Enforce "-I" in Python shebang

This issue will be made public a few weeks after the 6.11 release.

In tails/tails-private!2 we added -I all over the place to avoid a whole class of security vulnerabilities.

Is there a way to ensure we don't forget to add -I to the shebang in newly added Python scripts in the future?

Scope:

  • scripts that are included in Tails

Out of scope:

  • scripts meant to be run by developers on their own trusted system
  • Python library files that are not meant to be executed directly (they are never used, on their own, in any of our privilege raising/dropping code paths)

Note: we already have heuristics, in our GitLab CI setup, to identify Python code (e.g. git ls-files | ./bin/test-utils/is-file-type filter python should list all Python files but actually if the new check is written in Python, it should probably use is-file-type as a library).
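The flag in question is Python's isolated mode: with -I the interpreter ignores all PYTHON* environment variables (including PYTHONPATH and PYTHONHOME), skips the user site-packages directory, and does not put the script's own directory on sys.path, which is what makes a privileged script's imports independent of anything an unprivileged caller controls. The following is an added example of the kind of check the issue asks for; it is not code from Tails and does not use the is-file-type tool mentioned above. In its place it assumes a simpler heuristic: a file counts as an executable Python script when its first line is a shebang that names an interpreter called python*, either directly or through env; files with no such shebang (library modules, shell scripts) are out of scope, as the issue wants. The sample files in demo() are constructed for illustration.

```python
"""Flag executable Python scripts whose shebang does not pass -I."""
import re
import sys
import tempfile
from pathlib import Path
from typing import List, Optional

# A shebang line: "#!", the interpreter path, then optional arguments.
SHEBANG_RE = re.compile(r"^#!\s*(?P<interp>\S+)(?P<args>(?:[ \t]+\S+)*)[ \t]*$")
# One option group such as -I, -IB or -BI: a dash followed only by letters,
# one of which is I. Python accepts combined single-letter flags this way.
ISOLATED_FLAG_RE = re.compile(r"^-[A-Za-z]*I[A-Za-z]*$")


def shebang_words(first_line: str) -> List[str]:
    """Split a shebang line into words; [] when the line is not a shebang."""
    m = SHEBANG_RE.match(first_line.rstrip("\r\n"))
    if not m:
        return []
    return [m.group("interp")] + m.group("args").split()


def python_index(words: List[str]) -> int:
    """Index of the word naming a python interpreter, or -1 if none (assumed heuristic)."""
    for i, w in enumerate(words):
        if Path(w).name.startswith("python"):
            return i
    return -1


def is_python_shebang(first_line: str) -> bool:
    return python_index(shebang_words(first_line)) >= 0


def has_isolated_flag(first_line: str) -> bool:
    """True when the python interpreter named in the shebang is passed -I."""
    words = shebang_words(first_line)
    i = python_index(words)
    if i < 0:
        return False
    # Only options after the python word count: an earlier "-S" belongs to env.
    return any(ISOLATED_FLAG_RE.match(w) for w in words[i + 1:])


def check_file(path: Path) -> Optional[str]:
    """Return the offending shebang of a Python script lacking -I, else None."""
    with path.open("rb") as fh:
        first = fh.readline(1024).decode("utf-8", "replace")
    if not is_python_shebang(first) or has_isolated_flag(first):
        return None
    return first.strip()


def check_tree(root: Path) -> List[str]:
    """Relative paths of scripts under `root` that need -I; symlinks are skipped."""
    bad = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink() and check_file(p) is not None:
            bad.append(str(p.relative_to(root)))
    return bad


def demo() -> List[str]:
    """Check a constructed tree mixing compliant, non-compliant and out-of-scope files."""
    samples = {
        "good_direct.py": "#!/usr/bin/python3 -I\nprint('ok')\n",
        "good_env.py": "#!/usr/bin/env -S python3 -IB\nprint('ok')\n",
        "bad_env.py": "#!/usr/bin/env python3\nprint('not isolated')\n",
        "bad_direct.py": "#!/usr/bin/python3 -B\nprint('not isolated')\n",
        "library.py": "def helper():\n    return 1\n",  # no shebang: out of scope
        "shell.sh": "#!/bin/sh\necho hi\n",  # not Python
    }
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, text in samples.items():
            (root / name).write_text(text)
        return check_tree(root)


if __name__ == "__main__":
    # Usage: python3 check_shebang.py [DIR]; without DIR the built-in demo runs.
    findings = check_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for f in findings:
        print(f"{f}: Python shebang without -I")
    sys.exit(1 if findings else 0)
```

Run against a directory, the script exits non-zero when any finding exists, so it can sit directly in a CI job next to the existing file-type heuristics. One detail worth keeping in mind when writing the shebangs themselves: Linux hands everything after the interpreter path to it as a single argument, so `#!/usr/bin/python3 -I` works, while `#!/usr/bin/env python3 -I` makes env look for a program literally named `python3 -I`; the `env -S` form, which splits the string, is the one the checker accepts for env-based shebangs.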

Edited by intrigeri