Moves from a crates.io API key to trusted publishing.
Setup of trusted publishing is automated via a script which creates the
trust relationship and disables publish by API key. The main breakage
here is that now, when we add a new crate, a release will fail. The
script is invoked during `release.sh` to catch this case and supports
creating a stub crate so the release can subsequently succeed — but this
will require the release author to have a local crates.io API key with
permissions to create projects and configure publishing. I tested this
script a few times end-to-end, but would not be surprised if it bites us
in the future.
It'd be nice to avoid churn for contributors. This is a pretty frequent
cause of CI failures and I don't think we really need to have the
reference documentation committed.
## Summary
Given `bump-workspace-crate-versions.py` will bump all crates, we also
need to update uv-trampoline lockfile references to those new versions
(for uv-static, uv-macros) after
https://github.com/astral-sh/uv/pull/16950.
## Test Plan
Ran release script manually and verify uv-trampoline lockfile is up to
date after the changes from bump-workspace-crate-versions.py
## Summary
This PR deprecates the `--isolated` flag. The treatment varies across
the APIs:
- For non-preview APIs, we warn but treat it as equivalent to
`--no-config`.
- For preview APIs, we warn and ignore it, with two exceptions...
- For `tool run` and `run` specifically, we don't even warn, because we
can't differentiate the command-specific `--isolated` from the global
`--isolated`.
I tweaked rooster to allow sections to be overridden from the CLI so we
can generate a separate preview changelog
See https://github.com/zanieb/rooster/pull/43 for the rooster changes
needed
I tested `./scripts/release.sh` as well.