ci: add shellcheck linting for shell scripts

Add shellcheck to CI pipeline to ensure shell scripts follow best practices
and catch common errors. Fix existing shellcheck warnings in test scripts
to pass the new linting requirements.

.github/workflows/test.yml

@@ -31,6 +31,7 @@ jobs:
       - prettier
       - alejandra
       - typos
+      - shellcheck
       - translations
       - blueprint-compiler
       - test-pkg-linux
@@ -778,6 +779,40 @@ jobs:
       - name: typos check
         run: nix develop -c typos
 
+  shellcheck:
+    if: github.repository == 'ghostty-org/ghostty'
+    runs-on: namespace-profile-ghostty-xsm
+    timeout-minutes: 60
+    env:
+      ZIG_LOCAL_CACHE_DIR: /zig/local-cache
+      ZIG_GLOBAL_CACHE_DIR: /zig/global-cache
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Cache
+        uses: namespacelabs/nscloud-cache-action@449c929cd5138e6607e7e78458e88cc476e76f89 # v1.2.8
+        with:
+          path: |
+            /nix
+            /zig
+      - uses: cachix/install-nix-action@cebd211ec2008b83bda8fb0b21c3c072f004fe04 # v31.5.0
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+        with:
+          name: ghostty
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+          skipPush: true
+          useDaemon: false # sometimes fails on short jobs
+      - name: shellcheck
+        run: |
+          nix develop -c shellcheck \
+            --check-sourced \
+            --color=always \
+            --severity=warning \
+            --shell=bash \
+            --external-sources \
+            $(find . \( -name "*.sh" -o -name "*.bash" \) -type f ! -path "./zig-out/*" ! -path "./macos/build/*" ! -path "./.git/*" | sort)
+
   translations:
     if: github.repository == 'ghostty-org/ghostty'
     runs-on: namespace-profile-ghostty-xsm

nix/build-support/update-mirror.sh

@@ -6,7 +6,7 @@
 
 set -e  # Exit immediately if a command exits with a non-zero status
 
-SCRIPT_PATH="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+SCRIPT_PATH="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd)"
 INPUT_FILE="$SCRIPT_PATH/../../build.zig.zon2json-lock"
 OUTPUT_DIR="blob"
 

nix/devShell.nix

@@ -61,6 +61,7 @@
   pinact,
   hyperfine,
   typos,
+  shellcheck,
   uv,
   wayland,
   wayland-scanner,
@@ -101,6 +102,7 @@ in
         alejandra
         pinact
         typos
+        shellcheck
 
         # Testing
         parallel

test/run-all.sh

@@ -9,9 +9,6 @@ DIR=$(cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd)
 # We always copy the bin in case it was rebuilt
 cp ${DIR}/../zig-out/bin/ghostty ${DIR}/
 
-# Build our image once
-IMAGE=$(docker build --file ${DIR}/Dockerfile -q ${DIR})
-
 # Unix shortcut to just execute ./run-host for each one. We can do
 # this less esoterically if we ever wanted.
 find ${DIR}/cases \
@@ -23,4 +20,4 @@ find ${DIR}/cases \
   ${DIR}/run-host.sh \
     --case '{}' \
     --rewrite-abs-path \
-    $@
+    "$@"

test/run-host.sh

@@ -13,4 +13,4 @@ docker run \
   --entrypoint "xvfb-run" \
   $IMAGE \
   --server-args="-screen 0, 1600x900x24" \
-  /entrypoint.sh $@
+  /entrypoint.sh "$@"

test/run.sh

@@ -63,6 +63,7 @@ if [ $bad -ne 0 ]; then
 fi
 
 # Load our test case
+# shellcheck disable=SC1090
 source ${ARG_CASE}
 if ! has_func "test_do"; then
   echo "Test case is invalid."
@@ -79,7 +80,7 @@ if [ "$ARG_EXEC" = "ghostty" ]; then
   # We build in Nix (maybe). To be sure, we replace the interpreter so
   # it doesn't point to a Nix path. If we don't build in Nix, this should
   # still be safe.
-  patchelf --set-interpreter /lib/ld-linux-$(uname -m).so.1 ${ARG_EXEC}
+  patchelf --set-interpreter /lib/ld-linux-"$(uname -m)".so.1 ${ARG_EXEC}
 fi
 
 #--------------------------------------------------------------------