diff --git a/scripts/get b/scripts/get
index 25fd08e76..933cfcd3e 100755
--- a/scripts/get
+++ b/scripts/get
@@ -20,13 +20,13 @@
 PROJECT_NAME="helm"
 TILLER_NAME="tiller"
 
-: ${USE_SUDO:="true"}
-: ${HELM_INSTALL_DIR:="/usr/local/bin"}
+: "${USE_SUDO:=true}"
+: "${HELM_INSTALL_DIR:=/usr/local/bin}"
 
 # initArch discovers the architecture for this system.
 initArch() {
   ARCH=$(uname -m)
-  case $ARCH in
+  case "$ARCH" in
     armv5*) ARCH="armv5";;
     armv6*) ARCH="armv6";;
     armv7*) ARCH="arm";;
@@ -40,7 +40,7 @@ initArch() {
 
 # initOS discovers the operating system for this system.
 initOS() {
-  OS=$(echo `uname`|tr '[:upper:]' '[:lower:]')
+  OS=$(uname | tr '[:upper:]' '[:lower:]')
 
   case "$OS" in
     # Minimalist GNU for Windows
@@ -50,7 +50,7 @@ initOS() {
 
 # runs the given command as root (detects if we are root already)
 runAsRoot() {
-  if [ $EUID -ne 0 -a "$USE_SUDO" = "true" ]; then
+  if [ $EUID -ne 0 ] && [ "$USE_SUDO" = "true" ]; then
     sudo "${@}"
   else
     "${@}"
@@ -75,7 +75,7 @@ verifySupported() {
 
 # checkDesiredVersion checks if the desired version is available.
 checkDesiredVersion() {
-  if [ "x$DESIRED_VERSION" == "x" ]; then
+  if [ -z "$DESIRED_VERSION" ]; then
     # Pinning tag to v2.17.0 as per https://github.com/helm/helm/issues/9607
     TAG=v2.17.0
   else
@@ -87,7 +87,8 @@ checkDesiredVersion() {
 # if it needs to be changed.
 checkHelmInstalledVersion() {
   if [[ -f "${HELM_INSTALL_DIR}/${PROJECT_NAME}" ]]; then
-    local version=$("${HELM_INSTALL_DIR}/${PROJECT_NAME}" version -c | grep '^Client' | cut -d'"' -f2)
+    local version
+    version=$("${HELM_INSTALL_DIR}/${PROJECT_NAME}" version -c | grep '^Client' | cut -d'"' -f2)
     if [[ "$version" == "$TAG" ]]; then
       echo "Helm ${version} is already ${DESIRED_VERSION:-latest}"
       return 0
@@ -126,8 +127,10 @@ downloadFile() {
 # installs it.
 installFile() {
   HELM_TMP="$HELM_TMP_ROOT/$PROJECT_NAME"
-  local sum=$(openssl sha1 -sha256 ${HELM_TMP_FILE} | awk '{print $2}')
-  local expected_sum=$(cat ${HELM_SUM_FILE})
+  local sum
+  sum=$(openssl sha1 -sha256 "${HELM_TMP_FILE}" | awk '{print $2}')
+  local expected_sum
+  expected_sum=$(cat "${HELM_SUM_FILE}")
   if [ "$sum" != "$expected_sum" ]; then
     echo "SHA sum of ${HELM_TMP_FILE} does not match. Aborting."
     exit 1
@@ -166,13 +169,11 @@ fail_trap() {
 
 # testVersion tests the installed client to make sure it is working.
 testVersion() {
-  set +e
-  HELM="$(command -v $PROJECT_NAME)"
-  if [ "$?" = "1" ]; then
-    echo "$PROJECT_NAME not found. Is $HELM_INSTALL_DIR on your "'$PATH?'
+  if ! command -v "$PROJECT_NAME" &> /dev/null; then
+    # shellcheck disable=SC2016
+    echo "$PROJECT_NAME not found. Is $HELM_INSTALL_DIR on your "'\$PATH?'
     exit 1
   fi
-  set -e
   echo "Run '$PROJECT_NAME init' to configure $PROJECT_NAME."
 }
 
@@ -195,11 +196,11 @@ cleanup() {
 # Execution
 
 #Stop execution on any error
-trap "fail_trap" EXIT
+trap 'fail_trap' EXIT
 set -e
 
