diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d2b67d8d6f..f5a3ccf005 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,6 +15,11 @@ jobs:
           - clang
         os:
           - ubuntu-22.04
+          - ubuntu-24.04
+        # temporary workaround for https://bugs.launchpad.net/ubuntu/+source/llvm-toolchain-18/+bug/2064187
+        exclude:
+          - compiler: clang
+            os: ubuntu-24.04
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout code
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index c43f3d9a45..f45597d61f 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -13,7 +13,7 @@ permissions:
   contents: read
 jobs:
   Fuzzing:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: github.repository == 'lxc/lxc'
     strategy:
       fail-fast: false
diff --git a/.github/workflows/commits.yml b/.github/workflows/commits.yml
index 5481a4ef07..7bc9c575d8 100644
--- a/.github/workflows/commits.yml
+++ b/.github/workflows/commits.yml
@@ -10,7 +10,7 @@ jobs:
     permissions:
       pull-requests: read  # for tim-actions/get-pr-commits to get list of commits from the PR
     name: Signed-off-by (DCO)
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
     - name: Get PR Commits
       id: 'get-pr-commits'
@@ -27,7 +27,7 @@ jobs:
     permissions:
       contents: none
     name: Branch target
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
     - name: Check branch target
       env:
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index d73d9301a7..d58b550687 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -8,7 +8,7 @@ permissions:
 
 jobs:
   test:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 773ae0c2aa..3ed652947a 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -7,7 +7,7 @@ permissions:
 
 jobs:
   test:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -26,4 +26,5 @@ jobs:
         run: |
           cd config/apparmor/
           ./lxc-generate-aa-rules.py container-rules.base > container-rules
+          cat abstractions/container-base.in container-rules > abstractions/container-base
           git diff --exit-code
diff --git a/src/lxc/storage/zfs.c b/src/lxc/storage/zfs.c
index 0047440447..521a9fd637 100644
--- a/src/lxc/storage/zfs.c
+++ b/src/lxc/storage/zfs.c
@@ -500,12 +500,20 @@ int zfs_clonepaths(struct lxc_storage *orig, struct lxc_storage *new,
 	 */
 	dataset_len = strlen(dataset);
 	len = 4 + dataset_len + 1 + strlen(cname) + 1;
+
+/* see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104069 */
+#pragma GCC diagnostic push
+#if defined __GNUC__ && __GNUC__ >= 12
+#pragma GCC diagnostic ignored "-Wuse-after-free"
+#endif
 	new->src = realloc(dataset, len);
 	if (!new->src) {
 		ERROR("Failed to reallocate memory");
 		free(dataset);
 		return -1;
 	}
+#pragma GCC diagnostic pop
+
 	memmove(new->src + 4, new->src, dataset_len);
 	memmove(new->src, "zfs:", 4);