
fix: replace archived actions-rs/toolchain with dtolnay/rust-toolchain (supply chain hardening)#9035

Open

XananasX7 wants to merge 1 commit into google:master from XananasX7:patch-1

Conversation

@XananasX7

Replaces the archived actions-rs/toolchain@v1 action (actions-rs org was abandoned in 2023, mutable tag) with the actively-maintained dtolnay/rust-toolchain@stable in the publish-crates job.

This job has simultaneous access to CARGO_TOKEN, NPM_TOKEN, TWINE_TOKEN, NUGET_API_KEY, OSSRH_USER_V2, OSSRH_TOKEN_V2, MAVEN_GPG_PRIVATE_KEY, and MAVEN_GPG_PASSPHRASE. A compromised action tag could exfiltrate all 8 secrets in a single workflow run.

@XananasX7 XananasX7 requested a review from dbaileychess as a code owner April 9, 2026 20:04
@github-actions github-actions Bot added the CI Continuous Integration label Apr 9, 2026
@XananasX7
Author

@google-cla-bot check

@XananasX7
Author

Hi @dbaileychess

Could you please review and merge this patch? It addresses the security concerns regarding the unpinned actions and the unmaintained actions-rs/toolchain which pose a supply chain risk.

Getting this merged is a requirement for the final validation of the security report I submitted. Thank you for your time!

…n (supply chain hardening)

Rebased on top of latest master.
@XananasX7
Author

Update: Branch Rebased on Latest Master

This branch has been rebased on top of the current master (commit 1f438bd) to resolve the "branch is behind" state.

What this PR fixes

The publish-crates job in release.yml used actions-rs/toolchain@v1, an action from an organization that was abandoned in 2023. The actions-rs GitHub org is archived and unmaintained, meaning the @v1 tag is a mutable pointer that could be hijacked or silently broken.

This job has simultaneous access to 8 high-value secrets:
CARGO_TOKEN, NPM_TOKEN, TWINE_TOKEN, NUGET_API_KEY, OSSRH_USER_V2, OSSRH_TOKEN_V2, MAVEN_GPG_PRIVATE_KEY, MAVEN_GPG_PASSPHRASE

A compromised action tag could exfiltrate all 8 secrets in a single workflow run.

Fix

Replaced with dtolnay/rust-toolchain@stable — the actively maintained, community-standard replacement for installing Rust in CI.

The branch is now up to date and ready for review. Tagging @dbaileychess for awareness.
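An added audit script (not part of this PR or the flatbuffers project) that scans a workflow for the two risks the description names, mutable action refs and the archived actions-rs org, and correlates them with the secrets each job can reach. The embedded workflow is a constructed stand-in for the publish-crates job, and the `ARCHIVED_ORGS` set is an assumption seeded from this PR rather than a maintained list.

```python
import re
# Constructed sample mirroring the publish-crates job the PR describes (not the real release.yml).
SAMPLE_WORKFLOW = """\
jobs:
  publish-crates:
    steps:
      - uses: actions/checkout@v4
      - uses: actions-rs/toolchain@v1
      - run: cargo publish --token ${{ secrets.CARGO_TOKEN }}
      - run: NODE_AUTH_TOKEN=${{ secrets.NPM_TOKEN }} npm publish
  docs:
    steps:
      - uses: actions/checkout@v4
"""
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
ARCHIVED_ORGS = {"actions-rs"}  # org archived in 2023 per the PR
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")
USES_RE = re.compile(r"\buses:\s*([^\s#]+)")
SECRET_RE = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")

def check_action_ref(ref):
    """Findings for one 'uses:' reference."""
    if ref.startswith("./"):  # local action: nothing to pin
        return []
    repo, _, version = ref.partition("@")
    findings = ["archived-org"] if repo.split("/")[0] in ARCHIVED_ORGS else []
    if not FULL_SHA.match(version):  # only a full commit SHA is immutable
        findings.append("mutable-ref")
    return findings

def audit_workflow(text):
    """Per job: action refs with findings, plus secrets referenced (line-based scan)."""
    report, job = {}, None
    for line in text.splitlines():
        m = JOB_RE.match(line)  # jobs are the 2-space-indented keys under 'jobs:'
        if m:
            job = m.group(1)
            report[job] = {"actions": {}, "secrets": []}
        elif job is not None:
            for ref in USES_RE.findall(line):
                report[job]["actions"][ref] = check_action_ref(ref)
            for name in SECRET_RE.findall(line):
                if name not in report[job]["secrets"]:
                    report[job]["secrets"].append(name)
    return report

def risky_jobs(report):
    """Jobs that both reach secrets and run an action with findings."""
    return sorted(j for j, r in report.items()
                  if r["secrets"] and any(r["actions"].values()))
```

Note that the replacement `dtolnay/rust-toolchain@stable` is still reported as `mutable-ref`: swapping in the maintained action removes the abandoned-org risk, while pinning to a full commit SHA is what closes the mutable-tag one.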
