Add --locked to installation instructions of our tooling

[amousset]

The installation instructions (especially for cargo-audit) do not use the lockfile of the repository, but use the latest compatible versions of the dependencies. This has lead to breaking new installations of cargo-audit for one day due to incompatible gix dependencies (Byron/gitoxide#1328).
The main drawback if this switch is that it would make us responsible for releasing security upgrades when one of our dependencies is affected by a vulnerability, but we already have to tooling in place to detect and fix vulnerabilities.

The practices regarding cargo install are not well established in the ecosystem yet (recent RFC opened to change cargo's default behavior), but I think --locked is what makes more sense now in our context.

[tarcieri]

Seems ok as a stopgap given recent breakages

[tarcieri]

Separately it'd probably be good for gix/tame-index to adopt a tool like cargo-semver-checks to detect these sorts of breakages automatically?

[Shnatsel]

gix has already adopted it, but the tool is far from complete. It did not catch the recent reqwest issue that only surfaced at runtime. I believe it also doesn't catch version changes in re-exports, which is what broke semver for tame-index.