Add "Externally Managed Environments" support to block global package installations via pip

[ccosby]

Description:
To prevent system package breakage, many Linux distributions are now restricting pip install to virtual environments or uv environments (something private either way). In self-hosted environments, especially when using ephemeral runners, the hosted tools cache functionality is critical for scaling.

The current methodology allows a pip install to install directly to the cached directory for a given Python after installation, which leads to potentially broken dependency trees and all other kinds of errors if developers are not careful with their package installs. It can also lead to weird race conditions in the same way.

I propose a new input for actions/setup-python that creates the EXTERNALLY-MANAGED file right before a version of Python is marked as available (e.g. creation of the x64.complete file) that would block global pip installs.

https://packaging.python.org/en/latest/specifications/externally-managed-environments/#externally-managed-environments

Justification:
Did all of this in the above. Didn't read the template first.

Are you willing to submit a PR?
Absolutely. This is more of a RFC to gauge the level of interest here.

[priya-kinthali]

Hello @ccosby👋,
Thank you for this feature request. We will investigate it and get back to you as soon as we have some feedback.