Soft-deprecate the `--token` flag everywhere

[weihanglo]

Problem

In #15057 and #16046 , we deprecated cargo login <token> and cargo publish --token to avoid tokens being in shell history. There are still places we accept or even require --token.

• feat (publish): deprecate --token option #16046 (comment) pointed out that cargo yank and cargo owner still accepts --token.
• @omskscream also pointed outs the --index option requires --token to be specified. I personally forgot the reason:

  cargo/src/cargo/ops/registry/mod.rs

  Lines 132 to 134 in 029de48

  	if is_index && token_required.is_some() && token_from_cmdline.is_none() {
  	bail!("command-line argument --index requires --token to be specified");
  	}

Proposed Solution

Soft-Deprecate them

• For cargo yank and cargo owner, hide them from doc and help manual. When being used, print a warning.
• For --index requiring --token, figure out why we needed it, and suggest an alternative if possible See Soft-deprecate the --token flag everywhere #16049 (comment) and Soft-deprecate the --token flag everywhere #16049 (comment)

[omskscream]

the --index option requires --token to be specified

I actually dug it up a bit, and it seems that the intention was to make a safeguard against leaking crates.io token to other servers (initial commit b4c37403).
Not sure if the issue still persists, though, the code is from 2020.

[0xPoe]

Not sure if the issue still persists, though, the code is from 2020.

I think it still persists, at least we have the index_requires_token test case to cover this behavior.

From #7973 design, I think the goal is that we should never fall back to reading the [registry.token] value with the --index flag.
So if we want to deprecate the --token flag here, we need to find another way to fix this issue.

[epage]

--registry is a name that refers back to the config for additional information.

--index is a URL without any other context. We could try to infer a registry from an index but that may not be correct and there could be multiple matches.

So it kind of makes sense if you only have --index that we would require the user to manually specify all other required fields for communicating with that Registry.