[oblt-aw][security] Fix SEC-032 actionlint installer integrity verification #1068

Draft
github-actions[bot] wants to merge 1 commit into main from fix/sec-032-actionlint-integrity-3238a13103305405

Conversation

@github-actions

Closes #1066

Summary

This remediates SEC-032 in scripts/obs/install_security_detector_tools.sh by verifying the integrity of the downloaded actionlint installer script before executing it.

What changed

  • Replaced process-substitution execution (bash <(curl ...)) with an explicit download to download-actionlint.bash.
  • Added pinned SHA-256 (ACTIONLINT_DOWNLOAD_SCRIPT_SHA256) for the pinned installer script commit.
  • Added cryptographic verification via sha256sum -c - before script execution.
  • Removed temporary downloaded script after successful run.
  • Updated detector workflow docs to reflect checksum verification behavior.

Plan steps completed

  • Identify the SEC-032 finding source and affected code path.
  • Implement integrity verification for downloaded artifact before execution.
  • Keep actionlint source pinning intact (commit-pinned URL).
  • Validate that SEC-032 no longer reports on this script.
  • Update related workflow documentation.

Validation evidence

  • ./scripts/obs/security-scan.sh | grep -E 'SEC-032|install_security_detector_tools.sh' || true produced no matches.
  • shellcheck scripts/obs/install_security_detector_tools.sh passed with no findings.
  • npm test -- --runInBand passed (15/15).

Security requirements confirmation

  • Least-privilege: No workflow permissions were broadened; no additional token scopes were introduced.
  • Env-indirection: No secrets/tokens were interpolated into command strings; this change does not add any secret handling.

Note

🔒 Integrity filter blocked 42 items

The following items were blocked because they don't meet the GitHub integrity level.

  • [oblt-aw][security] SEC-032 — findings (2026-05-27) #1066 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1066 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1066 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1055 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1038 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1023 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1014 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1001 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #992 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #978 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #966 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #951 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #937 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #928 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #916 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #903 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • ... and 26 more items

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

What is this? | From workflow: Observability Agentic Workflow Entrypoint

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.
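The download-then-verify pattern described under "What changed", as an added example that is not the project's install_security_detector_tools.sh; the URL, checksum and file name are placeholders, and the real pinned values live in the repository script.

```shell
#!/usr/bin/env bash
# Added example: replace `bash <(curl ...)` with download, pinned SHA-256 check,
# execute-only-on-match, then cleanup. Values below are placeholders (assumed).
set -eu

# Placeholder: must point at a specific upstream commit, never a branch name.
ACTIONLINT_DOWNLOAD_SCRIPT_URL="${ACTIONLINT_DOWNLOAD_SCRIPT_URL:-https://example.invalid/download-actionlint.bash}"
# Placeholder: SHA-256 of the installer at that pinned commit, recorded when pinning.
ACTIONLINT_DOWNLOAD_SCRIPT_SHA256="${ACTIONLINT_DOWNLOAD_SCRIPT_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"

# verify_sha256 FILE EXPECTED_HEX: exit 0 only if FILE hashes to EXPECTED_HEX.
# `sha256sum -c -` reads "<hash>  <path>" lines from stdin and checks each one.
verify_sha256() {
  file="$1"; expected="$2"
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c - >/dev/null 2>&1
}

# run_verified_installer FILE EXPECTED_HEX: run FILE with bash only after the
# checksum matches; remove the file afterwards whether it matched or not.
# A mismatch returns 1 and never executes the file.
run_verified_installer() {
  file="$1"; expected="$2"
  if ! verify_sha256 "$file" "$expected"; then
    echo "checksum mismatch for $file; refusing to execute" >&2
    rm -f "$file"
    return 1
  fi
  bash "$file"
  rm -f "$file"
}

# download_and_run: the full flow. --fail keeps an HTTP error body from being
# written to disk and then hashed or executed.
download_and_run() {
  script="download-actionlint.bash"
  curl --fail --silent --show-error --location \
    --output "$script" "$ACTIONLINT_DOWNLOAD_SCRIPT_URL"
  run_verified_installer "$script" "$ACTIONLINT_DOWNLOAD_SCRIPT_SHA256"
}
```

Calling `download_and_run` reproduces the PR's sequence; the two helper functions can be exercised offline against any local file.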

Add SHA-256 verification for the pinned actionlint installer script before execution and remove process substitution download execution. Update detector docs to reflect verification behavior.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>