Pin the actions/setup-python for the externally used action.yml

[cgravill]

Minimal variation on #2744 by @agriyakhetarpal

I'm working on a project that has "Require actions to be pinned to a full-length commit SHA" enabled. I've used cibuildwheel on other projects and it's been really useful, thanks! Unfortunately the requirement for SHA pining then blocks using the cibuildwheel.

I saw on #2744 there's concerns about pinning everything, but potentially willing to pin the release part.

While I can use my fork in the project it'd be great to get this focused change in to reduce complications for folks with that setting on.

[agriyakhetarpal]

Thanks for splitting this off my PR, @cgravill! I will approve this, but will ask either @henryiii or @joerick to sign it off and press merge.

[henryiii]

I still would like to get our CI fixed :)

Yes, I'm fine with this, certainly.

[henryiii]

@mhsmith We are getting spam-0.1.0-cp313-cp313-android_6_11_0_1018_azure_x86_64.whl is not a valid wheel on this platform in CI for Android.

[mhsmith]

This was fixed a few days ago in maturin 1.12.4, so CI has passed on a rerun.

[joerick]

Yeah this seems fine to me. Actually I prefer the human-readable pins but if this is causing issues for people downstream this is fine.