[oblt-aw][security] Fix SEC-032 installer integrity verification

[github-actions]

Closes #1023

This remediates SEC-032 in scripts/obs/install_security_detector_tools.sh by removing remote script process-substitution execution and enforcing SHA-256 integrity verification before execution.

Completed plan steps

• Identify SEC-032 finding in the installer path
• Replace bash <(curl ...) with explicit file download
• Add cryptographic integrity check before execution
• Run validation and confirm scanner no longer reports this path

Changes made

• Added pinned SHA-256 value (ACTIONLINT_DOWNLOAD_SCRIPT_SHA256) for the pinned actionlint installer script commit.
• Downloaded installer to download-actionlint.bash with curl -fsSL ... -o.
• Added checksum verification gate: sha256sum -c -.
• Executed installer only after successful verification.

Validation evidence

• npm ci --no-audit --no-fund && npm test → 15 passed, 0 failed.
• bash scripts/obs/security-scan.sh . | grep -E "SEC-032|install_security_detector_tools.sh" || true → no output.

Security controls confirmation

• Least-privilege: No workflow permissions were broadened; this fix is script-scoped and does not add token scopes.
• Env-indirection: No secrets/tokens are interpolated into command strings; this change introduces no secret handling.

Note

🔒 Integrity filter blocked 49 items

The following items were blocked because they don't meet the GitHub integrity level.

• #1023 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-032 — findings (2026-05-24) #1023 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #1023 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-043 — findings (2026-05-24) #1024 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-032 — findings (2026-05-24) #1023 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-031 — findings (2026-05-24) #1022 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-030 — findings (2026-05-24) #1021 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-022 — findings (2026-05-24) #1020 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-010 — findings (2026-05-24) #1019 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-043 — findings (2026-05-23) #1015 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-032 — findings (2026-05-23) #1014 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-031 — findings (2026-05-23) #1013 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-030 — findings (2026-05-23) #1012 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-022 — findings (2026-05-23) #1011 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-010 — findings (2026-05-23) #1010 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• Autodoc prevents internal Helm files modification #1008 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• ... and 33 more items

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: Observability Agentic Workflow Entrypoint

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.