Fix NVIDIA Driver version tracking in GH Actions

Harish Senthilkumar · harishxr · commit 40879b32e09f · 2025-10-09T12:49:23.000-07:00
diff --git a/NVIDIA_DRIVER_VERSION b/NVIDIA_DRIVER_VERSION
@@ -12,4 +12,4 @@
 # documentation or automation scripts.
 
 nvidia_driver_version_al2 = "550.163.01"
-nvidia_driver_version_al2023 = "570.133.20"
+nvidia_driver_version_al2023 = "580.65.06"
diff --git a/scripts/check-update-security.sh b/scripts/check-update-security.sh
@@ -141,12 +141,11 @@ instance_id=$(aws ec2 run-instances \
 
 # check-update based on platform
 if [[ $platform == al2023* ]]; then
-    check_upgrade_options="--releasever=latest --sec-severity Critical --exclude=$EXCLUDE_SEC_UPDATES_PKGS"
+    check_upgrade_options="--sec-severity Critical --exclude=$EXCLUDE_SEC_UPDATES_PKGS"
     if [[ $platform == *gpu ]]; then
         check_upgrade_options="nvidia-driver-cuda"
     fi
-    # Run check-upgrade in a loop to ensure that the repo metadata is up to date
-    command_params="commands=[\"for i in {1..5}; do dnf clean expire-cache; dnf --refresh check-upgrade $check_upgrade_options -q; code=$?; if [ $code -eq 100 ]; then exit 100; fi; sleep 5; done; exit 0\"]"
+    command_params="commands=[\"dnf --refresh check-upgrade --releasever=latest $check_upgrade_options -q\"]"
 elif [ "$platform" = "al2_gpu" ]; then
     # The amzn2-nvidia repository does not provide updateinfo metadata (updateinfo.xml),
     # which YUM relies on to classify updates as security-related. The --security flag
diff --git a/scripts/check-update.sh b/scripts/check-update.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -exo pipefail
+set -euo pipefail
 
 usage() {
     echo "Usage:"
@@ -33,63 +33,74 @@ handle_nvidia_version() {
         version=$(echo "$gpu_update" | cut -d' ' -f2)
     fi
 
-    # Update version entry if version is available and file exists
-    if [ -n "$version" ] && [ -f NVIDIA_DRIVER_VERSION ]; then
+    # Update version entry if version is available
+    if [ -n "$version" ]; then
         if grep -q "^${version_key} = " NVIDIA_DRIVER_VERSION; then
-            sed -i "s/^${version_key} = .*/${version_key} = \"${version}\"/" NVIDIA_DRIVER_VERSION
+            if ! sed -i "s/^${version_key} = .*/${version_key} = \"${version}\"/" NVIDIA_DRIVER_VERSION; then
+                echo "Failed to update NVIDIA driver version in NVIDIA_DRIVER_VERSION file"
+            fi
         fi
     fi
 }
 
-readonly ami_type="$1"
+readonly ami_type="${1:-}"
 if [ -z "$ami_type" ]; then
     error "AMI_TYPE must be provided"
 fi
 
+# Validate AMI type
+case "$ami_type" in
+al2 | al2023)
+    # Valid AMI types
+    ;;
+*)
+    error "Invalid AMI type: $ami_type"
+    ;;
+esac
+
+# Backup current release file and generate new one
 cp release-$ami_type.auto.pkrvars.hcl release-$ami_type.old.hcl
 ./generate-release-vars.sh $ami_type
+
+# Compare release files (excluding ami_version)
 set +e
 diff_val=$(diff <(grep -v ami_version release-$ami_type.old.hcl) <(grep -v ami_version release-$ami_type.auto.pkrvars.hcl))
 set -e
 
-# Check for NVIDIA driver version for both AL2 and AL2023
-if [ "$ami_type" = "al2" ] || [ "$ami_type" = "al2023" ]; then
-    gpu_update=$(./scripts/check-update-security.sh "${ami_type}_gpu")
-    handle_nvidia_version "$ami_type" "$gpu_update"
-    if [[ $gpu_update == true* ]]; then
-        Update="true"
-    fi
+# Initialize update flag
+Update="false"
+
+# Check for NVIDIA driver version updates
+gpu_update=$(./scripts/check-update-security.sh "${ami_type}_gpu")
+handle_nvidia_version "$ami_type" "$gpu_update"
+if [[ $gpu_update == true* ]]; then
+    Update="true"
 fi
 
-# If no difference in dependencies, check for security update
+# Check for security updates if no dependency changes
 if [ -z "$diff_val" ]; then
-    Update="false"
-    case "$ami_type" in
-    "al2" | "al2023")
-        # Check security updates for each architecture type
-        amd_update=$(./scripts/check-update-security.sh $ami_type)
-        arm_update=$(./scripts/check-update-security.sh "${ami_type}_arm")
-
-        # Combine results
-        if [[ $amd_update == true* ]] || [[ $arm_update == true* ]]; then
-            Update="true"
-        fi
-        ;;
-    *)
-        echo "Error: Invalid AMI type: $ami_type"
-        exit 1
-        ;;
-    esac
+    # Check security updates for each architecture type
+    amd_update=$(./scripts/check-update-security.sh $ami_type)
+    arm_update=$(./scripts/check-update-security.sh "${ami_type}_arm")
+
+    # Combine results
+    if [[ $amd_update == true* ]] || [[ $arm_update == true* ]]; then
+        Update="true"
+    fi
 else
     Update="true"
 fi
 
+# Clean up temporary file
 rm "release-$ami_type.old.hcl"
 
+# Handle git operations based on update status
 if [ "$Update" = "true" ]; then
     echo "Update exists for $ami_type"
     git add release-$ami_type.auto.pkrvars.hcl
-    if [ -f NVIDIA_DRIVER_VERSION ] && ! git diff --quiet NVIDIA_DRIVER_VERSION; then
+
+    # Add NVIDIA_DRIVER_VERSION if it has changes
+    if ! git diff --quiet NVIDIA_DRIVER_VERSION; then
         echo "NVIDIA driver version changes detected"
         git add NVIDIA_DRIVER_VERSION
     fi
