
[oblt-aw][security] Fix SEC-032 actionlint installer integrity verification #835

Draft
github-actions[bot] wants to merge 1 commit into main from
fix/sec-032-actionlint-integrity-b86a3d4fd8d220b2


Conversation

github-actions[bot] (Contributor) commented May 9, 2026

Closes #832

Summary

This PR remediates SEC-032 in scripts/install_security_detector_tools.sh by replacing streamed remote execution with explicit download + SHA-256 verification + execution.

What changed

  • Added ACTIONLINT_DOWNLOAD_SCRIPT_SHA256 for the pinned installer script.
  • Replaced bash <(curl ...) with:
    • curl -fsSLo download-actionlint.bash ...
    • echo "<sha256> download-actionlint.bash" | sha256sum -c -
    • bash download-actionlint.bash "${ACTIONLINT_VERSION}"

Resolution plan checklist

  • Reproduce and confirm SEC-032 finding.
  • Implement integrity verification for downloaded artifact/script.
  • Keep changes minimal and scoped to the flagged path.
  • Re-run security and shell validation checks.

Validation evidence

$ ./scripts/security-scan.sh
# no findings

$ bash -n scripts/install_security_detector_tools.sh
# exit 0

$ shellcheck scripts/install_security_detector_tools.sh
# exit 0

Security requirements confirmation

  • Least-privilege: No workflow permission expansion was introduced; this change is limited to installer script behavior.
  • Env-indirection: No secrets/tokens were introduced or interpolated in command strings; this script does not handle credential material.

Note

🔒 Integrity filter blocked 12 items

The following items were blocked because they don't meet the GitHub integrity level.

  • #832 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #832 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #822 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #814 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #803 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #792 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #780 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #771 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #764 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #753 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #741 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • [oblt-aw][security] SEC-032 — findings (2026-05-09) #832 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

From workflow: Observability Agentic Workflow Entrypoint

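The download-then-verify-then-execute sequence described in the PR body, as an added example that is not the project's install_security_detector_tools.sh and not the bot's code. It replaces the network step with a constructed local "installer" file so it runs offline, computes the pinned digest in-script (in a real installer that value is a literal such as ACTIONLINT_DOWNLOAD_SCRIPT_SHA256 in the source), and shows the property that matters: a tampered file is never executed. The digest comparison is done in-shell rather than via `echo "<digest>  file" | sha256sum -c -`, which sidesteps two practitioner pitfalls: the checksum-line format expects two spaces between digest and filename, and the status of a piped `sha256sum -c` is lost unless `set -o pipefail` is in effect. Function names, the temp-dir layout and the version string v1.0.0 are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the project's installer script). Pattern: download to a
# file, check a pinned SHA-256, and only then execute. The curl step is stood
# in for by copying a constructed local file so this runs offline.
set -eu

# sha256_of FILE: print the hex digest with whichever tool is available
# (sha256sum from coreutils, or shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED: succeed only on an exact digest match.
# Comparing in-shell avoids the `... | sha256sum -c -` pipe, whose failure
# status is hidden unless `set -o pipefail` is active.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# run_verified_installer SRC EXPECTED VERSION: stage SRC in a private temp
# dir (standing in for `curl -fsSLo download-actionlint.bash ...`), verify it,
# then execute it with VERSION. Returns 0 and prints the installer's output on
# success; returns 2 without executing the file when the digest mismatches.
run_verified_installer() {
  local src="$1" expected="$2" version="$3" tmp out
  tmp="$(mktemp -d)"
  cp "$src" "$tmp/download-actionlint.bash"
  if ! verify_sha256 "$tmp/download-actionlint.bash" "$expected"; then
    echo "integrity check failed for download-actionlint.bash" >&2
    rm -rf "$tmp"
    return 2
  fi
  out="$(bash "$tmp/download-actionlint.bash" "$version")"
  rm -rf "$tmp"
  echo "$out"
}

# Constructed stand-in for the upstream installer: it only echoes the version
# it was asked to install. Assumption: the real script takes the version as $1.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/good-installer.bash" <<'EOF'
#!/usr/bin/env bash
echo "would install actionlint ${1:-latest}"
EOF
# In a real installer this is a literal pinned in the source, not computed.
EXPECTED_INSTALLER_SHA256="$(sha256_of "$WORK/good-installer.bash")"

# A tampered copy: one extra line appended, so the digest no longer matches.
cp "$WORK/good-installer.bash" "$WORK/tampered-installer.bash"
echo 'echo "attacker payload would run here" >&2' >> "$WORK/tampered-installer.bash"

# Demonstration: the pinned digest admits the genuine file and rejects the
# tampered one before any line of it is executed.
run_verified_installer "$WORK/good-installer.bash" "$EXPECTED_INSTALLER_SHA256" v1.0.0
run_verified_installer "$WORK/tampered-installer.bash" "$EXPECTED_INSTALLER_SHA256" v1.0.0 \
  || echo "refused tampered installer (status $?)"
```

When porting this to a real script, keep the digest literal next to the pinned version it belongs to and update both together; a digest that still matches after a version bump means the installer script itself did not change, which is fine, but a mismatch after a bump is the signal to re-verify the upstream file by hand rather than simply re-pin.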

Add SHA-256 verification for the pinned actionlint installer script before execution.

Co-authored-by: Copilot <[email protected]>

Development

Successfully merging this pull request may close these issues.

[oblt-aw][security] SEC-032 — findings (2026-05-09)
