[#11819] fix(ci): Use approved setup actions and add ASF actions allowlist check

[mchades]

What changes were proposed in this pull request?

1. Update .github/workflows/chart-release.yaml and .github/workflows/chart-test.yaml to use the secure, approved commit SHA 9bc31f4ebc9c6b171d7bfbaa5d006ae7abdb4310 (corresponding to release tag v5.0.1) for azure/setup-helm.
2. Roll back helm/chart-testing-action in .github/workflows/chart-test.yaml to commit 2fe8321ec9b8d234608c02c67623a886b72d7335 to avoid invoking the unapproved setup-uv action in its latest version.
3. Update .github/workflows/chart-test.yaml to use the secure, approved commit SHA 829323503d1be3d00ca8346e5391ca0b07a9ab0d (corresponding to release tag v5.1.0) for azure/setup-kubectl.
4. Update .github/workflows/trino-multi-version-test.yml to use the secure, approved commit SHA ce360397dd3f832beb865e1373c09c0e9f86d70a (corresponding to release tag v4.0.0) for docker/setup-qemu-action.
5. Add a new .github/workflows/asf-allowlist-check.yml workflow to automatically check the allowlist compliance of GitHub Actions on pull requests modifying .github/ directory.

Why are the changes needed?

1. The manual trigger of the Publish Helm Charts workflow failed because the Apache foundation security policy restricts third-party actions using version tags like @v4.3.0.
2. The latest commit of helm/chart-testing-action transitively invokes astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c which is not on the ASF Infrastructure allowed actions list. Rolling it back to the commit before introducing setup-uv resolves the issue.
3. The old commit SHA 15650b3ad78fff148532a140b8a4c821796b2d7b used for azure/setup-kubectl is scheduled to expire on 2026-07-11 according to the allowed list, which requires an upgrade.
4. The tag version v3 for docker/setup-qemu-action used in trino-multi-version-test.yml violates the security policy.
5. Adding the asf-allowlist-check workflow helps prevent similar silent "startup failure" issues in the future at the PR phase.

Fix: #11819

Does this PR introduce any user-facing change?

No.

How was this patch tested?

This is a GitHub Actions workflow configuration change. The commit SHAs are verified against the ASF Actions allowed list.

[github-actions]

Code Coverage Report

Overall Project	67.23%	🟢
Files changed	No Java source files changed	-

Module	Coverage
aliyun	1.72%	🔴
api	46.82%	🟢
authorization-common	85.96%	🟢
aws	26.5%	🔴
azure	2.47%	🔴
catalog-common	10.4%	🔴
catalog-fileset	80.23%	🟢
catalog-glue	66.91%	🟢
catalog-hive	79.42%	🟢
catalog-jdbc-clickhouse	80.02%	🟢
catalog-jdbc-common	44.22%	🟢
catalog-jdbc-doris	80.28%	🟢
catalog-jdbc-hologres	54.03%	🟢
catalog-jdbc-mysql	79.23%	🟢
catalog-jdbc-oceanbase	80.91%	🟢
catalog-jdbc-postgresql	82.29%	🟢
catalog-jdbc-starrocks	78.51%	🟢
catalog-kafka	77.01%	🟢
catalog-lakehouse-generic	58.53%	🟢
catalog-lakehouse-hudi	79.1%	🟢
catalog-lakehouse-iceberg	85.94%	🟢
catalog-lakehouse-paimon	82.14%	🟢
catalog-model	77.72%	🟢
cli	44.51%	🟢
client-java	78.01%	🟢
common	50.17%	🟢
core	82.58%	🟢
filesystem-hadoop3	77.3%	🟢
flink	0.0%	🔴
flink-common	47.12%	🟢
flink-runtime	0.0%	🔴
gcp	14.12%	🔴
hadoop-common	10.88%	🔴
hive-metastore-common	53.77%	🟢
iceberg-common	58.15%	🟢
iceberg-rest-server	73.9%	🟢
idp-basic	85.71%	🟢
integration-test-common	0.0%	🔴
jobs	66.17%	🟢
lance-common	20.83%	🔴
lance-rest-server	60.13%	🟢
lineage	53.02%	🟢
optimizer	82.95%	🟢
optimizer-api	21.95%	🔴
server	86.09%	🟢
server-common	74.18%	🟢
spark	28.57%	🔴
spark-common	41.66%	🟢
trino-connector	40.29%	🟢