diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 52dec73148e91..878a1ecea9efa 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -48,6 +48,10 @@ on:
         default: dry-run
         type: string
 
+env:
+  CARGO_DIST_VERSION: "0.31.0"
+  CARGO_DIST_CHECKSUM: "cd355dab0b4c02fb59038fef87655550021d07f45f1d82f947a34ef98560abb8"
+
 jobs:
   # Run 'dist plan' (or host) to determine what tasks we need to do
   plan:
@@ -65,10 +69,12 @@ jobs:
           persist-credentials: false
           submodules: recursive
       - name: Install dist
-        # we specify bash to get pipefail; it guards against the `curl` command
-        # failing. otherwise `sh` won't catch that `curl` returned non-0
         shell: bash
-        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.31.0/cargo-dist-installer.sh | sh"
+        run: |
+          curl --proto '=https' --tlsv1.2 -LsSf "https://github.com/axodotdev/cargo-dist/releases/download/v${CARGO_DIST_VERSION}/cargo-dist-x86_64-unknown-linux-gnu.tar.xz" -o /tmp/cargo-dist.tar.xz
+          echo "${CARGO_DIST_CHECKSUM}  /tmp/cargo-dist.tar.xz" | sha256sum -c -
+          tar -xf /tmp/cargo-dist.tar.xz -C /tmp
+          install /tmp/cargo-dist-x86_64-unknown-linux-gnu/dist ~/.cargo/bin/
       - name: Cache dist
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
diff --git a/dist-workspace.toml b/dist-workspace.toml
index aef264ed91ab6..4d3b7781e104f 100644
--- a/dist-workspace.toml
+++ b/dist-workspace.toml
@@ -4,6 +4,8 @@ packages = ["ruff"]
 
 # Config for 'dist'
 [dist]
+# We customize installation of `cargo-dist` in `release.yml` to avoid `curl | sh`
+allow-dirty = ["ci"]
 # The preferred dist version to use in CI (Cargo.toml SemVer syntax)
 cargo-dist-version = "0.31.0"
 # Whether to consider the binaries in a package for distribution (defaults true)