apacheGH-49728: [CI] Set persist-credentials: false in checkout actions (apache#49734)

### Rationale for this change

Some CI jobs didn't have persist-credential set to false, which presents potential risks

### What changes are included in this PR?

Set persist-credentials to false

### Are these changes tested?

Run CI jobs

### Are there any user-facing changes?

No

* GitHub Issue: apache#49728

Authored-by: Nic Crane <[email protected]>
Signed-off-by: Nic Crane <[email protected]>

Author: thisisnic

.github/workflows/archery.yml

@@ -60,6 +60,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
       - name: Git Fixup
         shell: bash

.github/workflows/check_labels.yml

@@ -48,6 +48,8 @@ jobs:
       - name: Checkout Arrow
         if: github.event_name == 'pull_request'
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Check
         id: check
         env:

.github/workflows/comment_bot.yml

@@ -38,6 +38,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           path: arrow
           # fetch the tags for version number generation
           fetch-depth: 0

.github/workflows/cpp.yml

@@ -116,6 +116,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
           submodules: recursive
       - name: Cache Docker Volumes
@@ -169,6 +170,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
           submodules: recursive
       - name: Check CMake presets
@@ -224,6 +226,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
           submodules: recursive
       - name: Install Dependencies
@@ -353,6 +356,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
           submodules: recursive
       - uses: msys2/setup-msys2@v2

.github/workflows/cpp_extra.yml

@@ -139,6 +139,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
           submodules: recursive
       - name: Cache Docker Volumes
@@ -221,6 +222,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
           submodules: recursive
       - name: Free up disk space
@@ -273,6 +275,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
           submodules: recursive
       - name: Install dependencies
@@ -367,6 +370,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
           submodules: recursive
       - name: Cache Docker Volumes
@@ -431,6 +435,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/[email protected]
         with:
+          persist-credentials: false
           fetch-depth: 0
           submodules: recursive
       - name: Install Dependencies
@@ -552,6 +557,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
           submodules: recursive
       - name: Download Timezone Database
@@ -579,6 +585,7 @@ jobs:
       - name: Checkout vcpkg
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
           path: vcpkg
           repository: microsoft/vcpkg
@@ -706,6 +713,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 1
           path: arrow
           repository: apache/arrow
@@ -736,6 +744,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
           submodules: recursive
       - name: Download the artifacts

.github/workflows/cpp_windows.yml

@@ -84,6 +84,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
           submodules: recursive
       - name: Install msys2 (for tzdata for ORC tests)

.github/workflows/cuda_extra.yml

@@ -85,6 +85,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
           submodules: recursive
       - name: Cache Docker Volumes

.github/workflows/dev.yml

@@ -49,6 +49,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
       - name: Install pre-commit
         run: |
@@ -88,6 +89,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
       - name: Install Python
         uses: actions/setup-python@v6

.github/workflows/docs.yml

@@ -51,6 +51,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
       - name: Free up disk space
         run: |

.github/workflows/docs_light.yml

@@ -52,6 +52,7 @@ jobs:
       - name: Checkout Arrow
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           fetch-depth: 0
       - name: Cache Docker Volumes
         uses: actions/cache@v5