 # Parsing input arguments (if any)
-export INPUT_ARGUMENTS="${@}"
+export INPUT_ARGUMENTS="$*"
 set -u
 while [[ $# -gt 0 ]]; do
   case $1 in
diff --git a/scripts/get-helm-3 b/scripts/get-helm-3
index 5f265a52f..d2ad4982b 100755
--- a/scripts/get-helm-3
+++ b/scripts/get-helm-3
@@ -17,13 +17,13 @@
 # The install script is based off of the MIT-licensed script from glide,
 # the package manager for Go: https://github.com/Masterminds/glide.sh/blob/master/get
 
-: ${BINARY_NAME:="helm"}
-: ${USE_SUDO:="true"}
-: ${DEBUG:="false"}
-: ${VERIFY_CHECKSUM:="true"}
-: ${VERIFY_SIGNATURES:="false"}
-: ${HELM_INSTALL_DIR:="/usr/local/bin"}
-: ${GPG_PUBRING:="pubring.kbx"}
+: "${BINARY_NAME:=helm}"
+: "${USE_SUDO:=true}"
+: "${DEBUG:=false}"
+: "${VERIFY_CHECKSUM:=true}"
+: "${VERIFY_SIGNATURES:=false}"
+: "${HELM_INSTALL_DIR:=/usr/local/bin}"
+: "${GPG_PUBRING:=pubring.kbx}"
 
 HAS_CURL="$(type "curl" &> /dev/null && echo true || echo false)"
 HAS_WGET="$(type "wget" &> /dev/null && echo true || echo false)"
@@ -35,7 +35,7 @@ HAS_TAR="$(type "tar" &> /dev/null && echo true || echo false)"
 # initArch discovers the architecture for this system.
 initArch() {
   ARCH=$(uname -m)
-  case $ARCH in
+  case "$ARCH" in
     armv5*) ARCH="armv5";;
     armv6*) ARCH="armv6";;
     armv7*) ARCH="arm";;
@@ -49,7 +49,7 @@ initArch() {
 
 # initOS discovers the operating system for this system.
 initOS() {
-  OS=$(echo `uname`|tr '[:upper:]' '[:lower:]')
+  OS=$(uname | tr '[:upper:]' '[:lower:]')
 
   case "$OS" in
     # Minimalist GNU for Windows
@@ -59,7 +59,7 @@ initOS() {
 
 # runs the given command as root (detects if we are root already)
 runAsRoot() {
-  if [ $EUID -ne 0 -a "$USE_SUDO" = "true" ]; then
+  if [ $EUID -ne 0 ] && [ "$USE_SUDO" = "true" ]; then
     sudo "${@}"
   else
     "${@}"
@@ -112,7 +112,7 @@ verifySupported() {
 
