Verify URLs and digests as part of PR CI

As an additional safety measure, it might be nice if for new/update plugin PRs the CI could:

* Verify that the URLs are reachable
* Verify that the blobs at those URLs have the claimed digest

(I dunno if this creates risk though that a malicious submitter could point us at an infinite stream and do awful things to our ingress.)
