fortran-lang / fpm

Fortran Package Manager (fpm)
https://fpm.fortran-lang.org
MIT License

Get GitHub to recognize FPM dependencies #647

Open jacobwilliams opened 2 years ago

jacobwilliams commented 2 years ago

GitHub has a feature that can track dependencies by reading a supported manifest file in the project.

See: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph

At some point, we should try to get them to support the FPM fpm.toml. Then projects that are used via fpm would be visible in a "Used by" section of the main page.

awvwgk commented 2 years ago

I found that fossa supports dependency scanning from fpm package manifests (https://github.com/fortran-lang/fpm/discussions/640), meaning it is actually recognized already.

Having other tools, like GitHub's dependabot, recognize the fpm package manifest might be a possibility. However, I wonder whether we should actively push for this or just continue working on establishing fpm as the de facto standard in the Fortran ecosystem.

gnikit commented 2 years ago

I think this is a great idea, especially if we can get GitHub to recognise fpm.toml as a manifest file, as it would be an active demonstration of how widely used fpm is.

Here is an additional resource that could get us started: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api

As mentioned at the bottom of the page @jacobwilliams provided:

You can use the Dependency submission API (beta) to add dependencies from the package manager or ecosystem of your choice to the dependency graph, even if the ecosystem is not in the supported ecosystem list above. The dependency graph will display the submitted dependencies grouped by ecosystem, but separately from the dependencies parsed from manifest or lock files. You will only get Dependabot alerts for dependencies that are from one of the supported ecosystems of the GitHub Advisory Database. For more information on the Dependency submission API, see "Using the Dependency submission API."

So we won't be getting dependabot alerts just yet, but this is definitely a start.

I think at this stage we care more about Dependency Graph > Dependents, rather than Dependencies since it would showcase all the repos using fpm. I am curious if the REST API would crawl GitHub to detect the fpm.toml manifests in other repos (from a quick read, I think it wouldn't).

Maybe we can reach out to GitHub and see what it would take for them to include fpm manifests in dependabot.