diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..47ff004
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,3 @@
+[*.sh]
+indent_style = space
+indent_size = 4
diff --git a/.github/sync.yml b/.github/sync.yml
index ead6f99..da3f2c0 100644
--- a/.github/sync.yml
+++ b/.github/sync.yml
@@ -8,3 +8,5 @@ group:
   files:
     - source: config/workflows/
       dest: .github/workflows/
+    - source: config/scripts/
+      dest: scripts/shared/
diff --git a/.github/workflows/shell.yml b/.github/workflows/shell.yml
new file mode 100644
index 0000000..2823f3f
--- /dev/null
+++ b/.github/workflows/shell.yml
@@ -0,0 +1,24 @@
+name: Lint shell scripts
+on:
+  pull_request:
+    branches:
+      - main
+jobs:
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install shellcheck
+        run: sudo apt-get update && sudo apt-get install shellcheck -y
+      - name: Run shellcheck
+        run: shellcheck config/scripts/*
+  shfmt:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install shfmt
+        run: |
+          wget https://github.com/mvdan/sh/releases/download/v3.5.1/shfmt_v3.5.1_linux_amd64 -O shfmt
+          chmod +x shfmt
+      - name: Run shfmt
+        run: ./shfmt --diff config/scripts
diff --git a/.shellcheckrc b/.shellcheckrc
new file mode 100644
index 0000000..c0625d3
--- /dev/null
+++ b/.shellcheckrc
@@ -0,0 +1,4 @@
+source-path=config/scripts
+enable=avoid-nullary-conditions
+enable=deprecate-which
+enable=quote-safe-variables
diff --git a/config/scripts/get_branch.sh b/config/scripts/get_branch.sh
new file mode 100755
index 0000000..81ed7dd
--- /dev/null
+++ b/config/scripts/get_branch.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+# gets the "base branch" against which to compare analysis results;
+# this would be the base branch for PRs and the head branch for pushes
+set -euo pipefail
+
+PR_NUMBER="${1:-}"
+
+#shellcheck source=lib.sh
+source "$(dirname "$0")/lib.sh"
+
+if [ -z "${PR_NUMBER}" ]; then
+    git branch --show-current
+else
+    curl_gh "https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}" | jq .head.ref
+fi
diff --git a/config/scripts/lib.sh b/config/scripts/lib.sh
new file mode 100644
index 0000000..5dbf7ac
--- /dev/null
+++ b/config/scripts/lib.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+## This file is intended to be sourced by other scripts
+
+## if DEBUG is present in the env, will enable echoing every command
+if [ -n "${DEBUG:-}" ]; then
+    set -x
+    echo "DEBUG enabled"
+fi
+
+## echoes to stderr
+function err() {
+    echo >&2 "$@"
+}
+
+## makes an authenticated request to the Github API using the GITHUB_TOKEN from the environment
+function curl_gh() {
+    if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+        curl \
+            --silent \
+            --header "Authorization: token $GITHUB_TOKEN" \
+            "$@"
+    else
+        err "WARNING: No GITHUB_TOKEN found. Skipping API call"
+    fi
+
+}