[oblt-aw][security] Fix SEC-032 actionlint download integrity

[github-actions]

Closes #803

Summary

This change remediates SEC-032 in the security detector tooling installer by removing remote script execution and enforcing artifact integrity verification for actionlint downloads.

Resolution plan checklist

• Identify the SEC-032 exposure in scripts/install_security_detector_tools.sh
• Replace dynamic remote-script execution with release artifact downloads
• Add checksum verification before extraction/install
• Keep behavior compatible for supported Linux runner architectures (amd64, arm64)
• Update directly related workflow documentation
• Run validation checks

Implemented changes

• Updated scripts/install_security_detector_tools.sh:
  • removed bash <(curl ...) usage,
  • added arch mapping with explicit unsupported-arch failure,
  • downloads actionlint_<version>_linux_<arch>.tar.gz and checksums.txt from GitHub Releases,
  • verifies downloaded archive via sha256sum -c,
  • extracts only after verification and cleans up downloaded files.
• Updated docs/workflows/gh-aw-security-detector.md to document checksum-verified actionlint installation.

Validation evidence

• npm test --silent → pass (6/6)
• . /tmp/gh-aw/agent/venv/bin/activate && python -m pytest tests/ → pass (89/89)
• bash -n scripts/install_security_detector_tools.sh → pass
• Targeted SEC-032 heuristic check for scripts/install_security_detector_tools.sh → no finding emitted

Security controls confirmation

• Least-privilege: No workflow/job permissions were broadened; remediation is limited to install script behavior.
• Env-indirection: No secrets/tokens were interpolated into command strings; this change does not add secret handling paths.

Note

🔒 Integrity filter blocked 49 items

The following items were blocked because they don't meet the GitHub integrity level.

• #803 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-032 — findings (2026-05-06) #803 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #803 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #792 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #780 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #771 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #764 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #753 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #741 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #730 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #790 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #776 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #750 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #749 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #802 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #106 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• ... and 33 more items

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: Observability Agentic Workflow Entrypoint

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.