cargo-dist does not warn or error on unrecognized keys in dist-workspace.toml. This caused a typo to silently disable a security feature for every release of a project.
Example
[dist]
github-attestions = true # typo: should be "github-attestations"
dist generate-ci, dist plan, and dist build all succeed without any warning. The generated release.yml simply omits the attestation step and permissions, as if the key was never set. We shipped multiple releases before discovering the issue by manually diffing against another project's workflow.
Expected behavior
cargo-dist should warn (or error) when it encounters an unrecognized key in dist-workspace.toml. Something like:
WARN unknown key `github-attestions` in [dist] — did you mean `github-attestations`?
Context
cargo-dist does not warn or error on unrecognized keys in
dist-workspace.toml. This caused a typo to silently disable a security feature for every release of a project.Example
dist generate-ci,dist plan, anddist buildall succeed without any warning. The generatedrelease.ymlsimply omits the attestation step and permissions, as if the key was never set. We shipped multiple releases before discovering the issue by manually diffing against another project's workflow.Expected behavior
cargo-dist should warn (or error) when it encounters an unrecognized key in
dist-workspace.toml. Something like:Context
dist planCI check (as used by some projects to validate their release config) also does not catch this