Deprecate `cargo publish --token`?

[epage]

Problem

#15273 highlighted that cargo publish --token exists. In #15057, we deprecated cargo login <token> to avoid tokens being in shell history (see also #13623).

This is also incomplete: cargo publish supports one-off token authentication but not other methods.

Proposed Solution

Deprecate it

Alternatively, add warnings as we may want to keep this for plumbing purposes.

Notes

No response

[weihanglo]

Second. Should we do an FCP as a straw poll?

[epage]

Eh, will happen now or in the PR. Either way.

[tbu-]

I'm using this flag to support multiple different identities. I'm using cargo publish --token=$(command). This is on a single-user machine.

It'd be nice if there continues to be an alternative I can use.

[weihanglo]

@tbu-
The situation is pretty much like this: #15057 (comment).

To clarify, because of the stability guarantee Cargo cannot remove the flag (see #13623 (comment)). Deprecation here means, well, a big warning 😆.