Add opt-in hash-locked installs for Python hooks #3680

Closed
bc-lee wants to merge 4 commits into pre-commit:main from bc-lee:feature/python-lockfile

Conversation

Contributor

@bc-lee bc-lee commented May 10, 2026

Summary

Add opt-in python_lockfile support for language: python hooks.

When set, pre-commit installs Python hook environments by:

  1. installing a pip-compatible, hash-pinned requirements file:
    python -mpip install --require-hashes -r <python_lockfile>
  2. installing the hook package without dependency resolution:
    python -mpip install --no-deps --no-build-isolation .

The lockfile path is resolved relative to the config file, and its content SHA256 is included in the hook/cache identity. Default Python hook behavior is unchanged.

Why

additional_dependencies is appended to the normal pip install . hook install. It can reference extra packages or a requirements file, but it does not provide the same behavior:

  • lockfile contents are not part of the cache key
  • the hook package can still trigger runtime/build dependency resolution
  • pip hash-checking requires the full dependency closure to be pinned and hashed

This gives users an opt-in deterministic, hash-checked install path.

Fixes #3679
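
As an added illustration (not part of this pull request or of pre-commit's code), the Python below pre-checks a lockfile for the condition named in the description, that every entry is pinned and hashed, and derives the lockfile's config-relative path and content SHA-256. All function names and the sample lockfile are assumptions made for the example.

```python
import hashlib
import re
from pathlib import Path

# Hypothetical helpers for illustration; not pre-commit's or the PR's code.
_PIN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*[^\s;]+")
_HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")
_NESTED = re.compile(r"-(r|e|c)\b|--(requirement|editable|constraint)\b")

# Constructed sample: the first entry is pinned and hashed, the second is not.
SAMPLE = (
    "# constructed lockfile\n"
    "example-hook-dep==1.2.3 \\\n"
    "    --hash=sha256:" + "a" * 64 + "\n"
    "another-dep>=2.0\n"
)


def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        full = re.sub(r"(^|\s)#.*$", "", buf + line).strip()
        buf = ""
        if full:
            yield full


def unpinned_or_unhashed(text):
    """Conservative pre-check: entries lacking an == pin or a sha256 hash."""
    bad = []
    for line in logical_lines(text):
        if line.startswith("-"):
            if _NESTED.match(line):  # reported: this check does not follow them
                bad.append(line)
            continue  # other option lines (for example --index-url) are skipped
        if not (_PIN.match(line) and _HASH.search(line)):
            bad.append(line.split()[0])
    return bad


def lockfile_identity(config_path, python_lockfile):
    """Resolve the lockfile relative to the config file and hash its bytes."""
    path = (Path(config_path).parent / python_lockfile).resolve()
    return path, hashlib.sha256(path.read_bytes()).hexdigest()
```

Because the digest covers the file's bytes, any edit to the lockfile, including a changed hash or an added entry, yields a different identity value.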

Contributor Author

bc-lee commented May 10, 2026

Just leaving a short comment and closing the issue does not seem right to me, even though this is your repository. I believe this is a legitimate use case, and I hope we can discuss it here.

@bc-lee bc-lee marked this pull request as draft May 10, 2026 00:43
@asottile asottile closed this May 10, 2026
@pre-commit pre-commit locked as off-topic and limited conversation to collaborators May 10, 2026
Development

Successfully merging this pull request may close these issues.

[FR] Add opt-in hash-locked installs for language: python hooks