Add CI test for yarn.lock origin whitelist to protect against backdoor attacks

[emanuelb]

It's easy to attack the yarn.lock file with typo squat attack (accepting malicious PR which look legit) see:
https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/

to defend against it use tool like lockfile-lint in CI enviroment
https://github.com/lirantal/lockfile-lint

for example to allow only yarn registry (registry.yarnpkg.com) over https, run:

npx lockfile-lint --path yarn.lock --allowed-hosts yarn --validate-https

Result:

detected invalid host(s) for package: @tmcw/togeojson@https://github.com/tmcw/togeojson.git
    expected: registry.yarnpkg.com
    actual: github.com

detected invalid host(s) for package: react-native-extra-dimensions-android@https://github.com/greenyossi/react-native-extra-dimensions-android.git
    expected: registry.yarnpkg.com
    actual: github.com

detected invalid host(s) for package: react-native-splash-screen@https://github.com/greenyossi/react-native-splash-screen.git
    expected: registry.yarnpkg.com
    actual: github.com

first result need to be fixed by #199
second result need to be fixed by #158
third result need to be fixed by #198

[emanuelb]

2 new related issues for new results below:

#261 for react-native-bluetooth-state-manager
#260 for rn-contact-tracing

detected invalid host(s) for package: react-native-bluetooth-state-manager@https://github.com/greenyossi/react-native-bluetooth-state-manager.git
    expected: registry.yarnpkg.com
    actual: github.com

detected invalid host(s) for package: rn-contact-tracing@https://github.com/MohGovIL/rn-contact-tracing.git#IOS_battery_opt
    expected: registry.yarnpkg.com
    actual: github.com