Don't persist credentials when not needed, and save verbose test results

persist-credentials defaults to true (see
actions/checkout#485).  It looks like
pull_request workflows run without token access, but it's not clear from
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
if that means persist-credentials doesn't leave a secret in the .git
directory where a malicious PR could access it.

.github/workflows/ci.yaml

@@ -38,12 +38,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
           cache: true
       - name: Test
-        run: go test ./...
+        run: go test -v ./... | tee "${RUNNER_TEMP}/go-test-results.txt"
+      - uses: actions/upload-artifact@v4
+        with:
+          name: go-test-results
+          path: "${{ env.RUNNER_TEMP }}/go-test-results.txt"
 
   build:
     needs: test
@@ -62,6 +68,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           fetch-tags: true
       - uses: actions/setup-go@v5

.github/workflows/release.yaml

@@ -33,12 +33,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
         with:
           go-version: '>=1.18'
           cache: true
       - name: Test
-        run: go test ./...
+        run: go test -v ./...
 
   build:
     needs: test
@@ -56,6 +58,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
         with:
           go-version: '>=1.18'