`convert python`: fallback to `git-checkout` if possible and omit SHA in `uri`

[Dentrax]

By default behavior, convert python uses fetch pipeline to download source code from the upstream. One of downside of this is that it puts SHA digest in the uri field. Means that the Wolfi bot won't be able to auto-update the package.

[vaikas]

FYI, convert python now has a flag (off by default until we run it through it's paces): https://github.com/chainguard-dev/melange/pull/643

That uses the git-checkout and also sets up the update (--use-relmon) for checking the release monitor if possible, otherwise github.