Restrict imported GitHub Actions to an allowlist

GitHub allows restricting imported GitHub Actions at either the GitHub Repository and/or GitHub Organisation level, with the latter taking precedence.

Currently, there's no org-wide allowlist that's being enforced.

This issue is to track creating that allowlist, so as to enforce use of known-good GitHub Actions.

Blocked by: https://github.com/loopbackio/security/issues/27