chore: add static checks workflow for #320 phase C #325

Open
mrlunchbox777 wants to merge 6 commits into main from feature/code-scanning-transition-320

@mrlunchbox777
Owner

Summary

  • add .github/workflows/static-checks.yaml to run shellcheck, shfmt -d, and actionlint in CI
  • update pivot: decommission bsctl Go CLI and retire CodeQL #320 decommission planning doc with Phase C status and immediate static-check stabilization steps
  • docs bump to 0.1.23 in resources/version.yaml, mirrored bsctl/static/resources/constants.yaml, and new CHANGELOG.md entry

Validation

  • ran ./scripts/workflows/docs-bump_docs-bump_version-bump.sh
  • ran ./scripts/workflows/docs-bump_docs-bump_CHANGELOG-bump.sh

Issue Link

@github-actions github-actions bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. changes/documentation Documentation file changes changes/root Root file changes changes/meta .github file changes changes/resources Resources file changes and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 9, 2026
@mrlunchbox777 mrlunchbox777 added kind/chore Chore to be completed, e.g. renovate priority/4 Lower priority status/review Ready for review labels Apr 9, 2026
@mrlunchbox777
Owner Author

Phase C PR is ready for review and labels are synced with issue #320.

  • Added CI static-check scaffolding workflow (shellcheck, shfmt -d, actionlint).
  • Docs/version bump included (0.1.23).
  • Managed labels synchronized on issue/PR and status set to status/review.

@github-actions github-actions bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Apr 9, 2026
Contributor

Copilot AI left a comment

Pull request overview

Adds CI static analysis for shell scripts and GitHub Actions workflows as part of the Phase C transition plan in #320, while bumping versioning/docs to reflect the new milestone.

Changes:

  • Added a new CI workflow to run shellcheck, shfmt -d, and actionlint on relevant changes.
  • Updated the bsctl/CodeQL decommission planning doc with Phase C status and next steps.
  • Bumped version to 0.1.23 and added a corresponding CHANGELOG.md entry (including legacy mirror update).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| .github/workflows/static-checks.yaml | Introduces CI jobs for shell/workflow static checks to replace Go-focused scanning over time. |
| docs/plans/bsctl-codeql-decommission-plan.md | Records Phase C status and refines immediate next steps around static-check stabilization. |
| resources/version.yaml | Updates the primary repo version source to 0.1.23. |
| bsctl/static/resources/constants.yaml | Mirrors the version bump to 0.1.23 for legacy transition compatibility. |
| CHANGELOG.md | Adds a 0.1.23 entry documenting the workflow/doc updates. |

@github-actions github-actions bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 9, 2026
@mrlunchbox777 mrlunchbox777 requested a review from Copilot April 9, 2026 04:25
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.


Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.


Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.


Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.


Comment on lines +42 to +86
- name: Run shellcheck
run: |
mapfile -t sh_files < <(git ls-files '*.sh' | grep -v '^submodules/' || true)
# Temporary exclusions for legacy/bash completion files pending dedicated cleanup.
mapfile -t bash_files < <(
git ls-files '*.bash' |
grep -v '^submodules/' |
grep -v '^alias/bash/git-prompt.bash$' |
grep -v '^alias/bash/kubectl-completion.bash$' || true
)
if [ "${#sh_files[@]}" -eq 0 ] && [ "${#bash_files[@]}" -eq 0 ]; then
echo "No sh/bash files found"
exit 0
fi
if [ "${#sh_files[@]}" -gt 0 ]; then
shellcheck "${sh_files[@]}"
fi
if [ "${#bash_files[@]}" -gt 0 ]; then
shellcheck -s bash "${bash_files[@]}"
fi

- name: Run shfmt diff check
run: |
mapfile -t sh_files < <(git ls-files '*.sh' | grep -v '^submodules/' || true)
# Temporary exclusions for legacy completion files pending dedicated cleanup.
mapfile -t bash_files < <(
git ls-files '*.bash' |
grep -v '^submodules/' |
grep -v '^alias/bash/kubectl-completion.bash$' || true
)
if [ "${#sh_files[@]}" -eq 0 ] && [ "${#bash_files[@]}" -eq 0 ]; then
echo "No sh/bash files found"
exit 0
fi
if [ "${#sh_files[@]}" -gt 0 ]; then
shfmt -d "${sh_files[@]}"
fi
if [ "${#bash_files[@]}" -gt 0 ]; then
shfmt -d "${bash_files[@]}"
fi

- name: Run zsh syntax check
run: |
mapfile -t zsh_files < <(git ls-files '*.zsh' | grep -v '^submodules/' || true)
if [ "${#zsh_files[@]}" -eq 0 ]; then
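
Review bot: the exclusion filters in the shellcheck and shfmt steps (`grep -v '^alias/bash/git-prompt.bash$'`, `grep -v '^alias/bash/kubectl-completion.bash$'`) are regular expressions, so each unescaped `.` matches any character and the filter can drop more paths than the two files it names. Because these patterns decide which scripts skip static analysis, match them as fixed whole lines instead, for example `grep -vxF -e 'alias/bash/git-prompt.bash' -e 'alias/bash/kubectl-completion.bash'`, which also replaces the chained greps with one command. Separately, the exit status of the `< <( ... )` process substitution is never checked, so if `git ls-files` itself fails the arrays are empty and the step prints "No sh/bash files found" and exits 0; the listing should fail the job rather than pass silently.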
Copilot AI Apr 9, 2026

The bash file targeting/exclusion logic is duplicated across the shellcheck and shfmt steps, and the exclusion sets already differ (e.g., alias/bash/git-prompt.bash is excluded for shellcheck but not for shfmt). This duplication makes it easy for the two checks to drift and become inconsistent over time. Consider generating the file lists once (or centralizing exclusions in a single variable/file) and reusing them in both steps, or add a brief note explaining why the exclusion sets intentionally differ.

Suggested change
- name: Run shellcheck
run: |
mapfile -t sh_files < <(git ls-files '*.sh' | grep -v '^submodules/' || true)
# Temporary exclusions for legacy/bash completion files pending dedicated cleanup.
mapfile -t bash_files < <(
git ls-files '*.bash' |
grep -v '^submodules/' |
grep -v '^alias/bash/git-prompt.bash$' |
grep -v '^alias/bash/kubectl-completion.bash$' || true
)
if [ "${#sh_files[@]}" -eq 0 ] && [ "${#bash_files[@]}" -eq 0 ]; then
echo "No sh/bash files found"
exit 0
fi
if [ "${#sh_files[@]}" -gt 0 ]; then
shellcheck "${sh_files[@]}"
fi
if [ "${#bash_files[@]}" -gt 0 ]; then
shellcheck -s bash "${bash_files[@]}"
fi
- name: Run shfmt diff check
run: |
mapfile -t sh_files < <(git ls-files '*.sh' | grep -v '^submodules/' || true)
# Temporary exclusions for legacy completion files pending dedicated cleanup.
mapfile -t bash_files < <(
git ls-files '*.bash' |
grep -v '^submodules/' |
grep -v '^alias/bash/kubectl-completion.bash$' || true
)
if [ "${#sh_files[@]}" -eq 0 ] && [ "${#bash_files[@]}" -eq 0 ]; then
echo "No sh/bash files found"
exit 0
fi
if [ "${#sh_files[@]}" -gt 0 ]; then
shfmt -d "${sh_files[@]}"
fi
if [ "${#bash_files[@]}" -gt 0 ]; then
shfmt -d "${bash_files[@]}"
fi
- name: Run zsh syntax check
run: |
mapfile -t zsh_files < <(git ls-files '*.zsh' | grep -v '^submodules/' || true)
if [ "${#zsh_files[@]}" -eq 0 ]; then
- name: Collect shell files
id: collect-shell-files
run: |
mapfile -t sh_files < <(git ls-files '*.sh' | grep -v '^submodules/' || true)
mapfile -t all_bash_files < <(git ls-files '*.bash' | grep -v '^submodules/' || true)
mapfile -t zsh_files < <(git ls-files '*.zsh' | grep -v '^submodules/' || true)
# Temporary exclusions for legacy/bash completion files pending dedicated cleanup.
mapfile -t shellcheck_bash_files < <(
printf '%s\n' "${all_bash_files[@]}" |
grep -v '^alias/bash/git-prompt.bash$' |
grep -v '^alias/bash/kubectl-completion.bash$' || true
)
# shfmt intentionally keeps alias/bash/git-prompt.bash included; only the known
# completion file remains excluded here pending dedicated cleanup.
mapfile -t shfmt_bash_files < <(
printf '%s\n' "${all_bash_files[@]}" |
grep -v '^alias/bash/kubectl-completion.bash$' || true
)
{
echo "sh_files<<EOF"
printf '%s\n' "${sh_files[@]}"
echo "EOF"
echo "shellcheck_bash_files<<EOF"
printf '%s\n' "${shellcheck_bash_files[@]}"
echo "EOF"
echo "shfmt_bash_files<<EOF"
printf '%s\n' "${shfmt_bash_files[@]}"
echo "EOF"
echo "zsh_files<<EOF"
printf '%s\n' "${zsh_files[@]}"
echo "EOF"
} >> "$GITHUB_OUTPUT"
- name: Run shellcheck
run: |
mapfile -t sh_files <<< "${{ steps.collect-shell-files.outputs.sh_files }}"
mapfile -t bash_files <<< "${{ steps.collect-shell-files.outputs.shellcheck_bash_files }}"
if [ "${#sh_files[@]}" -eq 0 ] && [ "${#bash_files[@]}" -eq 0 ]; then
echo "No sh/bash files found"
exit 0
fi
if [ "${#sh_files[@]}" -gt 0 ] && [ -n "${sh_files[0]}" ]; then
shellcheck "${sh_files[@]}"
fi
if [ "${#bash_files[@]}" -gt 0 ] && [ -n "${bash_files[0]}" ]; then
shellcheck -s bash "${bash_files[@]}"
fi
- name: Run shfmt diff check
run: |
mapfile -t sh_files <<< "${{ steps.collect-shell-files.outputs.sh_files }}"
mapfile -t bash_files <<< "${{ steps.collect-shell-files.outputs.shfmt_bash_files }}"
if [ "${#sh_files[@]}" -eq 0 ] && [ "${#bash_files[@]}" -eq 0 ]; then
echo "No sh/bash files found"
exit 0
fi
if [ "${#sh_files[@]}" -gt 0 ] && [ -n "${sh_files[0]}" ]; then
shfmt -d "${sh_files[@]}"
fi
if [ "${#bash_files[@]}" -gt 0 ] && [ -n "${bash_files[0]}" ]; then
shfmt -d "${bash_files[@]}"
fi
- name: Run zsh syntax check
run: |
mapfile -t zsh_files <<< "${{ steps.collect-shell-files.outputs.zsh_files }}"
if [ "${#zsh_files[@]}" -eq 0 ] || [ -z "${zsh_files[0]}" ]; then
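
Review bot: the consuming steps paste step outputs directly into the script source, e.g. `mapfile -t sh_files <<< "${{ steps.collect-shell-files.outputs.sh_files }}"`, so Actions substitutes every tracked file name into the text before bash parses it, and a path containing shell metacharacters would be interpreted as script rather than data. Pass each list through the step's `env:` block and read it as a quoted variable instead, for example `mapfile -t sh_files <<< "$SH_FILES"` (`SH_FILES` is an illustrative name, not one from this PR). Also, a here-string always supplies at least one line, so with an empty output each array holds one empty element and the `[ "${#sh_files[@]}" -eq 0 ] && [ "${#bash_files[@]}" -eq 0 ]` early exit in the shellcheck and shfmt steps can never fire; only the added `[ -n "${sh_files[0]}" ]` guards skip the tools. Make the early exit test the first element for emptiness, as the zsh step already does with `[ -z "${zsh_files[0]}" ]`.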


Labels

changes/documentation Documentation file changes changes/meta .github file changes changes/resources Resources file changes changes/root Root file changes kind/chore Chore to be completed, e.g. renovate priority/4 Lower priority size/L Denotes a PR that changes 100-499 lines, ignoring generated files. status/review Ready for review

Development

Successfully merging this pull request may close these issues.

pivot: decommission bsctl Go CLI and retire CodeQL

2 participants