Continuously validate ghasum checksums

Add a GitHub Actions workflows that continuously validates the ghasum
checksums for this project. This workflow is triggered whenever code has
been changed and validates all actions used in all workflows. This will
only result in a failed job when there is a problem, it won't prevent
running any action with a checksum mismatch.

This is implemented for two reasons. First it's another kind of
dogfeeding to gain experience with the tool. Second it's aimed towards
enforcing updating the checksums when Dependabot creates a Pull Request
to update an action. Because of the limitation noted above this is NOT
implemented to avoid running potentially compromised actions.

.github/workflows/ghasum.yml

@@ -0,0 +1,22 @@
+name: ghasum
+on:
+  pull_request: ~
+  push:
+    branches:
+    - main
+
+permissions: read-all
+
+jobs:
+  verify:
+    name: Verify
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout repository
+      uses: actions/[email protected]
+    - name: Install Go
+      uses: actions/[email protected]
+      with:
+        go-version-file: go.mod
+    - name: Verify checksums
+      run: go run ./cmd/ghasum verify -cache /home/runner/work/_actions