The last four links I have shared above all get automated by a simple QL:QUICKLOAD call if we're using Quicklisp, and that's one of the reasons Quicklisp has become almost a de facto standard in the community.
You can achieve roughly the same by writing down the SHA256 hash the first time you download and then comparing when you download the next time.
But, yeah, while I do not like submodules, for vendoring stuff it seems a reasonable approach. There's also https://github.com/fosskers/vend if you lean that way.
https://susam.net/lisp-in-vim.html
https://github.com/susam/emacs4cl
However, for my personal projects, I usually just download the package versions I need from GitHub with curl within a simple while loop:
https://github.com/susam/susam.net/blob/0.4.0/Makefile#L83-L...
https://github.com/susam/susam.net/blob/0.4.0/meta/cldeps/fo...
Then I point ASDF to the download directory with CL_SOURCE_REGISTRY and load it in my Lisp program using good old ASDF:LOAD-SYSTEM:
https://github.com/susam/susam.net/blob/0.4.0/etc/form.servi...
https://github.com/susam/susam.net/blob/0.4.0/form.lisp#L5
The last four links I have shared above all get automated by a simple QL:QUICKLOAD call if we're using Quicklisp, and that's one of the reasons Quicklisp has become almost a de facto standard in the community.