diff --git a/.github/actions/build/action.yaml b/.github/actions/build/action.yaml
index 4247ede4ae7..b98f8fea79e 100644
--- a/.github/actions/build/action.yaml
+++ b/.github/actions/build/action.yaml
@@ -46,6 +46,7 @@ runs:
         echo "TMP_DIR=$TMP_DIR" >> $GITHUB_ENV
         rm -rf $TMP_DIR && mkdir $TMP_DIR && chown -R github:github $TMP_DIR $GITHUB_WORKSPACE
 
+        # shellcheck disable=SC2193
         if [ "${{ inputs.clean_ya_dir }}" == "yes" ] && [ -d /home/github/.ya/ ]; then
           echo "Cleaning ya dir"
           rm -rf /home/github/.ya/
@@ -55,35 +56,40 @@ runs:
       shell: bash --noprofile --norc -eo pipefail -x {0}
       run: |
         function grep_ya_tc() {
-          ps aux | grep [y]a-tc || true
+          ps aux | grep "[y]a-tc" || true
         }
 
         extra_params=()
 
-        if [ ! -z "${{ inputs.build_target }}" ]; then
+        # shellcheck disable=SC2157
+        if [ -n "${{ inputs.build_target }}" ]; then
           readarray -d ',' -t targets < <(printf "%s" "${{ inputs.build_target }}")
           for target in "${targets[@]}"; do
             extra_params+=(--target="${target}")
           done
         fi
 
+        # shellcheck disable=SC2157,SC2193
         if [ "${{ inputs.use_network_cache }}" == "yes" ]; then
-          if [ ! -z "${{ inputs.bazel_remote_uri }}" ]; then
+          if [ -n "${{ inputs.bazel_remote_uri }}" ]; then
             extra_params+=(--bazel-remote-store)
             extra_params+=(--bazel-remote-base-uri "${{ inputs.bazel_remote_uri }}")
           fi
 
-          if [ ! -z "${{ inputs.bazel_remote_username }}" ]; then
+          # shellcheck disable=SC2157
+          if [ -n "${{ inputs.bazel_remote_username }}" ]; then
             extra_params+=(--bazel-remote-username "${{ inputs.bazel_remote_username }}")
             extra_params+=(--bazel-remote-password "${{ inputs.bazel_remote_password }}")
             extra_params+=(--add-result .o)
           fi
 
+          # shellcheck disable=SC2193
           if [ "${{ inputs.cache_update }}" == "true" ]; then
             extra_params+=(--bazel-remote-put)
           fi
         fi
 
+        # shellcheck disable=SC2195
         case "${{ inputs.build_preset }}" in
           debug)
             build_type=debug
@@ -132,11 +138,11 @@ runs:
             start_time=$(date +%s)
 
             while true; do
-              pgrep -x "ya-tc" && {
-                  echo "ya-tc is still running."
+              pgrep -x "$process_name" && {
+                  echo "$process_name is still running."
                   grep_ya_tc
               } || {
-                  echo "ya-tc is not running."
+                  echo "$process_name is not running."
                   grep_ya_tc
                   break
               }
@@ -145,9 +151,9 @@ runs:
               elapsed_time=$((current_time - start_time))
 
