ci: Do not persist credentials after checkout (#112)

See actions/checkout#485 and
https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/

In short, it is a terrible idea to persist even our default credentials
after checkout. There's no call for that, so we will now set
`persist-credentials: false` on all checkout actions.

Author: joeyparrish

.github/workflows/release-please.yaml

@@ -24,6 +24,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: refs/tags/${{ steps.release.outputs.tag_name }}
+          persist-credentials: false
         if: steps.release.outputs.releases_created
 
       - name: Setup Node.js

.github/workflows/test.yaml

@@ -29,6 +29,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ github.ref }}
+          persist-credentials: false
 
       - name: Setup Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v4