chore: Add Differential ShellCheck workflow

Author: rm3l

.github/workflows/.github/workflows/scripts-checks.yaml

@@ -0,0 +1,43 @@
+name: Differential ShellCheck
+
+on:
+  push:
+    paths:
+      - '**.sh'
+      - '.github/workflows/scripts-checks.yaml'
+    branches: [ main ]
+  pull_request:
+    paths:
+      - '**.sh'
+      - '.github/workflows/scripts-checks.yaml'
+    branches: [ 'main' ]
+
+permissions:
+  contents: read
+
+jobs:
+  shellcheck-lint:
+    runs-on: ubuntu-latest
+
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Repository checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          # Differential ShellCheck requires full git history
+          fetch-depth: 0
+
+      - id: ShellCheck
+        name: Differential ShellCheck
+        uses: redhat-plumbers-in-action/differential-shellcheck@0d9e5b29625f871e6a4215380486d6f1a7cb6cdd # v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - if: always()
+        name: Upload artifact with ShellCheck defects in SARIF format
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: Differential ShellCheck SARIF
+          path: ${{ steps.ShellCheck.outputs.sarif }}