feat: Add CMake FetchContent support to updater (#104)

* feat: Add CMake FetchContent support to updater

Implements support for updating CMake FetchContent_Declare() statements
in addition to existing submodules, properties files, and scripts.

Key features:
- Support for path.cmake#DepName and auto-detection syntax
- Hash vs tag detection with hash format preservation
- Hash-to-tag resolution for version comparison
- GitHub Actions output integration
- Comprehensive test coverage (23 tests)

Resolves: #91

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Complete CMake FetchContent implementation

Critical fixes and improvements:
- Fix GitHub Actions workflow validation to allow # character in paths
- Update documentation with CMake examples and usage
- Improve comment handling in hash updates
- Implement proper ancestry validation for hash updates
- Test with real console SDK CMake files

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* docs: Fix CMake examples to be more logical

- sentry-native.cmake now uses auto-detection (single dependency)
- dependencies.cmake now shows explicit dependency name syntax
- Better reflects real-world usage patterns

* docs: Refactor path input description into cleaner sublist

- Split long bullet point into structured sublist
- Clear separation of different path format types
- Better readability for CMake file options

* fix: cleanup CMake file handling in update-dependency script

* fix: ensure newline at end of file in Update-CMakeFile function

* refactor: Use cross-platform temp directory approach

- Replace $env:TEMP with [System.IO.Path]::GetTempPath()
- Use [System.Guid]::NewGuid() for unique directory names
- More robust cross-platform compatibility

* security: Fix ancestry validation to fail safely

- Return false instead of true when ancestry validation fails
- Change warning to error message for clarity
- Prevents potentially incorrect updates when validation is uncertain
- Follows fail-safe principle for security-critical operations

* refactor: Simplify GIT_TAG line replacement logic

- Always replace entire line content after GIT_TAG
- Removes potentially outdated version-specific comments
- Simplifies regex pattern (no separate hash/tag logic needed)
- Cleaner and more predictable behavior

* fix: Add proper error handling for git ls-remote commands

- Check $LASTEXITCODE after git ls-remote calls
- Prevent parsing error messages as commit hashes
- Fixes potential corruption of CMake files with 'fatal:' etc.
- Applies to both Update-CMakeFile and Find-TagForHash functions

Fixes critical bug where network failures could corrupt dependency files.

* test: Add missing hash-to-hash update test case

- Tests updating from one git hash to a newer tag's hash
- Covers important scenario of hash-to-hash updates
- Verifies hash format preservation and comment replacement
- Ensures old hash and comments are properly removed

* refactor: Inline test data and group related test cases

- Move CMake test data from external files to inline here-strings
- Group related test scenarios into single test cases for better readability
- Reduce test count from 16 to 6 while maintaining same coverage
- Remove external testdata/cmake/ directory (no longer needed)
- Improve test maintainability - all test input/output visible in one place

Test groupings:
- Parse scenarios: basic, auto-detect, hash, complex formatting
- Multiple deps: auto-detection errors, explicit selection
- Error scenarios: missing deps, missing repo/tag
- Hash resolution: null results, network failures
- Update scenarios: tag-to-tag, hash-to-hash, complex formatting
- Update errors: missing dependency updates

* refactor: Improve test structure with shared data and individual cases

- Move test data creation to Context BeforeAll level
- Restore individual test cases (16 total) for focused testing
- Eliminate data duplication while keeping inline visibility
- Best of both worlds: shared setup + granular test cases

Structure:
- Context BeforeAll: Creates shared test files with inline data
- Individual It blocks: Reference shared files for specific scenarios
- Clear test names and focused assertions per test case

* refactor: Reorganize test hierarchy for better clarity

- Promote function names to Describe level (Parse-CMakeFetchContent, Find-TagForHash, Update-CMakeFile)
- Group tests by CMake file type at Context level
- Each Context has its own test data (no duplication)
- Clear logical organization: function -> file type -> specific tests

