cargo-dist
Releases
Version 0.31.0 (2026-02-23)
This release includes several new features, including the major introduction of mirrors that installers can fallback to.
Simple hosting (aka mirrors)
This release adds a new hosting method, simple, which supports static file hosting. This allows you to host your artifacts on the hosting provider of your choice so long as it follows a similar URL structure to GitHub Releases hosting. It can also be used alongside GitHub hosting; if you specify more than one hosting provider, the secondary hosting source will be used as a mirror. The priority is determined by the order of the keys in your config. For example, this will use GitHub first and fall back to your static host if GitHub is unavailable:
hosting = ["github", "simple"] simple-download-url = "https://static.myapp.com/{tag}"
And this will use your static host first and fall back to GitHub if necessary:
hosting = ["simple", "github"] simple-download-url = "https://static.myapp.com/{tag}"
For more information, see the docs.
Note: currently, dist won't upload artifacts to static hosts; it expects you to handle that, either manually or via writing a custom job.
- impl @Gankra Add "simple" hosting style
- impl @mistydemeo feat(homebrew): mirror support with multi-urls
Disabling npm-shrinkwrap.json for npm installers
Currently, the npm installer includes an npm-shrinkwrap.json to specify the exact versions of its runtime dependencies as used at the time dist was released. Since some users would prefer looser dependency specification, this release provides an option to disable this. For more information, see the docs.
npm-shrinkwrap = false
- impl @mistydemeo feat: option to skip npm-shrinkwrap.json generation
Configurable build directory for generic projects
Until now, generic (non-Rust) project support has assumed that artifacts are always written to the root of the project directory. This path is now configurable using the out-dir setting in your dist.toml. For example, if your project generates a binary named example in a subdirectory called build, you can specify:
binaries = ["example"] out-dir = "build"
- impl @CatBraaain support out_dir in config
Fixes
- impl @EliteTK + @gankra Reduce risk of an interrupted installation leading to a partial installation
Version 0.30.4 (2026-02-16)
This release contains a few minor bugfixes. It also updates dependencies, including a rimraf upgrade that resolves a CVE in @isaacs/brace-expansion. This vulnerability was not exploitable in the way dist used rimraf.
Fixes
- impl @eegli fix: installer receipt for windows with posix shell
- impl @kazutoiris fix: prevent unintended escaping of multiline run
- impl @20jasper fix: typo in variable name
- impl @OpenSauce chore(actions): bump default github actions
Version 0.30.3 (2025-12-14)
This release contains a few minor bugfixes. It also updates dependencies, including a rimraf upgrade that resolves a CVE in glob. This vulnerability was not exploitable in the way dist used rimraf.
Fixes
- impl @AThePeanut4 fix: invalid file permissions when running the shell installer under
sudo - impl @ryanobjc fix: macOS codesigning configuration not being respected
Thanks to @zachstence for handling the rimraf/glob upgrade!
Version 0.30.2 (2025-10-31)
- When customizing when artifacts are attested, you can now use the
announcephase.
Version 0.30.1 (2025-10-29)
- Bump default x64 macos runners to macos-15-intel (macos-13 is deprecated)
- In order to avoid overly broad permissions, GitHub attestations permissions scope is moved to the job level.
- Don't run host job if plan fails
Version 0.30.0 (2025-09-07)
This release contains several improvements to ZIP archives, the installers and additional build workflow customization options.
ZIP archive improvements
Previous versions of dist produced uncompressed ZIP archives which meant that they were much larger than necessary. ZIP archives are now compressed.
- impl @trim21 feat: enable compression on zip
In previous versions, ZIP archives were only suitable for Windows binaries because they didn't preserve executable permissions. ZIP archives now correctly preserve extended Unix permissions.
- impl @mistydemeo fix: preserve Unix permissions in ZIPs
The npm installer previously used the unzip commandline utility to unpack ZIP archives on Windows. This isn't available in all installations, so some users would experience errors at install time. We've improved this by switching to the builtin PowerShell Expand-Archive cmdlet.
Additional installer configuration environment variables
dist's installers are configurable using a variety of different environment variables, but in previous versions only some of these would be branded with your app's name. We now provide branded versions of all of the other environment variables as well. The previous unbranded environment variables will continue to work. The new variables are:
${APP_NAME}_DOWNLOAD_URL${APP_NAME}_PRINT_QUIET${APP_NAME}_PRINT_VERBOSE
- impl @Gankra
This feature previously appeared in version 0.28.7 of Astral's fork.
Shell installer refuses to use Snap-installed curl
The shell installers will now refuse to fetch archives using a copy of curl installed via the Snap package manager for Ubuntu. Snap-installed copies of curl have limitations on their ability to write downloaded files to disk which makes them unsuitable for dist's installers. If a Snap-installed curl is detected, the installer will try to fall back to using another download tool; if no other tool is present, a message will be shown to the user and the installation will abort.
- impl @konstin Avoid snap curl
This feature previously appeared in version 0.28.5 of Astral's fork.
PowerShell installer now supports proxies
The PowerShell installer now respects the HTTPS_PROXY and ANY_PROXY environment variables and uses them to configure a proxy when fetching artifacts. These were already supported by the shell installer.
