From 98c53572c400b81e53c8b080a0c83c496831028d Mon Sep 17 00:00:00 2001
From: Rahul Sharma
Date: Mon, 2 Mar 2026 15:22:18 -0800
Subject: [PATCH 1/2] add CVE updates for compiled and precompiled ubuntu images use composite action so that future package list changes only need to happen in one file
Signed-off-by: Rahul Sharma
---
 .github/actions/set-cve-updates/action.yml | 35 ++++++++++++++++++++++
 .github/workflows/image.yaml | 14 +++++----
 .github/workflows/precompiled.yaml | 4 +++
 3 files changed, 47 insertions(+), 6 deletions(-)
 create mode 100644 .github/actions/set-cve-updates/action.yml
diff --git a/.github/actions/set-cve-updates/action.yml b/.github/actions/set-cve-updates/action.yml
new file mode 100644
index 000000000..b8ff0b2b8
--- /dev/null
+++ b/.github/actions/set-cve-updates/action.yml
@@ -0,0 +1,35 @@
+# Copyright NVIDIA CORPORATION
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Set CVE Updates
+description: >
+ Sets the CVE_UPDATES environment variable with the list of packages to
+ upgrade for CVE remediation, based on the target distribution family.
+inputs:
+ dist:
+ description: >
+ Target distribution string (e.g. ubuntu22.04, ubuntu24.04, rhel8,
+ rhel9, rhel10, rocky9). The action matches on the family prefix.
+ required: true
+runs:
+ using: composite
+ steps:
+ - name: Set CVE_UPDATES
+ shell: bash
+ run: |
+ if [[ "${{ inputs.dist }}" =~ "rhel" || "${{ inputs.dist }}" =~ "rocky" ]]; then
+ echo "CVE_UPDATES=openssl python3-urllib3 libarchive libxml2 pam python3 sqlite-libs gnupg2" >> $GITHUB_ENV
+ elif [[ "${{ inputs.dist }}" =~ "ubuntu" ]]; then
+ echo "CVE_UPDATES=gnupg2 libssl3" >> $GITHUB_ENV
+ fi
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
index 1aa10dc18..1c183fb90 100644
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
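Review bot: The `run:` script splices `${{ inputs.dist }}` straight into the shell text in both `[[ ... ]]` tests, so the value is substituted before bash parses the line and an input containing `"` or `$(...)` would be executed rather than compared. The callers in this series pass `matrix.dist`, which the workflow itself defines, so exposure today is low, but this is a reusable action and its input should reach the script as data via a step-level `env:` (`DIST: ${{ inputs.dist }}`) and be read as `"$DIST"`. An `else` branch that emits `::warning::` for a dist matching neither family would also make an unset `CVE_UPDATES` visible instead of silent. The rewritten step:
```yaml
    - name: Set CVE_UPDATES
      shell: bash
      env:
        DIST: ${{ inputs.dist }}   # passed as data, never interpolated into script text
      run: |
        if [[ "$DIST" =~ "rhel" || "$DIST" =~ "rocky" ]]; then
          echo "CVE_UPDATES=openssl python3-urllib3 libarchive libxml2 pam python3 sqlite-libs gnupg2" >> "$GITHUB_ENV"
        elif [[ "$DIST" =~ "ubuntu" ]]; then
          echo "CVE_UPDATES=gnupg2 libssl3" >> "$GITHUB_ENV"
        else
          echo "::warning::unrecognized dist '$DIST'; CVE_UPDATES left unset"
        fi
```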
@@ -67,13 +67,11 @@ jobs:
 fi
 echo "PUSH_ON_BUILD=${GENERATE_ARTIFACTS}" >> $GITHUB_ENV
 echo "BUILD_MULTI_ARCH_IMAGES=${GENERATE_ARTIFACTS}" >> $GITHUB_ENV
-
- if [[ "${{ matrix.dist }}" =~ "rhel" || "${{ matrix.dist }}" =~ "rocky" ]]; then
- echo "CVE_UPDATES=openssl python3-urllib3 libarchive libxml2 pam python3 sqlite-libs gnupg2" >> $GITHUB_ENV
- elif [[ "${{ matrix.dist }}" =~ "ubuntu" ]]; then
- echo "CVE_UPDATES=gnupg2" >> $GITHUB_ENV
- fi
+ - name: Set CVE updates
+ uses: ./.github/actions/set-cve-updates
+ with:
+ dist: ${{ matrix.dist }}
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
 with:
@@ -157,6 +155,10 @@ jobs:
 echo "PUSH_ON_BUILD=${GENERATE_ARTIFACTS}" >> $GITHUB_ENV
 echo "BUILD_MULTI_ARCH_IMAGES=${GENERATE_ARTIFACTS}" >> $GITHUB_ENV
+ - name: Set CVE updates
+ uses: ./.github/actions/set-cve-updates
+ with:
+ dist: ${{ matrix.dist }}
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
 with:
diff --git a/.github/workflows/precompiled.yaml b/.github/workflows/precompiled.yaml
index ddf17633c..1fbf6acc5 100644
--- a/.github/workflows/precompiled.yaml
+++ b/.github/workflows/precompiled.yaml
@@ -84,6 +84,10 @@ jobs:
 echo "PUSH_ON_BUILD=${GENERATE_ARTIFACTS}" >> $GITHUB_ENV
 echo "BUILD_MULTI_ARCH_IMAGES=${GENERATE_ARTIFACTS}" >> $GITHUB_ENV
+ - name: Set CVE updates
+ uses: ./.github/actions/set-cve-updates
+ with:
+ dist: ${{ matrix.dist }}
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
 with:
From dc6c6b160e1fed5893d292748d431cf9f6a93216 Mon Sep 17 00:00:00 2001
From: Rahul Sharma
Date: Tue, 3 Mar 2026 13:37:51 -0800
Subject: [PATCH 2/2] address copilot comments/suggestions
Signed-off-by: Rahul Sharma
---
 .github/actions/set-cve-updates/action.yml | 4 ++--
 ubuntu24.04/precompiled/Dockerfile | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/actions/set-cve-updates/action.yml b/.github/actions/set-cve-updates/action.yml
index b8ff0b2b8..80d4d0be6 100644
--- a/.github/actions/set-cve-updates/action.yml
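Review bot: In the precompiled.yaml hunk the job did not set `CVE_UPDATES` before (the step is added with no removed lines), and nothing in the hunk shows the variable being forwarded into the image build, for example as a `build-args` entry, so that wiring lives outside the hunk and should be confirmed or the step sets a value nobody reads. The step also resolves `./.github/actions/set-cve-updates` from the workspace, so it depends on a checkout having run earlier in the job, which is likewise not visible here. If a later build step consumes it, a one-line comment on the step, `# CVE_UPDATES is read by the image build step below`, would make that dependency explicit.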
+++ b/.github/actions/set-cve-updates/action.yml
@@ -28,8 +28,8 @@ runs:
 - name: Set CVE_UPDATES
 shell: bash
 run: |
- if [[ "${{ inputs.dist }}" =~ "rhel" || "${{ inputs.dist }}" =~ "rocky" ]]; then
+ if [[ "${{ inputs.dist }}" =~ ^(rhel|rocky) ]]; then
 echo "CVE_UPDATES=openssl python3-urllib3 libarchive libxml2 pam python3 sqlite-libs gnupg2" >> $GITHUB_ENV
 elif [[ "${{ inputs.dist }}" =~ "ubuntu" ]]; then
- echo "CVE_UPDATES=gnupg2 libssl3" >> $GITHUB_ENV
+ echo "CVE_UPDATES=gnupg libssl3" >> $GITHUB_ENV
 fi
diff --git a/ubuntu24.04/precompiled/Dockerfile b/ubuntu24.04/precompiled/Dockerfile
index c36043c7d..116a16abf 100644
--- a/ubuntu24.04/precompiled/Dockerfile
+++ b/ubuntu24.04/precompiled/Dockerfile
@@ -23,9 +23,9 @@ RUN dpkg --add-architecture i386 && \
 build-essential \
 ca-certificates \
 curl \
- gpg \
 kmod \
 file \
+ gnupg \
 libelf-dev \
 libglvnd-dev \
 pkg-config && \
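Review bot: The Ubuntu branch still uses the unanchored substring test `=~ "ubuntu"` while the RHEL/Rocky test in this hunk was tightened to `^(rhel|rocky)`, which is inconsistent with the input description's "matches on the family prefix"; `elif [[ "${{ inputs.dist }}" =~ ^ubuntu ]]; then` keeps the two branches symmetric. The Ubuntu package list is shared by ubuntu22.04 and ubuntu24.04, and on 24.04 the OpenSSL runtime package was renamed to `libssl3t64` in the 64-bit time_t transition, so whether `libssl3` still resolves there (possibly only through a Provides) should be verified against whatever applies `CVE_UPDATES`, which is outside the hunk. A short comment above the echo, `# names must exist on every ubuntu* dist in the matrix`, would flag that constraint for the next edit to this list.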
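Review bot: Replacing `gpg` with `gnupg` installs the full GnuPG metapackage, which on Ubuntu pulls in dirmngr, gpg-agent, gpgsm and related tools where the build previously installed only the `gpg` binary, so the image's installed surface grows. If the purpose is only to give the `gnupg` entry in the Ubuntu `CVE_UPDATES` list an installed package to upgrade, keeping `gpg` here and listing `gpg` there is the smaller change; how `CVE_UPDATES` is applied is not visible in this Dockerfile, so that reading is inferred. If the metapackage stays, a comment on the line, `# gnupg (not just gpg) so the CVE_UPDATES upgrade list resolves`, would record why.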