 # checkDesiredVersion checks if the desired version is available.
 checkDesiredVersion() {
-  if [ "x$DESIRED_VERSION" == "x" ]; then
+  if [ -z "$DESIRED_VERSION" ]; then
     # Get tag from release URL
     local latest_release_url="https://get.helm.sh/helm3-latest-version"
     local latest_release_response=""
@@ -122,7 +122,7 @@ checkDesiredVersion() {
       latest_release_response=$( wget "$latest_release_url" -q -O - 2>&1 || true )
     fi
     TAG=$( echo "$latest_release_response" | grep '^v[0-9]' )
-    if [ "x$TAG" == "x" ]; then
+    if [ -z "$TAG" ]; then
       printf "Could not retrieve the latest release tag information from %s: %s\n" "${latest_release_url}" "${latest_release_response}"
       exit 1
     fi
@@ -135,7 +135,8 @@ checkDesiredVersion() {
 # if it needs to be changed.
 checkHelmInstalledVersion() {
   if [[ -f "${HELM_INSTALL_DIR}/${BINARY_NAME}" ]]; then
-    local version=$("${HELM_INSTALL_DIR}/${BINARY_NAME}" version --template="{{ .Version }}")
+    local version
+    version=$("${HELM_INSTALL_DIR}/${BINARY_NAME}" version --template="{{ .Version }}")
     if [[ "$version" == "$TAG" ]]; then
       echo "Helm ${version} is already ${DESIRED_VERSION:-latest}"
       return 0
@@ -193,8 +194,10 @@ installFile() {
 # verifyChecksum verifies the SHA256 checksum of the binary package.
 verifyChecksum() {
   printf "Verifying checksum... "
-  local sum=$(openssl sha1 -sha256 ${HELM_TMP_FILE} | awk '{print $2}')
-  local expected_sum=$(cat ${HELM_SUM_FILE})
+  local sum
+  sum=$(openssl sha1 -sha256 "${HELM_TMP_FILE}" | awk '{print $2}')
+  local expected_sum
+  expected_sum=$(cat "${HELM_SUM_FILE}")
   if [ "$sum" != "$expected_sum" ]; then
     echo "SHA sum of ${HELM_TMP_FILE} does not match. Aborting."
     exit 1
@@ -216,7 +219,8 @@ verifySignatures() {
   fi
   local gpg_keyring="${HELM_TMP_ROOT}/keyring.gpg"
   local gpg_homedir="${HELM_TMP_ROOT}/gnupg"
-  mkdir -p -m 0700 "${gpg_homedir}"
+  mkdir -p "${gpg_homedir}"
+  chmod 0700 "${gpg_homedir}"
   local gpg_stderr_device="/dev/null"
   if [ "${DEBUG}" == "true" ]; then
     gpg_stderr_device="/dev/stderr"
@@ -233,13 +237,15 @@ verifySignatures() {
   fi
   local error_text="If you think this might be a potential security issue,"
   error_text="${error_text}\nplease see here: https://github.com/helm/community/blob/master/SECURITY.md"
-  local num_goodlines_sha=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
+  local num_goodlines_sha
+  num_goodlines_sha=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
   if [[ ${num_goodlines_sha} -lt 2 ]]; then
     echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256!"
     echo -e "${error_text}"
     exit 1
   fi
-  local num_goodlines_tar=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
+  local num_goodlines_tar
+  num_goodlines_tar=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
   if [[ ${num_goodlines_tar} -lt 2 ]]; then
     echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz!"
     echo -e "${error_text}"
@@ -266,13 +272,11 @@ fail_trap() {
 
 # testVersion tests the installed client to make sure it is working.
 testVersion() {
-  set +e
-  HELM="$(command -v $BINARY_NAME)"
-  if [ "$?" = "1" ]; then
-    echo "$BINARY_NAME not found. Is $HELM_INSTALL_DIR on your "'$PATH?'
+  if ! command -v "$BINARY_NAME" &> /dev/null; then
+    # shellcheck disable=SC2016
+    echo "$BINARY_NAME not found. Is $HELM_INSTALL_DIR on your "'\$PATH?'
     exit 1
   fi
-  set -e
 }
 
 # help provides possible cli installation arguments
@@ -294,7 +298,7 @@ cleanup() {
 # Execution
 
 #Stop execution on any error
-trap "fail_trap" EXIT
+trap 'fail_trap' EXIT
 set -e
 
 # Set debug if desired
@@ -303,7 +307,7 @@ if [ "${DEBUG}" == "true" ]; then
 fi
 
 # Parsing input arguments (if any)
-export INPUT_ARGUMENTS="${@}"
+export INPUT_ARGUMENTS="$*"
 set -u
 while [[ $# -gt 0 ]]; do
   case $1 in
diff --git a/scripts/get-helm-4 b/scripts/get-helm-4
index 1c90bbad5..d9777a1b8 100644
--- a/scripts/get-helm-4
+++ b/scripts/get-helm-4
@@ -17,13 +17,13 @@
 # The install script is based off of the MIT-licensed script from glide,
 # the package manager for Go: https://github.com/Masterminds/glide.sh/blob/master/get
 
-: ${BINARY_NAME:="helm"}
-: ${USE_SUDO:="true"}
-: ${DEBUG:="false"}
-: ${VERIFY_CHECKSUM:="true"}
-: ${VERIFY_SIGNATURES:="false"}
-: ${HELM_INSTALL_DIR:="/usr/local/bin"}
-: ${GPG_PUBRING:="pubring.kbx"}
+: "${BINARY_NAME:=helm}"
+: "${USE_SUDO:=true}"
+: "${DEBUG:=false}"
+: "${VERIFY_CHECKSUM:=true}"
+: "${VERIFY_SIGNATURES:=false}"
+: "${HELM_INSTALL_DIR:=/usr/local/bin}"
+: "${GPG_PUBRING:=pubring.kbx}"
 