- impl @zanieb and @zsol Powershell installer: respect HTTPS_PROXY and ANY_PROXY env vars
macOS code signing now supports the --options flag
When using the experimental macOS codesigning feature, users can now specify a value to be passed to the --options flag using the CODESIGN_OPTIONS environment variable.
- impl @jackkleeman Support --options in mac code signing
Linux arm64 GitHub Actions builds now use native arm64 runners by default
In previous versions of dist, we used cross-compilation to build arm64 Linux binaries from an x86_64 host. GitHub now provides free native arm64 runners, so we've switched to using these by default. Users can still use cross-compilation if they prefer by specifying the x86_64 runners using the custom runners feature in the dist config.
GitHub Actions artifact attestations can now be customized
It's now possible to customize exactly which artifacts are attested, and which phase of the build process to perform the attestations in. Currently, customizing which artifacts to attest requires the attestation to happen during the host phase; this restriction may be lifted in the future.
To specify which artifacts to attest, you can use a list of globs; any artifacts matching any of those globs will receive an attestation. For example:
github-attestations-phase = "host" github-attestations-filters = ["*.json", "*.sh", "*.ps1", "*.zip", "*.tar.gz"]
- impl @samypr100 Add support for attestations in the host phase
Version 0.29.0 (2025-07-31)
This is a big release! 0.29.0 includes all of the new features from Astral's fork of dist along with some new bugfixes. It also removes support for Axo Releases.
Pinning GitHub Actions to commits
By default, dist uses Actions via floating versioned tags such as actions/checkout@v4. Users with specific security requirements may instead want to pin these to specific commits so that they know exactly which version will be run. This release provides configuration to allow users to specify which commit to use for a given action. For more information, see the docs.
- impl @Gankra feat: add github-action-commits config
Recursive source tarballs, including the contents of submodules
While we've had support for source tarballs since 0.5.0, those tarballs have been limited to the contents of the base repository and didn't contain the contents of submodules. (This is a limitation of the git archive tool that we use to generate them.) This release adds support for recursive tarballs that include the contents of submodules as well. This feature is opt-in and can be enabled with the recursive-tarballs = true setting. For more information, see the docs.
- impl @Gankra feat: add recursive-tarballs
Support cross-compiling from Windows to Windows
In previous versions, dist would refuse to cross-compile from one Windows architecture to another. This release fixes that and allows the build to be attempted. We still default to cross-compiling via cargo-xwin; users who would like to try this will need to configure their builds to use a Windows runner. For example:
[dist.github-custom-runners.aarch64-pc-windows-msvc] runner = "windows-2025"
- impl @baszalmstra fix: allow cross compiling from windows to windows
Installer improvements
We've improved compatibility for the shell installer by bringing in newer changes from the Rustup installer it was originally based on. We've also improved compatibility with Linux distributions that don't use the $HOME environment variable.
- impl @Gankra feat: improve installer.sh with changes from rustup
- impl @konstin feat: support Linux distros that don't set HOME
BYO GitHub bearer token for installers
In addition to the above, we now allow users to bring their own GitHub token to be used when fetching tarballs from GitHub. This is useful for users who are often rate-limited when downloading artifacts or who need to fetch artifacts from private repositories. Like our other environment variables, this is branded with your application's name in the format {APP_NAME}_GITHUB_TOKEN. This environment variable is supported in both the shell and PowerShell installers. For more information, see the docs.
- impl @Gankra feat: add
{APP_NAME}_GITHUB_TOKENinstall env-var
Reduce unnecessary credentials persistence in Actions config
This release includes some tweaks to generated Actions config in order to reduce the risk of accidentally persisting credentials longer in the run than necessary. This is always enabled and doesn't require configuration to opt into.
- impl @Gankra feat: add persist-credentials: false to checkouts
Allow overriding binaries per-platform
It's now possible to override the set of binaries to install on a per-platform basis. For example, a project with three binaries may choose to only install two of them on Windows, or may choose to provide an extra binary on other platforms. For more information, see the docs.
- impl @Gankra feat: allow overriding per-platform binaries
New setting for overriding packages to dist
A new top-level option, packages, allows specifying a list of exactly which packages should be disted. This overrides any individual dist = true or dist = false set in individual packages, and can be easier to reason about. For more information, see the docs.
Overriding package versions
The new top-level version option overrides the individually-configuredversions for every package and instead causes dist to assume every package has the specified version. For more information, see the docs.
- impl @Gankra feat: add workspace.version override
Fixes
Version 0.28.2 (2025-07-22)
This release updates dependencies and contains no substantive code changes.
Version 0.28.1 (2025-07-20)
This release contains several important bugfixes. This primarily ensures that GitHub Actions builds work again, but there are also several fixes for minor configuration issues and updates to the runtime dependencies for the npm installer.
Fixes
- impl @mistydemeo
- impl @Lee-W feat: update ubuntu version from 20.04 to 22.04
- impl @jackkleeman Support publishing prereleases even if there are only custom publish jobs
- impl @geofft fix: Do not report shadowed binaries when no binary exists
- impl @rdbisme Fix typo for installer base url override
- impl @CramBL fix ignored configuration key 'msvc-crt-static'
- impl @gtema update version of github provenance action