[story] Lock dependencies

[UncleGoogle]

Extracted from discussion: https://github.com/GOG-Nebula/galaxy-integration-steam/pull/1#discussion_r1230899364

As a devs we want to ensure that plugin builds are deterministic and does not depends on time passed
so that we have less problems

Acceptance criteria:

• dependencies (with their inner dependencies) are locked and committed for all plugins we support

TODOs:

• [ ] research if it is possible to have one cross-platform lock
  • probably not in pip-tools: https://github.com/jazzband/pip-tools/issues/585
  • but maybe in poetry? https://discuss.python.org/t/insights-into-how-poetry-lock-works-cross-platform/17846/2
  • source packages / wheels may be easier managable, but there will be problem with binary packages if they require compilation
• [ ] think about new security policy so that we require only pinned, flatten dependencies in requirement file
  • currently we take requirements file and build action compilies it on runtime. Maybe just we can require have such file already prepared? It may be possible to have locks from 2 machines combined into one file with proper OS marks , but probably eaiser for devs would be to maintain 2 separate files?)
• [ ] add support for lock files in build action (let say for now in form of compiled requirements file produced by pip-tools)
  • probably multiple different lock files