Description
Currently, the suggested verification approach for CI is to read a workflow file and verify the checksums of the current job. However, as mentioned in the description of #229, this means the repository must be checked out first, in all likelihood with actions/checkout. However, anything run before ghasum can't be pinned to a version tag safely, meaning all actions except actions/checkout have a version tag, which is not ideal.
An idea I had to mitigate this is to implement a dedicated CI verification strategy where, instead of validating the actions used in the repository, we validate the actions present in the cache. Since the cache during a CI run contains only the actions that job needs, we will be verifying the correct set of actions. We can error if there's a checksum mismatch or if there's an entry in the cache for which there's no checksum (this is why it would be CI specific, because that won't make sense in other settings).
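To make the proposed cache-based strategy concrete, here is an added example written for this page; it is not ghasum's own code and it assumes a hypothetical cache layout of one directory per action at `<cache>/<owner>/<repo>/<ref>` plus a checksum map keyed by `owner/repo@ref` (the digest scheme, the `hashDir`, `verifyCache` and `populate` names, and the sample `action.yml` files are all constructed for the example). It walks the cache, recomputes a deterministic digest per cached action, and reports both failure modes the proposal names: a digest mismatch and a cached action that has no checksum at all. Extra entries in the checksum map that are not in the cache are tolerated, since the job simply did not need them.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Problems reported by verifyCache; callers can match on them with errors.Is.
var (
	ErrMismatch  = errors.New("checksum mismatch")
	ErrUntracked = errors.New("cached action has no checksum")
)

// hashDir returns a hex SHA-256 digest over the regular files beneath dir.
// Files are visited in sorted relative-path order and each path is fed into
// the hash before its contents, so renames and reorderings change the result.
// (Constructed digest scheme for this example, not ghasum's.)
func hashDir(dir string) (string, error) {
	var paths []string
	err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.Type().IsRegular() {
			rel, err := filepath.Rel(dir, p)
			if err != nil {
				return err
			}
			paths = append(paths, filepath.ToSlash(rel))
		}
		return nil
	})
	if err != nil {
		return "", err
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, rel := range paths {
		fmt.Fprintf(h, "%s\x00", rel)
		f, err := os.Open(filepath.Join(dir, filepath.FromSlash(rel)))
		if err != nil {
			return "", err
		}
		_, err = io.Copy(h, f)
		f.Close()
		if err != nil {
			return "", err
		}
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// cachedActions lists the actions in cacheDir, assuming the hypothetical
// layout <cacheDir>/<owner>/<repo>/<ref>, keyed as "owner/repo@ref".
func cachedActions(cacheDir string) (map[string]string, error) {
	actions := map[string]string{}
	owners, err := os.ReadDir(cacheDir)
	if err != nil {
		return nil, err
	}
	for _, o := range owners {
		if !o.IsDir() {
			continue
		}
		repos, err := os.ReadDir(filepath.Join(cacheDir, o.Name()))
		if err != nil {
			return nil, err
		}
		for _, r := range repos {
			if !r.IsDir() {
				continue
			}
			refs, err := os.ReadDir(filepath.Join(cacheDir, o.Name(), r.Name()))
			if err != nil {
				return nil, err
			}
			for _, ref := range refs {
				if ref.IsDir() {
					name := o.Name() + "/" + r.Name() + "@" + ref.Name()
					actions[name] = filepath.Join(cacheDir, o.Name(), r.Name(), ref.Name())
				}
			}
		}
	}
	return actions, nil
}

// verifyCache checks every cached action against sums. It fails on a digest
// mismatch and, because in CI the cache holds exactly the actions the job
// needs, also on any cached action that has no entry in sums. All problems
// are collected so a single run reports everything that is wrong.
func verifyCache(cacheDir string, sums map[string]string) error {
	actions, err := cachedActions(cacheDir)
	if err != nil {
		return err
	}
	var problems []error
	for name, dir := range actions {
		want, ok := sums[name]
		if !ok {
			problems = append(problems, fmt.Errorf("%w: %s", ErrUntracked, name))
			continue
		}
		got, err := hashDir(dir)
		if err != nil {
			return err
		}
		if got != want {
			problems = append(problems, fmt.Errorf("%w: %s (want %s, got %s)", ErrMismatch, name, want, got))
		}
	}
	return errors.Join(problems...)
}

// populate writes a constructed sample cache: two actions, one file each.
func populate(cacheDir string) error {
	files := map[string]string{
		"actions/checkout/v4/action.yml": "name: Checkout\nruns:\n  using: node20\n",
		"actions/setup-go/v5/action.yml": "name: Setup Go\nruns:\n  using: node20\n",
	}
	for rel, body := range files {
		p := filepath.Join(cacheDir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "ghasum-cache-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := populate(dir); err != nil {
		panic(err)
	}
	// Record the trusted digest for checkout only; setup-go is deliberately
	// left out of sums so the untracked-entry check fires.
	checkout := filepath.Join(dir, "actions", "checkout", "v4")
	trusted, err := hashDir(checkout)
	if err != nil {
		panic(err)
	}
	sums := map[string]string{"actions/checkout@v4": trusted}
	// Tamper with the cached checkout action so the mismatch check fires too.
	os.WriteFile(filepath.Join(checkout, "action.yml"), []byte("name: Tampered\n"), 0o644)
	fmt.Println(verifyCache(dir, sums))
}
```

Running `main` prints both a mismatch for `actions/checkout@v4` and an untracked error for `actions/setup-go@v5`. Collecting errors with `errors.Join` rather than stopping at the first one keeps the CI log useful when several actions are off.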