diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index bc857d5d4..25a483227 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -2,10 +2,13 @@ name: main on: push: - branches: [] - tags: [] + branches: + - "*" + tags: + - "*" pull_request: - branches: [] + branches: + - "*" jobs: build-and-test: @@ -84,13 +87,14 @@ jobs: set -evx curl -o /tmp/web-flow.gpg "$WEB_FLOW_KEY_URL" gpg --import /tmp/web-flow.gpg + # shellcheck disable=SC2126 if ! git verify-commit "$GITHUB_REF_NAME" && \ [[ "$( git cat-file -p "$GITHUB_REF_NAME" \ | grep -Ei '^parent\s+[0-9a-f]{40}$' | wc -l )" -lt 2 ]]; then echo "::error title=Invalid tag commit::Tags must refer to a merge" \ "commit or a commit signed by GitHub web-flow" \ "($WEB_FLOW_KEY_URL). The tag $GITHUB_REF_NAME refers to " \ - "a commit $(git rev-parse $GITHUB_REF_NAME) which is neither" \ + "a commit $(git rev-parse "$GITHUB_REF_NAME") which is neither" \ "a merge commit nor signed by GitHub web-flow." exit 1 fi diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index c2df4f8c0..6402fbfff 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -23,8 +23,8 @@ jobs: project_suffix=dev.${{ github.sha }} dotnet_args="$dotnet_args --version-suffix $project_suffix" fi - dotnet build $dotnet_args - dotnet pack $dotnet_args + dotnet build "$dotnet_args" + dotnet pack "$dotnet_args" - name: push if: github.event_name != 'pull_request' run: | @@ -55,6 +55,6 @@ jobs: working-directory: ./out - name: Upload S3 run: aws s3 cp ${{ matrix.runtime }}.zip s3://9c-dx/lib9c-stateservices/${{ github.sha }}/ - with: + env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/validate-github-actions-workflows.yml b/.github/workflows/validate-github-actions-workflows.yml new file mode 100644 index 000000000..bd0fc58f8 --- /dev/null 
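Review bot: The `"*"` patterns added under `push.branches`, `push.tags` and `pull_request.branches` do not match refs that contain a `/`, because in GitHub Actions filter patterns `*` stops at a slash and only `**` crosses it. A branch such as `feature/x` or a tag such as `release/1.0` would therefore not trigger this workflow, and the tag-commit verification step further down in the same file would not run for such tags. Use `- "**"` in all three places, or drop the filters entirely if every ref should build.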
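Review bot: The added `# shellcheck disable=SC2126` suppresses a warning that is simpler to fix: replace `grep -Ei '^parent\s+[0-9a-f]{40}$' | wc -l` with `grep -Eci '^parent\s+[0-9a-f]{40}$'`, which yields the same count without the suppression. Separately, the step trusts whatever key `curl` retrieves from `$WEB_FLOW_KEY_URL`. Comparing the imported key's fingerprint with a value pinned in the workflow, and adding `--fail` to the `curl` call, would keep the signature check from depending on the download alone. The step's script starts above this hunk, so where `WEB_FLOW_KEY_URL` is set is not visible here.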
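Review bot: Quoting `"$dotnet_args"` passes the whole option string to `dotnet build` and `dotnet pack` as one argument, so once `--version-suffix $project_suffix` has been appended (the context line just above) dotnet receives a single word containing spaces instead of separate options. Assuming the step runs under bash, build the options as an array instead: `dotnet_args+=(--version-suffix "$project_suffix")`, then `dotnet build "${dotnet_args[@]}"` and `dotnet pack "${dotnet_args[@]}"`. The initial assignment of `dotnet_args` is above the hunk and would need to become an array as well.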
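Review bot: With `with:` corrected to `env:`, the long-lived `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` pair is now exported to the `aws s3 cp` step, so it is worth confirming that the IAM user behind it can only write under `s3://9c-dx/lib9c-stateservices/`. A short-lived role obtained through GitHub's OIDC provider (for example `aws-actions/configure-aws-credentials` with `role-to-assume`) would remove the stored keys altogether. The job's trigger conditions are outside this hunk. If it also runs for pull requests from forks, the secrets will be empty there, so the step may need the same `if: github.event_name != 'pull_request'` guard that the `push` step uses.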
+++ b/.github/workflows/validate-github-actions-workflows.yml
@@ -0,0 +1,18 @@
+name: validate GitHub Actions workflows
+on:
+ push:
+ paths:
+ - .github/workflows/*
+
+ pull_request:
+ paths:
+ - .github/workflows/*
+
+jobs:
+ validate-github-actions-workflows:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - run: |
+ bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+ ./actionlint
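Review bot: The `run` step feeds a script fetched from the mutable `main` branch of `rhysd/actionlint` straight into `bash`, so whatever is on that branch at run time executes in this repository's CI. Pin the URL to a release tag or commit, e.g. `https://raw.githubusercontent.com/rhysd/actionlint/<PINNED_COMMIT_SHA>/scripts/download-actionlint.bash`, and call `curl -sSfL` so an HTTP error fails the step instead of handing an error page to bash. `actions/checkout@v2` is likewise a movable tag and could be pinned to a full commit SHA. Since the job only reads the repository, a top-level `permissions:` block with `contents: read` would limit the token it runs with.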