getsentry · vaind · Sep 19, 2025 · Sep 18, 2025 · Sep 18, 2025 · Sep 18, 2025
diff --git a/.github/workflows/updater.yml b/.github/workflows/updater.yml
@@ -3,7 +3,7 @@ on:
   workflow_call:
     inputs:
       path:
-        description: Dependency path in the source repository, this can be either a submodule, a .properties file or a shell script.
+        description: Dependency path in the source repository, this can be either a submodule, a .properties file, a shell script, or a CMake file with FetchContent.
         type: string
         required: true
       name:
@@ -87,9 +87,9 @@ jobs:
       - name: Validate dependency path
         shell: pwsh
         run: |
-          # Validate that inputs.path contains only safe characters
-          if ('${{ inputs.path }}' -notmatch '^[a-zA-Z0-9_\./-]+$') {
-            Write-Output "::error::Invalid dependency path: '${{ inputs.path }}'. Only alphanumeric characters and _-./ are allowed."
+          # Validate that inputs.path contains only safe characters (including # for CMake dependencies)
+          if ('${{ inputs.path }}' -notmatch '^[a-zA-Z0-9_\./#-]+$') {
+            Write-Output "::error::Invalid dependency path: '${{ inputs.path }}'. Only alphanumeric characters and _-./#  are allowed."
             exit 1
           }
           Write-Output "✓ Dependency path '${{ inputs.path }}' is valid"

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Features
 
 - Add Proguard artifact endpoint for Android builds in sentry-server ([#100](https://github.com/getsentry/github-workflows/pull/100))
+- Updater - Add CMake FetchContent support for automated dependency updates ([#104](https://github.com/getsentry/github-workflows/pull/104))
 
 ### Security
 

diff --git a/README.md b/README.md
@@ -46,11 +46,35 @@ jobs:
       name: Gradle Plugin
     secrets:
       api-token: ${{ secrets.CI_DEPLOY_KEY }}
+
+  # Update a CMake FetchContent dependency with auto-detection (single dependency only)
+  sentry-native:
+    uses: getsentry/github-workflows/.github/workflows/updater.yml@v2
+    with:
+      path: vendor/sentry-native.cmake
+      name: Sentry Native SDK
+    secrets:
+      api-token: ${{ secrets.CI_DEPLOY_KEY }}
+
+  # Update a CMake FetchContent dependency with explicit dependency name
+  deps:
+    uses: getsentry/github-workflows/.github/workflows/updater.yml@v2
+    with:
+      path: vendor/dependencies.cmake#googletest
+      name: GoogleTest
+    secrets:
+      api-token: ${{ secrets.CI_DEPLOY_KEY }}
 ```
 
 ### Inputs
 
-* `path`: Dependency path in the source repository, this can be either a submodule, a .properties file or a shell script.
+* `path`: Dependency path in the source repository. Supported formats:
+  * Submodule path
+  * Properties file (`.properties`)
+  * Shell script (`.ps1`, `.sh`)
+  * CMake file with FetchContent:
+    * `path/to/file.cmake#DepName` - specify dependency name
+    * `path/to/file.cmake` - auto-detection (single dependency only)
   * type: string
   * required: true
 * `name`: Name used in the PR title and the changelog entry.

diff --git a/updater/scripts/cmake-functions.ps1 b/updater/scripts/cmake-functions.ps1
@@ -0,0 +1,187 @@
+# CMake FetchContent helper functions for update-dependency.ps1
+
+function Parse-CMakeFetchContent {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory=$true)]
+        [ValidateScript({Test-Path $_ -PathType Leaf})]
+        [string]$filePath,
+
+        [Parameter(Mandatory=$false)]
+        [ValidateScript({[string]::IsNullOrEmpty($_) -or $_ -match '^[a-zA-Z][a-zA-Z0-9_.-]*$'})]
+        [string]$depName
+    )
+    $content = Get-Content $filePath -Raw
+
+    if ($depName) {
+        $pattern = "FetchContent_Declare\s*\(\s*$depName\s+([^)]+)\)"
+    } else {
+        # Find all FetchContent_Declare blocks
+        $allMatches = [regex]::Matches($content, "FetchContent_Declare\s*\(\s*([a-zA-Z0-9_-]+)", 'Singleline')
+        if ($allMatches.Count -eq 1) {
+            $depName = $allMatches[0].Groups[1].Value
+            $pattern = "FetchContent_Declare\s*\(\s*$depName\s+([^)]+)\)"
+        } else {
+            throw "Multiple FetchContent declarations found. Use #DepName syntax."
