anp / moxie

lightweight platform-agnostic tools for declarative UI
https://moxie.rs
Apache License 2.0

Ensure that if a bare version number is on `main` it's what's published to crates.io #179

Open anp opened 4 years ago

anp commented 4 years ago

The dry-run publish step on CI needs to check if the version of the crate in the PR is on crates.io. If it is, the scripts should download the tarball, package a local crate tarball, and assert they're the same.

If they're not the same, fail CI with a recommendation to run `cargo ofl versions` locally.

anp commented 4 years ago

Roadblock: the checksums in the cargo index include `.cargo_vcs_info.json`, which itself includes the git commit when the package was made (handy!).

If we still want to do checksum verification (probably?) then I see two paths to making the checksum reproducible in later builds:

  1. download the crate tarball, unpack it, and validate `cargo package` output file-by-file
  2. reproduce the already-published checksums with locally-known metadata

I'm inclined towards (2) because it relies on less network activity. Now that ofl tags commits on publish, (2) should be possible without too much more work.

Approach:

  1. run `cargo package`
  2. find files in `CARGO_TARGET_DIR/package/NAME-VERSION/**`
  3. find the git tag at which the version in question was published
  4. modify the `.cargo_vcs_info.json` file to point at the SHA1 of the git tag
  5. manually re-tar the files to get a "backdated" `NAME-VERSION.crate` file
  6. checksum the backdated file
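Steps 4 to 6 of the approach above as an added example in Python (not the project's or `ofl`'s code), run against a constructed stand-in for a `.crate` tarball rather than real `cargo package` output. It assumes `.cargo_vcs_info.json` is `{"git": {"sha1": ...}}` serialised as 2-space-indented JSON, and that the tar entry order, header fields and gzip settings used to re-tar match what cargo wrote; if they do not, the checksum will differ even when the source is identical.

```python
import gzip
import hashlib
import io
import json
import tarfile

VCS_INFO = ".cargo_vcs_info.json"  # written by `cargo package`; records the git sha1

def write_crate(members):
    """Deterministic gzip+tar of (TarInfo, bytes|None) pairs; index checksum = sha256 of this."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:  # fixed mtime, no filename
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.USTAR_FORMAT) as tar:
            for info, data in members:
                tar.addfile(info, io.BytesIO(data) if data is not None else None)
    return out.getvalue()

def backdate_crate(crate_bytes, published_sha1):
    """Steps 4-5: rewrite only the sha1 in .cargo_vcs_info.json, keep every other entry."""
    members = []
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as src:
        for info in src.getmembers():
            data = src.extractfile(info).read() if info.isfile() else None
            if info.name.endswith("/" + VCS_INFO):
                vcs = json.loads(data)
                vcs["git"]["sha1"] = published_sha1
                # Assumption: cargo serialised it as 2-space-indented JSON plus newline.
                data = (json.dumps(vcs, indent=2) + "\n").encode()
                info.size = len(data)
            members.append((info, data))
    return write_crate(members)

def crate_checksum(crate_bytes):
    return hashlib.sha256(crate_bytes).hexdigest()

def matches_index(local_crate, index_checksum, published_sha1):
    """Step 6: True iff the backdated local package hashes to the crates.io index value."""
    return crate_checksum(backdate_crate(local_crate, published_sha1)) == index_checksum

def make_crate(name_version, files, sha1):
    """Constructed stand-in for `cargo package` output (not real cargo output)."""
    files = dict(files)
    files[VCS_INFO] = (json.dumps({"git": {"sha1": sha1}}, indent=2) + "\n").encode()
    members = []
    for path, data in sorted(files.items()):
        info = tarfile.TarInfo(f"{name_version}/{path}")
        info.size, info.mtime, info.mode = len(data), 0, 0o644
        members.append((info, data))
    return write_crate(members)
```

A mismatch after backdating means either the source on `main` differs from what was published or the re-tar did not reproduce cargo's archive encoding; unpacking both tarballs and diffing file-by-file (path 1 above) distinguishes the two cases.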