[codex] use crates.io trusted publishing

[zxch3n]

Summary

• Switch the Rust crates publish workflow from a long-lived CARGO_REGISTRY_TOKEN secret to crates.io Trusted Publishing.
• Add the GitHub OIDC permission and release environment required for trusted publisher matching.
• Keep contents: write because the publish job still pushes cargo-release tags after publishing.

Why

The current workflow fails at crates.io with 403 Forbidden: authentication failed because the stored CARGO_REGISTRY_TOKEN is invalid or no longer has the required publish permissions. loro-ffi already uses rust-lang/crates-io-auth-action@v1 successfully, so this aligns loro with that approach and removes the need for a long-lived crates.io token in GitHub Secrets.

Validation

• Parsed .github/workflows/publish-crates.yml with Ruby YAML.
• Reviewed the staged diff; only publish-crates.yml changed.

Follow-up

Before the next Rust release, configure Trusted Publishing on crates.io for each crate this workflow publishes:

• repository: loro-dev/loro
• workflow: .github/workflows/publish-crates.yml
• environment: release

[github-actions]

WASM Size Report

• Original size: 3029.88 KB
• Gzipped size: 999.17 KB
• Brotli size: 701.74 KB