diff --git a/.github/workflows/cache-clean-pr.yml b/.github/workflows/cache-clean-pr.yml
index 51a4282a0e9..bad5d6837df 100644
--- a/.github/workflows/cache-clean-pr.yml
+++ b/.github/workflows/cache-clean-pr.yml
@@ -19,17 +19,17 @@ jobs:
       - name: Cleanup
         run: |
           gh extension install actions/gh-actions-cache
-          REPO=${{ github.repository }}
-          BRANCH=refs/pull/${{ github.event.pull_request.number }}/merge
+          REPO="${{ github.repository }}"
+          BRANCH="refs/pull/${{ github.event.pull_request.number }}/merge"
           echo "Fetching list of cache key"
-          cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH | cut -f 1 )
+          cacheKeysForPR=$(gh actions-cache list -R "$REPO" -B "$BRANCH" | cut -f 1 )
 
-          ## Setting this to not fail the workflow while deleting cache keys. 
+          ## Setting this to not fail the workflow while deleting cache keys.
           set +e
           echo "Deleting caches..."
           for cacheKey in $cacheKeysForPR
           do
-              gh actions-cache delete $cacheKey -R $REPO -B $BRANCH --confirm
+              gh actions-cache delete "$cacheKey" -R "$REPO" -B "$BRANCH" --confirm
           done
           echo "Done"
         env:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c7655592983..7e2854a9522 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -36,6 +36,6 @@ jobs:
 
 
 # Note (not tested, from https://github.com/orgs/community/discussions/38361)
-# To cancel jobs if one failes, the following action may help
+# To cancel jobs if one fails, the following action may help
 #       - if: "failure()"
 #        uses: "andymckay/cancel-action@0.3"
diff --git a/.github/workflows/exakat.yml b/.github/workflows/exakat.yml
index 3b1b2f656e0..420ca085cad 100644
--- a/.github/workflows/exakat.yml
+++ b/.github/workflows/exakat.yml
@@ -4,10 +4,8 @@ name: "Exakat analysis"
 on:
   # execute once a month, the 1st
   schedule:
-  - cron: "0 20 1 * *"
+    - cron: "0 20 1 * *"
   workflow_dispatch:
-    branches:
-      - develop
 
 permissions:
   contents: read
@@ -19,6 +17,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 1
+        ref: develop
     - name: Exakat
       uses: docker://exakat/exakat-ga
       with:
diff --git a/.github/workflows/phan.yml b/.github/workflows/phan.yml
index 56a33ef76c7..c1c1d610048 100644
--- a/.github/workflows/phan.yml
+++ b/.github/workflows/phan.yml
@@ -17,8 +17,7 @@ concurrency:
   cancel-in-progress: true
 env:
   gh_event: ${{ inputs.gh_event || github.event_name }}
-  PHAN_CONFIG: >
-    ${{ 'dev/tools/phan/config.php' }}
+  PHAN_CONFIG: dev/tools/phan/config.php
   PHAN_BASELINE: dev/tools/phan/baseline.txt
   PHAN_MIN_PHP: 7.0
   PHAN_QUICK: ${{ github.event.schedule && '' || '--quick' }}
@@ -43,7 +42,8 @@ jobs:
           tools: cs2pr,phan
       - name: Run Phan analysis
         run: |
-          phan $PHAN_QUICK -k $PHAN_CONFIG -B $PHAN_BASELINE --analyze-twice --minimum-target-php-version $PHAN_MIN_PHP --output-mode=checkstyle -o _phan.xml
+          # shellcheck disable=2086
+          phan $PHAN_QUICK -k "$PHAN_CONFIG" -B "$PHAN_BASELINE" --analyze-twice --minimum-target-php-version "$PHAN_MIN_PHP" --output-mode=checkstyle -o _phan.xml
       - name: Add results to PR
         if: ${{ always() }}
         run: |
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index df4141f31a3..f2056f63a14 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -67,7 +67,7 @@ jobs:
         run: |
           set -o pipefail
           pre-commit gc
-          pre-commit run --show-diff-on-failure --color=always --all-files | tee ${RAW_LOG}
+          pre-commit run --show-diff-on-failure --color=always --all-files | tee "${RAW_LOG}"
 