Structure:
├── Describe 'Parse-CMakeFetchContent'
│   ├── Context 'Basic single dependency file' (3 tests)
│   ├── Context 'Hash-based dependency file' (1 test)
│   ├── Context 'Complex formatting file' (1 test)
│   ├── Context 'Multiple dependencies file' (2 tests)
│   └── Context 'Malformed files' (2 tests)
├── Describe 'Find-TagForHash'
│   └── Context 'Hash resolution scenarios' (2 tests)
└── Describe 'Update-CMakeFile'
    ├── Context 'Basic tag updates' (3 tests)
    ├── Context 'Hash updates' (1 test)
    └── Context 'Complex formatting' (1 test)

* test: Use exact hash instead of regex pattern in assertion

- Replace generic pattern [a-f0-9]{40} with actual 0.11.0 hash
- More precise assertion: 3bd091313ae97be90be62696a2babe591a988eb8
- Consistent with integration test data expectations
- Eliminates ambiguity in test validation

* test: Use exact hash in integration test assertion

- Replace generic pattern [a-f0-9]{40} # \d+\.\d+\.\d+ with exact values
- More precise assertion: 3bd091313ae97be90be62696a2babe591a988eb8 # 0\.11\.0
- Matches unit test precision and validates exact expected output
- Eliminates ambiguity in hash-to-tag update validation

* test: Use exact version in remaining integration test assertions

- Replace generic \d+\.\d+\.\d+ patterns with exact 0\.11\.0
- More precise assertions for explicit dependency and auto-detection tests
- Completes migration from generic patterns to exact expected values
- Ensures deterministic test validation across all CMake tests

* revert: Use generic patterns in integration tests without version constraints

- Revert exact version assertions where UpdateDependency gets latest version
- Keep generic patterns \d+\.\d+\.\d+ and [a-f0-9]{40} for future-proof tests
- Integration tests call UpdateDependency without pattern constraints
- Latest version will change over time (0.11.0 → 0.12.0, etc.)
- Unit tests can keep exact values since they specify exact versions

* docs: Add changelog entry for CMake FetchContent support

- Document new CMake FetchContent functionality in CHANGELOG.md
- References PR #104 for automated dependency updates
- Follows existing changelog format and conventions

* Add parameter validation to CMake helper functions

Added robust parameter validation with type constraints to all CMake helper functions:
- Parse-CMakeFetchContent: Validates file path exists and dependency name format
- Find-TagForHash: Validates repository URL and 40-char hash format
- Test-HashAncestry: Validates repository URL and hash formats
- Update-CMakeFile: Validates file path, dependency name, and new value

This prevents misuse, improves error handling, and addresses security concerns around parameter injection attacks.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Add dependency name validation in update-dependency.ps1

Added validation to ensure CMake dependency names follow proper naming conventions and prevent potential regex injection attacks. Dependency names must start with a letter and contain only alphanumeric characters, underscores, dots, or hyphens.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: vaind

.github/workflows/updater.yml

@@ -3,7 +3,7 @@ on:
   workflow_call:
     inputs:
       path:
-        description: Dependency path in the source repository, this can be either a submodule, a .properties file or a shell script.
+        description: Dependency path in the source repository, this can be either a submodule, a .properties file, a shell script, or a CMake file with FetchContent.
         type: string
         required: true
       name:
@@ -87,9 +87,9 @@ jobs:
       - name: Validate dependency path
         shell: pwsh
         run: |
-          # Validate that inputs.path contains only safe characters
-          if ('${{ inputs.path }}' -notmatch '^[a-zA-Z0-9_\./-]+$') {
-            Write-Output "::error::Invalid dependency path: '${{ inputs.path }}'. Only alphanumeric characters and _-./ are allowed."
+          # Validate that inputs.path contains only safe characters (including # for CMake dependencies)
+          if ('${{ inputs.path }}' -notmatch '^[a-zA-Z0-9_\./#-]+$') {
+            Write-Output "::error::Invalid dependency path: '${{ inputs.path }}'. Only alphanumeric characters and _-./#  are allowed."
             exit 1
           }
           Write-Output "✓ Dependency path '${{ inputs.path }}' is valid"

