chore: use publish to bcr reusable workflow for bcr mirroring (#3775)

Migrate rules_rust off of the deprecated Publish to BCR GitHub app to
the newer reusable workflow. The reusable workflow has a number of
benefits over the app:
* It supports build attestations which can be enabled at a later time.
* Gives finer grain control over running the publish process—if it
fails, you can manually re-run the workflow.
* It's more secure—you control the PAT rather than giving the app write
permissions.

Some actions that maintainer for this ruleset will need to take:
* [x] Add a classic PAT named `BCR_PUBLISH_TOKEN` for the repository or
org (see
[steps](https://github.com/bazel-contrib/publish-to-bcr?tab=readme-ov-file#setup)).
I recommend creating a "machine" user for bazelbuild and generating a
classic PAT for that user rather than using an individual's PAT. For
example, in bazel-contrib we use the
[bazel-contrib-bot](https://github.com/bazel-contrib-bot) user to do
publishes.
* [ ] Uninstall the GitHub app for this repo.
* [ ] Test a publish after landing, or wait for the next release. I'll
be available to help debug any issues that come up if the workflow
fails.

---------

Co-authored-by: UebelAndre <github@uebelandre.com>

Author: kormide

.bcr/config.yml

@@ -1,6 +1,3 @@
-fixedReleaser:
-  login: scentini
-  email: 11149636+scentini@users.noreply.github.com
 moduleRoots:
   - "."
   - "extensions/bindgen"

.github/workflows/publish.yaml

@@ -0,0 +1,44 @@
+# See https://github.com/bazel-contrib/publish-to-bcr
+name: Publish to BCR
+
+on:
+  # Allow the publish workflow to be called from another workflow.
+  # In this case, we trigger it from the release.yaml workflow.
+  workflow_call:
+    inputs:
+      release_version:
+        required: true
+        type: string
+    secrets:
+      BCR_PUBLISH_TOKEN:
+        required: true
+  # In case of problems, let release engineers retry by manually dispatching
+  # the workflow from the GitHub UI.
+  workflow_dispatch:
+    inputs:
+      release_version:
+        required: true
+        type: string
+        description: Release version to publish to the Bazel Central Registry
+      templates_ref:
+        default: ''
+        type: string
+        description: Override the ref to read .bcr templates from
+jobs:
+  publish:
+    uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v1.1.0
+    with:
+      author_name: bazel-io
+      author_email: 5028808+bazel-io@users.noreply.github.com
+      attest: false
+      draft: false
+      tag_name: ${{ inputs.release_version }}
+      # Tags don't include a "v" prefix
+      tag_prefix: ""
+      # GitHub repository which is a fork of the upstream where the Pull Request will be opened.
+      registry_fork: bazel-io/bazel-central-registry
+      templates_ref: ${{ inputs.templates_ref || inputs.release_version }}
+    permissions:
+      contents: write
+    secrets:
+      publish_token: ${{ secrets.publish_token || secrets.BCR_PUBLISH_TOKEN }}

.github/workflows/release.yaml

@@ -315,3 +315,10 @@ jobs:
           asset_name: cargo-bazel-aarch64-unknown-linux-musl
           asset_path: ${{ github.workspace }}/artifacts/aarch64-unknown-linux-musl/cargo-bazel
           asset_content_type: application/octet-stream
+  publish:
+    needs: [archive, release]
+    uses: ./.github/workflows/publish.yaml
+    with:
+      release_version: ${{ needs.archive.outputs.release_version }}
+    secrets:
+      BCR_PUBLISH_TOKEN: ${{ secrets.BCR_PUBLISH_TOKEN }}