Remove tokens from manifest before rendering to file

DJ Mountney requested to merge trim-tokens into 7.0.10-stable

This breaks some of the manifest purpose, as with this change you cannot replicate a build with just its manifest. But we never use that at GitLab anyways.

This is a quick fix to keep tokens out of the manifest. The fetchers don't use to_hash on the manifests, but rather call the locked_sources directly. So fetching still works, but anything that tries to output the manifest will have the tokens stripped.

A proper upstreamable fix would likely need more thought. (Maybe just an option to turn off the default manifest output, and we can build our own replacement in our existing version-manifest software piece).

Edited by DJ Mountney
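The split described above, where the rendered manifest is stripped while the fetch path still reads the locked source directly, as an added Ruby sketch that is not the code from this merge request. It assumes the token is carried as userinfo in a source URL, which the description does not state; `SketchManifest`, `SketchEntry`, `entry_for` and the sample URL are hypothetical.

```ruby
require "json"

# Hypothetical stand-ins for a build manifest and its entries (not the project's classes).
SketchEntry = Struct.new(:name, :locked_version, :locked_source)

class SketchManifest
  # Matches "scheme://userinfo@" at the start of a URL (assumed token location).
  USERINFO = %r{\A([a-z][a-z0-9+.\-]*://)[^/@\s]+@}i

  def initialize
    @entries = {}
  end

  def add(name, locked_version, locked_source)
    @entries[name] = SketchEntry.new(name, locked_version, locked_source)
  end

  # Fetch path: returns the source exactly as locked, credentials included.
  def entry_for(name)
    @entries.fetch(name)
  end

  # Render path: every string field of locked_source has its userinfo removed.
  def to_hash
    software = @entries.transform_values do |entry|
      { locked_version: entry.locked_version,
        locked_source: entry.locked_source.transform_values { |v| strip_userinfo(v) } }
    end
    { software: software }
  end

  def to_json(*_args)
    JSON.pretty_generate(to_hash)
  end

  private

  # Non-string values (sizes, flags) and URLs without userinfo pass through unchanged.
  def strip_userinfo(value)
    value.is_a?(String) ? value.sub(USERINFO, '\1') : value
  end
end

# Constructed sample: one entry whose git URL embeds a made-up token.
def sample_manifest
  manifest = SketchManifest.new
  manifest.add("sketch-lib", "abc123",
               { git: "https://ci-user:CONSTRUCTED-TOKEN@git.example.com/group/sketch-lib.git" })
  manifest
end
```

A useful regression check for a change like this is to assert that the serialized manifest contains no credential string while the fetch path still returns the unmodified URL.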