               if [ "$elapsed_time" -ge "$timeout" ]; then
-                  echo "Timeout reached. ya-tc is still running. killing it"
+                  echo "Timeout reached. $process_name is still running. killing it"
                   grep_ya_tc
-                  pkill -f ya-tc || true
+                  pkill -f $process_name || true
                   grep_ya_tc
                   break
               fi
diff --git a/.github/actions/build_cmake/action.yaml b/.github/actions/build_cmake/action.yaml
index 8c60e5f1899..b776032e931 100644
--- a/.github/actions/build_cmake/action.yaml
+++ b/.github/actions/build_cmake/action.yaml
@@ -24,17 +24,19 @@ runs:
       run: |
         export TMP_DIR=$(pwd)/tmp_build
         export ROOT_PATH=$(pwd)
-        echo "TMP_DIR=$TMP_DIR" >> $GITHUB_ENV
+        {
+          echo "TMP_DIR=$TMP_DIR"
+          echo "ROOT_PATH=$ROOT_PATH"
+          echo "CONAN_USER_HOME=$TMP_DIR"
+          echo "CCACHE_SLOPPINESS=locale"
+          echo "CCACHE_BASEDIR=$TMP_DIR"
+          echo "CCACHE_MAXSIZE=500G"
+          echo "CCACHE_NOREADONLY=1"
+          echo "CCACHE_REMOTE_ONLY=1"
+          echo "CCACHE_DEBUG=1"
+          echo "CCACHE_REMOTE_STORAGE=http://${{ inputs.bazel_remote_username }}:${{ inputs.bazel_remote_password }}@195.242.17.155:9090|layout=bazel"
+        } >> $GITHUB_ENV
         rm -rf $TMP_DIR && mkdir $TMP_DIR
-        echo "ROOT_PATH=$ROOT_PATH"  >> $GITHUB_ENV
-        echo "CONAN_USER_HOME=$TMP_DIR" >> $GITHUB_ENV
-        echo "CCACHE_SLOPPINESS=locale" >> $GITHUB_ENV
-        echo "CCACHE_BASEDIR=$TMP_DIR" >> $GITHUB_ENV
-        echo "CCACHE_MAXSIZE=500G" >> $GITHUB_ENV
-        echo "CCACHE_NOREADONLY=1" >> $GITHUB_ENV
-        echo "CCACHE_REMOTE_ONLY=1" >> $GITHUB_ENV
-        echo "CCACHE_DEBUG=1" >> $GITHUB_ENV
-        echo "CCACHE_REMOTE_STORAGE=http://${{ inputs.bazel_remote_username }}:${{ inputs.bazel_remote_password }}@195.242.17.155:9090|layout=bazel" >> $GITHUB_ENV
 
     - name: build
       shell: bash --noprofile --norc -eo pipefail -x {0}
@@ -42,6 +44,7 @@ runs:
         cd $TMP_DIR
         export
 
+        # shellcheck disable=SC2195
         case "${{ inputs.build_preset }}" in
           debug)
             export CMAKE_BUILD_TYPE=Debug
@@ -57,7 +60,7 @@ runs:
             exit 1
             ;;
         esac
-        if [ $(git branch --show-current) == "main" ]; then
+        if [ "$(git branch --show-current)" == "main" ]; then
           cp ${ROOT_PATH}/contrib/ydb/library/yql/minikql/codegen/codegen_llvm_deps.h.txt ${ROOT_PATH}/contrib/ydb/library/yql/minikql/codegen/codegen_llvm_deps.h
         fi
 
diff --git a/.github/actions/nebius_cli/action.yaml b/.github/actions/nebius_cli/action.yaml
index ad9dd4e635b..6eb1e3ecc70 100644
--- a/.github/actions/nebius_cli/action.yaml
+++ b/.github/actions/nebius_cli/action.yaml
@@ -31,11 +31,11 @@ runs:
         ${sa_json}
         EOF
 
-        cat sa.json | jq -r '."subject-credentials"."private-key"' > private.pem
-        echo "::add-mask::$(cat sa.json | jq -r '."subject-credentials"."kid"')"
-        public_key_id=$(cat sa.json | jq -r '."subject-credentials"."kid"')
-        echo "::add-mask::$(cat sa.json | jq -r '."subject-credentials"."iss"')"
-        service_account_id=$(cat sa.json | jq -r '."subject-credentials"."iss"')
+        jq -r '."subject-credentials"."private-key"' sa.json > private.pem
+        echo "::add-mask::$(jq -r '."subject-credentials"."kid"' sa.json)"
+        public_key_id=$(jq -r '."subject-credentials"."kid"'  sa.json)
+        echo "::add-mask::$(jq -r '."subject-credentials"."iss"'  sa.json)"
+        service_account_id=$(jq -r '."subject-credentials"."iss"'  sa.json)
         echo "::add-mask::tenant-e00en3r863f7me6wtd"
         nebius profile create --endpoint api.eu-north1.nebius.cloud \
                               --profile nbs-github-user-sa \
diff --git a/.github/actions/prepare/action.yaml b/.github/actions/prepare/action.yaml
index 1a5ad2d07a0..9be8a50f1da 100644
--- a/.github/actions/prepare/action.yaml
+++ b/.github/actions/prepare/action.yaml
@@ -19,6 +19,7 @@ runs:
           distcc strace qemu-kvm qemu-utils dpkg-dev atop pigz pbzip2 xz-utils pixz gdb
         sudo apt-get remove -y unattended-upgrades
         sudo pip install https://github.com/librarian/python-sdk/releases/download/v0.1.1/nebiusai-0.1.1-py3-none-any.whl
+        # shellcheck disable=SC2102
         sudo pip3 install conan==1.59 pytest==7.1.3 pytest-timeout pytest-xdist==3.3.1 setproctitle==1.3.2 grpcio grpcio-tools \
              PyHamcrest tornado xmltodict pyarrow boto3 moto[server] psutil yandexcloud==0.258.0 PyGithub==2.2.0 pyinstaller==5.13.2 \
              cryptography packaging six pyyaml rapidgzip pyOpenSSL==24.2.1
diff --git a/.github/actions/s3cmd/action.yaml b/.github/actions/s3cmd/action.yaml
index 21313371608..248e985e53a 100644
--- a/.github/actions/s3cmd/action.yaml
+++ b/.github/actions/s3cmd/action.yaml
@@ -91,6 +91,7 @@ runs:
 
