
@GrantBirki
Contributor

Use artifact-id instead of (default assumed) name with Actions Artifacts 🔒

This pull updates the publish workflow to use artifact-id instead of the default assumed name (in this case the literal word artifact) when downloading artifacts that have been previously published in prior workflow steps. This is important because artifacts produced by GitHub Actions can be completely overwritten by other workflow runs if they use the same name under very unique circumstances (like passing the run-id value to the download-artifact action to point to an entirely different workflow run - don't do that). To avoid potential TOCTOU issues/vulnerabilities where an artifact might be replaced between upload and download, the new artifact-ids input allows you to download artifacts by their specific ID rather than by name. This is safer but also helps lead to more deterministic workflow builds by referencing the artifact you wish to download by its exact id.

This PR also hardens the workflow a bit by adding persist-credentials: false to the checkout step.


I recently did some work to land these exact changes in the urllib3/urllib3 repository and wanted to contribute those same changes here as well! I also recently made updates to Python's requests library to do the same.
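The pattern the PR describes, as an added example that is not the PR's own diff: the upload step exposes its `artifact-id` output, the publish job downloads by that id rather than by name, and the checkout step sets `persist-credentials: false`. The job names, the build command and the `dist` artifact name are assumptions.

```yaml
name: publish

on:
  push:
    tags: ["*"]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      # Expose the exact id of the uploaded artifact to later jobs.
      artifact-id: ${{ steps.upload.outputs.artifact-id }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config for later steps to pick up.
          persist-credentials: false
      - run: python -m build  # assumed build step producing dist/
      - id: upload
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          # Reference the artifact by its id, not by the name "dist",
          # so the download is pinned to what this run uploaded.
          artifact-ids: ${{ needs.build.outputs.artifact-id }}
          path: dist/
          # Downloads by id are treated like multi-artifact downloads;
          # merge-multiple places the files directly under path.
          merge-multiple: true
      - run: ls -l dist/  # the real publish step would follow here
```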

@davidism
Member

I don't understand why this change is needed. We're not doing the thing you say is a vulnerability (and as you say, passing run-id would itself be the problem, not this).

@davidism davidism changed the base branch from main to stable August 19, 2025 20:51
@davidism davidism force-pushed the grantbirki/publish-workflow branch from 298af76 to 4dd52ca August 19, 2025 20:51
@davidism
Member

Going to merge this since you work for GitHub security, but I'd still like to understand what vulnerability we're actually preventing here.

@davidism davidism merged commit 1292419 into pallets:stable Aug 19, 2025
13 checks passed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 3, 2025