ci: publish to crates.io via trusted publishing

Replace the static CRATE_AUTH_TOKEN secret with OIDC-based Trusted
Publishing using rust-lang/crates-io-auth-action, which exchanges a
short-lived token at publish time instead of storing a long-lived
credential in the repository.

https://claude.ai/code/session_013tt2ucFPTnTnGGM1RLG19m

Author: claude

.github/workflows/deploy.yaml

@@ -469,6 +469,9 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      id-token: write # needed for crates.io Trusted Publishing
+
     steps:
       - uses: actions/checkout@v6
 
@@ -479,11 +482,14 @@ jobs:
           curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > $installer
           bash $installer --default-toolchain $(cat rust-toolchain) -y
 
-      - name: Login
-        run: cargo login ${{ secrets.CRATE_AUTH_TOKEN }}
+      - name: Authenticate with crates.io
+        id: auth
+        uses: rust-lang/crates-io-auth-action@v1
 
       - name: Publish
         run: cargo publish
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
 
   competing_benchmark:
     name: Benchmark