Open jakoblell opened 11 months ago
Interesting, I did not know this was a thing. Sounds good to me.
Quick reminder to add the repository to the crates. Maybe a broad review is necessary. Some of them still have no reference to the repository or to the commit they originated from.
Example Polkadot SDK crate without repository: https://crates.io/crates/polkadot-runtime-common
Example Polkadot SDK crate with repository: https://crates.io/crates/bp-polkadot
Most crates on crates.io contain a .cargo_vcs_info.json file (see https://doc.rust-lang.org/cargo/commands/cargo-package.html#cargo_vcs_infojson-format for documentation on the format) containing the git commit hash (and location within the repository) corresponding to the released version. This allows automated tools to verify crates on crates.io against the source code on github and can therefore reduce the risk of having undetected backdoors in uploaded crates if the machine used for running parity-publish and doing the official uploads is ever compromised.

In addition to that, having this mapping between the released version and the commit hash can also be useful for software engineers (or security auditors) trying to understand which version of the code is actually used in a given runtime configuration.
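The check described in the issue, as an added example that is not part of the issue or of parity-publish: it opens a .crate archive (a gzip'd tar with everything under `name-version/`), reads `.cargo_vcs_info.json` and the packaged `Cargo.toml`, and reports whether the crate carries enough provenance (a well-formed commit sha1, no `dirty` flag, and a `package.repository` URL) to be compared against its source. The crate archives below are constructed fixtures, the `Cargo.toml` scan is a simplified regex rather than a full TOML parser, and the actual clone-and-diff step is only emitted as a hint, not performed.

```python
import io
import json
import re
import tarfile

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Simplified: only match `repository = "..."` inside the [package] table.
PACKAGE_TABLE_RE = re.compile(r"^\[package\](.*?)(?=^\[|\Z)", re.M | re.S)
REPOSITORY_RE = re.compile(r'^\s*repository\s*=\s*"([^"]+)"', re.M)


def build_crate(name, version, cargo_toml, vcs_info=None):
    """Constructed fixture: an in-memory .crate laid out like cargo package output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for fname, content in (("Cargo.toml", cargo_toml), (".cargo_vcs_info.json", vcs_info)):
            if content is None:
                continue
            data = content.encode()
            info = tarfile.TarInfo(f"{name}-{version}/{fname}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_top_level_member(crate_bytes, fname):
    """Return the text of `<name>-<version>/<fname>` from a .crate, or None if absent."""
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.isfile() and len(parts) == 2 and parts[1] == fname:
                return tar.extractfile(member).read().decode()
    return None


def package_repository(cargo_toml):
    table = PACKAGE_TABLE_RE.search(cargo_toml)
    if not table:
        return None
    match = REPOSITORY_RE.search(table.group(1))
    return match.group(1) if match else None


def vcs_provenance(crate_bytes):
    """Summarise what .cargo_vcs_info.json and Cargo.toml let a verifier pin down."""
    result = {"verifiable": False, "reasons": [], "sha1": None, "repository": None, "path_in_vcs": ""}
    raw = read_top_level_member(crate_bytes, ".cargo_vcs_info.json")
    if raw is None:
        result["reasons"].append("no .cargo_vcs_info.json in crate")
    else:
        info = json.loads(raw)
        git = info.get("git", {})
        sha1 = git.get("sha1")
        if isinstance(sha1, str) and SHA1_RE.fullmatch(sha1):
            result["sha1"] = sha1
        else:
            result["reasons"].append("git.sha1 missing or not a 40-hex commit id")
        if git.get("dirty"):
            # Packaged with --allow-dirty: tree may differ from the recorded commit.
            result["reasons"].append("packaged from a dirty working tree")
        result["path_in_vcs"] = info.get("path_in_vcs", "")
    toml = read_top_level_member(crate_bytes, "Cargo.toml")
    repo = package_repository(toml) if toml else None
    if repo is None:
        result["reasons"].append("Cargo.toml has no package.repository")
    else:
        result["repository"] = repo
    if not result["reasons"]:
        result["verifiable"] = True
        subdir = result["path_in_vcs"] or "."
        result["checkout_hint"] = (
            f"git clone {repo} && git checkout {result['sha1']} "
            f"&& diff -r {subdir} <unpacked crate>"
        )
    return result


# Constructed fixtures (names and hashes are illustrative, not real releases).
WITH_REPO = build_crate(
    "example-crate", "1.2.3",
    '[package]\nname = "example-crate"\nversion = "1.2.3"\n'
    'repository = "https://github.com/example/monorepo"\n\n[dependencies]\n',
    json.dumps({"git": {"sha1": "a" * 40}, "path_in_vcs": "crates/example-crate"}),
)
WITHOUT_REPO = build_crate(
    "other-crate", "0.1.0",
    '[package]\nname = "other-crate"\nversion = "0.1.0"\n',
    json.dumps({"git": {"sha1": "b" * 40, "dirty": True}}),
)

if __name__ == "__main__":
    for crate in (WITH_REPO, WITHOUT_REPO):
        print(vcs_provenance(crate))
```

A crate that is "verifiable" here still has to be diffed against the checkout; this function only tells you whether the crate gives an auditor the repository and commit to diff against, which is exactly what the crates without a `repository` field fail to provide.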