diff --git a/.github/actionlint-matcher.json b/.github/actionlint-matcher.json
new file mode 100644
index 0000000..4613e16
--- /dev/null
+++ b/.github/actionlint-matcher.json
@@ -0,0 +1,17 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "actionlint",
+      "pattern": [
+        {
+          "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
+          "file": 1,
+          "line": 2,
+          "column": 3,
+          "message": 4,
+          "code": 5
+        }
+      ]
+    }
+  ]
+}
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index ebdc50a..c20092b 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -15,7 +15,7 @@ jobs:
 
     - name: Extract dyndnsd version from tag name
       run: |
-        echo "DYNDNSD_VERSION=${GITHUB_REF#refs/*/v}" >> $GITHUB_ENV
+        echo "DYNDNSD_VERSION=${GITHUB_REF#refs/*/v}" >> "$GITHUB_ENV"
 
     - name: Wait for dyndnsd ${{ env.DYNDNSD_VERSION }} gem to be available
       run: |
@@ -23,6 +23,7 @@ jobs:
         for retry in $(seq 1 5); do
           echo "Checking if dyndnsd $DYNDNSD_VERSION gem is retrievable from rubygems.org (try #$retry)..."
           sudo gem install dyndnsd -v "$DYNDNSD_VERSION"
+          # shellcheck disable=SC2181
           if [ $? -eq 0 ]; then
             exit 0
           fi
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dd084a2..96add08 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,3 +33,13 @@ jobs:
     - name: Lint and Test
       run: |
         bundle exec rake ci
+
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Check workflow files
+      run: |
+        echo "::add-matcher::.github/actionlint-matcher.json"
+        bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+        ./actionlint
diff --git a/.github/workflows/vulnscan.yml b/.github/workflows/vulnscan.yml
index 7a34805..f300a33 100644
--- a/.github/workflows/vulnscan.yml
+++ b/.github/workflows/vulnscan.yml
@@ -16,9 +16,9 @@ jobs:
     steps:
     - name: Install Trivy
       run: |
-        mkdir -p $GITHUB_WORKSPACE/bin
+        mkdir -p "$GITHUB_WORKSPACE/bin"
         echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH"
-        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b $GITHUB_WORKSPACE/bin
+        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b "$GITHUB_WORKSPACE/bin"
     - name: Download Trivy DB
       run: |
         trivy image --download-db-only