diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
new file mode 100644
index 0000000000000..71c1e9cac478e
--- /dev/null
+++ b/.github/workflows/shellcheck.yml
@@ -0,0 +1,44 @@
+name: Lint shell scripts
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - '**/*.sh'
+      - '.github/workflows/shellcheck.yml'
+      - '.github/workflows/actionlint.dockerfile'
+  pull_request:
+    branches:
+      - "main"
+    paths:
+      - '**/*.sh'
+      - '.github/workflows/shellcheck.yml'
+      - '.github/workflows/actionlint.dockerfile'
+
+env:
+  LC_ALL: en_US.UTF-8
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+
+      - name: "Download shellcheck"
+        run: |
+          docker build --tag actionlint - < .github/workflows/actionlint.dockerfile
+
+      - name: "Check shell scripts"
+        run: |
+          docker run --volume="${PWD}:/repo:z" --workdir=/repo --entrypoint /usr/bin/find actionlint \
+            /repo -type f -name "*.sh" -exec /usr/local/bin/shellcheck {} +