       # The next uses git, which is slow for a bit repo.
       # - name: Get all changed php files (if PR)
@@ -105,7 +105,8 @@ jobs:
           ALL_CHANGED_FILES: ${{ steps.changed-php.outputs.all_changed_files }}
         run: |
           set -o pipefail
-          pre-commit run php-cs --files ${ALL_CHANGED_FILES} | tee -a ${RAW_LOG}
+          # shellcheck disable=2086
+          pre-commit run php-cs --files ${ALL_CHANGED_FILES} | tee -a "${RAW_LOG}"
 
       - name: Run some pre-commit hooks on all files on push to "main" branches
         if: |
@@ -117,8 +118,8 @@ jobs:
         run: |
           set -o pipefail
           ln -sf ~/.cache .cache  # Absolute path in .pre-commit-config.yaml
-          pre-commit run --hook-stage manual -a php-cs-with-cache | tee -a ${RAW_LOG}
-          pre-commit run --hook-stage manual -a sqlfluff-lint | tee -a ${RAW_LOG}
+          pre-commit run --hook-stage manual -a php-cs-with-cache | tee -a "${RAW_LOG}"
+          pre-commit run --hook-stage manual -a sqlfluff-lint | tee -a "${RAW_LOG}"
           ls -l ~/.cache/pre-commit/
 
       - name: Convert Raw Log to Annotations
diff --git a/.github/workflows/windows-ci.yml b/.github/workflows/windows-ci.yml
index 10e254b55fb..17521145fc1 100644
--- a/.github/workflows/windows-ci.yml
+++ b/.github/workflows/windows-ci.yml
@@ -66,7 +66,7 @@ jobs:
           KEY_ROOT: ${{ matrix.os }}-${{ env.ckey }}-${{ matrix.php_version }}
         with:
           # See https://github.com/actions/cache/issues/1275#issuecomment-1925217178
-          enableCrossOsArchive: true 
+          enableCrossOsArchive: true
           path: |
             ./db_init.sql
             ./db_init.sql.md5
@@ -114,6 +114,7 @@ jobs:
         # Note this is bash (MSYS) on Windows
         shell: bash
         run: |
+          # shellcheck disable=SC2129
           ECHO "#[group]Directory contents to verify cache files, ..."
           ls -l
           ECHO "#[endgroup]"
@@ -128,10 +129,12 @@ jobs:
           ls -l
           ECHO "#[endgroup]"
           # Export some tool paths to reuse the from CMD shell.
-          echo "TAIL=$(cygpath -w "$(which tail)")" >> "$GITHUB_ENV"
-          echo "GREP=$(cygpath -w "$(which grep)")" >> "$GITHUB_ENV"
-          echo "TEE=$(cygpath -w "$(which tee)")" >> "$GITHUB_ENV"
-          echo "BASEDIR=$(realpath .)" >> "$GITHUB_ENV"
+          {
+          echo "TAIL=$(cygpath -w "$(which tail)")"
+          echo "GREP=$(cygpath -w "$(which grep)")"
+          echo "TEE=$(cygpath -w "$(which tee)")"
+          echo "BASEDIR=$(realpath .)"
+          } >> "$GITHUB_ENV"
 
       - name: Run PHPUnit tests
         # continue-on-error: true
@@ -184,7 +187,7 @@ jobs:
         if: ${{ ! cancelled() }}
         with:
           # See https://github.com/actions/cache/issues/1275#issuecomment-1925217178
-          enableCrossOsArchive: true 
+          enableCrossOsArchive: true
           key: ${{ steps.cache.outputs.cache-primary-key }}
           path: |
             ./db_init.sql
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5c0b747191d..c2b29ef90af 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,5 +1,5 @@
 ---
-exclude: (?x)^( htdocs/includes/ckeditor/.*|(\.[^/]*/.*))$
+exclude: (?x)^( htdocs/includes/ckeditor/.*|(\.(?!github/workflows)[^/]*/.*))$
 repos:
   # Several miscellaneous checks and fix (on yaml files, end of files fix)
   - repo: https://github.com/pre-commit/pre-commit-hooks
@@ -64,6 +64,12 @@ repos:
     hooks:
       - id: gitleaks
 
+  # Check github actions
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.3
+    hooks:
+      - id: actionlint
+
   # Beautify shell scripts
   - repo: https://github.com/lovesegfault/beautysh.git
     rev: v6.2.1