Harden crates.io release publishing #9129

Open
Alb3e3 wants to merge 1 commit into google:master from Alb3e3:harden-crates-release-publishing
Alb3e3 commented Jun 10, 2026

Summary:

  • reduce the release workflow GITHUB_TOKEN permissions from read-all to contents: read
  • replace the archived/third-party Rust publishing actions with rustup plus cargo publish
  • keep the crates.io token in Cargo's standard CARGO_REGISTRY_TOKEN environment variable, scoped to each publish step

Security rationale:
The release workflow has access to package registry credentials. Publishing the Rust crates directly with Cargo removes third-party GitHub Actions from the crates.io credential path and reduces the default GitHub token permissions used by the workflow.

Validation:

  • /tmp/actionlint-bin/actionlint .github/workflows/release.yml
  • CARGO_REGISTRY_TOKEN=dummy cargo publish --dry-run --manifest-path ./rust/flatbuffers/Cargo.toml
  • CARGO_REGISTRY_TOKEN=dummy cargo publish --dry-run --manifest-path ./rust/flexbuffers/Cargo.toml
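
A workflow shaped the way the summary above describes, as an added example that is not part of the pull request or the project's `release.yml`. The trigger, job and step names and the secret name `CRATES_IO_TOKEN` are assumptions; the manifest paths come from the validation commands.

```yaml
# Constructed sketch; trigger, job, step and secret names are assumptions,
# not the contents of the project's release.yml.
name: release
on:
  release:
    types: [published]

# Workflow-wide default for GITHUB_TOKEN: read repository contents only
# (the PR summary says the previous value was read-all).
permissions:
  contents: read

jobs:
  publish-crates:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config

      # Toolchain comes from rustup on the runner, not from a marketplace action.
      - name: Install Rust toolchain
        run: rustup toolchain install stable --profile minimal

      # The registry token is set in this step's env only, so the checkout and
      # toolchain steps above never have it in their environment.
      - name: Publish flatbuffers
        run: cargo publish --manifest-path ./rust/flatbuffers/Cargo.toml
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}   # hypothetical secret name

      - name: Publish flexbuffers
        run: cargo publish --manifest-path ./rust/flexbuffers/Cargo.toml
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}   # hypothetical secret name
```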

google-cla Bot commented Jun 10, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

github-actions Bot added the CI Continuous Integration label Jun 10, 2026
Alb3e3 force-pushed the harden-crates-release-publishing branch from 944b69f to d929276 June 10, 2026 13:29
Alb3e3 marked this pull request as ready for review June 10, 2026 13:30
Alb3e3 requested a review from dbaileychess as a code owner June 10, 2026 13:30