
chore: upgrade Node.js version to 24 across Dockerfiles and workflows#9180

Open

mikeallisonJS wants to merge 11 commits into main from 26-00-MA-chore-node-24

Conversation


@mikeallisonJS mikeallisonJS commented May 7, 2026

Summary by CodeRabbit

  • Chores
    • Upgraded Node.js runtime from 22 to 24 across the development container, CI workflows, build images, and deployment configurations to align tooling and images with a newer Node LTS, improving performance, compatibility, and security.



coderabbitai Bot commented May 7, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 085a7b8f-d3b6-4207-a52d-973d65568011

📥 Commits

Reviewing files that changed from the base of the PR and between ee49eaa and f6a474d.

📒 Files selected for processing (1)
  • .devcontainer/Dockerfile

Walkthrough

This PR updates Node.js versions to 24 across devcontainer images, GitHub Actions workflows (build/test/lint/e2e/deploy), Playwright/cache key namespaces, and the Arclight production Docker base image.

Changes

Node.js 24 runtime upgrade

| Layer | File(s) | Summary |
|---|---|---|
| Local development environment | .devcontainer/Dockerfile, .devcontainer/docker-compose.yml | Devcontainer VARIANT ARG default and docker-compose bootstrap image and app build ARG updated to Node.js 24 and adjusted devcontainer image reference. |
| Core CI workflows | .github/workflows/main.yml, .github/workflows/autofix.ci.yml, .github/workflows/danger.yml, .github/workflows/visual-test.yml, .github/workflows/ai-build-spike.yml, .github/workflows/e2e-tests.yml | GitHub Actions setup-node inputs and related cache keys updated to Node.js 24 across build, test, lint, danger, visual, AI spike, and E2E jobs. |
| Deployment workflows | .github/workflows/api-deploy-*.yml, .github/workflows/app-deploy.yml, .github/workflows/ecs-frontend-deploy-*.yml, .github/workflows/worker-deploy.yml | node-version values bumped to 24 in affected and deployment job matrices; Playwright browser cache namespaces updated to Node-24 where present. |
| Production app container | apps/arclight/Dockerfile | Base image updated from node:22-bullseye-slim to node:24-bullseye-slim. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Possibly related PRs

  • JesusFilm/core#9208: Also modifies GitHub Actions actions/setup-node configuration and node-version values in workflows.

Suggested reviewers

  • tataihono
  • kiran-redhat
  • sharon-elsa-mathew1995
  • csiyang
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title clearly and accurately summarizes the main change: upgrading Node.js version to 24 across Dockerfiles and workflows, which is the primary focus of all file modifications. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



nx-cloud Bot commented May 7, 2026

View your CI Pipeline Execution ↗ for commit f6a474d

| Command | Status | Duration | Result |
|---|---|---|---|
| nx affected --target=codecov --base=678563a36a1... | ✅ Succeeded | <1s | View |
| nx affected --target=test --base=678563a36a167e... | ✅ Succeeded | 1s | View |
| nx run-many --target=prisma-generate --all --pa... | ✅ Succeeded | 2s | View |
| nx affected --target=build --base=678563a36a167... | ✅ Succeeded | 26s | View |
| nx affected --target=fetch-secrets --base=67856... | ✅ Succeeded | <1s | View |
| nx affected --target=test --base=678563a36a167e... | ✅ Succeeded | 1s | View |
| nx affected --target=test --base=678563a36a167e... | ✅ Succeeded | 1s | View |

☁️ Nx Cloud last updated this comment at 2026-05-20 19:42:12 UTC

@github-actions github-actions Bot temporarily deployed to Preview - journeys-admin May 7, 2026 22:24 Inactive

github-actions Bot commented May 7, 2026

The latest updates on your projects.

| Name | Status | Preview | Updated (UTC) |
|---|---|---|---|
| journeys-admin | ✅ Ready | journeys-admin preview | Wed May 13 10:27:34 NZST 2026 |

@github-actions github-actions Bot had a problem deploying to Preview - journeys-admin May 7, 2026 22:53 Failure
@github-actions github-actions Bot had a problem deploying to Preview - journeys-admin May 7, 2026 22:59 Failure

csiyang commented May 7, 2026

Heads up — the matrix bump on the lint wrapper (and the other matrix-suffixed jobs in this PR) actually renames the GitHub-Actions check from lint (22) to lint (24). That wrapper doesn't use ${{ matrix.node-version }} for anything inside the job — it exists purely to control the check name reported to the ruleset (which the comment on lines 94–97 explains).

If the branch protection rule was already updated to require the (24)-suffixed names, this is fine. If not, the rename stops satisfying protection and PRs jam — same applies to build (X), test (X, Y/3), and the per-app build-and-deploy (X) checks renamed in this diff.

Did you update the ruleset alongside this?

Two nits while you're in there:

  • autofix.ci.yml:97 still reads "stays lint (22)" — needs updating (or revert the matrix to keep the comment accurate).
  • e2e-tests.yml:84,86 still hardcode node-22-playwright-… cache keys.
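A consistency check for the two things raised above, the renamed `lint (22)` check and the hardcoded `node-22` cache keys, as an added example that is not code from the PR or the project; the workflow text is a constructed sample, and the parser assumes the conventional two-space block layout (an inline `matrix: {...}` is not handled).

```python
import re

# Constructed sample (not the project's real workflow): a lint job whose matrix
# exists only to set the check name, and an e2e job with a stale cache key.
SAMPLE_WORKFLOW = """\
name: autofix
jobs:
  lint:
    strategy:
      matrix:
        node-version: [24]
    # Matrix node-version: [24] so the check name stays lint (22)
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
  e2e:
    name: e2e tests
    steps:
      - uses: actions/cache@v4
        with:
          key: ${{ runner.os }}-node-22-playwright-${{ hashFiles('pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-node-22-playwright-
"""

JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")        # job id at 2-space indent
NAME_RE = re.compile(r"^    name:\s*(.+?)\s*$")           # optional display name
MATRIX_KEY_RE = re.compile(r"^(\s*)matrix:\s*$")
NODE_LIST_RE = re.compile(r"^\s+node-version:\s*\[([^\]]*)\]")


def find_stale_refs(text, patterns):
    """(line_no, pattern) for every line still carrying an old-runtime string."""
    return [(no, p) for no, ln in enumerate(text.splitlines(), 1) for p in patterns if p in ln]


def job_matrix_versions(text):
    """job id -> [display name, node-version matrix values]. Indentation-based
    parse of the conventional two-space block layout; no YAML library needed."""
    jobs, job, matrix_indent, in_jobs = {}, None, None, False
    for line in text.splitlines():
        if line.rstrip() == "jobs:":
            in_jobs = True
        if not in_jobs or not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if (m := JOB_RE.match(line)):
            job, matrix_indent = m.group(1), None
            jobs[job] = [job, []]
        elif job and (m := NAME_RE.match(line)):
            jobs[job][0] = m.group(1)
        elif job and MATRIX_KEY_RE.match(line):
            matrix_indent = indent
        elif matrix_indent is not None and indent <= matrix_indent:
            matrix_indent = None                           # left the matrix block
        elif matrix_indent is not None and (m := NODE_LIST_RE.match(line)):
            jobs[job][1] = [v.strip() for v in m.group(1).split(",") if v.strip()]
    return jobs


def check_renames(text, old, new):
    """Required status checks a ruleset must be updated from -> to after the bump."""
    return [(f"{name} ({old})", f"{name} ({new})")
            for name, versions in job_matrix_versions(text).values()
            if new in versions and old not in versions]
```

Run `check_renames` over every file under .github/workflows before merging and compare the output with the branch protection ruleset; an empty `find_stale_refs` result is the signal that no comment or cache key still points at the old runtime.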

coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/e2e-tests.yml (1)

84-86: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update Playwright cache keys to Node 24.

These keys are still hardcoded to node-22, which leaves this job using an outdated cache namespace after the runtime bump.

Suggested patch
-          key: ${{ runner.os }}-node-22-playwright-${{ hashFiles('pnpm-lock.yaml') }}
+          key: ${{ runner.os }}-node-24-playwright-${{ hashFiles('pnpm-lock.yaml') }}
           restore-keys: |
-            ${{ runner.os }}-node-22-playwright-
+            ${{ runner.os }}-node-24-playwright-
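Review bot: both replaced keys remain hand-maintained literals, which is exactly how the stale `node-22` namespace survived this bump; if the job's Node version is already expressed as a matrix value or variable, derive the namespace from it (for example `${{ runner.os }}-node-${{ matrix.node-version }}-playwright-${{ hashFiles('pnpm-lock.yaml') }}` and the matching `restore-keys` prefix) so the next runtime change cannot leave the Playwright browser cache pinned to an old set. Expect the first run after the rename to start cold, since no `node-24-playwright-` entry exists yet and the `restore-keys` prefix no longer matches the old entries.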
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/e2e-tests.yml around lines 84 - 86, The Playwright cache
key strings in the e2e-tests workflow are still using the old node runtime
namespace; update the cache key and restore-keys values that currently contain
"node-22" to "node-24" (i.e., replace the string "node-22-playwright-" in the
key and restore-keys entries), and scan the same workflow for any other
"node-22" occurrences to update them consistently so the cache namespace matches
the Node 24 runtime.
🧹 Nitpick comments (2)
.github/workflows/visual-test.yml (1)

4-4: Note: Workflow is currently disabled.

The Node version update on line 17 is correct, but this workflow won't run until the trigger is changed from branches: [never] to an active branch pattern. The upgrade will take effect when the workflow is re-enabled.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/visual-test.yml at line 4, The workflow is disabled by the
trigger "branches: [never]"; replace that line with an active branch pattern
(for example change branches: [never] to branches: [main] or branches: [main,
release/*]) or configure triggers under "on:" (e.g., on: push and/or
pull_request with branches) so the workflow actually runs; keep the Node version
change you already made on line 17 unchanged.
apps/arclight/Dockerfile (1)

1-34: ⚡ Quick win

Consider adding a non-root user for production security.

The Dockerfile runs as root, which is flagged by Trivy (DS-0002). While this is a pre-existing issue and outside the scope of this Node upgrade, production containers should run as a non-root user to limit the impact of potential container escapes or compromised processes.

🔒 Suggested enhancement to add non-root user
 FROM node:24-bullseye-slim

 EXPOSE 3000

 ARG SERVICE_VERSION=0.0.1
 ENV OTEL_RESOURCE_ATTRIBUTES="service.version=$SERVICE_VERSION"
 ENV VERCEL=true
 ENV PNPM_HOME="/usr/local/share/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"

 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
       build-essential \
       python3 \
       python3-pip \
       libcurl4-openssl-dev \
       postgresql-client && \
     rm -rf /var/lib/apt/lists/*

 WORKDIR /app
 COPY ./dist/apps/arclight .
 COPY ./libs/prisma/media/db ./prisma-media/db
 COPY ./libs/prisma/media/prisma.config.ts ./prisma-media/prisma.config.ts
 COPY ./libs/prisma/languages/db ./prisma-languages/db
 COPY ./libs/prisma/languages/prisma.config.ts ./prisma-languages/prisma.config.ts
 COPY ./apps/arclight/docker-entrypoint.sh ./docker-entrypoint.sh

 # dependencies
 RUN mkdir -p $PNPM_HOME && corepack enable && corepack prepare pnpm@10.33.2 --activate
 RUN pnpm add -g next
 RUN pnpm install --prod --silent
 RUN pnpm add sharp pino dd-trace next-logger `@prisma/client` `@prisma/adapter-pg` dotenv prisma --silent
+
+# Create non-root user and switch to it
+RUN groupadd -r nodeapp && useradd -r -g nodeapp nodeapp && \
+    chown -R nodeapp:nodeapp /app
+USER nodeapp
+
 ENTRYPOINT ["./docker-entrypoint.sh"]
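Review bot: `chown -R nodeapp:nodeapp /app` in the added `RUN` covers only the app tree; `$PNPM_HOME` (`/usr/local/share/pnpm`), where `pnpm add -g next` installed the global package, stays root-owned, so if `docker-entrypoint.sh` invokes pnpm it will fail to write there, and the user is created without `-s /usr/sbin/nologin`, which the accompanying agent prompt explicitly asks for. A recursive chown after `pnpm install` also duplicates the whole `/app` layer in the image; creating the user before the `COPY` steps and using `COPY --chown=nodeapp:nodeapp` avoids that. Suggest `RUN groupadd -r nodeapp && useradd -r -g nodeapp -s /usr/sbin/nologin nodeapp` and `chown -R nodeapp:nodeapp /app "$PNPM_HOME"`, and confirm `docker-entrypoint.sh` carries the execute bit, since the unprivileged user cannot chmod a root-owned file at runtime.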
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/arclight/Dockerfile` around lines 1 - 34, The Dockerfile currently runs
as root; add a non-root user and switch to it before ENTRYPOINT to satisfy Trivy
DS-0002. In the Dockerfile (near the end after creating directories and
installing deps but before ENTRYPOINT), create a group/user (e.g., groupadd/app
useradd or addgroup/adduser), chown the runtime directories (WORKDIR /app,
$PNPM_HOME and any copied prisma dirs) to that user, and add a USER <username>
line so the container runs unprivileged; keep ENTRYPOINT unchanged. Ensure the
created user is non-login (nologin) and has ownership of /app and PNPM_HOME so
pnpm and the app can run.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.devcontainer/Dockerfile:
- Line 2: The Dockerfile currently uses the deprecated namespace in the FROM
line; update the base image reference to the official namespace by changing the
FROM instruction that uses ARG VARIANT (the line starting with "FROM
mcr.microsoft.com/vscode/devcontainers/typescript-node:${VARIANT} AS base") to
use "mcr.microsoft.com/devcontainers/typescript-node:${VARIANT}" instead so the
build pulls the maintained Microsoft devcontainer image for Node 24.

In @.github/workflows/autofix.ci.yml:
- Around line 94-97: Update the inline comment that currently reads "lint (22)"
to match the matrix change to Node 24 so it reads "lint (24)"; specifically,
edit the comment block that mentions "Matrix `node-version: [24]`" and replace
the `lint (22)` reference with `lint (24)` so the comment accurately reflects
the new node-version/check name.

---

Outside diff comments:
In @.github/workflows/e2e-tests.yml:
- Around line 84-86: The Playwright cache key strings in the e2e-tests workflow
are still using the old node runtime namespace; update the cache key and
restore-keys values that currently contain "node-22" to "node-24" (i.e., replace
the string "node-22-playwright-" in the key and restore-keys entries), and scan
the same workflow for any other "node-22" occurrences to update them
consistently so the cache namespace matches the Node 24 runtime.

---

Nitpick comments:
In @.github/workflows/visual-test.yml:
- Line 4: The workflow is disabled by the trigger "branches: [never]"; replace
that line with an active branch pattern (for example change branches: [never] to
branches: [main] or branches: [main, release/*]) or configure triggers under
"on:" (e.g., on: push and/or pull_request with branches) so the workflow
actually runs; keep the Node version change you already made on line 17
unchanged.

In `@apps/arclight/Dockerfile`:
- Around line 1-34: The Dockerfile currently runs as root; add a non-root user
and switch to it before ENTRYPOINT to satisfy Trivy DS-0002. In the Dockerfile
(near the end after creating directories and installing deps but before
ENTRYPOINT), create a group/user (e.g., groupadd/app useradd or
addgroup/adduser), chown the runtime directories (WORKDIR /app, $PNPM_HOME and
any copied prisma dirs) to that user, and add a USER <username> line so the
container runs unprivileged; keep ENTRYPOINT unchanged. Ensure the created user
is non-login (nologin) and has ownership of /app and PNPM_HOME so pnpm and the
app can run.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 5d819484-199c-4eb7-b42c-4cba2333a791

📥 Commits

Reviewing files that changed from the base of the PR and between 1d09fa6 and d193d50.

📒 Files selected for processing (18)
  • .devcontainer/Dockerfile
  • .devcontainer/docker-compose.yml
  • .github/workflows/ai-build-spike.yml
  • .github/workflows/api-deploy-prod.yml
  • .github/workflows/api-deploy-stage.yml
  • .github/workflows/api-deploy-worker.yml
  • .github/workflows/app-deploy.yml
  • .github/workflows/autofix.ci.yml
  • .github/workflows/danger.yml
  • .github/workflows/e2e-tests.yml
  • .github/workflows/ecs-frontend-deploy-prod-worker.yml
  • .github/workflows/ecs-frontend-deploy-prod.yml
  • .github/workflows/ecs-frontend-deploy-stage-worker.yml
  • .github/workflows/ecs-frontend-deploy-stage.yml
  • .github/workflows/main.yml
  • .github/workflows/visual-test.yml
  • .github/workflows/worker-deploy.yml
  • apps/arclight/Dockerfile

Switch from the deprecated mcr.microsoft.com/vscode/devcontainers/
namespace to mcr.microsoft.com/devcontainers/. The legacy namespace
does not publish a typescript-node:24 tag; the maintained namespace
is the only one with Node 24 support.

Addresses PR review feedback.
mikeallisonJS (Collaborator, Author) commented

Review feedback addressed (402debc)

Fixed:

  • .devcontainer/Dockerfile:2 — switched the base image from the deprecated mcr.microsoft.com/vscode/devcontainers/typescript-node namespace to the maintained mcr.microsoft.com/devcontainers/typescript-node namespace. The legacy namespace does not publish a :24 tag.

Skipped (already resolved):

  • .github/workflows/autofix.ci.yml lint (22)/(24) comment — already addressed in commit 93e02cc.

csiyang
csiyang previously approved these changes May 12, 2026
stage-branch-merger commented

I see you added the "on stage" label, I'll get this merged to the stage branch!

stage-branch-merger commented

Merge conflict attempting to merge this into stage. Please fix manually.

@github-actions github-actions Bot temporarily deployed to Preview - journeys-admin May 12, 2026 21:58 Inactive
@github-actions github-actions Bot temporarily deployed to Preview - watch May 12, 2026 21:58 Inactive
@github-actions github-actions Bot temporarily deployed to Preview - short-links May 12, 2026 21:58 Inactive
@github-actions github-actions Bot temporarily deployed to Preview - videos-admin May 12, 2026 21:58 Inactive
@github-actions github-actions Bot temporarily deployed to Preview - resources May 12, 2026 21:58 Inactive

github-actions Bot commented May 12, 2026

The latest updates on your projects.

| Name | Status | Preview | Updated (UTC) |
|---|---|---|---|
| watch-modern | ✅ Ready | watch-modern preview | Wed May 13 10:26:59 NZST 2026 |


github-actions Bot commented May 12, 2026

The latest updates on your projects.

| Name | Status | Preview | Updated (UTC) |
|---|---|---|---|
| docs | ✅ Ready | docs preview | Wed May 13 10:27:19 NZST 2026 |


github-actions Bot commented May 12, 2026

The latest updates on your projects.

| Name | Status | Preview | Updated (UTC) |
|---|---|---|---|
| player | ✅ Ready | player preview | Wed May 13 10:27:14 NZST 2026 |


github-actions Bot commented May 12, 2026

The latest updates on your projects.

| Name | Status | Preview | Updated (UTC) |
|---|---|---|---|
| short-links | ✅ Ready | short-links preview | Wed May 13 10:26:50 NZST 2026 |


github-actions Bot commented May 12, 2026

The latest updates on your projects.

| Name | Status | Preview | Updated (UTC) |
|---|---|---|---|
| resources | ✅ Ready | resources preview | Wed May 13 10:27:17 NZST 2026 |


github-actions Bot commented May 12, 2026

The latest updates on your projects.

| Name | Status | Preview | Updated (UTC) |
|---|---|---|---|
| journeys | ✅ Ready | journeys preview | Wed May 13 10:26:58 NZST 2026 |


github-actions Bot commented May 12, 2026

The latest updates on your projects.

| Name | Status | Preview | Updated (UTC) |
|---|---|---|---|
| videos-admin | ✅ Ready | videos-admin preview | Wed May 13 10:27:11 NZST 2026 |


github-actions Bot commented May 12, 2026

The latest updates on your projects.

| Name | Status | Preview | Updated (UTC) |
|---|---|---|---|
| watch | ✅ Ready | watch preview | Wed May 13 10:27:57 NZST 2026 |

@github-actions github-actions Bot temporarily deployed to Preview - videos-admin May 12, 2026 22:24 Inactive
@github-actions github-actions Bot temporarily deployed to Preview - journeys May 12, 2026 22:24 Inactive
@github-actions github-actions Bot temporarily deployed to Preview - docs May 12, 2026 22:24 Inactive
@github-actions github-actions Bot temporarily deployed to Preview - journeys-admin May 12, 2026 22:24 Inactive
@github-actions github-actions Bot temporarily deployed to Preview - resources May 12, 2026 22:24 Inactive
@github-actions github-actions Bot temporarily deployed to Preview - short-links May 12, 2026 22:24 Inactive
@github-actions github-actions Bot temporarily deployed to Preview - player May 12, 2026 22:24 Inactive
@github-actions github-actions Bot temporarily deployed to Preview - watch May 12, 2026 22:24 Inactive
@github-actions github-actions Bot temporarily deployed to Preview - watch-modern May 12, 2026 22:24 Inactive