feat(publish): Stabilize multi-package publishing

[epage]

What does this PR try to resolve?

A user will now be able to use flags like --workspace with cargo publish.
cargo package will now also work with those flags without having to pass --no-verify --exclude-lockfile.

Many release tools have come out that solve this problem. They will still need a lot of the logic that went into that for other parts of the release process.
However, a cargo-native solution allows for:

• Verification during dry-run
• Better strategies for waiting for the publish timeout

cargo publish is non-atomic at this time.
If there is a server side error, network error, or rate limit during the publish, the workspace will be left in a partially published state. Verification is done before any publishing so that won't affect things. There are multiple strategies we can employ for improving this over time, including

• atomic publish
• --idempotent (Want cargo publish --idempotent #13397)
• leave this to release tools to manage

This includes support for --dry-run verification. As release tools didn't have a way to do this before, users may be surprised at how slow this is because a cargo build is done instead of a cargo check. This is being tracked in #14941.

This adds to cargo package the --registry and --index flags to help with resolving dependencies when depending on a package being packaged at that moment.
These flags are only needed when a cargo package --workspace operation would have failed before due to inability to find a locally created dependency.

Regarding the publish timeout, cargo publish --workspace publishes packages in batches and we only timeout if nothing in the batch has finished being published within the timeout, deferring the rest to the next wait-for-publish. So for example, if you have packages a, b, c then we'll wait up to 60 seconds and if only a and b were ready in that time, we'll then wait another 60 seconds for c.

During testing, users ran into issues with .crate checksums that we've not been able to reproduce since:

• cargo publish multiple packages at once #1169 (comment)
• "no hash listed" error with -Zpackage-workspace #14396

Fixes #1169
Fixes #10948

How to test and review this PR?

By stabilizing this, Cargo's behavior becomes dependent on an overlay registry.
When generating a lockfile or verifying a package, we overlay the locally generated .crate files on top of the registry so the registry appears as it would and everything works.
If there is a conflict with a version, the local version wins which is important for the dry-run mode of release tools as they won't have bumped the version yet.
Our concern for the overlay registry is dependency confusion attacks. Considering this is not accessible for general user operations, this should be fine.

[rustbot]

r? @weihanglo

rustbot has assigned @weihanglo.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

[epage]

@rfcbot fcp merge

See the PR description for details

[rfcbot]

Team member @epage has proposed to merge this. The next step is review by the rest of the tagged team members:

• @0xPoe
• @Eh2406
• @Muscraft
• @arlosi
• @ehuss
• @epage
• @joshtriplett
• @weihanglo

No concerns currently listed.

Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for info about what commands tagged team members can give me.

[weihanglo]

Code change has no issues