 HAS_CURL="$(type "curl" &> /dev/null && echo true || echo false)"
 HAS_WGET="$(type "wget" &> /dev/null && echo true || echo false)"
@@ -35,7 +35,7 @@ HAS_TAR="$(type "tar" &> /dev/null && echo true || echo false)"
 # initArch discovers the architecture for this system.
 initArch() {
   ARCH=$(uname -m)
-  case $ARCH in
+  case "$ARCH" in
     armv5*) ARCH="armv5";;
     armv6*) ARCH="armv6";;
     armv7*) ARCH="arm";;
@@ -49,7 +49,7 @@ initArch() {
 
 # initOS discovers the operating system for this system.
 initOS() {
-  OS=$(echo `uname`|tr '[:upper:]' '[:lower:]')
+  OS=$(uname | tr '[:upper:]' '[:lower:]')
 
   case "$OS" in
     # Minimalist GNU for Windows
@@ -59,7 +59,7 @@ initOS() {
 
 # runs the given command as root (detects if we are root already)
 runAsRoot() {
-  if [ $EUID -ne 0 -a "$USE_SUDO" = "true" ]; then
+  if [ $EUID -ne 0 ] && [ "$USE_SUDO" = "true" ]; then
     sudo "${@}"
   else
     "${@}"
@@ -112,7 +112,7 @@ verifySupported() {
 
 # checkDesiredVersion checks if the desired version is available.
 checkDesiredVersion() {
-  if [ "x$DESIRED_VERSION" == "x" ]; then
+  if [ -z "$DESIRED_VERSION" ]; then
     # Get tag from release URL
     local latest_release_url="https://get.helm.sh/helm4-latest-version"
     local latest_release_response=""
@@ -122,7 +122,7 @@ checkDesiredVersion() {
       latest_release_response=$( wget "$latest_release_url" -q -O - 2>&1 || true )
     fi
     TAG=$( echo "$latest_release_response" | grep '^v[0-9]' )
-    if [ "x$TAG" == "x" ]; then
+    if [ -z "$TAG" ]; then
       printf "Could not retrieve the latest release tag information from %s: %s\n" "${latest_release_url}" "${latest_release_response}"
       exit 1
     fi
@@ -135,7 +135,8 @@ checkDesiredVersion() {
 # if it needs to be changed.
 checkHelmInstalledVersion() {
   if [[ -f "${HELM_INSTALL_DIR}/${BINARY_NAME}" ]]; then
-    local version=$("${HELM_INSTALL_DIR}/${BINARY_NAME}" version --template="{{ .Version }}")
+    local version
+    version=$("${HELM_INSTALL_DIR}/${BINARY_NAME}" version --template="{{ .Version }}")
     if [[ "$version" == "$TAG" ]]; then
       echo "Helm ${version} is already ${DESIRED_VERSION:-latest}"
       return 0
@@ -193,8 +194,10 @@ installFile() {
 # verifyChecksum verifies the SHA256 checksum of the binary package.
 verifyChecksum() {
   printf "Verifying checksum... "
-  local sum=$(openssl sha1 -sha256 ${HELM_TMP_FILE} | awk '{print $2}')
-  local expected_sum=$(cat ${HELM_SUM_FILE})
+  local sum
+  sum=$(openssl sha1 -sha256 "${HELM_TMP_FILE}" | awk '{print $2}')
+  local expected_sum
+  expected_sum=$(cat "${HELM_SUM_FILE}")
   if [ "$sum" != "$expected_sum" ]; then
     echo "SHA sum of ${HELM_TMP_FILE} does not match. Aborting."
     exit 1
@@ -216,7 +219,8 @@ verifySignatures() {
   fi
   local gpg_keyring="${HELM_TMP_ROOT}/keyring.gpg"
   local gpg_homedir="${HELM_TMP_ROOT}/gnupg"
-  mkdir -p -m 0700 "${gpg_homedir}"
+  mkdir -p "${gpg_homedir}"
+  chmod 0700 "${gpg_homedir}"
   local gpg_stderr_device="/dev/null"
   if [ "${DEBUG}" == "true" ]; then
     gpg_stderr_device="/dev/stderr"
@@ -233,13 +237,15 @@ verifySignatures() {
   fi
   local error_text="If you think this might be a potential security issue,"
   error_text="${error_text}\nplease see here: https://github.com/helm/community/blob/master/SECURITY.md"
-  local num_goodlines_sha=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
+  local num_goodlines_sha
+  num_goodlines_sha=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
   if [[ ${num_goodlines_sha} -lt 2 ]]; then
     echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256!"
     echo -e "${error_text}"
     exit 1
   fi
-  local num_goodlines_tar=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
+  local num_goodlines_tar
+  num_goodlines_tar=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
   if [[ ${num_goodlines_tar} -lt 2 ]]; then
     echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz!"
     echo -e "${error_text}"
@@ -266,13 +272,11 @@ fail_trap() {
 