CHANGELOG.md

@@ -6,6 +6,7 @@
 
 - Danger - Improve conventional commit scope handling, and non-conventional PR title support ([#105](https://github.com/getsentry/github-workflows/pull/105))
 - Add Proguard artifact endpoint for Android builds in sentry-server ([#100](https://github.com/getsentry/github-workflows/pull/100))
+- Updater - Add CMake FetchContent support for automated dependency updates ([#104](https://github.com/getsentry/github-workflows/pull/104))
 
 ### Security
 

README.md

@@ -46,11 +46,35 @@ jobs:
       name: Gradle Plugin
     secrets:
       api-token: ${{ secrets.CI_DEPLOY_KEY }}
+
+  # Update a CMake FetchContent dependency with auto-detection (single dependency only)
+  sentry-native:
+    uses: getsentry/github-workflows/.github/workflows/updater.yml@v2
+    with:
+      path: vendor/sentry-native.cmake
+      name: Sentry Native SDK
+    secrets:
+      api-token: ${{ secrets.CI_DEPLOY_KEY }}
+
+  # Update a CMake FetchContent dependency with explicit dependency name
+  deps:
+    uses: getsentry/github-workflows/.github/workflows/updater.yml@v2
+    with:
+      path: vendor/dependencies.cmake#googletest
+      name: GoogleTest
+    secrets:
+      api-token: ${{ secrets.CI_DEPLOY_KEY }}
 ```
 
 ### Inputs
 
-* `path`: Dependency path in the source repository, this can be either a submodule, a .properties file or a shell script.
+* `path`: Dependency path in the source repository. Supported formats:
+  * Submodule path
+  * Properties file (`.properties`)
+  * Shell script (`.ps1`, `.sh`)
+  * CMake file with FetchContent:
+    * `path/to/file.cmake#DepName` - specify dependency name
+    * `path/to/file.cmake` - auto-detection (single dependency only)
   * type: string
   * required: true
 * `name`: Name used in the PR title and the changelog entry.

updater/scripts/cmake-functions.ps1

@@ -0,0 +1,187 @@
+# CMake FetchContent helper functions for update-dependency.ps1
+
+function Parse-CMakeFetchContent {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory=$true)]
+        [ValidateScript({Test-Path $_ -PathType Leaf})]
+        [string]$filePath,
+
+        [Parameter(Mandatory=$false)]
+        [ValidateScript({[string]::IsNullOrEmpty($_) -or $_ -match '^[a-zA-Z][a-zA-Z0-9_.-]*$'})]
+        [string]$depName
+    )
+    $content = Get-Content $filePath -Raw
+
+    if ($depName) {
+        $pattern = "FetchContent_Declare\s*\(\s*$depName\s+([^)]+)\)"
+    } else {
+        # Find all FetchContent_Declare blocks
+        $allMatches = [regex]::Matches($content, "FetchContent_Declare\s*\(\s*([a-zA-Z0-9_-]+)", 'Singleline')
+        if ($allMatches.Count -eq 1) {
+            $depName = $allMatches[0].Groups[1].Value
+            $pattern = "FetchContent_Declare\s*\(\s*$depName\s+([^)]+)\)"
+        } else {
+            throw "Multiple FetchContent declarations found. Use #DepName syntax."
+        }
+    }
+
+    $match = [regex]::Match($content, $pattern, 'Singleline,IgnoreCase')
+    if (-not $match.Success) {
+        throw "FetchContent_Declare for '$depName' not found in $filePath"
+    }
+    $block = $match.Groups[1].Value
+
+    # Look for GIT_REPOSITORY and GIT_TAG patterns specifically
+    # Exclude matches that are in comments (lines starting with #)
+    $repoMatch = [regex]::Match($block, '(?m)^\s*GIT_REPOSITORY\s+(\S+)')
+    $tagMatch = [regex]::Match($block, '(?m)^\s*GIT_TAG\s+(\S+)')
+
+    $repo = if ($repoMatch.Success) { $repoMatch.Groups[1].Value } else { "" }
+    $tag = if ($tagMatch.Success) { $tagMatch.Groups[1].Value } else { "" }
+
+    if ([string]::IsNullOrEmpty($repo) -or [string]::IsNullOrEmpty($tag)) {
+        throw "Could not parse GIT_REPOSITORY or GIT_TAG from FetchContent_Declare block"
+    }
+
+    return @{ GitRepository = $repo; GitTag = $tag; DepName = $depName }
+}
+
+function Find-TagForHash {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string]$repo,
