Possibility to resolve Tags/Branches to a commit hash when generating the package-lock.cmake #676
Description
We are currently looking for a way to manage our dependencies within CMake. Initially we switched to FetchContent with fixed hashes to ensure a consistent build across different machines and independent of when the build is done. This has been working fine for our smaller projects, but as we are trying to switch to modernizing bigger projects, manually setting up the FetchContent calls is becoming unscalable.
From what I can tell it seems like CPM would be quite the step up in terms of convenience to setup and extra features such as warning on version mismatch, CPMUsePackageLock and CPM_SOURCE_CACHE.
After initial testing it seems like using CPMUsePackageLock and CPM_SOURCE_CACHE still allow for offline builds even when using a GIT_TAG pointing to a branch. However it seems like the package lock does not store the resolved commit hash from the time the cpm-update-package-lock target was executed, rather it resolves the tag/branch when the cache directory needs to be created.
From #263 (comment), It seems like the assumption is made that tags should be immutable and branches should be avoided when specifying a GIT_TAG. Unfortunatly I do not feel comfortable making these assumptions in the context of modernizing our projects across our various teams.
Hence my question, Would it be possible to resolve the GIT_TAG and embed the resolved commit hash when the cpm-update-package-lock target is run? I believe #315 is similar, altough it asks to included as a comment rather than a binding a dependency to a specific hash.
If this fits within the scope of CPM, I'm willing to fork and (attempt to) implement it myself. But I'm not fully familiar with the full scope of CPM and if there are any potential caveats to this enhancement.