Status: Open
Labels: enhancement (New feature or request), gateway (Things related to the GitHub Actions allowlist gateway)
Description
Since #279, the dummy.yml workflow is regularly invoked.
The goal of that was to detect the scenario where one of the listed actions is a composite action that depends on another action that has not been allowlisted yet (or is not allowlisted anymore). This is useful, but has a number of shortcomings:
- In case of new actions, this validation only occurs after the addition of an action with this problem has been merged. It would be great if we could perform this check as part of PR validation of new actions (and action updates). This is not a trivial matter of enabling the workflow on PRs, because it checks the listed actions against the allowlist actually configured in GitHub, which would not have the new action yet.
- If this workflow identifies a transitive non-allowlisted action, it's not always obvious to tell which action it's a transitive dependency of.
- Only the 'latest' version of each action is included in dummy.yml, so earlier still-allowlisted actions are not validated against their dependencies expiring.
It would be really cool if we had our own script to check this, which could work for PRs and provide better diagnostics.
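One shape such a script could take, as an added illustration rather than code from this repository: scan each listed action's `action.yml` for the `uses:` references of its composite steps, match them against a candidate allowlist (the one the PR proposes, not the one currently configured in GitHub), and report every non-allowlisted dependency together with the listed action and version that pulls it in. The allowlist, the `action.yml` contents and the `org/...` action names are constructed samples, and wildcard matching is approximated with `fnmatch` rather than GitHub's exact pattern rules.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

# Constructed allowlist in GitHub's "allowed actions" pattern style.
# Assumption: '*' behaves like an fnmatch wildcard.
ALLOWLIST = ["actions/*", "docker/setup-buildx-action@*"]

# Constructed action.yml contents, keyed by "owner/repo@ref". A real script
# would fetch these for every listed version, not only the latest one.
ACTION_FILES: Dict[str, str] = {
    "org/release-tool@v1": """
runs:
  using: composite
  steps:
    - uses: actions/checkout@v4
    - uses: someone/unvetted-helper@v2
    - run: echo build
      shell: bash
""",
    "org/release-tool@v2": """
runs:
  using: composite
  steps:
    - uses: actions/checkout@v4
    - uses: docker/setup-buildx-action@v3
""",
}

# Matches a step's `uses:` value, quoted or not; comments after the value are dropped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)


def transitive_uses(action_yml: str) -> List[str]:
    """Return the remote action references a composite action's steps use.

    Local steps (./path) and docker:// images are skipped; only repository
    actions are subject to the allowlist."""
    refs = (m.group(1) for m in USES_RE.finditer(action_yml))
    return [r for r in refs if not r.startswith(("./", "docker://"))]


def is_allowlisted(ref: str, allowlist: List[str]) -> bool:
    """True if any allowlist pattern covers the reference."""
    return any(fnmatch.fnmatchcase(ref, pat) for pat in allowlist)


def check_transitive(allowlist: List[str], action_files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (listed action, dependency) pairs whose dependency is not allowlisted."""
    findings = []
    for parent, text in action_files.items():
        for dep in transitive_uses(text):
            if not is_allowlisted(dep, allowlist):
                findings.append((parent, dep))
    return findings
```

Run as a PR check, the candidate allowlist would be built from the PR's own list plus the new entry, and a non-empty result fails the check while naming the offending parent action and version.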