allowlist: add carabiner-dev install/{download-and-verify,ampel-bootstrap} (levels 2-3)

[potiuk]

Summary

Follow-up to #831 — that PR added the level-1 transitive siblings install/{ampel,bnd}@v1.1.7, but the sibling-call chain rooted at carabiner-dev/actions/ampel/verify@v1.2.0 is actually four levels deep:

ampel/verify @ v1.2.0 (e0e3b81…)
  └── install/{ampel,bnd} @ v1.1.7 (2a11d59…)             [added by #831]
        └── install/download-and-verify (6022a06…)        [this PR]
              └── install/ampel-bootstrap (0a075bb…)      [this PR]

ampel-bootstrap is a leaf — no further sibling refs.

The hourly check-for-transitive-failures workflow has continued to fail post-#831 with carabiner-dev/actions/install/download-and-verify@6022a065d6420de5d86333ecfb2b25c57f84b699 is not allowed (e.g. run 26062684716). After this PR the next failure (if any) would be on ampel-bootstrap, which is also pre-emptively added here.

Test plan

• On merge, update_composite_action.yml regenerates approved_patterns.yml + the dependabot composite from actions.yml.
• ASF Infra's allowlist sync picks up the two new SHAs; the next hourly check-for-transitive-failures run is green.

Related

• allowlist: add carabiner-dev install/{ampel,bnd} transitive deps #831 — original (level-1) fix
• Investigate tag-based pinning for sibling-calling actions (immutable releases) #852 — tracking issue for the underlying sibling-chain pattern-explosion (pp's scaling concern, also see his comment)
• Enable immutable releases and pin sibling actions by tag carabiner-dev/actions#57 — upstream ask to enable immutable releases + tag-pin siblings

[ppkarwasz]

I had a feeling, there were more than one level of indirection…