chore: update GitHub Actions to Node.js 24 compatible versions #460

@josecelano

Overview

Several GitHub Actions workflows produce deprecation warnings because some actions still run on Node.js 20. Starting June 2nd, 2026, GitHub will force all actions to run with Node.js 24 by default, and Node.js 20 will be removed from runners on September 16th, 2026.

Each affected action needs to be reviewed: in some cases a newer version with Node.js 24 support exists and can be adopted; in other cases no compatible release exists yet and the issue must be tracked until one does.

Reference: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/

Specification

See detailed specification: docs/issues/460-node-24-action-deprecation-warnings.md

Affected Actions by Workflow

backup-container.yaml — Backup Container

  • docker/setup-buildx-action@v3
  • docker/build-push-action@v6
  • docker/login-action@v3
  • docker/metadata-action@v5

container.yaml — Container

  • docker/setup-buildx-action@v3
  • docker/build-push-action@v6
  • docker/login-action@v3
  • docker/metadata-action@v5

cargo-security-audit.yml — Cargo Security Audit

  • rustsec/audit-check@v2.0.0

docker-security-scan.yml — Docker Security Scan

  • aquasecurity/trivy-action@0.35.0 (which internally uses actions/cache on Node.js 20)

test-e2e-deployment.yml — E2E Deployment Workflow Tests

  • docker/setup-buildx-action@v3

dependabot-updates — Dependabot (GitHub-managed)

  • github/dependabot-action@main — This workflow is fully managed by GitHub and is not present in this repository. May resolve automatically.

Implementation Plan

Phase 1: Research available updates

  • Check latest releases of docker/setup-buildx-action, docker/build-push-action, docker/login-action, docker/metadata-action for Node.js 24 support
  • Check latest release of rustsec/audit-check for Node.js 24 support
  • Check latest release of aquasecurity/trivy-action for Node.js 24 support (resolves transitive actions/cache warning)
  • Investigate github/dependabot-action — determine if this is fully GitHub-managed and no action is needed from our side

Phase 2: Apply available updates

  • Update all docker action versions in backup-container.yaml where newer Node.js 24 compatible versions are available
  • Update all docker action versions in container.yaml where newer Node.js 24 compatible versions are available
  • Update docker/setup-buildx-action in test-e2e-deployment.yml
  • Update rustsec/audit-check in cargo-security-audit.yml
  • Update aquasecurity/trivy-action in docker-security-scan.yml

Phase 3: Handle actions with no available update

  • For any action without a Node.js 24-compatible release, open a follow-up tracking note or issue
  • Document the status and re-check schedule

Acceptance Criteria

Quality Checks:

  • Pre-commit checks pass: ./scripts/pre-commit.sh

Task-Specific Criteria:

  • No Node.js 20 deprecation warnings appear in any of the affected workflow runs
  • All updated action versions are pinned correctly and tested
  • Any action that cannot be updated is documented with a follow-up plan
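The inventory step in Phase 1 can be scripted. The following is an added example, not part of the issue or the repository: it lists every `uses:` reference in a workflow file and marks the ones the issue names as Node.js 20 based. The function name `audit_workflow`, the sample workflow and the check for a full 40-character commit SHA are assumptions; the issue does not define what "pinned correctly" means.

```python
import re

# Action references the issue lists as still running on Node.js 20.
AFFECTED = {
    "docker/setup-buildx-action@v3",
    "docker/build-push-action@v6",
    "docker/login-action@v3",
    "docker/metadata-action@v5",
    "rustsec/audit-check@v2.0.0",
    "aquasecurity/trivy-action@0.35.0",
}

# Matches both "- uses: x" and a "uses: x" key under a named step.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(name, text):
    """Return one finding per remote `uses:` reference in a workflow's text."""
    findings = []
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images carry no action ref
        action, _, version = ref.partition("@")
        findings.append({
            "workflow": name,
            "action": action,
            "version": version,
            "node20_listed": ref in AFFECTED,  # named in the issue's list
            "sha_pinned": bool(SHA_RE.match(version)),  # assumed pinning check
        })
    return findings


# Constructed sample, not copied from the repository's workflows.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - name: Set up Buildx
        uses: docker/setup-buildx-action@v3
      - uses: "docker/build-push-action@v6"
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for finding in audit_workflow("container.yaml", SAMPLE):
        print(finding)
```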