         folder="${{ runner.arch == 'X64' && 'x86-64' || runner.arch == 'ARM64' && 'arm64' || 'unknown' }}"
 
+        # shellcheck disable=SC2195
         case "${{ inputs.build_preset }}" in
           relwithdebinfo|release)
             ;;
@@ -114,7 +115,7 @@ runs:
             exit 1
             ;;
         esac
-
+        # shellcheck disable=SC2129
         echo "S3_BUCKET_PATH=s3://${{ inputs.s3_bucket }}/${{ github.repository }}/${GITHUB_WORKFLOW_NO_SPACES}/${{ github.run_id }}/${{ github.run_attempt || '1' }}/${{ inputs.folder_prefix }}${folder}" >> $GITHUB_ENV
         echo "S3_URL_PREFIX=${{ inputs.s3_endpoint }}/${{ inputs.s3_bucket }}/${{ github.repository }}/${GITHUB_WORKFLOW_NO_SPACES}/${{ github.run_id }}/${{ github.run_attempt || '1' }}/${{ inputs.folder_prefix }}${folder}" >> $GITHUB_ENV
         echo "S3_WEBSITE_PREFIX=https://${{ inputs.s3_bucket }}.${{ inputs.s3_website_suffix }}/${{ github.repository }}/${GITHUB_WORKFLOW_NO_SPACES}/${{ github.run_id }}/${{ github.run_attempt || '1' }}/${{ inputs.folder_prefix }}${folder}" >> $GITHUB_ENV
diff --git a/.github/actions/ssh_keys/action.yaml b/.github/actions/ssh_keys/action.yaml
index 0b42230ed75..2139b987288 100644
--- a/.github/actions/ssh_keys/action.yaml
+++ b/.github/actions/ssh_keys/action.yaml
@@ -56,11 +56,11 @@ runs:
     - name: collect members public ssh keys
       shell: bash
       run: |
-        cat $LOGINS_FILE | while read login; do
+        cat $LOGINS_FILE | while read -r login; do
           curl  -s -L -H "Accept: application/vnd.github+json" \
                 -H "Authorization: Bearer $token" \
                 -H "X-GitHub-Api-Version: 2022-11-28" \
-                https://api.github.com/users/${login}/keys | jq -r .[].key | while read key; do
+                https://api.github.com/users/${login}/keys | jq -r .[].key | while read -r key; do
                   echo $key $login;
                 done;
         done | tee -a $KEYS_FILE
diff --git a/.github/actions/test/action.yaml b/.github/actions/test/action.yaml
index cf5e6d52b25..ffdc94cd5d6 100644
--- a/.github/actions/test/action.yaml
+++ b/.github/actions/test/action.yaml
@@ -65,15 +65,17 @@ runs:
       id: init
       run: |
         export TMP_DIR=/home/github/tmp
-        echo "TMP_DIR=$TMP_DIR" >> $GITHUB_ENV
-        echo "LOG_DIR=$TMP_DIR/logs" >> $GITHUB_ENV
-        echo "OUT_DIR=$TMP_DIR/out" >> $GITHUB_ENV
-        echo "ARTIFACTS_DIR=$TMP_DIR/artifacts" >> $GITHUB_ENV
-        echo "TESTS_DATA_DIR=$TMP_DIR/test_data" >> $GITHUB_ENV
-        echo "REPORTS_ARTIFACTS_DIR=$TMP_DIR/artifacts/test_reports" >> $GITHUB_ENV
-        echo "JUNIT_REPORT_XML=$TMP_DIR/junit.xml" >> $GITHUB_ENV
-        echo "JUNIT_REPORT_PARTS=$TMP_DIR/junit-split" >> $GITHUB_ENV
-        echo "SUMMARY_LINKS=$(mktemp -p /home/github)" >> $GITHUB_ENV
+        {
+          echo "TMP_DIR=$TMP_DIR"
+          echo "LOG_DIR=$TMP_DIR/logs"
+          echo "OUT_DIR=$TMP_DIR/out"
+          echo "ARTIFACTS_DIR=$TMP_DIR/artifacts"
+          echo "TESTS_DATA_DIR=$TMP_DIR/test_data"
+          echo "REPORTS_ARTIFACTS_DIR=$TMP_DIR/artifacts/test_reports"
+          echo "JUNIT_REPORT_XML=$TMP_DIR/junit.xml"
+          echo "JUNIT_REPORT_PARTS=$TMP_DIR/junit-split"
+          echo "SUMMARY_LINKS=$(mktemp -p /home/github)"
+        } >> $GITHUB_ENV
 