+        }
+    }
+
+    $match = [regex]::Match($content, $pattern, 'Singleline,IgnoreCase')
+    if (-not $match.Success) {
+        throw "FetchContent_Declare for '$depName' not found in $filePath"
+    }
+    $block = $match.Groups[1].Value
+
+    # Look for GIT_REPOSITORY and GIT_TAG patterns specifically
+    # Exclude matches that are in comments (lines starting with #)
+    $repoMatch = [regex]::Match($block, '(?m)^\s*GIT_REPOSITORY\s+(\S+)')
+    $tagMatch = [regex]::Match($block, '(?m)^\s*GIT_TAG\s+(\S+)')
+
+    $repo = if ($repoMatch.Success) { $repoMatch.Groups[1].Value } else { "" }
+    $tag = if ($tagMatch.Success) { $tagMatch.Groups[1].Value } else { "" }
+
+    if ([string]::IsNullOrEmpty($repo) -or [string]::IsNullOrEmpty($tag)) {
+        throw "Could not parse GIT_REPOSITORY or GIT_TAG from FetchContent_Declare block"
+    }
+
+    return @{ GitRepository = $repo; GitTag = $tag; DepName = $depName }
+}
+
+function Find-TagForHash {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string]$repo,
+
+        [Parameter(Mandatory=$true)]
+        [ValidatePattern('^[a-f0-9]{40}$')]
+        [string]$hash
+    )
+    try {
+        $refs = git ls-remote --tags $repo
+        if ($LASTEXITCODE -ne 0) {
+            throw "Failed to fetch tags from repository $repo (git ls-remote failed with exit code $LASTEXITCODE)"
+        }
+        foreach ($ref in $refs) {
+            $commit, $tagRef = $ref -split '\s+', 2
+            if ($commit -eq $hash) {
+                return $tagRef -replace '^refs/tags/', ''
+            }
+        }
+        return $null
+    }
+    catch {
+        Write-Host "Warning: Could not resolve hash $hash to tag name: $_"
+        return $null
+    }
+}
+
+function Test-HashAncestry {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string]$repo,
+
+        [Parameter(Mandatory=$true)]
+        [ValidatePattern('^[a-f0-9]{40}$')]
+        [string]$oldHash,
+
+        [Parameter(Mandatory=$true)]
+        [ValidatePattern('^[a-f0-9]{40}$')]
+        [string]$newHash
+    )
+    try {
+        # Create a temporary directory for git operations
+        $tempDir = Join-Path ([System.IO.Path]::GetTempPath()) ([System.Guid]::NewGuid())
+        New-Item -ItemType Directory -Path $tempDir -Force | Out-Null
+
+        try {
+            Push-Location $tempDir
+
+            # Initialize a bare repository and add the remote
+            git init --bare 2>$null | Out-Null
+            git remote add origin $repo 2>$null | Out-Null
+
+            # Fetch both commits
+            git fetch origin $oldHash 2>$null | Out-Null
+            git fetch origin $newHash 2>$null | Out-Null
+
+            # Check if old hash is ancestor of new hash
+            git merge-base --is-ancestor $oldHash $newHash 2>$null
+            $isAncestor = $LastExitCode -eq 0
+
+            return $isAncestor
+        }
+        finally {
+            Pop-Location
+            Remove-Item $tempDir -Recurse -Force -ErrorAction SilentlyContinue
+        }
+    }
+    catch {
+        Write-Host "Error: Could not validate ancestry for $oldHash -> $newHash : $_"
+        # When in doubt, fail safely to prevent incorrect updates
+        return $false
+    }
+}
+
+function Update-CMakeFile {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory=$true)]
+        [ValidateScript({Test-Path $_ -PathType Leaf})]
+        [string]$filePath,
+
+        [Parameter(Mandatory=$false)]
+        [ValidateScript({[string]::IsNullOrEmpty($_) -or $_ -match '^[a-zA-Z][a-zA-Z0-9_.-]*$'})]
+        [string]$depName,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string]$newValue
+    )
+    $content = Get-Content $filePath -Raw
+    $fetchContent = Parse-CMakeFetchContent $filePath $depName
+    $originalValue = $fetchContent.GitTag
+    $repo = $fetchContent.GitRepository
+    $wasHash = $originalValue -match '^[a-f0-9]{40}$'
+
+    if ($wasHash) {
+        # Convert tag to hash and add comment
+        $newHashRefs = git ls-remote $repo "refs/tags/$newValue"
+        if ($LASTEXITCODE -ne 0) {
+            throw "Failed to fetch tag $newValue from repository $repo (git ls-remote failed with exit code $LASTEXITCODE)"
+        }
+        if (-not $newHashRefs) {
+            throw "Tag $newValue not found in repository $repo"
+        }
+        $newHash = ($newHashRefs -split '\s+')[0]
