docs: mark items 2 and 4 complete

docs/org-audit-2026-06-04.md

@@ -24,18 +24,16 @@
 
 ## High
 
-- [ ] **2. Revoke Travis CI GitHub App** — Settings → GitHub Apps → Travis CI → Revoke
-  - _Zero repos use it. No breakage risk. Do before Saturday._
+- [x] **2. Revoke Travis CI GitHub App** — already gone from installations (2026-06-04)
 
 - [ ] **3. Scope Slack app permissions** — Must be done via UI
   - _Currently: `repository_selection: all` with `contents: write` + `workflows: write`_
   - _Go to: github.com/organizations/CivicTechWR/settings/installations → Slack → Configure_
   - _Change to "Only select repositories" — run `/github subscriptions` in Slack to see what's active_
   - _Table for Saturday (needs coordination)_
 
-- [ ] **4. Restrict GitHub Actions to trusted sources** — Settings → Actions → General
-  - _Target: GitHub-owned + Marketplace-verified + `peaceiris/*`, `ruby/*`_
-  - _Can do before Saturday — no breakage_
+- [x] **4. Restrict GitHub Actions to trusted sources** — done 2026-06-04
+  - _`allowed_actions: selected` — GitHub-owned ✅, Marketplace-verified ✅, `peaceiris/*`, `ruby/*`_
 
 - ⏳ **5. Enable secret scanning + push protection org-wide** — Settings → Code security and analysis → "Enable all"
   - _Announce in Slack first (#general), then enable after notice period_