chore(ci): migrate to trusted publishing #2593
kevinjqliu left a comment
thanks!
looks like we'd have to add trusted publishing to each crate separately. @blackmwk is the common owner for all the crates https://crates.io/users/liurenjie1024
| permissions: | ||
| contents: read | ||
nit: could we keep this? it looks redundant but it sets the default permission for all the blocks.
we can add more permissions by explicitly overriding each job
I'll restore for now.
I think the other thing we could consider is permissions: {} such that every job must have its list of permissions required.
blackmwk left a comment
Thanks @dannycjones for this PR, just the same comment as @kevinjqliu.
| permissions: | ||
| contents: read | ||
I've finished crates.io side changes, let's see if it works.

I'd recommend we create a GH team for the Apache Iceberg committers, as the team can be added to all the crates. You do still need an active committer as the owner, as team members cannot change crate ownership themselves, but it would make it easier to grant permissions across the broad list of crates.

Thanks both, updated to restore the default
Which issue does this PR close?
This implements trusted publishing with crates.io, which closes #1539. I'd propose to close that issue after the first successful release.
What changes are included in this PR?
This simply migrates the release workflow to use credentials obtained using trusted publishing.
This is the guide followed for the change: https://crates.io/docs/trusted-publishing
This change does not include the required changes on crates.io, which will need a committer to perform. I will add the remaining steps to #1539.
Are these changes tested?
No. The changes will be verified with the first public release.
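
The permission layout discussed in the review above, as an added sketch rather than the workflow from this PR: a workflow-level read-only default, with only the publish job granting `id-token: write` for the OIDC exchange. The workflow name, trigger, job names and the `release` environment are assumptions; the auth action is the one named in the crates.io trusted publishing guide.

```yaml
# Added example: names, trigger and environment are assumptions,
# not this repository's release workflow.
name: publish

on:
  push:
    tags: ["v*"]

# Workflow-level default: every job starts with read-only repository
# access unless it declares its own permissions block.
permissions:
  contents: read

jobs:
  check:
    # No job-level block, so this job inherits the default above.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo check --workspace

  publish:
    needs: check
    runs-on: ubuntu-latest
    environment: release
    # A job-level block replaces the default rather than merging with it:
    # anything not listed here is set to none, so contents: read is repeated.
    permissions:
      contents: read
      id-token: write   # lets the job request the OIDC token exchanged with crates.io
    steps:
      - uses: actions/checkout@v4
      # Exchanges the OIDC token for a short-lived crates.io token,
      # so no long-lived registry secret is stored in the repository.
      - uses: rust-lang/crates-io-auth-action@v1
        id: auth
      - run: cargo publish
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```

With `permissions: {}` at the top instead, no job inherits any access and each one has to declare its own block, the stricter variant raised in the review.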