v1.1.0

Author: fidpa

.github/workflows/lint.yml

@@ -0,0 +1,30 @@
+name: Lint
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  shellcheck:
+    name: ShellCheck
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run ShellCheck
+        run: |
+          find . -name "*.sh" -not -path "./.git/*" -print0 | xargs -0 shellcheck --severity=error
+
+  syntax-check:
+    name: Bash Syntax
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Validate Bash syntax
+        run: |
+          find . -name "*.sh" -not -path "./.git/*" -print0 | xargs -0 -I {} bash -n {}

.github/workflows/release.yml

@@ -0,0 +1,24 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v1
+        with:
+          generate_release_notes: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.shellcheckrc

@@ -0,0 +1,53 @@
+# .shellcheckrc - Pi-Router + NAS Server shellcheck config
+# Multi-Device Setup: 552 Shell-Scripts (Pi 5: ~249, NAS: ~303)
+# Best Practices 2025 compliant
+# Optimized for ShellCheck 0.9.0+ (Last reviewed: 12. Dezember 2025)
+#
+# References:
+# - https://www.shellcheck.net/wiki/Directive
+# - https://www.shellcheck.net/wiki/Optional
+# - https://man.archlinux.org/man/extra/shellcheck/shellcheck.1.en
+
+# ============================================================================
+# DISABLED CHECKS
+# ============================================================================
+
+# SC1090: Can't follow non-constant source
+# SC1091: Not following sourced file
+# Rationale: Scripts use dynamic library paths (e.g., ${SCRIPT_DIR}/../lib/)
+#            shellcheck cannot resolve these at static analysis time
+# Example: source "$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")/../lib/logging.sh"
+disable=SC1090,SC1091
+
+# ============================================================================
+# OPTIONAL CHECKS
+# ============================================================================
+
+# NOT using enable=all (Best Practice 2025)
+# Reason: enable=all activates subjective/conflicting optional checks
+#         meant for discovery only, not production
+# Instead: Selectively enable specific optional checks if needed
+#
+# Available optional checks (use shellcheck --list-optional):
+# - avoid-nullary-conditions, deprecate-which, quote-safe-variables, etc.
+
+# No optional checks enabled (Production default)
+
+# ============================================================================
+# CONFIGURATION
+# ============================================================================
+
+# Shell dialect (Raspberry Pi OS Bookworm: bash 5.2.15, Ubuntu 24.04: bash 5.2.21)
+shell=bash
+
+# Source path for library resolution
+# SCRIPTDIR = directory of currently checked script
+source-path=SCRIPTDIR
+
+# Allow following source statements (Best Practice 2025)
+# Safely enables shellcheck to open sourced files where possible
+external-sources=true
+
+# Minimum severity threshold (focus on errors + warnings)
+# Consistent with script-audit.sh Production-Ready threshold (85%+ clean)
+severity=warning

CHANGELOG.md

@@ -12,6 +12,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Ansible playbook support
 - Docker security hardening module
 
+## [1.1.0] - 2026-01-21
+
+### Added
+- CI/CD pipeline with GitHub Actions
+- ShellCheck linting workflow (severity: error)
+- Bash syntax validation workflow
+- Automated release workflow
+- `.shellcheckrc` configuration (Best Practices 2025)
+- CI status badge in README.md
+
+### Changed
+- All bash scripts now validated on every push to main branch
+
 ## [1.0.1] - 2026-01-20
 
 ### Changed
@@ -62,9 +75,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 | Version | Date | Highlights |
 |---------|------|------------|
+| 1.1.0 | 2026-01-21 | CI/CD pipeline with GitHub Actions (ShellCheck, automated releases) |
 | 1.0.1 | 2026-01-20 | Documentation patch (CODE_OF_CONDUCT.md contact update) |
 | 1.0.0 | 2026-01-20 | Initial release with 14 security components |
 
-[Unreleased]: https://github.com/fidpa/ubuntu-server-security/compare/v1.0.1...HEAD
+[Unreleased]: https://github.com/fidpa/ubuntu-server-security/compare/v1.1.0...HEAD
+[1.1.0]: https://github.com/fidpa/ubuntu-server-security/compare/v1.0.1...v1.1.0
 [1.0.1]: https://github.com/fidpa/ubuntu-server-security/compare/v1.0.0...v1.0.1
 [1.0.0]: https://github.com/fidpa/ubuntu-server-security/releases/tag/v1.0.0

README.md

@@ -3,6 +3,7 @@
 ![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)
 ![Ubuntu](https://img.shields.io/badge/Ubuntu-22.04%20%7C%2024.04-orange?logo=ubuntu)
 ![CIS Benchmark](https://img.shields.io/badge/CIS%20Benchmark-100%25-blue)
+![CI](https://github.com/fidpa/ubuntu-server-security/actions/workflows/lint.yml/badge.svg)
 
 Production-ready security configurations for Ubuntu servers.
 

vaultwarden/vaultwarden-credentials.sh

@@ -336,7 +336,6 @@ if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
     fi
     echo ""
     echo "Checking vault status..."
-    local status
     status=$(bw status 2>/dev/null | grep -o '"status":"[^"]*"' | cut -d'"' -f4)
     echo "  Status: $status"
     echo ""