feat: Configure Trusted Publishing for crates.io

Replace manual CARGO_REGISTRY_TOKEN secret with OIDC-based Trusted Publishing.

Changes:
- Add permissions.id-token: write for OIDC token generation
- Add permissions.contents: read for checkout access
- Configure 'crates' environment with crates.io URL
- Use rust-lang/crates-io-auth-action@v1 for authentication
- Update CARGO_REGISTRY_TOKEN to use ephemeral token from auth action

This matches the existing PyPI and npm Trusted Publishing configurations.

Co-authored-by: bug-ops <[email protected]>

Author: Copilot

.github/workflows/release.yml

@@ -32,14 +32,23 @@ jobs:
     runs-on: ubuntu-latest
     needs: crates-verify
     timeout-minutes: 15
+    permissions:
+      id-token: write
+      contents: read
+    environment:
+      name: crates
+      url: https://crates.io/crates/feedparser-rs
     steps:
       - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
+      - name: Authenticate with crates.io
+        uses: rust-lang/crates-io-auth-action@v1
+        id: auth
       - name: Publish to crates.io
         run: cargo publish -p feedparser-rs
         env:
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
 
   # ============================================================================
   # PYPI