 # testVersion tests the installed client to make sure it is working.
 testVersion() {
-  set +e
-  HELM="$(command -v $BINARY_NAME)"
-  if [ "$?" = "1" ]; then
-    echo "$BINARY_NAME not found. Is $HELM_INSTALL_DIR on your "'$PATH?'
+  if ! command -v "$BINARY_NAME" &> /dev/null; then
+    # shellcheck disable=SC2016
+    echo "$BINARY_NAME not found. Is $HELM_INSTALL_DIR on your "'\$PATH?'
     exit 1
   fi
-  set -e
 }
 
 # help provides possible cli installation arguments
@@ -294,7 +298,7 @@ cleanup() {
 # Execution
 
 #Stop execution on any error
-trap "fail_trap" EXIT
+trap 'fail_trap' EXIT
 set -e
 
 # Set debug if desired
@@ -303,7 +307,7 @@ if [ "${DEBUG}" == "true" ]; then
 fi
 
 # Parsing input arguments (if any)
-export INPUT_ARGUMENTS="${@}"
+export INPUT_ARGUMENTS="$*"
 set -u
 while [[ $# -gt 0 ]]; do
   case $1 in
diff --git a/scripts/release-notes.sh b/scripts/release-notes.sh
index 48328cb38..f8907d6f8 100755
--- a/scripts/release-notes.sh
+++ b/scripts/release-notes.sh
@@ -29,10 +29,10 @@ if [[ -z "${PREVIOUS_RELEASE}" || -z "${RELEASE}" ]]; then
 fi
 
 ## validate git tags
-for tag in $RELEASE $PREVIOUS_RELEASE; do
-  OK=$(git tag -l ${tag} | wc -l)
+for tag in "$RELEASE" "$PREVIOUS_RELEASE"; do
+  OK=$(git tag -l "${tag}" | wc -l)
   if [[ "$OK" == "0" ]]; then
-    echo ${tag} is not a valid release version
+    echo "${tag} is not a valid release version"
     exit 1
   fi
 done
@@ -46,17 +46,16 @@ if [[ ! -e "./_dist/helm-${RELEASE}-darwin-amd64.tar.gz.sha256sum" ]]; then
 fi
 
 ## Generate CHANGELOG from git log
-CHANGELOG=$(git log --no-merges --pretty=format:'- %s %H (%aN)' ${PREVIOUS_RELEASE}..${RELEASE})
-if [[ ! $? -eq 0 ]]; then
+if ! CHANGELOG=$(git log --no-merges --pretty=format:'- %s %H (%aN)' "${PREVIOUS_RELEASE}".."${RELEASE}"); then
   echo "Error creating changelog"
   echo "try running \`git log --no-merges --pretty=format:'- %s %H (%aN)' ${PREVIOUS_RELEASE}..${RELEASE}\`"
   exit 1
 fi
 
 ## guess at MAJOR / MINOR / PATCH versions
-MAJOR=$(echo ${RELEASE} | sed 's/^v//' | cut -f1 -d.)
-MINOR=$(echo ${RELEASE} | sed 's/^v//' | cut -f2 -d.)
-PATCH=$(echo ${RELEASE} | sed 's/^v//' | cut -f3 -d.)
+MAJOR=$(echo "${RELEASE}" | sed 's/^v//' | cut -f1 -d.)
+MINOR=$(echo "${RELEASE}" | sed 's/^v//' | cut -f2 -d.)
+PATCH=$(echo "${RELEASE}" | sed 's/^v//' | cut -f3 -d.)
 
 ## Print release notes to stdout
 cat <<EOF
@@ -81,25 +80,25 @@ The community keeps growing, and we'd love to see you there!
 