+
+        [Parameter(Mandatory=$true)]
+        [ValidatePattern('^[a-f0-9]{40}$')]
+        [string]$hash
+    )
+    try {
+        $refs = git ls-remote --tags $repo
+        if ($LASTEXITCODE -ne 0) {
+            throw "Failed to fetch tags from repository $repo (git ls-remote failed with exit code $LASTEXITCODE)"
+        }
+        foreach ($ref in $refs) {
+            $commit, $tagRef = $ref -split '\s+', 2
+            if ($commit -eq $hash) {
+                return $tagRef -replace '^refs/tags/', ''
+            }
+        }
+        return $null
+    }
+    catch {
+        Write-Host "Warning: Could not resolve hash $hash to tag name: $_"
+        return $null
+    }
+}
+
+function Test-HashAncestry {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string]$repo,
+
+        [Parameter(Mandatory=$true)]
+        [ValidatePattern('^[a-f0-9]{40}$')]
+        [string]$oldHash,
+
+        [Parameter(Mandatory=$true)]
+        [ValidatePattern('^[a-f0-9]{40}$')]
+        [string]$newHash
+    )
+    try {
+        # Create a temporary directory for git operations
+        $tempDir = Join-Path ([System.IO.Path]::GetTempPath()) ([System.Guid]::NewGuid())
+        New-Item -ItemType Directory -Path $tempDir -Force | Out-Null
+
+        try {
+            Push-Location $tempDir
+
+            # Initialize a bare repository and add the remote
+            git init --bare 2>$null | Out-Null
+            git remote add origin $repo 2>$null | Out-Null
+
+            # Fetch both commits
+            git fetch origin $oldHash 2>$null | Out-Null
+            git fetch origin $newHash 2>$null | Out-Null
+
+            # Check if old hash is ancestor of new hash
+            git merge-base --is-ancestor $oldHash $newHash 2>$null
+            $isAncestor = $LastExitCode -eq 0
+
+            return $isAncestor
+        }
+        finally {
+            Pop-Location
+            Remove-Item $tempDir -Recurse -Force -ErrorAction SilentlyContinue
+        }
+    }
+    catch {
+        Write-Host "Error: Could not validate ancestry for $oldHash -> $newHash : $_"
+        # When in doubt, fail safely to prevent incorrect updates
+        return $false
+    }
+}
+
+function Update-CMakeFile {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory=$true)]
+        [ValidateScript({Test-Path $_ -PathType Leaf})]
+        [string]$filePath,
+
+        [Parameter(Mandatory=$false)]
+        [ValidateScript({[string]::IsNullOrEmpty($_) -or $_ -match '^[a-zA-Z][a-zA-Z0-9_.-]*$'})]
+        [string]$depName,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string]$newValue
+    )
+    $content = Get-Content $filePath -Raw
+    $fetchContent = Parse-CMakeFetchContent $filePath $depName
+    $originalValue = $fetchContent.GitTag
+    $repo = $fetchContent.GitRepository
+    $wasHash = $originalValue -match '^[a-f0-9]{40}$'
+
+    if ($wasHash) {
+        # Convert tag to hash and add comment
+        $newHashRefs = git ls-remote $repo "refs/tags/$newValue"
+        if ($LASTEXITCODE -ne 0) {
+            throw "Failed to fetch tag $newValue from repository $repo (git ls-remote failed with exit code $LASTEXITCODE)"
+        }
+        if (-not $newHashRefs) {
+            throw "Tag $newValue not found in repository $repo"
+        }
+        $newHash = ($newHashRefs -split '\s+')[0]
+        $replacement = "$newHash # $newValue"
+
+        # Validate ancestry: ensure old hash is reachable from new tag
+        if (-not (Test-HashAncestry $repo $originalValue $newHash)) {
+            throw "Cannot update: hash $originalValue is not in history of tag $newValue"
+        }
+    } else {
+        $replacement = $newValue
+    }
+
+    # Update GIT_TAG value, replacing entire line content after GIT_TAG
+    # This removes potentially outdated version-specific comments
