[oblt-aw][security] Fix SEC-032 actionlint installer verification#824

Draft
github-actions[bot] wants to merge 1 commit into main from fix/sec-032-issue-822-fb8a1aef52e5a614
Conversation

@github-actions github-actions Bot commented May 8, 2026

Closes #822

Summary

This change remediates SEC-032 in the security detector tooling installer by adding cryptographic verification of the downloaded actionlint installer script before execution.

Plan checklist

  • Identify the SEC-032 download/execute path in scripts/install_security_detector_tools.sh
  • Add integrity verification for the downloaded installer script
  • Keep installer behavior and pinned source commit intact
  • Run repository tests and targeted scan verification

Changes

  • Updated scripts/install_security_detector_tools.sh:
    • added ACTIONLINT_DOWNLOAD_SCRIPT_SHA256 for the pinned installer script content,
    • replaced bash <(curl ...) with explicit download to file,
    • added sha256sum -c - verification,
    • execute installer script only after successful verification.

Validation evidence

/tmp/gh-aw/agent/venv/bin/python -m pytest tests/  -> 89 passed
npm test                                           -> 6 passed
bash scripts/security-scan.sh . | grep -n 'SEC-032' || true
  -> no SEC-032 findings emitted for this script path

Security requirements confirmation

  • Least-privilege: No workflow permissions were broadened; change is limited to installer script behavior.
  • Env-indirection: No secrets/tokens were added or interpolated into command strings; this remediation introduces no secret-handling path.

Note

🔒 Integrity filter blocked 16 items

The following items were blocked because they don't meet the GitHub integrity level.

  • #822 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • [oblt-aw][security] SEC-032 — findings (2026-05-08) #822 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #106 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #108 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #107 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #109 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #822 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #814 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #803 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #792 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #780 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #771 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #764 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #753 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #741 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #730 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

What is this? | From workflow: Observability Agentic Workflow Entrypoint

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.
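The download-verify-execute flow the Changes list describes, as an added shell example that is not the PR's own scripts/install_security_detector_tools.sh: the URL and digest variables are placeholders, and the sample installer is constructed inline so the checks run offline.

```shell
#!/usr/bin/env bash
# Added example, not the PR's own installer script: replace `bash <(curl ...)`
# with download to file, `sha256sum -c -` verification, then execution.
set -e

# Placeholders (assumed, not taken from the PR): pinned script URL and its digest.
ACTIONLINT_DOWNLOAD_SCRIPT_URL="https://example.invalid/download-actionlint.bash"
ACTIONLINT_DOWNLOAD_SCRIPT_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Check a file against an expected SHA-256 via `sha256sum -c -`; the two-space
# separator is the checksum-list format sha256sum expects. Never runs the file.
verify_sha256() {
  local file="$1" expected="$2"
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c - >/dev/null 2>&1
}

# Execute the installer only after verification succeeds. On mismatch, delete
# the file so a tampered copy cannot be picked up by a later step.
run_verified_installer() {
  local file="$1" expected="$2"
  shift 2
  if ! verify_sha256 "$file" "$expected"; then
    echo "SHA-256 mismatch for $file; refusing to execute" >&2
    rm -f "$file"
    return 1
  fi
  bash "$file" "$@"
}

# The hardened flow end to end (needs network, so not exercised offline):
# curl to a temp file, verify, run, clean up.
install_actionlint() {
  local tmp
  tmp="$(mktemp)"
  curl -fsSL "$ACTIONLINT_DOWNLOAD_SCRIPT_URL" -o "$tmp"
  run_verified_installer "$tmp" "$ACTIONLINT_DOWNLOAD_SCRIPT_SHA256" "$@"
  rm -f "$tmp"
}

# Constructed stand-in for a downloaded installer, so the check runs offline.
make_sample_installer() {
  local f
  f="$(mktemp)"
  printf '#!/usr/bin/env bash\necho "installer ran: $*"\n' > "$f"
  echo "$f"
}
```

Pin the digest to the script content at the pinned source commit; any upstream change to that content then fails closed instead of being executed.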

Add SHA-256 verification for the pinned actionlint installer script before execution to remediate SEC-032 in detector tooling setup.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>