Keep git credentials in safe_outputs job checkouts (#40161)

The safe_outputs job reuses the agent job's checkout generators, which emit
persist-credentials: false so actions/checkout strips the credential
http.extraheader in its post-checkout "Removing auth" step. That default is
correct for the untrusted agent job, but the safe_outputs job legitimately runs
git fetch/push (create_pull_request, push_to_pull_request_branch), so stripping
auth leaves it relying on a fragile re-auth dance and can break bundle/branch
fetches.

Add a keepCredentialsForPush mode to CheckoutManager that the safe_outputs path
enables. In that mode the default and additional checkout generators emit
persist-credentials: true and skip the credential-cleanup step, leaving the
push-capable token on disk for the handlers. The agent job is unchanged.

Fixes #40159

Author: dsyme