From b34c87b376370b9969fb1b55b339649bf5d80d63 Mon Sep 17 00:00:00 2001
From: Hugh Hackman <hugh@privilegedescalation.com>
Date: Wed, 18 Mar 2026 11:57:10 +0000
Subject: [PATCH 1/6] feat: add PR validation workflow for YAML and script
 linting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The .github repo had no CI running on pull requests — PRs merged without
any validation. This adds actionlint for workflow YAML and shellcheck for
scripts in .github/scripts/, triggered on PRs to main.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/pr-validation.yaml | 34 ++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 .github/workflows/pr-validation.yaml

diff --git a/.github/workflows/pr-validation.yaml b/.github/workflows/pr-validation.yaml
new file mode 100644
index 0000000..1c378c5
--- /dev/null
+++ b/.github/workflows/pr-validation.yaml
@@ -0,0 +1,34 @@
+name: PR Validation
+
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  validate:
+    runs-on: local-ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install actionlint
+        run: |
+          ACTIONLINT_VERSION="1.7.7"
+          curl -fsSL "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" \
+            | tar -xz -C /usr/local/bin actionlint
+
+      - name: Validate workflow YAML with actionlint
+        run: actionlint -color .github/workflows/*.yaml
+
+      - name: Shellcheck scripts
+        run: |
+          if ls .github/scripts/*.sh 1>/dev/null 2>&1; then
+            for script in .github/scripts/*.sh; do
+              echo "Checking ${script}..."
+              shellcheck --severity=warning "$script" || true
+            done
+          else
+            echo "No shell scripts to check"
+          fi

From cf887e7658cdafbc640f82451a05097d1e7ff974 Mon Sep 17 00:00:00 2001
From: Hugh Hackman <hugh@privilegedescalation.com>
Date: Wed, 18 Mar 2026 11:58:57 +0000
Subject: [PATCH 2/6] fix: install actionlint to user-writable path

The runner doesn't have write access to /usr/local/bin. Install to
$HOME/.local/bin instead and add it to GITHUB_PATH.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/pr-validation.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pr-validation.yaml b/.github/workflows/pr-validation.yaml
index 1c378c5..f893593 100644
--- a/.github/workflows/pr-validation.yaml
+++ b/.github/workflows/pr-validation.yaml
@@ -16,8 +16,10 @@ jobs:
       - name: Install actionlint
         run: |
           ACTIONLINT_VERSION="1.7.7"
+          mkdir -p "$HOME/.local/bin"
           curl -fsSL "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" \
-            | tar -xz -C /usr/local/bin actionlint
+            | tar -xz -C "$HOME/.local/bin" actionlint
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
 
       - name: Validate workflow YAML with actionlint
         run: actionlint -color .github/workflows/*.yaml

From 218b67fb50b9a364420144abb9abdcc0a2d33455 Mon Sep 17 00:00:00 2001
From: Hugh Hackman <hugh@privilegedescalation.com>
Date: Wed, 18 Mar 2026 12:00:53 +0000
Subject: [PATCH 3/6] fix: register local-ubuntu-latest as custom runner label
 for actionlint

actionlint doesn't recognize our self-hosted runner label. Adding
actionlint.yaml config to suppress false positives.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/actionlint.yaml | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .github/actionlint.yaml

diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
new file mode 100644
index 0000000..816e4fb
--- /dev/null
+++ b/.github/actionlint.yaml
@@ -0,0 +1,3 @@
+self-hosted-runner:
+  labels:
+    - local-ubuntu-latest

From b6f97bf481c89d31df1d15ca62536239c72c4750 Mon Sep 17 00:00:00 2001
From: "hugh-hackman[bot]"
 <266376744+hugh-hackman[bot]@users.noreply.github.com>
Date: Thu, 19 Mar 2026 00:06:49 +0000
Subject: [PATCH 4/6] fix: remove || true from shellcheck step per QA review

---
 .github/workflows/pr-validation.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pr-validation.yaml b/.github/workflows/pr-validation.yaml
index f893593..b1a5f2e 100644
--- a/.github/workflows/pr-validation.yaml
+++ b/.github/workflows/pr-validation.yaml
@@ -29,7 +29,7 @@ jobs:
           if ls .github/scripts/*.sh 1>/dev/null 2>&1; then
             for script in .github/scripts/*.sh; do
               echo "Checking ${script}..."
-              shellcheck --severity=warning "$script" || true
+              shellcheck --severity=warning "$script"
             done
           else
             echo "No shell scripts to check"

From 17cfc6033f3a6116810bb666196ea73532515be0 Mon Sep 17 00:00:00 2001
From: Hugh Hackman <hugh@privilegedescalation.com>
Date: Thu, 19 Mar 2026 00:11:42 +0000
Subject: [PATCH 5/6] fix: install shellcheck in PR validation workflow

The shellcheck step fails with "command not found" because shellcheck
is not installed on the runner. Install it from GitHub releases, same
pattern as the actionlint install step.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/pr-validation.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/pr-validation.yaml b/.github/workflows/pr-validation.yaml
index b1a5f2e..b3b721a 100644
--- a/.github/workflows/pr-validation.yaml
+++ b/.github/workflows/pr-validation.yaml
@@ -24,6 +24,13 @@ jobs:
       - name: Validate workflow YAML with actionlint
         run: actionlint -color .github/workflows/*.yaml
 
+      - name: Install shellcheck
+        run: |
+          SHELLCHECK_VERSION="0.10.0"
+          mkdir -p "$HOME/.local/bin"
+          curl -fsSL "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" \
+            | tar -xJ --strip-components=1 -C "$HOME/.local/bin" "shellcheck-v${SHELLCHECK_VERSION}/shellcheck"
+
       - name: Shellcheck scripts
         run: |
           if ls .github/scripts/*.sh 1>/dev/null 2>&1; then

From 2a53ce8a7db39e3d80d22808fbbbaecd4e92a757 Mon Sep 17 00:00:00 2001
From: Hugh Hackman <hugh@privilegedescalation.com>
Date: Thu, 19 Mar 2026 00:12:59 +0000
Subject: [PATCH 6/6] fix: install shellcheck via apt-get (runner lacks xz for
 tar.xz)

The self-hosted runner doesn't have xz installed, so extracting the
shellcheck tar.xz release fails. Use apt-get install instead.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/pr-validation.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/.github/workflows/pr-validation.yaml b/.github/workflows/pr-validation.yaml
index b3b721a..10dc4b5 100644
--- a/.github/workflows/pr-validation.yaml
+++ b/.github/workflows/pr-validation.yaml
@@ -26,10 +26,7 @@ jobs:
 
       - name: Install shellcheck
         run: |
-          SHELLCHECK_VERSION="0.10.0"
-          mkdir -p "$HOME/.local/bin"
-          curl -fsSL "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" \
-            | tar -xJ --strip-components=1 -C "$HOME/.local/bin" "shellcheck-v${SHELLCHECK_VERSION}/shellcheck"
+          sudo apt-get update -qq && sudo apt-get install -y -qq shellcheck >/dev/null 2>&1
 
       - name: Shellcheck scripts
         run: |