ci: switch to fg-labs-bot App token and crates.io Trusted Publishing

[nh13]

Summary

Swap the two long-lived secrets used for releases with modern, token-less alternatives:

• RELEASE_PLZ_TOKEN → short-lived GitHub App token minted from the fg-labs-bot app via actions/create-github-app-token
• CARGO_REGISTRY_TOKEN → crates.io Trusted Publishing (OIDC) via rust-lang/crates-io-auth-action

Also updates User-Agent URLs in the crates.io polling curl calls from fulcrumgenomics/ → fg-labs/.

Context

Part of the fulcrumgenomics → fg-labs org migration. Related changes:

• FG_LABS_BOT_APP_ID and FG_LABS_BOT_PRIVATE_KEY org secrets are in place, scoped to all repos
• crates.io Trusted Publishers are configured for all workspace crates, pointing at fg-labs/<repo>/publish.yml
• The old CARGO_REGISTRY_TOKEN org secret will be removed after this PR lands and the first trusted-publishing release succeeds

Actions pinned by SHA

• actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 (v3.0.0)
• rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe (v1.0.4)

Test plan

• Merge and verify the release PR job still fires on the next push to main
• On the next version bump, verify all workspace crates publish via OIDC (no token required)
• Verify the GitHub release + tag are created by the App-minted token