CI: check added URL/SHA1

[turuslan]

Possible checks:

• Added package version URL contains tag (not commit hash).
• Added package version URL can be downloaded and matches SHA1.

[Harrm]

As far as I understand, we're gonna need to parse changed project config files with a script, after this checking is trivial.