 Download Helm ${RELEASE}. The common platform binaries are here:
 
-- [MacOS amd64](https://get.helm.sh/helm-${RELEASE}-darwin-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-darwin-amd64.tar.gz.sha256sum) / $(cat _dist/helm-${RELEASE}-darwin-amd64.tar.gz.sha256))
-- [MacOS arm64](https://get.helm.sh/helm-${RELEASE}-darwin-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-darwin-arm64.tar.gz.sha256sum) / $(cat _dist/helm-${RELEASE}-darwin-arm64.tar.gz.sha256))
-- [Linux amd64](https://get.helm.sh/helm-${RELEASE}-linux-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-amd64.tar.gz.sha256sum) / $(cat _dist/helm-${RELEASE}-linux-amd64.tar.gz.sha256))
-- [Linux arm](https://get.helm.sh/helm-${RELEASE}-linux-arm.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-arm.tar.gz.sha256sum) / $(cat _dist/helm-${RELEASE}-linux-arm.tar.gz.sha256))
-- [Linux arm64](https://get.helm.sh/helm-${RELEASE}-linux-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-arm64.tar.gz.sha256sum) / $(cat _dist/helm-${RELEASE}-linux-arm64.tar.gz.sha256))
-- [Linux i386](https://get.helm.sh/helm-${RELEASE}-linux-386.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-386.tar.gz.sha256sum) / $(cat _dist/helm-${RELEASE}-linux-386.tar.gz.sha256))
-- [Linux loong64](https://get.helm.sh/helm-${RELEASE}-linux-loong64.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-loong64.tar.gz.sha256sum) / $(cat _dist/helm-${RELEASE}-linux-loong64.tar.gz.sha256))
-- [Linux ppc64le](https://get.helm.sh/helm-${RELEASE}-linux-ppc64le.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-ppc64le.tar.gz.sha256sum) / $(cat _dist/helm-${RELEASE}-linux-ppc64le.tar.gz.sha256))
-- [Linux s390x](https://get.helm.sh/helm-${RELEASE}-linux-s390x.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-s390x.tar.gz.sha256sum) / $(cat _dist/helm-${RELEASE}-linux-s390x.tar.gz.sha256))
-- [Linux riscv64](https://get.helm.sh/helm-${RELEASE}-linux-riscv64.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-riscv64.tar.gz.sha256sum) / $(cat _dist/helm-${RELEASE}-linux-riscv64.tar.gz.sha256))
-- [Windows amd64](https://get.helm.sh/helm-${RELEASE}-windows-amd64.zip) ([checksum](https://get.helm.sh/helm-${RELEASE}-windows-amd64.zip.sha256sum) / $(cat _dist/helm-${RELEASE}-windows-amd64.zip.sha256))
-- [Windows arm64](https://get.helm.sh/helm-${RELEASE}-windows-arm64.zip) ([checksum](https://get.helm.sh/helm-${RELEASE}-windows-arm64.zip.sha256sum) / $(cat _dist/helm-${RELEASE}-windows-arm64.zip.sha256))
+- [MacOS amd64](https://get.helm.sh/helm-${RELEASE}-darwin-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-darwin-amd64.tar.gz.sha256sum) / $(cat "_dist/helm-${RELEASE}-darwin-amd64.tar.gz.sha256"))
+- [MacOS arm64](https://get.helm.sh/helm-${RELEASE}-darwin-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-darwin-arm64.tar.gz.sha256sum) / $(cat "_dist/helm-${RELEASE}-darwin-arm64.tar.gz.sha256"))
+- [Linux amd64](https://get.helm.sh/helm-${RELEASE}-linux-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-amd64.tar.gz.sha256sum) / $(cat "_dist/helm-${RELEASE}-linux-amd64.tar.gz.sha256"))
+- [Linux arm](https://get.helm.sh/helm-${RELEASE}-linux-arm.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-arm.tar.gz.sha256sum) / $(cat "_dist/helm-${RELEASE}-linux-arm.tar.gz.sha256"))
+- [Linux arm64](https://get.helm.sh/helm-${RELEASE}-linux-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-arm64.tar.gz.sha256sum) / $(cat "_dist/helm-${RELEASE}-linux-arm64.tar.gz.sha256"))
+- [Linux i386](https://get.helm.sh/helm-${RELEASE}-linux-386.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-386.tar.gz.sha256sum) / $(cat "_dist/helm-${RELEASE}-linux-386.tar.gz.sha256"))
+- [Linux loong64](https://get.helm.sh/helm-${RELEASE}-linux-loong64.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-loong64.tar.gz.sha256sum) / $(cat "_dist/helm-${RELEASE}-linux-loong64.tar.gz.sha256"))
+- [Linux ppc64le](https://get.helm.sh/helm-${RELEASE}-linux-ppc64le.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-ppc64le.tar.gz.sha256sum) / $(cat "_dist/helm-${RELEASE}-linux-ppc64le.tar.gz.sha256"))
+- [Linux s390x](https://get.helm.sh/helm-${RELEASE}-linux-s390x.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-s390x.tar.gz.sha256sum) / $(cat "_dist/helm-${RELEASE}-linux-s390x.tar.gz.sha256"))
+- [Linux riscv64](https://get.helm.sh/helm-${RELEASE}-linux-riscv64.tar.gz) ([checksum](https://get.helm.sh/helm-${RELEASE}-linux-riscv64.tar.gz.sha256sum) / $(cat "_dist/helm-${RELEASE}-linux-riscv64.tar.gz.sha256"))
+- [Windows amd64](https://get.helm.sh/helm-${RELEASE}-windows-amd64.zip) ([checksum](https://get.helm.sh/helm-${RELEASE}-windows-amd64.zip.sha256sum) / $(cat "_dist/helm-${RELEASE}-windows-amd64.zip.sha256"))
+- [Windows arm64](https://get.helm.sh/helm-${RELEASE}-windows-arm64.zip) ([checksum](https://get.helm.sh/helm-${RELEASE}-windows-arm64.zip.sha256sum) / $(cat "_dist/helm-${RELEASE}-windows-arm64.zip.sha256"))
 
