chore: bump rust, yq, grpc-health-check, tfhe-rs and trivy

[dd23]

Description of changes

This PR bumps the rust toolchain to v1.94 stable.
Also bumps yq and grpc-health-check to fix security issues, and tfhe-rs to v1.5.3, and the trivy github action to v0.35.0.

Closes https://github.com/zama-ai/kms-internal/issues/2928

PR Checklist

I attest that all checked items are satisfied. Any deviation is clearly justified above.

• Title follows conventional commits (e.g. chore: ...).
• Tests added for every new pub item and test coverage has not decreased.
• Public APIs and non-obvious logic documented; unfinished work marked as TODO(#issue).
• unwrap/expect/panic only in tests or for invariant bugs (documented if present).
• No dependency version changes OR (if changed) only minimal required fixes.
• No architectural protocol changes OR linked spec PR/issue provided.
• No breaking deployment config changes OR devops label + infra notified + infra-team reviewer assigned.
• No breaking gRPC / serialized data changes OR commit marked with ! and affected teams notified.
• No modifications to existing versionized structs OR backward compatibility tests updated.
• No critical business logic / crypto changes OR ≥2 reviewers assigned.
• No new sensitive data fields added OR Zeroize + ZeroizeOnDrop implemented.
• No new public storage data OR data is verifiable (signature / digest).
• No unsafe; if unavoidable: minimal, justified, documented, and test/fuzz covered.
• Strongly typed boundaries: typed inputs validated at the edge; no untyped values or errors cross modules.
• Self-review completed.

Dependency Update Questionnaire for rust, yq, and grpc-health-check

1. Ownership changes or suspicious concentration? No
2. Low popularity? No
3. Unusual version jump? No
4. Lacking documentation? No
5. Missing CI? No
6. No security / disclosure policy? Yes for yq and grpc-health-probe, but security issues are actively fixed via regular Github issues.
7. Significant size increase? No

[github-actions]

Consolidated Tests Results 2026-03-09 - 17:25:42

Test Results

11 passed

Details

11 tests
not captured
junit-to-ctrf
build-and-test test-reporter #775
chore: bump rust to v1.94 stable, also bump yq, grpc-health-check, and tfhe-rs #455

test-reporter: Run #775

Tests 📝	Passed ✅	Failed ❌	Skipped ⏭️	Pending ⏳	Other ❓	Flaky 🍂	Duration ⏱️
11	11	0	0	0	0	0	not captured

🎉 All tests passed!

Tests

View All Tests

Test Name	Status	Flaky	Duration
nightly_full_gen_tests_k8s_default_threshld_sequential_crs	✅		33.0s
test_k8s_threshld_insecure	✅		3m 14s
k8s_test_crs_uniqueness	✅		33.0s
k8s_test_insecure_keygen_encrypt_and_public_decrypt	✅		3m 18s
k8s_test_insecure_keygen_encrypt_multiple_types	✅		3m 38s
k8s_test_keygen_and_crs	✅		3m 14s
k8s_test_keygen_uniqueness	✅		8m 51s
nightly_full_gen_tests_k8s_default_centralzd_sequential_crs	✅		1.7s
test_k8s_centralzd_insecure	✅		1m 1s
k8s_test_centralized_insecure	✅		1m 1s
nightly_full_gen_tests_default_k8s_centralized_sequential_crs	✅		1.7s

_{🍂 No flaky tests in this run.}

Github Test Reporter by CTRF 💚

🔄 This comment has been updated

[github-actions]

Vulnerability Scan Results

Details

Report Summary

┌───────────────────────────────────┬────────────┬─────────────────┬─────────┐
│              Target               │    Type    │ Vulnerabilities │ Secrets │
├───────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ base:latest (chainguard 20230214) │ chainguard │        0        │    -    │
├───────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ usr/bin/yq                        │  gobinary  │        0        │    -    │
└───────────────────────────────────┴────────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)