add CVE updates for compiled and precompiled ubuntu images #629
rahulait wants to merge 2 commits into NVIDIA:main
Pull request overview
Updates GitHub Actions image-build workflows to apply additional CVE-related package upgrades for Ubuntu-based images, aligning compiled and precompiled builds with a consistent set of security updates.
Changes:
- Add `libssl3` to Ubuntu `CVE_UPDATES` for the compiled image workflow.
- Introduce Ubuntu `CVE_UPDATES` export for precompiled image build jobs in both workflows.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/image.yaml | Expands Ubuntu CVE update package list and applies it to the pre-compiled job as well. |
| .github/workflows/precompiled.yaml | Adds Ubuntu CVE update package list for the scheduled precompiled image workflow. |
use composite action so that future package list changes only need to happen in one file
Signed-off-by: Rahul Sharma <rahulsharm@nvidia.com>
3f0e1e9 to 98c5357
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
Signed-off-by: Rahul Sharma <rahulsharm@nvidia.com>
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.
| if [[ "${{ inputs.dist }}" =~ ^(rhel|rocky) ]]; then | ||
| echo "CVE_UPDATES=openssl python3-urllib3 libarchive libxml2 pam python3 sqlite-libs gnupg2" >> $GITHUB_ENV | ||
| elif [[ "${{ inputs.dist }}" =~ "ubuntu" ]]; then | ||
| echo "CVE_UPDATES=gnupg libssl3" >> $GITHUB_ENV |
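Review bot: In both the `if` and `elif` conditions, `${{ inputs.dist }}` is expanded into the script text before bash parses it, so the input value becomes part of the shell source rather than data; pass it through the step's `env:` (for example as a variable named `DIST`) and test `"$DIST"` instead. The Ubuntu branch also matches differently from the RHEL one: `=~ "ubuntu"` with a quoted right-hand side is an unanchored literal substring match, while the first branch anchors with `^(rhel|rocky)`, so `^ubuntu` would keep the two consistent. There is no `else` in the visible lines, so any other `dist` value leaves `CVE_UPDATES` unset without a message, and `>> $GITHUB_ENV` is better written as `>> "$GITHUB_ENV"`.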
I'll review and update this list once #636 is merged as I need to experiment and update it as required.
Updates GitHub Actions image-build workflows to apply additional CVE-related package upgrades for Ubuntu-based images, aligning compiled and precompiled builds with a consistent set of security updates.
Changes:
- Add `libssl3` to Ubuntu `CVE_UPDATES`.
- Introduce Ubuntu `CVE_UPDATES` export for precompiled image build jobs in both workflows.