feat(build): enforce strict warnings across all linters

.github/workflows/main.yml

@@ -158,7 +158,7 @@ jobs:
     name: Terraform Validation
     uses: ./.github/workflows/terraform-validation.yml
     with:
-      soft-fail: true
+      soft-fail: false
     permissions:
       contents: read
 
@@ -178,7 +178,7 @@ jobs:
     name: Go Lint
     uses: ./.github/workflows/go-lint.yml
     with:
-      soft-fail: true
+      soft-fail: false
     permissions:
       contents: read
 
@@ -193,6 +193,15 @@ jobs:
       contents: read
       id-token: write
 
+  # ShellCheck linting for shell scripts
+  shellcheck:
+    name: ShellCheck
+    uses: ./.github/workflows/shellcheck.yml
+    with:
+      soft-fail: false
+    permissions:
+      contents: read
+
   # Terraform documentation freshness check
   terraform-docs-check:
     name: Terraform Docs Check
@@ -201,8 +210,6 @@ jobs:
       soft-fail: true
     permissions:
       contents: read
-
-
   # CodeQL security analysis
   codeql-analysis:
     name: CodeQL Analysis
@@ -234,6 +241,7 @@ jobs:
       - terraform-tests
       - go-lint
       - go-tests
+      - shellcheck
       - terraform-docs-check
       - codeql-analysis
     name: Release Please

.github/workflows/pester-tests.yml

@@ -158,7 +158,6 @@ jobs:
             $config = & scripts/tests/pester.config.ps1 -CI @configParams
             $config.Run.Exit = $false
             $result = Invoke-Pester -Configuration $config
-            $global:LASTEXITCODE = 0
 
             # Re-import CIHelpers — Pester module isolation unloads it during test execution
             Import-Module $ciHelpersPath -Force
@@ -167,18 +166,19 @@ jobs:
               $env:PESTER_FAILED = 'true'
               Set-CIOutput -Name 'pester-failed' -Value 'true'
               Write-Warning "$($result.FailedCount) test(s) failed"
+              exit 1
             }
             else {
               Set-CIOutput -Name 'pester-failed' -Value 'false'
               Write-Host "All $($result.PassedCount) tests passed"
             }
           }
           catch {
-            $global:LASTEXITCODE = 0
             $env:PESTER_FAILED = 'true'
             Import-Module $ciHelpersPath -Force -ErrorAction SilentlyContinue
             Set-CIOutput -Name 'pester-failed' -Value 'true'
             Write-Error "Pester execution failed: $_"
+            exit 1
           }
 
       - name: Upload test results

.github/workflows/pr-validation.yml

@@ -178,7 +178,7 @@ jobs:
     name: Terraform Validation
     uses: ./.github/workflows/terraform-validation.yml
     with:
-      soft-fail: true
+      soft-fail: false
       changed-files-only: true
     permissions:
       contents: read
@@ -200,7 +200,7 @@ jobs:
     name: Go Lint
     uses: ./.github/workflows/go-lint.yml
     with:
-      soft-fail: true
+      soft-fail: false
       changed-files-only: true
     permissions:
       contents: read
@@ -227,6 +227,15 @@ jobs:
       contents: read
       id-token: write
 
+  # ShellCheck linting for shell scripts
+  shellcheck:
+    name: ShellCheck
+    uses: ./.github/workflows/shellcheck.yml
+    with:
+      soft-fail: false
+      changed-files-only: true
+    permissions:
+      contents: read
 
   # CodeQL security analysis
   codeql-analysis:

.github/workflows/shellcheck.yml

@@ -0,0 +1,60 @@
+name: ShellCheck
+
+on:
+  workflow_call:
+    inputs:
+      soft-fail:
+        description: 'Whether to continue on ShellCheck failures'
+        required: false
+        type: boolean
+        default: false
+      changed-files-only:
+        description: 'Only lint when shell files changed'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+defaults:
+  run:
+    shell: pwsh
+
+jobs:
+  shellcheck:
+    name: ShellCheck
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          fetch-depth: ${{ inputs.changed-files-only && '0' || '1' }}
+
+      - name: Create logs directory
+        run: New-Item -ItemType Directory -Force -Path logs | Out-Null
+
+      - name: Install ShellCheck
+        run: sudo apt-get update && sudo apt-get install -y shellcheck
+        shell: bash
+
+      - name: Run ShellCheck
+        id: shellcheck
+        continue-on-error: ${{ inputs.soft-fail }}
+        run: |
+          $params = @{}
+          if ('${{ inputs.changed-files-only }}' -eq 'true') {
+            $params['ChangedFilesOnly'] = $true
+          }
+          ./scripts/linting/Invoke-ShellCheck.ps1 @params
+
+      - name: Upload ShellCheck results
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: shellcheck-results
+          path: logs/shellcheck-results.json
+          if-no-files-found: ignore

