[oblt-aw][security] Fix SEC-032 actionlint installer integrity verification #994

Draft: github-actions[bot] wants to merge 1 commit into main from copilot/fix-sec-032-issue-992-4d6e1d1aa0640e87


Conversation

@github-actions
Contributor

Closes #992

This change remediates a SEC-032 finding in the detector bootstrap installer flow by removing direct execution of network-fetched script content and enforcing integrity verification before execution.

What changed

  • Updated scripts/obs/install_security_detector_tools.sh:
    • kept the pinned installer source commit (ACTIONLINT_DOWNLOAD_SCRIPT_SHA)
    • added ACTIONLINT_DOWNLOAD_SCRIPT_SHA256
    • replaced bash <(curl ...) with an explicit curl -o download to download-actionlint.bash
    • added a sha256sum -c - verification gate
    • executed the installer only after the checksum passes
    • removed the temporary installer script after execution

Plan checklist

  • Read and execute SEC-032 remediation steps in order
  • Remove remote process-substitution execution
  • Add cryptographic integrity verification before execution
  • Re-run validations

Validation evidence

  • npm test passes (6/6)
  • SEC-032 detector heuristic check for shell scripts (curl|wget without integrity tokens) reports no remaining findings

Security requirements confirmation

  • Least privilege: No workflow/job permissions were expanded; this fix is confined to a shell script installer path.
  • Env indirection: No secrets/tokens are interpolated into command strings in this change; commands operate on non-secret constants and local files only.

Note

🔒 Integrity filter blocked 12 items

The following items were blocked because they don't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

What is this? | From workflow: Observability Agentic Workflow Entrypoint

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

Replace process-substitution execution of remote installer with explicit download plus SHA-256 verification before execution.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
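The download-then-verify pattern the PR describes, written out as an added example (this is not the project's scripts/obs/install_security_detector_tools.sh and not code from the PR). The variable names ACTIONLINT_DOWNLOAD_SCRIPT_SHA and ACTIONLINT_DOWNLOAD_SCRIPT_SHA256 are taken from the PR; the installer URL, the function names, and the placeholder values are assumptions. Two things a reviewer would check that the PR description does not spell out: the expected digest must come from somewhere other than the download itself (here a constant in the script), and the temporary file must be removed on the mismatch path too, not only after a successful run, which the trap below handles. The digest covers download-actionlint.bash only; whatever that script fetches in turn is outside this gate.

```shell
#!/usr/bin/env bash
# Added example, not the project's installer. Demonstrates replacing
# `bash <(curl ...)` with: download to a file, verify SHA-256, run, clean up.
set -eu

# Pinned source commit and expected digest of the installer at that commit.
# Placeholders (assumption): a real script hard-codes the digest of the exact
# file it fetches, obtained out of band, never from the same download.
ACTIONLINT_DOWNLOAD_SCRIPT_SHA="${ACTIONLINT_DOWNLOAD_SCRIPT_SHA:-0000000000000000000000000000000000000000}"
ACTIONLINT_DOWNLOAD_SCRIPT_SHA256="${ACTIONLINT_DOWNLOAD_SCRIPT_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"
# Assumed location of the installer in the pinned commit (not stated in the PR).
INSTALLER_URL="${INSTALLER_URL:-https://raw.githubusercontent.com/rhysd/actionlint/${ACTIONLINT_DOWNLOAD_SCRIPT_SHA}/scripts/download-actionlint.bash}"

# sha256_of FILE: hex digest of FILE (coreutils sha256sum).
sha256_of() {
  sha256sum "$1" | awk '{print $1}'
}

# verify_installer FILE EXPECTED_SHA256: the integrity gate.
# Returns 0 only when FILE hashes to EXPECTED_SHA256, 1 on mismatch, 2 when the
# expected digest is malformed (so an empty or garbled constant cannot pass).
# Uses the same `sha256sum -c -` idiom as the PR: one "digest  path" line on
# stdin; the two spaces between digest and path are part of the format.
verify_installer() {
  file="$1"; expected="$2"
  case "$expected" in
    *[!0-9a-fA-F]*|"") return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 2
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status -
}

# fetch_installer URL DEST: explicit download to a local file. Unlike process
# substitution, the bytes exist on disk where they can be hashed before any
# interpreter sees them. HTTPS only, TLS 1.2+, fail on HTTP errors.
fetch_installer() {
  curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# install_actionlint [ARGS...]: fetch, verify, execute, remove.
# The installer runs only after the checksum passes. The EXIT trap removes the
# temp directory on every path, including a mismatch or a curl failure.
install_actionlint() {
  workdir="$(mktemp -d)"
  trap "rm -rf '$workdir'" EXIT
  script="$workdir/download-actionlint.bash"
  fetch_installer "$INSTALLER_URL" "$script"
  if ! verify_installer "$script" "$ACTIONLINT_DOWNLOAD_SCRIPT_SHA256"; then
    echo "actionlint installer checksum mismatch; refusing to execute" >&2
    return 1
  fi
  bash "$script" "$@"
}

# demo_gate: offline, constructed demonstration of the gate (no network).
# Writes a harmless script, takes its real digest, checks that it verifies,
# appends one byte, and checks that the tampered copy is rejected.
# Returns 0 only when both outcomes are as expected.
demo_gate() {
  d="$(mktemp -d)"
  f="$d/installer.sh"
  printf '#!/bin/sh\necho installed\n' > "$f"
  sha="$(sha256_of "$f")"
  if ! verify_installer "$f" "$sha"; then rm -rf "$d"; return 1; fi
  printf '\n' >> "$f"                       # tamper: one extra byte
  if verify_installer "$f" "$sha"; then rm -rf "$d"; return 1; fi
  rm -rf "$d"
}

demo_gate
echo "gate demo: clean installer verified, tampered copy rejected"
```

To install for real, source the file and call install_actionlint after setting ACTIONLINT_DOWNLOAD_SCRIPT_SHA256 to the digest of the pinned file; the gate returns non-zero on any mismatch, and the script is never handed to bash in that case.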

Development

Successfully merging this pull request may close these issues.

[oblt-aw][security] SEC-032 — findings (2026-05-21)