     - name: prepare
       shell: bash --noprofile --norc -eo pipefail -x {0}
@@ -83,6 +85,7 @@ runs:
         chown -R github:github $TMP_DIR $OUT_DIR $ARTIFACTS_DIR $LOG_DIR $JUNIT_REPORT_PARTS \
                                $REPORTS_ARTIFACTS_DIR $SUMMARY_LINKS $GITHUB_WORKSPACE \
                                $GITHUB_STEP_SUMMARY $TESTS_DATA_DIR
+        # shellcheck disable=SC2193
         if [ "${{ inputs.clean_ya_dir }}" == "yes" ] && [ -d /home/github/.ya/ ]; then
           echo "Cleaning ya dir"
           rm -rf /home/github/.ya/
@@ -93,7 +96,7 @@ runs:
         set -x
         extra_params=()
 
-        # FIXME: copy-paste from build_ya
+        # shellcheck disable=SC2195
         case "${{ inputs.build_preset }}" in
           debug)
             build_type=debug
@@ -127,25 +130,29 @@ runs:
             ;;
         esac
 
-
-        if [ ! -z "${{ inputs.test_target }}" ]; then
+        # shellcheck disable=SC2157
+        if [ -n "${{ inputs.test_target }}" ]; then
           readarray -d ',' -t targets < <(printf "%s" "${{ inputs.test_target }}")
           for target in "${targets[@]}"; do
             extra_params+=(--target="${target}")
           done
         fi
 
+        # shellcheck disable=SC2193
         if [ "${{ inputs.use_network_cache }}" == "yes" ]; then
-          if [ ! -z "${{ inputs.bazel_remote_uri }}" ]; then
+          # shellcheck disable=SC2157
+          if [ -n "${{ inputs.bazel_remote_uri }}" ]; then
             extra_params+=(--bazel-remote-store)
             extra_params+=(--bazel-remote-base-uri "${{ inputs.bazel_remote_uri }}")
           fi
 
-          if [ ! -z "${{ inputs.bazel_remote_username }}" ]; then
+          # shellcheck disable=SC2157
+          if [ -n "${{ inputs.bazel_remote_username }}" ]; then
             extra_params+=(--bazel-remote-username "${{ inputs.bazel_remote_username }}")
             extra_params+=(--bazel-remote-password "${{ inputs.bazel_remote_password }}")
           fi
 
+          # shellcheck disable=SC2193
           if [ "${{ inputs.cache_update }}" = "true" ]; then
             extra_params+=(--bazel-remote-put)
           fi
@@ -167,7 +174,7 @@ runs:
         date
         echo "::group::ya-make-test"
         sudo -E -H -u github ./ya test -k --build "${build_type}" \
-          ${test_size[@]/#/--test-size=} ${test_type[@]/#/--test-type=} \
+          "${test_size[@]/#/--test-size=}" "${test_type[@]/#/--test-type=}" \
           --test-threads "${{ inputs.test_threads }}" --link-threads "${{ inputs.link_threads }}" \
           --cache-size 512G --do-not-output-stderrs -T \
           --stat --log-file "$LOG_DIR/ya_log.txt" --evlog-file "$LOG_DIR/ya_evlog.jsonl" \
@@ -200,6 +207,7 @@ runs:
     - name: archive unitest reports (orig)
       shell: bash --noprofile --norc -eo pipefail -x {0}
       run: |
+        # shellcheck disable=SC2024
         sudo -E -H -u github gzip -c $JUNIT_REPORT_XML > $REPORTS_ARTIFACTS_DIR/orig_junit.xml.gz
 