+    $pattern = "(FetchContent_Declare\s*\(\s*$depName\s+[^)]*GIT_TAG\s+)[^\r\n]+(\r?\n[^)]*\))"
+    $newContent = [regex]::Replace($content, $pattern, "`${1}$replacement`${2}", 'Singleline')
+
+    if ($newContent -eq $content) {
+        throw "Failed to update GIT_TAG in $filePath - pattern may not have matched"
+    }
+
+    $newContent | Out-File $filePath -NoNewline
+
+    # Verify the update worked
+    $verifyContent = Parse-CMakeFetchContent $filePath $depName
+    $expectedValue = $wasHash ? $newHash : $newValue
+    if ($verifyContent.GitTag -notmatch [regex]::Escape($expectedValue)) {
+        throw "Update verification failed - read-after-write did not match expected value"
+    }
+}

updater/scripts/update-dependency.ps1

@@ -6,6 +6,9 @@ param(
     #    * `get-version` - return the currently specified dependency version
     #    * `get-repo` - return the repository url (e.g.  https://github.com/getsentry/dependency)
     #    * `set-version` - update the dependency version (passed as another string argument after this one)
+    #  - a CMake file (.cmake) with FetchContent_Declare statements:
+    #    * Use `path/to/file.cmake#DepName` to specify dependency name
+    #    * Or just `path/to/file.cmake` if file contains single FetchContent_Declare
     [Parameter(Mandatory = $true)][string] $Path,
     # RegEx pattern that will be matched against available versions when picking the latest one
     [string] $Pattern = '',
@@ -16,6 +19,24 @@ param(
 Set-StrictMode -Version latest
 . "$PSScriptRoot/common.ps1"
 
+# Parse CMake file with dependency name
+if ($Path -match '^(.+\.cmake)(#(.+))?$') {
+    $Path = $Matches[1]  # Set Path to file for existing logic
+    if ($Matches[3]) {
+        $cmakeDep = $Matches[3]
+        # Validate dependency name follows CMake naming conventions
+        if ($cmakeDep -notmatch '^[a-zA-Z][a-zA-Z0-9_.-]*$') {
+            throw "Invalid CMake dependency name: '$cmakeDep'. Must start with letter and contain only alphanumeric, underscore, dot, or hyphen."
+        }
+    } else {
+        $cmakeDep = $null  # Will auto-detect
+    }
+    $isCMakeFile = $true
+} else {
+    $cmakeDep = $null
+    $isCMakeFile = $false
+}
+
 if (-not (Test-Path $Path ))
 {
     throw "Dependency $Path doesn't exit";
@@ -41,7 +62,32 @@ if (-not $isSubmodule)
     $isScript = $Path -match '\.(ps1|sh)$'
     function DependencyConfig ([Parameter(Mandatory = $true)][string] $action, [string] $value = $null)
     {
-        if ($isScript)
+        if ($isCMakeFile) {
+            # CMake file handling
+            switch ($action) {
+                'get-version' {
+                    $fetchContent = Parse-CMakeFetchContent $Path $cmakeDep
+                    $currentValue = $fetchContent.GitTag
+                    if ($currentValue -match '^[a-f0-9]{40}$') {
+                        # Try to resolve hash to tag for version comparison
+                        $repo = $fetchContent.GitRepository
+                        $tagForHash = Find-TagForHash $repo $currentValue
+                        return $tagForHash ?? $currentValue
+                    }
+                    return $currentValue
+                }
+                'get-repo' {
+                    return (Parse-CMakeFetchContent $Path $cmakeDep).GitRepository
+                }
+                'set-version' {
+                    Update-CMakeFile $Path $cmakeDep $value
+                }
+                Default {
+                    throw "Unknown action $action"
+                }
+            }
+        }
+        elseif ($isScript)
         {
             if (Get-Command 'chmod' -ErrorAction SilentlyContinue)
             {
@@ -99,6 +145,9 @@ if (-not $isSubmodule)
             }
         }
     }
+
+    # Load CMake helper functions
+    . "$PSScriptRoot/cmake-functions.ps1"
 }
 
 if ("$Tag" -eq '')