 The [Quickstart Guide](https://helm.sh/docs/intro/quickstart/) will get you going from there. For **upgrade instructions** or detailed installation notes, check the [install guide](https://helm.sh/docs/intro/install/). You can also use a [script to install](https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3) on any system with \`bash\`.
 
 ## What's Next
 
-- ${MAJOR}.${MINOR}.$(expr ${PATCH} + 1) will contain only bug fixes.
-- ${MAJOR}.$(expr ${MINOR} + 1).${PATCH} is the next feature release. This release will focus on ...
+- ${MAJOR}.${MINOR}.$((PATCH + 1)) will contain only bug fixes.
+- ${MAJOR}.$((MINOR + 1)).${PATCH} is the next feature release. This release will focus on ...
 
 ## Changelog
 
diff --git a/scripts/util.sh b/scripts/util.sh
index c1e6c3751..a423380ff 100644
--- a/scripts/util.sh
+++ b/scripts/util.sh
@@ -28,7 +28,7 @@ kube::util::trap_add() {
     local new_cmd
 
     # Grab the currently defined trap commands for this trap
-    existing_cmd=`trap -p "${trap_add_name}" |  awk -F"'" '{print $2}'`
+    existing_cmd=$(trap -p "${trap_add_name}" | awk -F"'" '{print $2}')
 
     if [[ -z "${existing_cmd}" ]]; then
       new_cmd="${trap_add_cmd}"
@@ -36,7 +36,8 @@ kube::util::trap_add() {
       new_cmd="${existing_cmd};${trap_add_cmd}"
     fi
 
-    # Assign the test
+    # Assign the test - expand now is intentional as we're building the command dynamically
+    # shellcheck disable=SC2064
     trap "${new_cmd}" "${trap_add_name}"
   done
 }
diff --git a/scripts/validate-license.sh b/scripts/validate-license.sh
index f67812ca5..b1f5af5f5 100755
--- a/scripts/validate-license.sh
+++ b/scripts/validate-license.sh
@@ -28,7 +28,7 @@ find_files() {
 }
 
 # Use "|| :" to ignore the error code when grep returns empty
-failed_license_header=($(find_files | xargs grep -L 'Licensed under the Apache License, Version 2.0 (the "License")' || :))
+mapfile -t failed_license_header < <(find_files | xargs grep -L 'Licensed under the Apache License, Version 2.0 (the "License")' || :)
 if (( ${#failed_license_header[@]} > 0 )); then
   echo "Some source files are missing license headers."
   printf '%s\n' "${failed_license_header[@]}"
@@ -36,7 +36,7 @@ if (( ${#failed_license_header[@]} > 0 )); then
 fi
 
 # Use "|| :" to ignore the error code when grep returns empty
-failed_copyright_header=($(find_files | xargs grep -L 'Copyright The Helm Authors.' || :))
+mapfile -t failed_copyright_header < <(find_files | xargs grep -L 'Copyright The Helm Authors.' || :)
 if (( ${#failed_copyright_header[@]} > 0 )); then
   echo "Some source files are missing the copyright header."
   printf '%s\n' "${failed_copyright_header[@]}"