     - name: postprocess junit report
@@ -209,6 +217,7 @@ runs:
         cat .github/config/muted_ya.txt
         cat .github/config/muted_ya_nebius.txt
         MUTED_CONFIG=".github/config/muted_ya.txt"
+        # shellcheck disable=SC2193
         [ "${{ inputs.nebius }}" == "yes" ] && MUTED_CONFIG=".github/config/muted_ya_nebius.txt"
         echo "::endgroup::"
         echo "::group::postprocess-junit"
@@ -226,7 +235,7 @@ runs:
     - name: archive unitest reports (transformed)
       shell: bash --noprofile --norc -eo pipefail -x {0}
       run: |
-        sudo -E -H -u github tar -C $JUNIT_REPORT_PARTS/.. -czf $REPORTS_ARTIFACTS_DIR/junit_parts.xml.tar.gz $(basename $JUNIT_REPORT_PARTS) $JUNIT_REPORT_XML
+        sudo -E -H -u github tar -C $JUNIT_REPORT_PARTS/.. -czf $REPORTS_ARTIFACTS_DIR/junit_parts.xml.tar.gz "$(basename $JUNIT_REPORT_PARTS)" $JUNIT_REPORT_XML
 
     - name: write tests summary
       shell: bash --noprofile --norc -eo pipefail -x {0}
@@ -260,7 +269,7 @@ runs:
 
           echo "::group::Copy-failed-tests-data"
           sudo -E -H -u github .github/scripts/tests/fail-checker.py "$JUNIT_REPORT_XML" --paths-only
-          sudo -E -H -u github .github/scripts/tests/fail-checker.py "$JUNIT_REPORT_XML" --paths-only | while read path; do
+          sudo -E -H -u github .github/scripts/tests/fail-checker.py "$JUNIT_REPORT_XML" --paths-only | while read -r path; do
             echo $path
             find "${GITHUB_WORKSPACE}/${path}" -print0 | xargs -0 xargs -0 cp -L -r --parents -t "$TESTS_DATA_DIR"
           done
@@ -272,7 +281,7 @@ runs:
           echo "::endgroup::"
           echo "::group::remove-images-from-tests-data-dir"
           find "$TESTS_DATA_DIR" -name generated_raw_image -o -name generated_vmdk_image -o -name invalid_qcow2_image -o -name qcow2_fuzzing_image
-          find "$TESTS_DATA_DIR" -name generated_raw_image -o -name generated_vmdk_image -o -name invalid_qcow2_image -o -name qcow2_fuzzing_image -delete
+          find "$TESTS_DATA_DIR" \( -name generated_raw_image -o -name generated_vmdk_image -o -name invalid_qcow2_image -o -name qcow2_fuzzing_image \) -delete
           echo "::endgroup::"
           echo "::group::s3-sync"
           if [ "$SYNC_TO_S3" = "true" ];
@@ -324,18 +333,18 @@ runs:
       if: success() && inputs.upload_ya_dir == 'yes'
       run: |
         function grep_ya_tc() {
-          ps aux | grep [y]a-tc || true
+          ps aux | grep "[y]a-tc" || true
         }
         process_name="ya-tc"
         # by default ya-tc should terminate within 5 minutes
         timeout=360
         start_time=$(date +%s)
         while true; do
-            pgrep -x "ya-tc" && {
-                echo "ya-tc is still running."
+            pgrep -x "$process_name" && {
+                echo "$process_name is still running."
                 grep_ya_tc
             } || {
-                echo "ya-tc is not running."
+                echo "$process_name is not running."
                 grep_ya_tc
                 break
             }
@@ -344,9 +353,9 @@ runs:
             elapsed_time=$((current_time - start_time))
 
             if [ "$elapsed_time" -ge "$timeout" ]; then
-                echo "Timeout reached. ya-tc is still running. killing it"
+                echo "Timeout reached. $process_name is still running. killing it"
                 grep_ya_tc
-                pkill -f ya-tc || true
+                pkill -f $process_name || true
                 grep_ya_tc
                 break
             fi
diff --git a/.github/actions/test_cmake/action.yaml b/.github/actions/test_cmake/action.yaml
index dd92d18b1f1..a3edc2b4460 100644
--- a/.github/actions/test_cmake/action.yaml
+++ b/.github/actions/test_cmake/action.yaml
@@ -7,10 +7,12 @@ runs:
     - name: prepare
       shell: bash --noprofile --norc -eo pipefail -x {0}
       run: |
-        echo "SHELLOPTS=$SHELLOPTS:xtrace" >> $GITHUB_ENV
-        echo "ARTIFACTS_DIR=${TMP_DIR}/artifacts" >> $GITHUB_ENV
-        echo "SUMMARY_DIR=${ARTIFACTS_DIR}/summary" >> $GITHUB_ENV
-        echo "SUMMARY_LINKS=$(mktemp)" >> $GITHUB_ENV
+        {
+          echo "SHELLOPTS=$SHELLOPTS:xtrace"
+          echo "ARTIFACTS_DIR=${TMP_DIR}/artifacts"
+          echo "SUMMARY_DIR=${ARTIFACTS_DIR}/summary"
+          echo "SUMMARY_LINKS=$(mktemp)"
+        } >> $GITHUB_ENV
 
