Cargo (Rust) Package Manager MVC

Problem to solve

As part of our goal to have our customers rely on GitLab for dependency management, we must support a wide variety of formats. Cargo is the package manager for Rust, allowing developers to download, compile, and publish their Rust dependencies (called "crates"). Rust adoption continues to grow rapidly across the industry, and a native Cargo registry in GitLab is one of the most requested package manager features.

Intended users

• Delaney (Development Team Lead)
• Sasha (Software Developer)
• Devon (DevOps Engineer)
• Sidney (Systems Administrator)
• Sam (Security Analyst)

Proposal

Add support for Cargo to the GitLab Package Registry, enabling Rust developers to publish, download, and manage crates directly within their GitLab projects.

MVC Scope

The MVC delivers the core Cargo registry functionality:

• Publish crates via cargo publish with authentication (PAT, deploy token, CI/CD job token)
• Download crates via cargo install or as dependencies in Cargo.toml
• Sparse index support (RFC 2789) for efficient dependency resolution
• Metadata extraction from .crate files (version, dependencies, features, etc.)
• CI/CD integration with native CI_JOB_TOKEN support

How Cargo registries work

Cargo registries consist of three main components:

1. Index: A listing of all crate metadata (name, version, dependencies, checksums). GitLab implements the sparse index protocol (RFC 2789), which fetches metadata on-demand via HTTP rather than cloning a full git repository.
2. API: A web API for publishing new crates (PUT /api/v1/crates/new) and other operations.
3. Download endpoint: Serves .crate files for dependency resolution and installation.

Reference: Cargo Registry Documentation

Implementation progress

Merged MRs

• !181281 (merged) - Implement config.json endpoint (registry configuration)
• !197846 (merged) - Database and schema changes (crate metadata storage)
• !207060 (merged) - Package creation services and background worker
• !236631 (merged) - Crate download endpoint

In Progress

• !238211 (merged) - Sparse index endpoint
• !240512 - Upload authorize endpoint

Remaining work

• End-to-end cargo publish flow
• End-to-end cargo install / dependency resolution flow
• Feature flag rollout on GitLab.com
• Documentation for the Cargo Package Registry
• Beta program launch (see #603050)

Permissions and Security

Authentication follows the standard Package Registry model:

• Personal access tokens (scope: api)
• Deploy tokens (scope: read_package_registry and/or write_package_registry)
• CI/CD job tokens

Documentation

• Cargo Registry Documentation (Rust)
• Cargo API Documentation (Rust)
• Sparse Index RFC 2789
• GitLab Package Registry development guide

What does success look like, and how can we measure that?

• Rust developers can use cargo publish and cargo install with their GitLab projects
• CI/CD pipelines can publish crates automatically using job tokens
• Adoption metrics: number of unique users publishing/downloading crates, month-over-month growth
• Successful graduation from Beta to GA based on criteria defined in #603050

Links / references

• Cargo Registry Documentation
• Cargo API docs
• Sparse Index RFC 2789
• Cargo (Rust) Package Registry Beta Program: Feedback & Graduation Criteria
• RubyGems Package Registry Beta Program (reference)