
Identifies dependencies for a CMake project that uses FetchContent and submits the results to the Dependency Submission API

CMake Dependency Submission

This GitHub Action identifies dependencies for a CMake project that uses FetchContent, and submits the results to the Dependency Submission API. Dependencies then appear in your repository's dependency graph and can, for example, be exported to an SBOM file.

Usage

This Action can be used in two different modes, depending on how the list of CMake files to scan should be determined:

  • Glob mode (default): CMakeLists.txt and *.cmake files will be found by recursively globbing from the optionally provided sourcePath.
  • Configure mode: CMake files will be found by querying the CMake File API. In configure mode it is mandatory to run the CMake configure step before this action is run.

Glob mode is faster, but configure mode is more accurate. Configure mode will recursively detect FetchContent dependencies. Configure mode will not include CMake files that are part of the source tree, but not included in the configured build.

See action.yml for all valid inputs. See dependency-submission.yml for an example scan on this repository.

Please note that the Dependency Submission API requires contents: write permissions.

Glob mode

name: CMake Dependency Submission

on:
  push:
    branches:
      - main

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      - uses: philips-forks/cmake-dependency-submission@main

Configure mode

name: CMake Dependency Submission

on:
  push:
    branches:
      - main

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      - run: cmake -S example -B build
      - uses: philips-forks/cmake-dependency-submission@main
        with:
          scanMode: 'configure'
          buildPath: 'build'

Non-FetchContent dependencies

When an external dependency is not FetchContent-compatible, or there is another reason to consume a dependency without using FetchContent, the dependency can still be detected by this Action using an annotation in a CMake file.

The annotation should be in the following format:

# cmake-dependency-scan [package-url]

Where [package-url] should be a valid Package URL like pkg:github/google/googletest@v1.13.0
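
To check annotations before they reach the dependency graph, the following added example (not this Action's own parser) scans CMake text for the annotation format above and splits each Package URL into its parts. The names scanAnnotations, AnnotatedDependency and SAMPLE_CMAKE are hypothetical, the purl pattern is a simplified one that ignores qualifiers and subpaths, and tolerating leading whitespace before the comment is an assumption.

```typescript
// Added example, not the action's own parser. Assumption: one annotation per comment line.
interface AnnotatedDependency {
  line: number;             // 1-based line number in the CMake file
  type: string;             // purl type, e.g. "github"
  namespace: string | null; // e.g. "google"
  name: string;             // e.g. "googletest"
  version: string | null;   // null when the purl carries no @version
}

const ANNOTATION = /^\s*#\s*cmake-dependency-scan\s+(\S+)\s*$/;
// Simplified purl shape: pkg:type/namespace/name@version; qualifiers and subpath are ignored.
const PURL = /^pkg:([A-Za-z][A-Za-z0-9.+-]*)\/([^@?#]+)(?:@([^?#]+))?(?:\?[^#]*)?(?:#.*)?$/;

function scanAnnotations(cmakeText: string): { found: AnnotatedDependency[]; rejected: string[] } {
  const found: AnnotatedDependency[] = [];
  const rejected: string[] = [];
  cmakeText.split(/\r?\n/).forEach((text, index) => {
    const annotation = ANNOTATION.exec(text);
    if (annotation === null) return; // not an annotation line
    const purl = annotation[1] ?? "";
    const parts = PURL.exec(purl);
    const segments = (parts?.[2] ?? "").split("/").filter((s) => s.length > 0);
    const name = segments.pop();
    if (parts === null || name === undefined) {
      rejected.push(`line ${index + 1}: not a valid package URL: ${purl}`);
      return;
    }
    found.push({
      line: index + 1,
      type: (parts[1] ?? "").toLowerCase(), // purl types are case-insensitive
      namespace: segments.length > 0 ? segments.join("/") : null,
      name,
      version: parts[3] ?? null,
    });
  });
  return { found, rejected };
}

// Constructed sample input: one pinned purl, one without a version, one malformed.
const SAMPLE_CMAKE = [
  "cmake_minimum_required(VERSION 3.24)",
  "# cmake-dependency-scan pkg:github/google/googletest@v1.13.0",
  "add_subdirectory(third_party/googletest)",
  "# cmake-dependency-scan pkg:github/example-org/example-lib",
  "# cmake-dependency-scan github/google/googletest",
].join("\n");

console.log(JSON.stringify(scanAnnotations(SAMPLE_CMAKE), null, 2));
```

An entry whose version is null records the dependency without stating which release is vendored, so a reviewer can treat it as a prompt to add the @version to the annotation.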

License

This project is licensed under the MIT license. See LICENSE for details.