ci: specify persist-credentials for actions/checkout

Explicitly set `persist-credentials: true` for uses of
`actions/checkout` where it's needed (when the job does git operations
using the stored credentials) and `persist-credentials: false` where the
stored credentials are not later used.

This reduces the risk of cached credentials accidentally being leaked
via artifacts.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>