
[oblt-aw][security] Fix SEC-032 installer script integrity verification#1202

Draft
github-actions[bot] wants to merge 1 commit into main from fix/sec-032-actionlint-script-integrity-651ffef8fc8c9b13

Conversation

@github-actions

Contributor

Closes #1200

This PR remediates SEC-032 in detector tooling bootstrap by adding explicit cryptographic verification before executing a downloaded script.

What changed

  • Updated scripts/obs/install_security_detector_tools.sh to:
    • pin ACTIONLINT_DOWNLOAD_SCRIPT_SHA256
    • download download-actionlint.bash to disk
    • verify hash with sha256sum -c -
    • execute only after successful verification
    • remove the temporary script afterward
  • Replaced process-substitution execution (bash <(curl ...)) with verified file-based execution.

Plan checklist

  • Read and execute SEC-032 remediation steps for download integrity
  • Implemented fix in the impacted script path
  • Ran validation commands and confirmed detector finding is cleared
  • Kept change minimal and focused to the identified finding

Validation evidence

  • ./scripts/obs/security-scan.sh | grep 'SEC-032' (before):
    • scripts/obs/install_security_detector_tools.sh|21|SEC-032|high|Download via curl/wget without obvious checksum/signature verification in this script.
  • ./scripts/obs/security-scan.sh | grep 'SEC-032' (after): no matches
  • /tmp/gh-aw/agent/venv/bin/pytest tests/: 136 passed
  • npm test: 17 passed

Security controls confirmation

  • Least privilege: No workflow permission expansions were introduced; this is a script-only remediation.
  • Env indirection: No secrets/tokens were added or interpolated in commands; remediation uses a constant SHA256 and local file verification.

Note

🔒 Integrity filter blocked 22 items

The following items were blocked because they don't meet the GitHub integrity level.

  • #1200 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • [oblt-aw][security] SEC-032 — findings (2026-06-14) #1200 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1200 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1191 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1178 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1172 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1163 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1157 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1149 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1143 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1135 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1125 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1107 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1066 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1055 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1038 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • ... and 6 more items

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

From workflow: Observability Agentic Workflow — Issues

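The download-to-disk, verify, execute, clean-up flow the checklist above describes, as an added example that is not the PR's own scripts/obs/install_security_detector_tools.sh. It runs offline: instead of fetching download-actionlint.bash it writes a constructed, harmless stand-in to a temp dir, and the function names (sha256_check, run_verified_script, make_fixture, demo_good, demo_tampered) are assumptions for this example, not identifiers from the repository. It assumes GNU sha256sum (with a shasum fallback for BSD/macOS) and shows both the matching case and the case where the file changed after its digest was pinned.

```shell
#!/usr/bin/env bash
# Added example, not the PR's own script: the verify-before-execute pattern
# SEC-032 asks for, written POSIX-compatibly so it runs offline. Nothing is
# downloaded; a constructed stand-in for download-actionlint.bash is written
# to a temp dir and its digest is pinned at run time for the demo only. In a
# real installer the pinned digest is a constant in the script, as the PR
# does with ACTIONLINT_DOWNLOAD_SCRIPT_SHA256.

# Print the SHA256 hex digest of FILE (GNU coreutils, or shasum fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Check FILE ($1) against EXPECTED ($2) using the same "<digest>  <path>"
# stdin format the PR feeds to `sha256sum -c -`. 0 on match, non-zero otherwise.
sha256_check() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s  %s\n' "$2" "$1" | sha256sum --status -c -
  else
    printf '%s  %s\n' "$2" "$1" | shasum -a 256 --status -c -
  fi
}

# Execute SCRIPT ($1) with bash only if it matches PINNED ($2); delete it
# either way. This replaces `bash <(curl ...)`, which has no point at which
# the bytes can be checked before the interpreter starts reading them.
run_verified_script() {
  local script pinned rc
  script="$1"; pinned="$2"
  if ! sha256_check "$script" "$pinned"; then
    echo "integrity check FAILED for $script (refusing to execute)" >&2
    rm -f "$script"
    return 1
  fi
  rc=0
  bash "$script" || rc=$?
  rm -f "$script"
  return "$rc"
}

# Constructed fixture: writes a harmless stand-in installer, prints its path.
make_fixture() {
  local dir
  dir="$(mktemp -d)"
  printf '#!/usr/bin/env bash\necho "installer ran"\n' > "$dir/download-actionlint.bash"
  echo "$dir/download-actionlint.bash"
}

# Happy path: the file matches the pinned digest, so it runs and returns 0.
demo_good() {
  local f pinned
  f="$(make_fixture)"
  pinned="$(sha256_of "$f")"   # demo only; a real installer hard-codes this
  run_verified_script "$f" "$pinned"
}

# Tampered path: the digest was pinned, then the file changed (the situation
# a pin exists to catch). Execution must be refused and the file removed;
# returns 0 only if both happened.
demo_tampered() {
  local f pinned
  f="$(make_fixture)"
  pinned="$(sha256_of "$f")"
  printf 'echo "line appended after the digest was pinned"\n' >> "$f"
  if run_verified_script "$f" "$pinned" 2>/dev/null; then
    return 1   # a modified script was executed: the control failed
  fi
  [ ! -e "$f" ]  # the rejected file must also have been cleaned up
}

demo_good && demo_tampered && echo "verification gate behaved correctly"
```

The pin is deliberately a single constant: when upstream publishes a new download-actionlint.bash the check fails closed and the constant has to be updated by a reviewed change, which is the intended behaviour rather than a defect. Keeping the digest comparison in `sha256sum -c -` form, as the PR does, also means the same line can be pasted into a shell to re-verify a file by hand.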

Add SHA256 verification for the pinned actionlint installer script before execution in scripts/obs/install_security_detector_tools.sh to remediate SEC-032 findings.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>