Updating External Components

This guide covers identification, updating, vetting, and breaking change handling for all reused externally-maintained components. It satisfies the OpenSSF Best Practices Silver documentation_reuse_component_update criterion.

For quick dependency commands, see the Component Updates section of the Pull Request Process guide. For CVE-driven security updates, see Security Review.

Component Inventory

| Component | Source | Version Location | Current Version | Update Method |
|---|---|---|---|---|
| NVIDIA GPU Operator | Helm | `infrastructure/setup/defaults.conf` (`GPU_OPERATOR_VERSION`) | v25.3.4 | Manual |
| KAI Scheduler | Helm | `infrastructure/setup/defaults.conf` (`KAI_SCHEDULER_VERSION`) | v0.5.5 | Manual |
| OSMO Chart | Helm | `infrastructure/setup/defaults.conf` (`OSMO_CHART_VERSION`) | 1.0.1 | Manual |
| OSMO Image | Container | `infrastructure/setup/defaults.conf` (`OSMO_IMAGE_VERSION`) | 6.0.0 | Manual |
| AzureML K8s Extension | Azure CLI | `infrastructure/setup/defaults.conf` (`AZUREML_EXTENSION_VERSION`) | 1.3.1 | Manual |
| Isaac Lab | Container | Hardcoded in 7+ files | 2.3.2 | Manual grep |
| Azure Terraform Providers | Terraform | `versions.tf` across 8 directories | Floor-pinned | Dependabot (2/4) |
| Python Packages | pip/uv | `pyproject.toml`, `requirements.txt` | Mixed | Dependabot |
| GitHub Actions | GitHub | Workflow YAML (18 files) | SHA-pinned | Dependabot |

> [!IMPORTANT]
> Isaac Lab version 2.3.2 is hardcoded across workflow YAMLs, deploy scripts, and `pyproject.toml` files. No centralized variable exists. Use `grep -r "2.3.2" --include="*.yaml" --include="*.yml" --include="*.toml" --include="*.sh"` to locate all references before updating.

Identifying Available Updates

| Ecosystem | Tool or Method | Command or Location |
|---|---|---|
| Python | Dependabot PRs, `uv pip compile --upgrade` | `.github/dependabot.yml`, `pyproject.toml` |
| Terraform | Dependabot PRs, `terraform init -upgrade` | `.github/dependabot.yml`, `infrastructure/terraform/` |
| Helm Charts | `helm repo update && helm search repo <chart> --versions` | NVIDIA NGC Helm repositories |
| Container Images | NVIDIA NGC catalog, GitHub release pages | `nvcr.io/nvidia/` namespace |
| GitHub Actions | Dependabot PRs, `gh api repos/{owner}/{repo}/releases/latest` | `.github/dependabot.yml` |

Automated Updates (Dependabot)

Dependabot opens PRs weekly on Monday for covered ecosystems. Configuration lives in `.github/dependabot.yml`.

| Ecosystem | Directory | Grouping | Schedule |
|---|---|---|---|
| pip | `/` | python-dependencies | Weekly, Monday |
| pip | `/training` | training-dependencies | Weekly, Monday |
| terraform | `/infrastructure/terraform` | None | Weekly, Monday |
| terraform | `/infrastructure/terraform/dns` | None | Weekly, Monday |
| github-actions | `/` | github-actions | Weekly, Monday |

PR flow: Dependabot opens PR → CI runs (dependency-review, pinning-scan, CodeQL, linters) → maintainer reviews changelog and test results → merge.

> [!NOTE]
> Dependabot does not cover Helm charts, container images, or 2 additional Terraform directories (`vpn/`, `automation/`). These require manual updates.

Manual Update Process

Helm Charts

Helm chart versions are centralized in `infrastructure/setup/defaults.conf`.

  1. Check for a new chart version:

         helm repo update
         helm search repo <chart-name> --versions

  2. Update the version variable in `infrastructure/setup/defaults.conf`.
  3. Run `--config-preview` on the affected deploy scripts to verify the configuration.
  4. Deploy to a test cluster and validate.
  5. Submit a PR with the changelog summary from the upstream release.

Container Images (Isaac Lab)

  1. Check NVIDIA NGC for a new Isaac Lab release.
  2. Search for all current version references:

         grep -r "2.3.2" --include="*.yaml" --include="*.yml" --include="*.toml" --include="*.sh"

  3. Update all references (expect 7+ files across `workflows/`, `deploy/`, and `pyproject.toml`).
  4. Test a training workflow with the new image.
  5. Submit a PR with migration notes from the NVIDIA release changelog.
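Because the Isaac Lab version has no central variable, the grep-and-edit step is the one most likely to miss a file or touch the wrong string. The following script is an added example (not the repository's own tooling) that performs the search over the same four file types, word-bounds the version so `2.3.2` cannot match inside `12.3.20`, and reports how many files changed and how many references remain. It assumes GNU sed and uses a constructed sample tree.

```bash
#!/usr/bin/env bash
# Added example: bump a hardcoded Isaac Lab version across the file types
# the guide greps (*.yaml, *.yml, *.toml, *.sh). Assumes GNU sed (-i -E).

escape_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# List files under DIR that still reference OLD as a whole version string:
# not preceded by a digit or dot and not followed by a digit.
find_refs() {            # find_refs OLD DIR
  pat="(^|[^0-9.])$(escape_re "$1")([^0-9]|$)"
  find "$2" -type f \( -name '*.yaml' -o -name '*.yml' -o -name '*.toml' -o -name '*.sh' \) \
    -exec grep -lE -e "$pat" {} + 2>/dev/null || true
}

# Number of files still referencing OLD (the post-update check).
remaining_refs() { find_refs "$1" "$2" | wc -l | tr -d ' '; }

# Replace OLD with NEW in every matching file; prints the number of files changed.
# Run find_refs first and read the hits: a different component at the same
# version would match too and must be excluded by hand.
bump_version() {         # bump_version OLD NEW DIR
  old=$(escape_re "$1"); new=$2
  n=$(remaining_refs "$1" "$3")
  find_refs "$1" "$3" | while IFS= read -r f; do
    sed -i -E "s/(^|[^0-9.])${old}([^0-9]|$)/\1${new}\2/g" "$f"
  done
  echo "$n"
}

# Constructed sample tree standing in for the 7+ real files; prints its path.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/.github/workflows" "$d/deploy"
  printf 'image: nvcr.io/nvidia/isaac-lab:2.3.2\n' > "$d/.github/workflows/train.yml"
  printf 'ISAAC_LAB_VERSION="2.3.2"\nOTHER="12.3.20"\n' > "$d/deploy/run.sh"
  printf '[project]\nversion = "2.3.2"\n' > "$d/pyproject.toml"
  printf 'isaac-lab==2.3.2\n' > "$d/requirements.txt"   # outside the include list
  echo "$d"
}
```

`requirements.txt` is deliberately left untouched here because the guide's grep does not include it; widen the `-name` list if a new reference shows up there.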

Terraform Providers

For directories not covered by Dependabot (`vpn/`, `automation/`):

  1. Run `terraform init -upgrade` in the target directory.
  2. Run `terraform plan -var-file=terraform.tfvars` to verify there are no breaking changes.
  3. Submit a PR with provider changelog references.

Vetting Criteria

Apply this checklist before merging any component update.

| Criterion | Check | Required For |
|---|---|---|
| Changelog review | Read release notes for breaking changes | All updates |
| API compatibility | Verify no breaking API changes affect current usage | Major and minor updates |
| License check | Confirm license unchanged or still OSI-approved | All updates |
| Security advisories | Check GitHub Security Advisories, NVD | All updates |
| CI passage | All CI checks pass on the update PR | All updates |
| Deployment test | `--config-preview`, then deploy to a test cluster | Helm and container updates |

Breaking Change Handling

  1. Identify breaking changes from the upstream changelog and migration guides
  2. Assess impact on deployment scripts, training workflows, and CI
  3. Create migration steps in the PR description
  4. Update affected documentation (README files, deployment guides, workflow templates)
  5. Add the `breaking-change` label to the PR
  6. Request review from infrastructure owners (@microsoft/edge-ai-core-dev)

CI Validation for Dependency PRs

These workflows validate dependency update PRs automatically.

| Workflow | Purpose | Scope |
|---|---|---|
| `dependency-review.yml` | Block moderate+ vulnerabilities | All dependency PRs |
| `dependency-pinning-scan.yml` | Enforce 95% SHA pinning compliance | GitHub Actions |
| `codeql-analysis.yml` | Static analysis for Python code | Python changes |
| `scorecard.yml` | OpenSSF Scorecard assessment | Repository-wide |
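The pinning-compliance check is the one a maintainer most often needs to reproduce locally before a Dependabot PR lands. The script below is an added example, not the repository's `dependency-pinning-scan.yml`: it counts `uses:` references in workflow YAML, treats only a full 40-character hex commit SHA after `@` as pinned, skips local composite actions (`./...`), and compares the percentage against a threshold (the guide's 95%). The workflow content and SHAs are constructed.

```sh
#!/usr/bin/env sh
# Added example: measure SHA-pinning compliance of `uses:` references.
# Pinned = "@<40 hex chars>" (a tag such as @v5 is mutable and counts as unpinned).

# Print "<pinned> <total>" for all non-local `uses:` lines under DIR.
count_pins() {            # count_pins DIR
  find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) -exec cat {} + |
  awk '
    /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
      ref = $0
      sub(/.*uses:[[:space:]]*/, "", ref)       # keep only the reference
      sub(/[[:space:]]*#.*/, "", ref)           # drop the "# v4.1.1" hint
      if (ref ~ /^\.\//) next                   # local action: nothing to pin
      total++
      at = index(ref, "@")
      if (at == 0) next                         # no ref at all: unpinned
      sha = substr(ref, at + 1)
      if (length(sha) == 40 && sha ~ /^[0-9a-f]+$/) pinned++
    }
    END { printf "%d %d\n", pinned, total }'
}

# Integer percentage of pinned references; 100 when there is nothing to pin.
pin_percentage() {        # pin_percentage DIR
  set -- $(count_pins "$1")
  [ "$2" -eq 0 ] && { echo 100; return; }
  echo $(( $1 * 100 / $2 ))
}

# Exit 0 when compliance meets THRESHOLD percent, 1 otherwise.
check_pinning() {         # check_pinning DIR THRESHOLD
  pct=$(pin_percentage "$1")
  echo "SHA pinning: ${pct}% (threshold ${2}%)"
  [ "$pct" -ge "$2" ]
}

# Constructed workflow with two pinned, one tag-pinned and one local step.
make_sample() {
  d=$(mktemp -d); mkdir -p "$d/.github/workflows"
  cat > "$d/.github/workflows/ci.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-step
      - uses: github/codeql-action/init@89abcdef0123456789abcdef0123456789abcdef # v3 (constructed SHA)
EOF
  echo "$d"
}
```

With the sample, two of three upstream references are pinned (66%), so `check_pinning "$d" 95` fails; the local step is not counted either way.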

Security-Critical Updates

For CVE-driven updates requiring expedited handling:

  1. Maintainer identifies a CVE affecting a project dependency
  2. Open a priority PR referencing the security advisory
  3. Target 24-48 hour review turnaround
  4. Update `SECURITY.md` if disclosure is warranted

See Security Review for the full security update process.

🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.