Add CI workflow for checking submodules

[locker]

With private forks and multiple submodules, it's quite easy to slip up and merge a commit that updates a submodule to a commit from someone's private fork. We need a workflow that checks that all submodules point to commits from original repositories, not from forks.

Note: There's a similar ticket for checkpatch tarantool/checkpatch#9. However, checking submodules should probably be done in a separate workflow so that we can differentiate a malformed patch case from the situation when the submodule is intentionally set to a private fork, because the submodule commit hasn't been merged yet (i.e. it's okay to review the pull request, but it shouldn't be merged until the submodule repository is updated; this is especially actual for the enterprise repository, where submodule updates happen regularly). It still makes sense to require a separate tag in the commit message, indicating that a submodule update is intentional though.

Note: We have a script that implements a similar check, but it doesn't check all submodules so it should be fixed before it can be used in the new workflow.

[NickVolynkin]

That's a good idea!