Cargo (Rust) Package Manager MVC
## Problem to solve

As part of our goal to have our customers rely on GitLab for dependency management, we must support a wide variety of formats. [Cargo](https://github.com/rust-lang/cargo) is the package manager for Rust, allowing developers to download, compile, and publish their Rust dependencies (called "crates"). Rust adoption continues to grow rapidly across the industry, and a native Cargo registry in GitLab is one of the most requested package manager features.

## Intended users

* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer)
* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)

## Proposal

Add support for Cargo to the GitLab Package Registry, enabling Rust developers to publish, download, and manage crates directly within their GitLab projects.

### MVC Scope

The MVC delivers the core Cargo registry functionality:

- **Publish crates** via `cargo publish` with authentication (PAT, deploy token, CI/CD job token)
- **Download crates** via `cargo install` or as dependencies in `Cargo.toml`
- **Sparse index** support (RFC 2789) for efficient dependency resolution
- **Metadata extraction** from `.crate` files (version, dependencies, features, etc.)
- **CI/CD integration** with native `CI_JOB_TOKEN` support

### How Cargo registries work

Cargo registries consist of three main components:

1. **Index**: A listing of all crate metadata (name, version, dependencies, checksums). GitLab implements the [sparse index protocol](https://rust-lang.github.io/rfcs/2789-sparse-index.html) (RFC 2789), which fetches metadata on-demand via HTTP rather than cloning a full git repository.
2. **API**: A web API for publishing new crates (`PUT /api/v1/crates/new`) and other operations.
3. **Download endpoint**: Serves `.crate` files for dependency resolution and installation.

Reference: [Cargo Registry Documentation](https://doc.rust-lang.org/stable/cargo/reference/registries.html#running-a-registry)

## Implementation progress

### Merged MRs

- [x] !181281 - Implement `config.json` endpoint (registry configuration)
- [x] !197846 - Database and schema changes (crate metadata storage)
- [x] !207060 - Package creation services and background worker
- [x] !236631 - Crate download endpoint

### In Progress

- [ ] !238211 - Sparse index endpoint
- [ ] !240512 - Upload authorize endpoint

### Remaining work

- [ ] End-to-end `cargo publish` flow
- [ ] End-to-end `cargo install` / dependency resolution flow
- [ ] Feature flag rollout on GitLab.com
- [ ] Documentation for the Cargo Package Registry
- [ ] Beta program launch (see #603050)

## Permissions and Security

Authentication follows the standard Package Registry model:

- Personal access tokens (scope: `api`)
- Deploy tokens (scope: `read_package_registry` and/or `write_package_registry`)
- CI/CD job tokens

## Documentation

- [Cargo Registry Documentation (Rust)](https://doc.rust-lang.org/stable/cargo/reference/registries.html#running-a-registry)
- [Cargo API Documentation (Rust)](https://doc.rust-lang.org/stable/cargo/reference/registries.html#web-api)
- [Sparse Index RFC 2789](https://rust-lang.github.io/rfcs/2789-sparse-index.html)
- [GitLab Package Registry development guide](https://docs.gitlab.com/ee/development/packages.html)

## What does success look like, and how can we measure that?

- Rust developers can use `cargo publish` and `cargo install` with their GitLab projects
- CI/CD pipelines can publish crates automatically using job tokens
- Adoption metrics: number of unique users publishing/downloading crates, month-over-month growth
- Successful graduation from Beta to GA based on criteria defined in #603050

## Links / references

- [Cargo Registry Documentation](https://doc.rust-lang.org/stable/cargo/reference/registries.html#running-a-registry)
- [Cargo API docs](https://doc.rust-lang.org/stable/cargo/reference/registries.html#web-api)
- [Sparse Index RFC 2789](https://rust-lang.github.io/rfcs/2789-sparse-index.html)
- [Cargo (Rust) Package Registry Beta Program: Feedback & Graduation Criteria](https://gitlab.com/gitlab-org/gitlab/-/issues/603050)
- [RubyGems Package Registry Beta Program](https://gitlab.com/gitlab-org/gitlab/-/issues/601973) (reference)
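
The index and download components described under "How Cargo registries work" meet at the checksum: the index entry for a version carries the SHA-256 of its `.crate` file, and a download is accepted only if the bytes match. The Ruby sketch below is an added example, not GitLab's implementation. It follows Cargo's documented index layout and entry fields (`vers`, `cksum`, `yanked`); the crate name and bytes are constructed, and refusing yanked versions is this example's policy.

```ruby
require 'digest'
require 'json'

# Relative path of a crate's metadata file inside a Cargo index
# (the sparse index serves the same layout over HTTP; names are lowercased).
def index_path(crate_name)
  name = crate_name.downcase
  case name.length
  when 0 then raise ArgumentError, 'empty crate name'
  when 1 then "1/#{name}"
  when 2 then "2/#{name}"
  when 3 then "3/#{name[0]}/#{name}"
  else "#{name[0, 2]}/#{name[2, 2]}/#{name}"
  end
end

# An index file holds one JSON object per line, one line per published version.
def parse_index(body)
  body.each_line.map(&:strip).reject(&:empty?).map { |line| JSON.parse(line) }
end

# Returns the entry for `version`; unknown or yanked versions are refused
# (refusing yanked versions is this example's policy for new resolutions).
def select_version(entries, version)
  entry = entries.find { |e| e['vers'] == version }
  raise KeyError, "version #{version} not in index" if entry.nil?
  raise ArgumentError, "version #{version} is yanked" if entry['yanked']
  entry
end

# True only if the downloaded .crate bytes hash to the entry's `cksum` (SHA-256, hex).
def crate_matches_index?(entry, crate_bytes)
  expected = entry['cksum'].to_s.downcase
  expected.length == 64 && Digest::SHA256.hexdigest(crate_bytes) == expected
end

# Constructed sample data: fake crate bytes and the index file a registry would serve.
SAMPLE_CRATE = 'constructed .crate bytes for my-crate 0.2.0'.b
SAMPLE_INDEX = [
  { name: 'my-crate', vers: '0.1.0', deps: [], cksum: '0' * 64, features: {}, yanked: true },
  { name: 'my-crate', vers: '0.2.0', deps: [], cksum: Digest::SHA256.hexdigest(SAMPLE_CRATE),
    features: {}, yanked: false }
].map(&:to_json).join("\n")

if __FILE__ == $PROGRAM_NAME
  entry = select_version(parse_index(SAMPLE_INDEX), '0.2.0')
  puts index_path('my-crate')
  puts crate_matches_index?(entry, SAMPLE_CRATE)
end
```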