborator

Please address Copilot feedback

@PascalThuet PascalThuet deleted the split/pin-actions-shellcheck branch June 23, 2026 18:57
@PascalThuet PascalThuet reopened this Jun 23, 2026
@PascalThuet PascalThuet (Contributor Author) commented

Addressed the Copilot finding: the shellcheck job's actions/checkout is now pinned to the repo-standard 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 (matching the markdownlint job above it and every other workflow), instead of # v6.0.3. Commit 5d5fb75.

@PascalThuet PascalThuet requested a review from mnriem June 23, 2026 20:43
Assisted-by: Codex (model: GPT-5, autonomous)

Copilot AI left a comment

Contributor

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 2

Comment thread tests/test_github_workflows.py Outdated
Comment thread CONTRIBUTING.md Outdated
Assisted-by: Codex (model: GPT-5, autonomous)
@PascalThuet PascalThuet (Contributor Author) commented

Posted on behalf of @PascalThuet by Codex (model: GPT-5).

Addressed the review feedback in b5190f3dc957edf0a25b159dad02479d579b31a5:

  • Made the workflow SHA-pin check accept uppercase hex commit SHAs and added a regression test for that case.
  • Clarified the ShellCheck documentation so it states that --severity=error reports and blocks only error-severity findings.
  • Updated the PR body to match the current tracked-script ShellCheck command.

Validated with:

  • uv sync --extra test
  • .venv/bin/python -m pytest tests/test_github_workflows.py -q
  • uvx ruff check tests/test_github_workflows.py
  • git diff --check
  • git ls-files -z -- '*.sh' | xargs -0 shellcheck --severity=error
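
The pin check described in the PR body (every non-local `uses:` ref must be a 40-char commit SHA) and relaxed in this reply to accept uppercase hex can be sketched as follows. This is an added illustration, not the project's tests/test_github_workflows.py: it scans workflow text line by line with a regex instead of parsing YAML, treats refs beginning with `./` as local (as the PR body describes), and the sample workflow, the `check_workflow`/`check_workflow_dir`/`UnpinnedUse` names and the all-uppercase SHA are constructed for the example.

```python
import re
from pathlib import Path
from typing import NamedTuple

# A pinned ref is exactly 40 hex digits; accept either case, as the
# reviewed test does after the follow-up commit.
SHA_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

# Matches a step-level (`- uses:`) or job-level (`uses:`) reference,
# optionally quoted, optionally followed by a `# vN` style comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*(['"]?)([^'"#\s]+)\1\s*(?:#.*)?$""")


class UnpinnedUse(NamedTuple):
    line: int    # 1-based line number inside the workflow text
    ref: str     # the raw `uses:` value
    reason: str


def check_workflow(text: str) -> list[UnpinnedUse]:
    """Return every non-local `uses:` ref that is not pinned to a full commit SHA."""
    findings: list[UnpinnedUse] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(2)
        if ref.startswith("./"):
            continue  # action that lives in this repo: nothing external to pin
        if "@" not in ref:
            findings.append(UnpinnedUse(lineno, ref, "no @ref at all"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not SHA_RE.fullmatch(version):
            findings.append(UnpinnedUse(lineno, ref, "ref is not a 40-hex commit SHA"))
    return findings


def check_workflow_dir(workflows: Path) -> dict[str, list[UnpinnedUse]]:
    """Run check_workflow over every *.yml / *.yaml file in a workflows directory."""
    results: dict[str, list[UnpinnedUse]] = {}
    for path in sorted(workflows.glob("*.y*ml")):
        findings = check_workflow(path.read_text(encoding="utf-8"))
        if findings:
            results[path.name] = findings
    return results


# Constructed sample (not a real workflow from the repository); the
# uppercase SHA is synthetic and only shows that case is accepted.
UPPER_SHA = "ABCDEF0123456789" * 2 + "ABCDEF01"   # 40 hex chars
SAMPLE_WORKFLOW = f"""\
name: lint
on: [push]
jobs:
  shellcheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      - uses: actions/github-script@v9
      - uses: "octo/tool@{UPPER_SHA}" # uppercase hex is still a pin
      - uses: ./.github/actions/local-thing
      - uses: some/action@main
      - run: git ls-files -z -- '*.sh' | xargs -0 shellcheck --severity=error
"""

if __name__ == "__main__":
    # Lines 8 (github-script@v9) and 11 (some/action@main) are reported;
    # the local action and both SHA-pinned refs pass.
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")
```

Pointing `check_workflow_dir` at `.github/workflows` and asserting the returned dict is empty gives the same repo-wide guard as the PR's pytest; a tag-style ref such as `@v9`, a branch such as `@main`, a short SHA, or a missing `@` all fail, while a full SHA passes regardless of hex case.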

Copilot AI left a comment

Contributor

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 0 new

@mnriem mnriem merged commit e5df517 into github:main Jun 24, 2026
12 checks passed
mnriem commented Jun 24, 2026

Collaborator

Thank you!

3 participants