diff --git a/.github/workflows/check-shell-validation.yml b/.github/workflows/check-shell-validation.yml
new file mode 100644
index 0000000..3f80b24
--- /dev/null
+++ b/.github/workflows/check-shell-validation.yml
@@ -0,0 +1,19 @@
+name: "[Check] Shell validation"
+
+on:
+  pull_request:
+    paths:
+      - "**.sh"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: shellcheck
+        run: ./scripts/shellcheck.sh
diff --git a/ci/s3sync.sh b/ci/s3sync.sh
index ced114d..60d05c2 100755
--- a/ci/s3sync.sh
+++ b/ci/s3sync.sh
@@ -6,11 +6,9 @@
 
 DIRS="bootloader bridge firmware legal registry udev suite connect security transparency misc"
 BUCKET=data.trezor.io
-ROLLBACK=rollback-data.trezor.io
 DISTRIBUTION_ID="E1ERY5K2OTKKI1"
 
-./check_releases.py
-if [ "$?" != "0" ]; then
+if ! ./check_releases.py; then
     echo "check_releases.py failed."
     exit
 fi
@@ -21,10 +19,10 @@ set -e
 # aws s3 sync s3://$BUCKET s3://$ROLLBACK
 
 for DIR in $DIRS; do
-    if [ "x$1" == "x-d" ]; then
-        aws s3 sync --delete --cache-control 'public, max-age=3600' $DIR s3://$BUCKET/$DIR
+    if [ "$1" == "-d" ]; then
+        aws s3 sync --delete --cache-control 'public, max-age=3600' "$DIR" s3://$BUCKET/"$DIR"
     else
-        aws s3 sync --cache-control 'public, max-age=3600' $DIR s3://$BUCKET/$DIR
+        aws s3 sync --cache-control 'public, max-age=3600' "$DIR" s3://$BUCKET/"$DIR"
     fi
 done
 
diff --git a/scripts/shellcheck.sh b/scripts/shellcheck.sh
new file mode 100755
index 0000000..9254743
--- /dev/null
+++ b/scripts/shellcheck.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+set -x
+set -o pipefail
+
+shellcheck --version
+
+find . -type f -name '*.sh' -exec shellcheck {} +