[AAASM-3878] 🔧 (ci): Harden aggregate.yml perms + verify downloads

[Chisanan232]

Description

Hardens .github/workflows/aggregate.yml (docs-hub aggregation) against two MEDIUM-severity supply-chain/permission issues flagged in AAASM-3878:

1. Least-privilege token — the build job had no permissions: block, so it inherited the over-broad org-default GITHUB_TOKEN. Added a top-level permissions: contents: read (all the build job needs — it clones public repos and builds). The deploy job retains its own pages: write / id-token: write scope at the job level, overriding the default for that job alone.
2. Verified binary downloads — the pinned mdBook 0.5.2 and mdbook-mermaid 0.17.0 release tarballs were curl'd and sudo mv'd into /usr/local/bin with no integrity check. Now each tarball is verified with sha256sum -c against a pinned checksum before extraction, with set -euo pipefail, so a tampered/MITM'd asset fails the step closed. Upstream ships no .sha256 sidecar assets, so the checksums were computed from the exact pinned tarballs and pinned with an explanatory comment.

Type of Change

• 🔧 Configuration / CI change

Related Issues

• Related Jira ticket: AAASM-3878

Closes AAASM-3878

Documentation Checklist

• cd docs && mdbook build passes locally with no warnings
• All internal cross-links verified
• Page registered in docs/src/SUMMARY.md
• Self-hosted instructions not included (SaaS-only scope)
• "Last reviewed" footer updated with today's date
• Commits follow GitEmoji convention and are small / atomic

CI-only change (no doc content touched). Validated with actionlint (clean) and a fail-closed check confirming sha256sum -c exits non-zero on a mismatched checksum.

🤖 Generated with Claude Code

https://claude.ai/code/session_019mSz31RysZF6DYToUoBWLf

[sonarqubecloud]

Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE