diff --git a/.github/workflows/actionlint-exceptions.txt b/.github/workflows/actionlint-exceptions.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
new file mode 100644
index 0000000000..4f512d84b1
--- /dev/null
+++ b/.github/workflows/actionlint.yml
@@ -0,0 +1,40 @@
+name: Actionlint
+
+on:
+  pull_request:
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      # Note that, because our Nix configuration provisions *both* shellcheck and actionlint,
+      # actionlint is not going to install its own shellcheck.
+      # This also makes sure that this pipeline runs using
+      # the same shellcheck as the ones in Nix shells of developers.
+      - name: Install Nix with good defaults
+        uses: input-output-hk/install-nix-action@v20
+        with:
+          extra_nix_config: |
+            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=
+            substituters = https://cache.iog.io/ https://cache.nixos.org/
+          nix_path: nixpkgs=channel:nixos-unstable
+      - uses: cachix/install-nix-action@v18
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      # Make the Nix environment available to next steps
+      - uses: rrbutani/use-nix-shell-action@v1
+
+      - name: actionlint
+        run: |
+          for file in $(git ls-files ".github/workflows/*.y*ml")
+          do
+            if grep -q "$file" ".github/workflows/actionlint-exceptions.txt"
+            then
+              echo "⚠️ $file is ignored from actionlint's verifications. Please consider fixing it."
+            else
+              echo "actionlint $file"
+              actionlint "$file"
+            fi
+          done
diff --git a/.github/workflows/check-cabal-files.yml b/.github/workflows/check-cabal-files.yml
index d794486cf7..dc8a7048b9 100644
--- a/.github/workflows/check-cabal-files.yml
+++ b/.github/workflows/check-cabal-files.yml
@@ -12,7 +12,7 @@ jobs:
     - name: Workaround runner image issue
       if: runner.os == 'Linux'
       # https://github.com/actions/runner-images/issues/7061
-      run: sudo chown -R $USER /usr/local/.ghcup
+      run: sudo chown -R "$USER" /usr/local/.ghcup
 
     - name: Install Haskell
       uses: input-output-hk/setup-haskell@v1
diff --git a/.github/workflows/check-stylish-haskell.yml b/.github/workflows/check-stylish-haskell.yml
index 2343f0b578..ed6796ebf0 100644
--- a/.github/workflows/check-stylish-haskell.yml
+++ b/.github/workflows/check-stylish-haskell.yml
@@ -36,7 +36,6 @@ jobs:
 
     steps:
     - name: Download stylish-haskell
-      if: runner.os == 'Linux'
       run: |
         version="${{ env.STYLISH_HASKELL_VERSION }}"
 
@@ -44,7 +43,7 @@ jobs:
           "https://github.com/haskell/stylish-haskell/releases/download/v$version/stylish-haskell-v$version-linux-x86_64.tar.gz" \
           | tar -C "/tmp" -xz
 
-        echo "PATH=/tmp/stylish-haskell-v$version-linux-x86_64:$PATH" >> $GITHUB_ENV
+        echo "PATH=/tmp/stylish-haskell-v$version-linux-x86_64:$PATH" >> "$GITHUB_ENV"
 
     - uses: actions/checkout@v3
 
@@ -55,10 +54,10 @@ jobs:
 
         for x in $(git ls-tree --full-tree --name-only -r HEAD ${{ env.STYLISH_HASKELL_PATHS }}); do
           if [ "${x##*.}" == "hs" ]; then
-            if grep -qE '^#' $x; then
+            if grep -qE '^#' "$x"; then
               echo "$x contains CPP.  Skipping."
             else
-              stylish-haskell -i $x
+              stylish-haskell -i "$x"
             fi
           fi
         done
@@ -72,10 +71,10 @@ jobs:
         git fetch origin ${{ github.base_ref }} --unshallow
         for x in $(git diff --name-only --diff-filter=ACMR origin/${{ github.base_ref }}..HEAD ${{ env.STYLISH_HASKELL_PATHS }}); do
           if [ "${x##*.}" == "hs" ]; then
-            if grep -qE '^#' $x; then
+            if grep -qE '^#' "$x"; then
               echo "$x contains CPP.  Skipping."
             else
-              stylish-haskell -i $x
+              stylish-haskell -i "$x"
             fi
           fi
         done
diff --git a/.github/workflows/haskell.yml b/.github/workflows/haskell.yml
index 0ef1de8a1f..f394662ac8 100644
--- a/.github/workflows/haskell.yml
+++ b/.github/workflows/haskell.yml
@@ -208,7 +208,7 @@ jobs:
     - name: Create Release Tag
       id: create_release_tag
       run: |
-        echo "TAG=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
+        echo "TAG=${GITHUB_REF/refs\/tags\//}" >> "$GITHUB_OUTPUT"
 
     - name: Create Release
       id: create_release
diff --git a/flake.nix b/flake.nix
index 92eddf5348..e9652cc1b8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -87,7 +87,7 @@
               stylish-haskell = "0.14.5.0";
             };
           # and from nixpkgs or other inputs
-          shell.nativeBuildInputs = with nixpkgs; [ gh jq yq-go shellcheck ];
+          shell.nativeBuildInputs = with nixpkgs; [ gh jq yq-go actionlint shellcheck ];
           # disable Hoogle until someone request it
           shell.withHoogle = false;
           # Skip cross compilers for the shell