Update pyo3 to 0.29

[vaibhavatlan]

What was changed

Bumped pyo3, pyo3-async-runtimes, and pythonize from 0.25 to 0.29, and
updated the bridge for the pyo3 0.26+ API changes:

• Python::with_gil → Python::attach
• PyObject → Py<PyAny> (the alias was removed)
• implemented the now-required Runtime::spawn_blocking on TokioRuntime
• added the Send + 'static bound now required by future_into_py
• opted the Clone pyclasses (MetricAttributesRef, CustomSlotSupplier)
  back into the FromPyObject derive via #[pyclass(from_py_object)]
• TaskLocals::clone_ref → clone

Why?

pyo3 < 0.29.0 is affected by RUSTSEC-2026-0176 / GHSA-36hh-v3qg-5jq4 (HIGH) —
an out-of-bounds read in the nth/nth_back iterators for PyList/PyTuple.
The fix landed in pyo3 0.29.0 with no backport to the 0.25.x line, so the bridge
needs the version bump to clear the advisory. Matching pyo3-async-runtimes and
pythonize 0.29 releases are already published.

Checklist

1. Closes: n/a — addresses advisory RUSTSEC-2026-0176

2. How was this tested:
   cargo clippy -- -D warnings (the bridge-lint CI task) and cargo fmt --check
   both pass cleanly on the migrated bridge.

3. Any docs updates needed? No.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}