     - name: create dirs
       shell: bash --noprofile --norc -eo pipefail -x {0}
diff --git a/.github/scripts/shell-extractor.py b/.github/scripts/shell-extractor.py
new file mode 100644
index 00000000000..d4ea22baab5
--- /dev/null
+++ b/.github/scripts/shell-extractor.py
@@ -0,0 +1,165 @@
+import os
+import yaml
+
+ACTIONS_DIR = ".github/actions"
+WORKFLOWS_DIR = ".github/workflows"
+TEMP_ACTIONS_DIR = ".temporary/actions"
+TEMP_WORKFLOWS_DIR = ".temporary/workflows"
+
+os.makedirs(TEMP_ACTIONS_DIR, exist_ok=True)
+os.makedirs(TEMP_WORKFLOWS_DIR, exist_ok=True)
+
+
+def load_yaml_file(filepath):
+    with open(filepath, "r") as f:
+        return yaml.safe_load(f)
+
+
+def extract_runs_from_workflow(data):
+    """Extract run commands from a workflow YAML structure."""
+    runs = []
+    if not data or "jobs" not in data:
+        return runs
+
+    for job_id, job_data in data["jobs"].items():
+        steps = job_data.get("steps", [])
+        if steps and isinstance(steps, list):
+            for step in steps:
+                if "run" in step:
+                    runs.append(step["run"])
+    return runs
+
+
+def extract_runs_from_action(data):
+    """Extract run commands from a composite action YAML structure."""
+    runs = []
+    if not data or "runs" not in data:
+        return runs
+
+    runs_data = data["runs"]
+    if runs_data.get("using") == "composite":
+        steps = runs_data.get("steps", [])
+        if steps and isinstance(steps, list):
+            for step in steps:
+                if "run" in step:
+                    runs.append(step["run"])
+    return runs
+
+
+def parse_command_blocks(run_content):
+    """
+    Parse the run content into command blocks.
+
+    Rules:
+    - If a line ends with a backslash, it continues the same command block.
+    - If we encounter a line with '<<EOF', we enter a heredoc block and continue
+      until we find a line that is exactly 'EOF'.
+    - Otherwise, each line not ending with a backslash or not part of a heredoc is its own block.
+
+    Returns a list of command blocks, where each block is a list of lines.
+    """
+    lines = run_content.splitlines()
+    command_blocks = []
+    current_block = []
+
+    in_heredoc = False
+
+    for line in lines:
+        # If we are currently in a heredoc block, we add lines until we find EOF
+        if in_heredoc:
+            current_block.append(line)
+            if line.strip() == "EOF":
+                # End of heredoc block
+                command_blocks.append(current_block)
+                current_block = []
+                in_heredoc = False
+            # continue to next line
+            continue
+
+        # Check if this line starts a heredoc
+        if "<<" in line and "EOF" in line:
+            # This starts a heredoc block
+            if current_block:
+                # If we had a previous block (e.g. single line), finalize it first
+                command_blocks.append(current_block)
+                current_block = []
+            in_heredoc = True
+            current_block.append(line)
+            continue
+
+        # If not heredoc, check if line ends with a backslash
+        stripped = line.strip()
+        current_block.append(line)
+        if not stripped.endswith("\\"):
+            # This block ends here
+            command_blocks.append(current_block)
+            current_block = []
+