.shellcheckrc

@@ -0,0 +1,5 @@
+# ShellCheck configuration
+# Severity: warning (excludes info and style per warnings_strict policy)
+shell=bash
+severity=warning
+external-sources=true

CONTRIBUTING.md

@@ -1,3 +1,3 @@
 ---
 title: Contributing
 description: How to contribute to the Physical AI Toolchain
@@ -151,6 +151,23 @@
 
 For Terraform and shell script validation, see the [Prerequisites](docs/contributing/prerequisites.md#build-and-validation-requirements) guide.
 
+### Warning Policy
+
+All CI linters enforce warnings-as-errors. PRs that introduce new warnings will not merge.
+
+| Linter               | Enforcement       | Configuration                                 |
+|----------------------|-------------------|-----------------------------------------------|
+| Markdown (lint:md)   | Errors block      | .markdownlint-cli2.jsonc                      |
+| PowerShell (lint:ps) | Errors + warnings | scripts/linting/Invoke-PSScriptAnalyzer.ps1 |
+| YAML (lint:yaml)     | Errors + warnings | .yamllint.yml                                 |
+| Terraform (lint:tf)  | Errors block      | .tflint.hcl                                   |
+| Go (lint:go)         | Errors block      | .golangci.yml                                 |
+| ShellCheck (lint:sh) | Warnings + errors | .shellcheckrc                                 |
+| Python (lint:py)     | Errors block      | pyproject.toml [tool.ruff]                    |
+| Link check           | Errors block      | .markdownlint-cli2.jsonc                      |
+
+To suppress a specific warning locally, use the linter's inline suppression syntax. Do not change CI configuration to suppress warnings globally without team discussion.
+
 ## Updating External Components
 
 Reused externally-maintained components (Helm charts, container images, Terraform providers, Python packages, GitHub Actions) require periodic updates for security patches and compatibility. Dependabot automates updates for Python, Terraform, and GitHub Actions ecosystems. Helm charts and container images require manual updates.

package.json

@@ -12,12 +12,14 @@
     "lint:md": "markdownlint-cli2 \"**/*.md\"",
     "lint:md:fix": "markdownlint-cli2 \"**/*.md\" --fix",
     "lint:ps": "pwsh -File scripts/linting/Invoke-PSScriptAnalyzer.ps1",
+    "lint:py": "uvx ruff check .",
     "lint:links": "pwsh -File scripts/linting/Invoke-LinkLanguageCheck.ps1",
     "lint:go": "pwsh -File scripts/linting/Invoke-GoLint.ps1",
+    "lint:sh": "pwsh -File scripts/linting/Invoke-ShellCheck.ps1",
     "lint:yaml": "pwsh -File scripts/linting/Invoke-YamlLint.ps1",
     "lint:tf": "pwsh -File scripts/linting/Invoke-TFLint.ps1",
     "lint:tf:validate": "pwsh -File scripts/linting/Invoke-TerraformValidation.ps1",
-    "lint:all": "npm run lint:md && npm run lint:ps && npm run lint:links && npm run lint:yaml && npm run lint:tf && npm run lint:go",
+    "lint:all": "npm run lint:md && npm run lint:ps && npm run lint:links && npm run lint:yaml && npm run lint:tf && npm run lint:go && npm run lint:sh && npm run lint:py",
     "format:tables": "markdown-table-formatter \"**/*.md\"",
     "test:ps": "pwsh -File ./scripts/tests/Invoke-PesterTests.ps1",
     "test:tf": "pwsh -File scripts/linting/Invoke-TerraformTest.ps1",