edc1beb69a
Moves from a crates.io API key to trusted publishing. Setup of trusted publishing is automated via a script which creates the trust relationship and disables publish by API key. The main breakage here is that now, when we add a new crate, a release will fail. The script is invoked during `release.sh` to catch this case and supports creating a stub crate so the release can subsequently succeed — but this will require the release author to have a local crates.io API key with permissions to create projects and configure publishing. I tested this script a few times end-to-end, but would not be surprised if it bites us in the future.