+    # If there's any leftover block (should not typically happen if run_content is well-formed)
+    if current_block:
+        command_blocks.append(current_block)
+
+    return command_blocks
+
+
+def write_runs_to_files(runs, output_dir, prefix):
+    """
+    Write each run command to a unique .sh file in the given output_dir.
+    Adds a #!/usr/bin/env bash shebang at the start of each script.
+
+    For each run:
+      - Parse into command blocks.
+      - If any block contains '${{ ... }}', insert '# shellcheck disable=SC2296' before that block.
+    """
+    for i, run_content in enumerate(runs, 1):
+        file_id = f"{prefix}-{i}.sh"
+        filepath = os.path.join(output_dir, file_id)
+
+        command_blocks = parse_command_blocks(run_content)
+
+        with open(filepath, "w") as f:
+            f.write("#!/usr/bin/env bash\n\n")
+            for block in command_blocks:
+                # Check if this block contains GitHub variables
+                if any("${{" in line for line in block):
+                    f.write("# shellcheck disable=SC2296,SC1083\n")
+                for line in block:
+                    f.write(line + "\n")
+
+
+def process_workflows():
+    for root, dirs, files in os.walk(WORKFLOWS_DIR):
+        for file in files:
+            if file.endswith((".yml", ".yaml")):
+                filepath = os.path.join(root, file)
+                data = load_yaml_file(filepath)
+                runs = extract_runs_from_workflow(data)
+                if runs:
+                    base_name = os.path.splitext(file)[0]
+                    write_runs_to_files(runs, TEMP_WORKFLOWS_DIR, base_name)
+
+
+def process_actions():
+    # For actions, we assume each action directory under .github/actions contains an action.yml or action.yaml
+    for action_dir in os.listdir(ACTIONS_DIR):
+        full_path = os.path.join(ACTIONS_DIR, action_dir)
+        if os.path.isdir(full_path):
+            # Look for action.yml or action.yaml
+            action_file = None
+            for candidate in ["action.yml", "action.yaml"]:
+                candidate_path = os.path.join(full_path, candidate)
+                if os.path.exists(candidate_path):
+                    action_file = candidate_path
+                    break
+
+            if action_file:
+                data = load_yaml_file(action_file)
+                runs = extract_runs_from_action(data)
+                if runs:
+                    write_runs_to_files(runs, TEMP_ACTIONS_DIR, action_dir)
+
+
+if __name__ == "__main__":
+    process_workflows()
+    process_actions()
+    print("Run commands have been extracted and saved in .temporary/")
diff --git a/.github/workflows/github_actions_scripts.yaml b/.github/workflows/github_actions_scripts.yaml
index f16c250c474..b38a41dff2f 100644
--- a/.github/workflows/github_actions_scripts.yaml
+++ b/.github/workflows/github_actions_scripts.yaml
@@ -44,7 +44,7 @@ jobs:
         find . -type f -exec md5sum {} + | sort -k2,2 | tee ${GITHUB_WORKSPACE}/.github/scripts/tests/test-data/MD5SUMS
         cp $TMP_DIR/{fail-checker,summary_env,ya-test.html} ${GITHUB_WORKSPACE}/.github/scripts/tests/test-data/
         cd ${GITHUB_WORKSPACE}/.github/scripts/tests/test-data/
-        export NEW_VERSION=$(($ACTIONS_TEST_DATA_VERSION + 1))
+        export NEW_VERSION=$((ACTIONS_TEST_DATA_VERSION + 1))
         tar zcvf cloud-v${NEW_VERSION}.tar.gz cloud/ MD5SUMS fail-checker  junit.xml summary_env ya-test.html muted_ya.txt
 
