Harden Rust crate releasing against human errors

[tgeoghegan]

Currently, to release new versions of the janus_core and janus_client crates, you have to do the following:

1. bump version in janus_core/Cargo.toml
2. bump version in janus_client/Cargo.toml
3. bump version of janus_core dependency in janus_client/Cargo.toml
4. run a build to update Cargo.lock
5. Make a PR with all that
6. Merge PR to main
7. Make a GitHub release

It's very easy to forget to do any of steps 1-4 (I have at least once, #292). We could do better here. Some ideas (which may exclude each other);

• run cargo publish --dry-run in CI to prove that the crates aren't busted (though I'm not sure how to make this work if janus_client depends on an unpublished janus_core)
• run cargo publish with --locked in CI and/or release workflows to guarantee that Cargo.lock is up to date (or run a cargo build and assert that Cargo.lock is unchanged)
• write a much more elaborate release workflow that would handle rewriting versions in Cargo.toml based on the git tag

[divergentdave]

The set-version subcommand from the cargo-edit project can streamline step 3, FWIW. Running cargo set-version --bump patch -p janus_core does both step 1 and step 3 in one go.

[branlwyd]

(3) is no longer necessary for non-major version updates: we now specify "internal" crate dependencies as major versions, so we should get the new version automatically.

The Cargo.lock update in (4) can be done by cargo update --workspace.

[tgeoghegan]

@inahga, you're working on this currently, right?

[inahga]

Accidentally, yes! Didn't realize this issue existed.