+        $replacement = "$newHash # $newValue"
+
+        # Validate ancestry: ensure old hash is reachable from new tag
+        if (-not (Test-HashAncestry $repo $originalValue $newHash)) {
+            throw "Cannot update: hash $originalValue is not in history of tag $newValue"
+        }
+    } else {
+        $replacement = $newValue
+    }
+
+    # Update GIT_TAG value, replacing entire line content after GIT_TAG
+    # This removes potentially outdated version-specific comments
+    $pattern = "(FetchContent_Declare\s*\(\s*$depName\s+[^)]*GIT_TAG\s+)[^\r\n]+(\r?\n[^)]*\))"
+    $newContent = [regex]::Replace($content, $pattern, "`${1}$replacement`${2}", 'Singleline')
+
+    if ($newContent -eq $content) {
+        throw "Failed to update GIT_TAG in $filePath - pattern may not have matched"
+    }
+
+    $newContent | Out-File $filePath -NoNewline
+
+    # Verify the update worked
+    $verifyContent = Parse-CMakeFetchContent $filePath $depName
+    $expectedValue = $wasHash ? $newHash : $newValue
+    if ($verifyContent.GitTag -notmatch [regex]::Escape($expectedValue)) {
+        throw "Update verification failed - read-after-write did not match expected value"
+    }
+}
diff --git a/updater/scripts/update-dependency.ps1 b/updater/scripts/update-dependency.ps1
@@ -6,6 +6,9 @@ param(
     #    * `get-version` - return the currently specified dependency version
     #    * `get-repo` - return the repository url (e.g.  https://github.com/getsentry/dependency)
     #    * `set-version` - update the dependency version (passed as another string argument after this one)
+    #  - a CMake file (.cmake) with FetchContent_Declare statements:
+    #    * Use `path/to/file.cmake#DepName` to specify dependency name
+    #    * Or just `path/to/file.cmake` if file contains single FetchContent_Declare
     [Parameter(Mandatory = $true)][string] $Path,
     # RegEx pattern that will be matched against available versions when picking the latest one
     [string] $Pattern = '',
@@ -16,6 +19,24 @@ param(
 Set-StrictMode -Version latest
 . "$PSScriptRoot/common.ps1"
 
+# Parse CMake file with dependency name
+if ($Path -match '^(.+\.cmake)(#(.+))?$') {
+    $Path = $Matches[1]  # Set Path to file for existing logic
+    if ($Matches[3]) {
+        $cmakeDep = $Matches[3]
+        # Validate dependency name follows CMake naming conventions
+        if ($cmakeDep -notmatch '^[a-zA-Z][a-zA-Z0-9_.-]*$') {
+            throw "Invalid CMake dependency name: '$cmakeDep'. Must start with letter and contain only alphanumeric, underscore, dot, or hyphen."
+        }
+    } else {
+        $cmakeDep = $null  # Will auto-detect
+    }
+    $isCMakeFile = $true
+} else {
+    $cmakeDep = $null
+    $isCMakeFile = $false
+}
+
 if (-not (Test-Path $Path ))
 {
     throw "Dependency $Path doesn't exit";
@@ -41,7 +62,32 @@ if (-not $isSubmodule)
     $isScript = $Path -match '\.(ps1|sh)$'
     function DependencyConfig ([Parameter(Mandatory = $true)][string] $action, [string] $value = $null)
     {
-        if ($isScript)
+        if ($isCMakeFile) {
+            # CMake file handling
+            switch ($action) {
+                'get-version' {
+                    $fetchContent = Parse-CMakeFetchContent $Path $cmakeDep
+                    $currentValue = $fetchContent.GitTag
+                    if ($currentValue -match '^[a-f0-9]{40}$') {
+                        # Try to resolve hash to tag for version comparison
+                        $repo = $fetchContent.GitRepository
+                        $tagForHash = Find-TagForHash $repo $currentValue
+                        return $tagForHash ?? $currentValue
+                    }
+                    return $currentValue
+                }
+                'get-repo' {
+                    return (Parse-CMakeFetchContent $Path $cmakeDep).GitRepository
+                }
+                'set-version' {
+                    Update-CMakeFile $Path $cmakeDep $value
+                }
+                Default {
+                    throw "Unknown action $action"
+                }
+            }
+        }
+        elseif ($isScript)
         {
             if (Get-Command 'chmod' -ErrorAction SilentlyContinue)
             {
@@ -99,6 +145,9 @@ if (-not $isSubmodule)
             }
         }
     }
+
+    # Load CMake helper functions
+    . "$PSScriptRoot/cmake-functions.ps1"
 }
 
 if ("$Tag" -eq '')