         Upload resulting cloud-v${NEW_VERSION}.tar.gz to the storage.ai.nebius.cloud bucket github-actions-test-data
@@ -148,7 +148,7 @@ jobs:
       shell: bash
       run: |
         cd $TMP_DIR
-        grep FAILED RESULT | awk -F: '{print $1}' | while read f;
+        grep FAILED RESULT | awk -F: '{print $1}' | while read -r f;
         do
           echo "=========="
           echo $f
diff --git a/.github/workflows/packer.yaml b/.github/workflows/packer.yaml
index b888dff2c99..73da7d20318 100644
--- a/.github/workflows/packer.yaml
+++ b/.github/workflows/packer.yaml
@@ -162,11 +162,11 @@ jobs:
         ${sa_json}
         EOF
 
-        cat sa.json | jq -r '."subject-credentials"."private-key"' > private.pem
-        echo "::add-mask::$(cat sa.json | jq -r '."subject-credentials"."kid"')"
-        public_key_id=$(cat sa.json | jq -r '."subject-credentials"."kid"')
-        echo "::add-mask::$(cat sa.json | jq -r '."subject-credentials"."iss"')"
-        service_account_id=$(cat sa.json | jq -r '."subject-credentials"."iss"')
+        jq -r '."subject-credentials"."private-key"'  sa.json> private.pem
+        echo "::add-mask::$(jq -r '."subject-credentials"."kid"' sa.json)"
+        public_key_id=$(jq -r '."subject-credentials"."kid"' sa.json)
+        echo "::add-mask::$(jq -r '."subject-credentials"."iss"' sa.json)"
+        service_account_id=$(jq -r '."subject-credentials"."iss" sa.json')
         echo "::add-mask::tenant-e00en3r863f7me6wtd"
         nebius profile create --endpoint api.eu-north1.nebius.cloud \
                               --profile nbs-github-user-sa \
diff --git a/.github/workflows/pr-github-actions.yaml b/.github/workflows/pr-github-actions.yaml
index e324cf92536..4f22e6ea5b4 100644
--- a/.github/workflows/pr-github-actions.yaml
+++ b/.github/workflows/pr-github-actions.yaml
@@ -44,14 +44,28 @@ jobs:
           if_true: "github-pr-review"
           if_false: "github-check"
 
-      - name: shellcheck
-        uses: reviewdog/action-shellcheck@v1.19.0
+      - name: set up dependencies
+        run: pip install pyyaml
+
+      - name: generate shellscripts from github actions
+        run: |
+          python .github/scripts/shell-extractor.py
+          find .temporary/ -type f -name "*.sh";
+
+      - name: shellcheck for .github dir
+        uses: ludeeus/action-shellcheck@master
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          reporter: ${{ steps.reporter.outputs.value }}
-          path: |
-            .github/
-          pattern: "*.sh"
+          scandir: .github
+        env:
+          SHELLCHECK_OPTS: "-e SC2155,SC2086,SC2154,SC2164,SC2009,SC2015"
+
+
+      - name: shellcheck for github actions shell scripts in .temporary dir
+        uses: ludeeus/action-shellcheck@master
+        env:
+          SHELLCHECK_OPTS: "-e SC2155,SC2086,SC2154,SC2164,SC2009,SC2015"
+        with:
+          scandir: .temporary
 
       - name: shfmt
         uses: librarian/action-shfmt@v0.0.1
@@ -121,8 +135,8 @@ jobs:
         run: |
           set -x
           export TMP_OUT=$(mktemp)
-          find .github/workflows -type f \( -iname \*.yaml -o -iname \*.yml \) \
-            | xargs -I {} action-validator --verbose {} > $TMP_OUT
+          find .github/workflows -type f \( -iname \*.yaml -o -iname \*.yml \) -print0 \
+            | xargs -0 -I {} action-validator --verbose {} > $TMP_OUT
 
           echo "WORKFLOW_LINT=$(cat $TMP_OUT | awk -v ORS='\\n' 1)"
           cat $TMP_OUT >> "$GITHUB_STEP_SUMMARY"
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 8fd4ac0b152..5be87b7f13c 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -203,17 +203,19 @@ jobs:
           fi
 
           # Output to GitHub environment file
-          echo "build_target=\"$build_target\"" >> $GITHUB_OUTPUT
-          echo "build_target_asan=\"$build_target_asan\"" >> $GITHUB_OUTPUT
-          echo "build_target_tsan=\"$build_target_tsan\"" >> $GITHUB_OUTPUT
-          echo "build_target_msan=\"$build_target_msan\"" >> $GITHUB_OUTPUT
-          echo "build_target_ubsan=\"$build_target_ubsan\"" >> $GITHUB_OUTPUT
+          {
+            echo "build_target=\"$build_target\""
+            echo "build_target_asan=\"$build_target_asan\""
+            echo "build_target_tsan=\"$build_target_tsan\""
+            echo "build_target_msan=\"$build_target_msan\""
+            echo "build_target_ubsan=\"$build_target_ubsan\""
 
-          echo "test_target=\"$test_target\"" >> $GITHUB_OUTPUT
-          echo "test_target_asan=\"$test_target_asan\"" >> $GITHUB_OUTPUT
-          echo "test_target_tsan=\"$test_target_tsan\"" >> $GITHUB_OUTPUT
-          echo "test_target_msan=\"$test_target_msan\"" >> $GITHUB_OUTPUT
-          echo "test_target_ubsan=\"$test_target_ubsan\"" >> $GITHUB_OUTPUT
+            echo "test_target=\"$test_target\""
+            echo "test_target_asan=\"$test_target_asan\""
+            echo "test_target_tsan=\"$test_target_tsan\""
+            echo "test_target_msan=\"$test_target_msan\""
+            echo "test_target_ubsan=\"$test_target_ubsan\""
+          } >> $GITHUB_OUTPUT
 
         env:
           contains_blockstore: ${{ contains(github.event.pull_request.labels.*.name, 'blockstore') && 'true' || 'false' }}