chore: add static checks workflow for #320 phase C

Author: mrlunchbox777

.github/workflows/static-checks.yaml

@@ -0,0 +1,66 @@
+name: Static Checks
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - "**/*.sh"
+      - "**/*.bash"
+      - "**/*.zsh"
+      - ".github/workflows/**"
+      - ".github/workflows/static-checks.yaml"
+  push:
+    branches:
+      - main
+    paths:
+      - "**/*.sh"
+      - "**/*.bash"
+      - "**/*.zsh"
+      - ".github/workflows/**"
+      - ".github/workflows/static-checks.yaml"
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  shell-static:
+    name: ShellCheck and shfmt
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install shellcheck and shfmt
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y shellcheck shfmt
+
+      - name: Run shellcheck
+        run: |
+          mapfile -t shell_files < <(git ls-files '*.sh' '*.bash' '*.zsh' | grep -v '^submodules/' || true)
+          if [ "${#shell_files[@]}" -eq 0 ]; then
+            echo "No shell files found"
+            exit 0
+          fi
+          shellcheck "${shell_files[@]}"
+
+      - name: Run shfmt diff check
+        run: |
+          mapfile -t shell_files < <(git ls-files '*.sh' '*.bash' '*.zsh' | grep -v '^submodules/' || true)
+          if [ "${#shell_files[@]}" -eq 0 ]; then
+            echo "No shell files found"
+            exit 0
+          fi
+          shfmt -d "${shell_files[@]}"
+
+  actionlint:
+    name: actionlint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Run actionlint
+        uses: rhysd/actionlint@v1

CHANGELOG.md

@@ -3,6 +3,17 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 
+---
+## [0.1.23] - 2026-04-09
+
+### Added
+
+- Added `.github/workflows/static-checks.yaml` to introduce Phase C CI scaffolding for `shellcheck`, `shfmt -d`, and `actionlint` as part of #320 code-scanning transition.
+
+### Changed
+
+- Updated `docs/plans/bsctl-codeql-decommission-plan.md` with Phase C status and immediate next steps for static-check validation before CodeQL re-scope/removal.
+
 ---
 ## [0.1.22] - 2026-04-09
 

bsctl/static/resources/constants.yaml

@@ -1,2 +1,2 @@
 # BasicSetupCliVersion - constant for semantic versioning
-BasicSetupCliVersion: "0.1.22"
+BasicSetupCliVersion: "0.1.23"

docs/plans/bsctl-codeql-decommission-plan.md

@@ -46,6 +46,10 @@ Retire remaining `bsctl` Go CLI and CodeQL dependencies without breaking release
 - Re-scope or remove `.github/workflows/codeql.yaml` only after replacement checks are enforced in CI.
 - Document rationale and replacement security posture.
 
+Current status:
+
+- Added `.github/workflows/static-checks.yaml` scaffolding for `shellcheck`, `shfmt -d`, and `actionlint`.
+
 ### Phase D: `bsctl/` retirement
 
 - Remove remaining `bsctl/` tree once dependencies and references are eliminated.
@@ -61,6 +65,6 @@ Retire remaining `bsctl` Go CLI and CodeQL dependencies without breaking release
 
 ## Immediate Next Steps
 
-1. Complete Phase B PR merge and verify workflow parity on `main`.
-2. Start Phase C by adding shell/workflow static checks (`shellcheck`, `shfmt -d`, `actionlint`) in CI.
-3. Reassess CodeQL scope and retire/re-scope `.github/workflows/codeql.yaml` once replacement checks are stable.
+1. Validate `.github/workflows/static-checks.yaml` in CI and tune file targeting/exclusions for stable signal.
+2. Reassess CodeQL scope and retire/re-scope `.github/workflows/codeql.yaml` once replacement checks are stable.
+3. Update issue #320 acceptance checkboxes as Phase C milestones complete.

resources/version.yaml

@@ -1,2 +1,2 @@
 # BasicSetupCliVersion - primary version source for releases and docs bump automation
-BasicSetupCliVersion: "0.1.22"
+BasicSetupCliVersion: "0.1.23"