Write worker token atomically

https://salsa.debian.org/cjwatson/debusine/-/jobs/7779008 shows a failure in integration-tests-task-signing, and the attached debusine/signing/signing.log shows that the signing worker's token was never enabled. I can't think of many reasons why this could happen, but one is a race between the signing worker and the integration test scripts as follows:

• debusine.worker.config.ConfigHandler.write_token opens the token file, creating it.
• debian/tests/utils/integration-tests-setup-debusine-signing.sh notices that [ ! -f "$debusine_signing_token_file" ] now returns false, and gets its contents which are currently empty.
• debusine.worker.config.ConfigHandler.write_token writes the new token to the token file and closes it.
• debian/tests/integration-tests-task-signing runs manage_worker --worker-type signing enable "$signing_token", where $signing_token is empty because it read the token file before it was fully written.

A similar race seems possible with integration tests involving the normal worker. Moving the token file into place atomically should help.