How to Handle Private GitLab Dependencies in Cargo

Effectively make even proprietary Rust crates work at your company

Oliver Jumpertz


Cargo is an incredible package manager for Rust. It only takes a *.toml file and a few entries, and Cargo handles everything from downloading your packages to compiling your binary. Additionally, unlike other package managers, you don’t need any artifact repository to upload your libraries or artifacts to. It is perfectly fine just to define git dependencies, and Cargo takes care of cloning a specific tag or branch and building your own package based on the source code at hand.

Cargo git dependencies work incredibly well with artifacts hosted on GitHub because the platform is easy to use and open. GitHub alternatives also work pretty well as long as the repository is public. Many companies, however, don’t open-source everything they do. For various reasons, they often use self-hosted versions of GitLab or at least its cloud offering, as your employer probably does. This is when you quickly begin to ask yourself how to handle private GitLab dependencies in Cargo, because they can become an issue.

Things that work locally tend not to work as well in your GitLab pipelines. Add Docker to the mix, and you end up with many issues that you first need to solve. Fortunately, there is a straightforward solution, which you will learn about in this article.

Handling Private GitLab Dependencies in Cargo

As you probably already know, Cargo allows you to specify dependencies as git dependencies. Instead of using crates.io to pull in the dependency and its metadata, Cargo uses git to clone the repository and check out specific branches or tags. There are no drawbacks to using this method at all because the Rust compiler wants source code anyway. Rust builds are always platform-specific, so the compiler always compiles everything for you to create the best binary for the platform at hand.

The most common git dependency is probably one pointing at a public GitHub repository directly, as you see below:
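
The forms a git dependency can take in `Cargo.toml`, as an added example rather than the article's own snippet. All crate names, URLs, the tag and the commit hash are constructed placeholders.

```toml
# Cargo.toml (constructed example; names, URLs, tag and rev are placeholders)
[package]
name = "example-app"
version = "0.1.0"
edition = "2021"

[dependencies]
# No branch, tag or rev: Cargo checks out the repository's default branch.
crate-a = { git = "https://github.com/example-org/crate-a.git" }

# Follows a branch. The resolved commit is recorded in Cargo.lock and
# moves forward whenever `cargo update` is run.
crate-b = { git = "https://github.com/example-org/crate-b.git", branch = "main" }

# Checks out a tag. A tag can be moved or re-created by anyone who can
# push to the repository, so it is not a fixed reference by itself.
crate-c = { git = "https://github.com/example-org/crate-c.git", tag = "v1.2.0" }

# Pins one exact commit. A commit hash always identifies the same source
# tree, so this is the form to use when the code must match what was reviewed.
crate-d = { git = "https://github.com/example-org/crate-d.git", rev = "0123456789abcdef0123456789abcdef01234567" }
```

Committing `Cargo.lock` and building with `cargo build --locked` keeps pipeline builds on the commits that were recorded, whichever of these forms is used.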
