This GitHub Action identifies dependencies for a CMake project that uses FetchContent, and submits the results to the Dependency Submission API. Dependencies then appear in your repository's dependency graph and can, for example, be exported to an SBOM file.
This Action can be used in two different modes, depending on how the list of CMake files to scan should be determined:
- Glob mode (default): `CMakeLists.txt` and `*.cmake` files are found by recursively globbing from the optionally provided `sourcePath`.
- Configure mode: CMake files are found by querying the CMake File API. In configure mode the CMake configure step must have been run before this action runs, so that the File API reply exists in the build directory.
Glob mode is faster, but configure mode is more accurate: it scans exactly the files that the configured build actually used, which includes the CMake files of projects that FetchContent itself fetched into the build tree, so transitive FetchContent dependencies are detected recursively. Conversely, configure mode will not include CMake files that are present in the source tree but not part of the configured build (for example a directory that is never `add_subdirectory()`'d), whereas glob mode reports those too.
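The difference between the two modes, shown as an added example (this is illustration code, not the Action's own implementation). It builds a small constructed source tree in a temporary directory, writes the `cmakeFiles-v1` query object that a File API client would place under `<build>/.cmake/api/v1/query/`, and, because CMake is assumed not to be installed, writes a constructed stand-in for the reply that `cmake -S <src> -B <build>` would produce. The field names (`inputs`, `isCMake`, `isGenerated`, `isExternal`) are those of the real `cmakeFiles-v1` reply; the `_deps/fmt-src` path and the file contents are constructed for the example.

```python
"""
Added example (not code from the cmake-dependency-submission Action): how glob
mode and configure mode decide which CMake files to scan. Everything on disk is
constructed here so the script runs offline without CMake installed.
"""
import json
import tempfile
from pathlib import Path

# Constructed source tree. "unused/" exists on disk but is never add_subdirectory()'d,
# so a configured build never reads its CMakeLists.txt.
SOURCE_TREE = {
    "CMakeLists.txt": "cmake_minimum_required(VERSION 3.24)\nproject(demo C)\nadd_subdirectory(lib)\n",
    "lib/CMakeLists.txt": "add_library(demo STATIC demo.c)\n",
    "cmake/deps.cmake": "include(FetchContent)\n",
    "unused/CMakeLists.txt": "add_executable(forgotten forgotten.c)\n",
}


def glob_mode(source_path: Path) -> list:
    """Glob mode: every CMakeLists.txt and *.cmake below source_path, configured or not."""
    hits = [p for p in source_path.rglob("*")
            if p.is_file() and (p.name == "CMakeLists.txt" or p.suffix == ".cmake")]
    return sorted(str(p.relative_to(source_path)) for p in hits)


def write_file_api_query(build_path: Path) -> Path:
    """Ask CMake for the cmakeFiles object; it answers under <build>/.cmake/api/v1/reply/
    the next time the configure step runs."""
    query = build_path / ".cmake" / "api" / "v1" / "query" / "cmakeFiles-v1"
    query.parent.mkdir(parents=True, exist_ok=True)
    query.touch()
    return query


def constructed_reply(build_path: Path, source_path: Path) -> dict:
    """Constructed stand-in for a cmakeFiles-v1 reply object (same field names as CMake's)."""
    return {
        "kind": "cmakeFiles",
        "version": {"major": 1, "minor": 0},
        "paths": {"build": str(build_path), "source": str(source_path)},
        "inputs": [
            {"path": "CMakeLists.txt"},
            {"path": "lib/CMakeLists.txt"},
            {"path": "cmake/deps.cmake"},
            # CMake's own module: not a project file.
            {"path": "/usr/share/cmake/Modules/FetchContent.cmake", "isCMake": True, "isExternal": True},
            # A project fetched by FetchContent lives under <build>/_deps and shows up as external.
            {"path": str(build_path / "_deps" / "fmt-src" / "CMakeLists.txt"), "isExternal": True},
            # Written by CMake during configure: not something to scan.
            {"path": str(build_path / "CMakeFiles" / "CMakeSystem.cmake"), "isGenerated": True},
        ],
    }


def configure_mode(build_path: Path) -> list:
    """Configure mode: read the cmakeFiles-v1 reply objects and keep only project-authored
    inputs, including the CMake files of FetchContent'd projects in the build tree."""
    reply_dir = build_path / ".cmake" / "api" / "v1" / "reply"
    keep = set()
    for reply in reply_dir.glob("cmakeFiles-v1-*.json"):
        obj = json.loads(reply.read_text())
        for entry in obj["inputs"]:
            if entry.get("isCMake") or entry.get("isGenerated"):
                continue
            keep.add(entry["path"])  # relative to the source dir, or absolute when external
    return sorted(keep)


def build_fixture() -> tuple:
    """Create the constructed source tree, the query object and the constructed reply."""
    root = Path(tempfile.mkdtemp(prefix="cmake-scan-"))
    source, build = root / "src", root / "build"
    for rel, content in SOURCE_TREE.items():
        (source / rel).parent.mkdir(parents=True, exist_ok=True)
        (source / rel).write_text(content)
    write_file_api_query(build)
    reply_dir = build / ".cmake" / "api" / "v1" / "reply"
    reply_dir.mkdir(parents=True, exist_ok=True)
    (reply_dir / "cmakeFiles-v1-00000000000000000000.json").write_text(
        json.dumps(constructed_reply(build, source)))
    return source, build


def run_demo() -> dict:
    """Run both modes over the fixture and return what each would scan."""
    source, build = build_fixture()
    return {"glob": glob_mode(source), "configure": configure_mode(build)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Glob mode lists `unused/CMakeLists.txt`, which the build never touches, and knows nothing about the fetched `_deps/fmt-src` project; configure mode is the other way round. A production File API reader should locate reply objects through the `index-*.json` file rather than globbing, which is a shortcut taken here to keep the example short.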
See `action.yml` for all valid inputs. See `dependency-submission.yml` for an example scan on this repository.
ⓘ Please note that the Dependency Submission API requires the job's `GITHUB_TOKEN` to have `contents: write` permission, so the workflow must declare it explicitly as in the examples below. Grant it at the job level rather than for the whole workflow. The examples reference the action as `@main`; for a reproducible supply chain, pin it to a release tag or a full commit SHA instead.
Glob mode (default):

```yaml
name: CMake Dependency Submission
on:
  push:
    branches:
      - main
jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      - uses: philips-forks/cmake-dependency-submission@main
```
Configure mode, where the configure step runs first and the action is pointed at the resulting build directory:

```yaml
name: CMake Dependency Submission
on:
  push:
    branches:
      - main
jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      - run: cmake -S example -B build
      - uses: philips-forks/cmake-dependency-submission@main
        with:
          scanMode: 'configure'
          buildPath: 'build'
```
When an external dependency is not FetchContent-compatible, or there is another reason to consume a dependency without using FetchContent, the dependency can still be reported by this Action by adding an annotation comment to a CMake file.
The annotation has the following format:

```cmake
# cmake-dependency-scan [package-url]
```

where `[package-url]` must be a valid Package URL, for example a GitHub repository pinned to a tag in the form `pkg:github/<owner>/<repository>@<version>`. Annotated dependencies are submitted alongside the ones found in `FetchContent_Declare()` calls, so a dependency consumed through `find_package()` or a vendored archive still appears in the dependency graph and the exported SBOM.
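An added example of the two discovery paths this README describes, `FetchContent_Declare()` calls and `# cmake-dependency-scan` annotations, followed by the manifest shape the Dependency Submission API accepts. This is illustration code, not the Action's own parser: the CMake text is constructed, the keyword-argument handling is a simplification (full-line comments are stripped, trailing comments are not), and non-GitHub sources are mapped to `pkg:generic` purls with a `download_url` or `vcs_url` qualifier, which is one reasonable choice rather than necessarily what the Action does.

```python
"""
Added example (not the Action's own parser): find dependencies in CMake text,
normalise them to Package URLs and build a Dependency Submission API manifest.
"""
import json
import re
import shlex
from typing import Optional
from urllib.parse import quote

# Constructed sample CMake content.
SAMPLE_CMAKE = """\
include(FetchContent)

FetchContent_Declare(
  googletest
  GIT_REPOSITORY https://github.com/google/googletest.git
  GIT_TAG        v1.14.0
)

# Consumed through find_package(); annotated so the dependency graph still lists it.
# cmake-dependency-scan pkg:generic/openssl@3.0.13

FetchContent_Declare(
  zlib
  URL https://zlib.net/zlib-1.3.1.tar.gz
)
"""

DECLARE_RE = re.compile(r"FetchContent_Declare\s*\((.*?)\)", re.IGNORECASE | re.DOTALL)
ANNOTATION_RE = re.compile(r"^[ \t]*#[ \t]*cmake-dependency-scan[ \t]+(\S+)", re.MULTILINE)
GITHUB_RE = re.compile(r"^(?:https?://|git@)github\.com[/:]([^/]+)/([^/]+?)(?:\.git)?/?$")
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/\S+$")  # minimal sanity check: type plus name


def purl_for_declare(args: str) -> Optional[str]:
    """Map the argument list of one FetchContent_Declare() call to a Package URL."""
    lines = [l for l in args.splitlines() if not l.lstrip().startswith("#")]
    tokens = shlex.split("\n".join(lines))
    if not tokens:
        return None
    name, rest = tokens[0], tokens[1:]
    opts, i = {}, 0
    while i + 1 < len(rest):
        if rest[i].isupper():  # CMake keyword arguments (GIT_REPOSITORY, URL, ...) are upper-case
            opts[rest[i]] = rest[i + 1]
            i += 2
        else:
            i += 1
    repo, tag = opts.get("GIT_REPOSITORY"), opts.get("GIT_TAG")
    if repo:
        m = GITHUB_RE.match(repo)
        if m:  # purl spec: github namespace and name are lower-cased, version percent-encoded
            purl = f"pkg:github/{m.group(1).lower()}/{m.group(2).lower()}"
            return purl + ("@" + quote(tag, safe="") if tag else "")
        vcs = "git+" + repo + ("@" + tag if tag else "")
        return f"pkg:generic/{name.lower()}?vcs_url={quote(vcs, safe='')}"
    url = opts.get("URL")
    if url:  # plain archive: no registry, so record where it came from
        return f"pkg:generic/{name.lower()}?download_url={quote(url, safe='')}"
    return None


def extract_dependencies(cmake_text: str) -> list:
    """Return every Package URL found in cmake_text, in document order."""
    found = []
    for m in DECLARE_RE.finditer(cmake_text):
        purl = purl_for_declare(m.group(1))
        if purl:
            found.append((m.start(), purl))
    for m in ANNOTATION_RE.finditer(cmake_text):
        if PURL_RE.match(m.group(1)):  # silently skip annotations that are not purls
            found.append((m.start(), m.group(1)))
    return [purl for _, purl in sorted(found)]


def build_manifest(cmake_file: str, purls: list) -> dict:
    """One entry of the snapshot's `manifests` map, in the Dependency Submission API shape."""
    return {
        "name": cmake_file,
        "file": {"source_location": cmake_file},
        "resolved": {
            p: {"package_url": p, "relationship": "direct", "scope": "runtime", "dependencies": []}
            for p in purls
        },
    }


if __name__ == "__main__":
    deps = extract_dependencies(SAMPLE_CMAKE)
    print(json.dumps({"manifests": {"CMakeLists.txt": build_manifest("CMakeLists.txt", deps)}}, indent=2))
```

The annotation path is deliberately strict: anything after `# cmake-dependency-scan` that does not look like a purl is dropped rather than submitted, since a malformed `package_url` makes the whole snapshot submission fail rather than just that one entry.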
This project is licensed under the MIT license. See LICENSE for details.