Consider pinning versions of build and deploy tools (including tooling like pip)

[hwine]

We just experienced an unexpected production breakage when a CI build may have used the new pip resolver. (i.e. broken by upstream software upgrade)

Currently, none of the build tooling is pinned. As we spread to more users, the blast radius of sudden failures expands.

One way to address only bump versions as part of a new release (that's been tested)

[g-k]

The python version is specified at https://github.com/mozilla/frost/blob/master/setup.py#L31

[hwine]

N.B. the original problem was not caused by any of the setup files -- it's this line in the Makefile.

Which isn't to say that poetry & lock files aren't a good thing :D they just wouldn't have prevented this issue.