chore: bump all GitHub/Docker actions to latest major versions

[frostebite]

Summary

Bumps all action dependencies to their latest major versions, ahead of the June 2 2026 deadline when GitHub will force Node.js 24 for all actions.

All upgrades have been verified safe — no breaking changes affect current usage patterns in this repository.

Action	From	To
actions/checkout	v5	v6
actions/cache	v4	v5
actions/upload-artifact	v4	v5
actions/download-artifact	v4	v6
docker/build-push-action	v5	v7
docker/login-action	v3	v4
docker/setup-buildx-action	v3	v4
docker/setup-qemu-action	v3	v4

Also adds npm ecosystem to dependabot.yml so the report-to-backend action's package.json dependencies are tracked automatically.

Supersedes #247, #264, #265, #270, #274 (stale dependabot PRs that were already behind latest).

Files changed

All 13 workflow files + .github/dependabot.yml

Breaking change review

• docker/build-push-action v6-v7: Only change is Node 24 runtime + optional build summaries in job output (additive, no action needed)
• docker/login-action v4, setup-buildx-action v4, setup-qemu-action v4: Node 24 runtime only, no input/output changes
• actions/checkout v6: Node 24 runtime, credential storage moved to $RUNNER_TEMP (transparent)
• actions/cache v5: Node 24 runtime only
• actions/upload-artifact v5, download-artifact v6: Node 24 runtime, this repo downloads by name (not ID) so no breaking changes apply
• Minimum runner: v2.329.0+ (GitHub-hosted runners already satisfy this)

Test plan

• Verify the test.yml workflow passes on a PR build
• Monitor the next Ubuntu and Windows editor builds to confirm all steps succeed
• Close superseded dependabot PRs chore(deps): bump docker/build-push-action from 5 to 6 #247, chore(deps): bump actions/upload-artifact from 4 to 5 #264, chore(deps): bump actions/download-artifact from 4 to 6 #265, chore(deps): bump actions/checkout from 5 to 6 #270, chore(deps): bump actions/cache from 4 to 5 #274

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores

  • Updated GitHub Actions to latest versions across CI/CD workflows for improved performance and security.
  • Enhanced Dependabot configuration for npm dependency management.

• Bug Fixes

  • Improved Windows Docker service initialization with explicit startup verification.
  • Streamlined Unity Hub installation on Windows with direct CDN download method.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR performs a systematic upgrade of GitHub Actions versions across all CI/CD workflows, migrates Windows Hub installation from Chocolatey to PowerShell, adds Docker service startup handling for Windows builds, and configures Dependabot for npm dependency management in the report-to-backend actions directory.

Changes

CI/CD Infrastructure Upgrade

Layer / File(s)	Summary
Dependabot npm configuration .github/dependabot.yml	Adds npm dependency management for /.github/workflows/actions/report-to-backend on a weekly schedule.
actions/checkout v5 to v6 migration across workflows .github/workflows/main.yml, .github/workflows/new-ubuntu-*.yml, .github/workflows/new-windows-*.yml, .github/workflows/retry-*.yml, .github/workflows/test.yml	All workflow files upgrade checkout action from v5 to v6 consistently.
Docker tooling and artifact action version updates .github/workflows/new-ubuntu-base-image-requested.yml, .github/workflows/new-ubuntu-hub-image-requested.yml, .github/workflows/new-ubuntu-legacy-editor-image-requested.yml, .github/workflows/new-ubuntu-post-2019-2-editor-image-requested.yml, .github/workflows/retry-ubuntu-editor-image-requested.yml, .github/workflows/test.yml	Docker setup (QEMU, Buildx, login) actions upgrade from v3 to v4; build-push-action upgrades from v5 to v7; cache action upgrades from v4 to v5; artifact upload/download actions upgrade to v5/v6.
Windows Docker service startup requirement .github/workflows/test.yml	New PowerShell step ensures Docker service is running and polls docker version until ready on Windows builder.
Windows Hub Dockerfile installation migration images/windows/hub/Dockerfile	Replaces Chocolatey-based Unity Hub installation with direct PowerShell download and silent execution of UnityHubSetup-x64.exe from Unity CDN.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

• webbertakken
• GabLeRoux
• lazerwalker
• davidmfinol

Poem

🐰 The Actions flow, now fresh and bright,
With v6 and v7 in sight,
Docker tools and scripts align,
Windows Hub installation, so fine!
Infrastructure springs to life tonight! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: bumping GitHub and Docker actions to their latest major versions, which is the primary focus of the entire PR.
Description check	✅ Passed	The PR description is comprehensive and well-structured, including a clear summary, action version table, breaking change review, test plan, and file listing—far exceeding the template requirements.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/bump-action-versions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

[webbertakken]

This isn't always as simple as a bump in the action.
Especially for Cache it's been known to break in the past.

That said, if your agent checked all the upgrade notes we should be good

[frostebite]

Yes — each upgrade was cross-referenced against the actual release notes, changelogs, and action.yml diffs. Here's what we found:

actions/cache v4 → v5 (your main concern): As far as we can tell, the v4 and v5 action.yml inputs are identical — path, key, restore-keys, upload-chunk-size, enableCrossOsArchive, fail-on-cache-miss, lookup-only all appear unchanged. The only difference we see is the Node runtime bump (20 → 24). Our usage is the simplest possible pattern (path + key + restore-keys for buildx layer caching in the base/hub workflows) — which should be fully supported.

docker/build-push-action v5 → v7: We didn't find any removed inputs or changed defaults. The main addition is automatic build summaries in job output (cosmetic, added in v6). Two deprecated env vars were removed in v7 (DOCKER_BUILD_NO_SUMMARY, DOCKER_BUILD_EXPORT_RETENTION_DAYS) — neither appears to be used here.

docker/setup-buildx-action v3 → v4: Three deprecated inputs were removed (config, config-inline, install) — none of which seem to be used in our workflows. Our usages are either bare or driver: docker.

docker/login-action v3 → v4, docker/setup-qemu-action v3 → v4: Node runtime bump only as far as we can tell, no input/output changes found.

actions/checkout v5 → v6: Credential storage moved to $RUNNER_TEMP. Should be transparent for our usage (bare or fetch-depth: 0).

actions/upload-artifact v4 → v5, actions/download-artifact v4 → v6: Primarily Node runtime bumps. download-artifact v5 had a breaking change for downloads by artifact ID — we download by name only, so it shouldn't apply.

All workflows use GitHub-hosted runners (ubuntu-latest / windows-2022), which should already meet the runner v2.329.0+ requirement for all of these.

That said, if you've seen cache-specific issues with bumps in the past, we're happy to split that one out into a separate PR so it can be tested in isolation.

[webbertakken]

About the failures in CI, looks like that is a stale cache issue.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/new-windows-hub-image-requested.yml (1)

54-57: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Missing $ prefix in GitHub expression syntax.

Lines 54-57 are missing the $ prefix before {{ in the GitHub Actions expression syntax. This will prevent variable interpolation when the workflow is triggered via workflow_dispatch.

🐛 Proposed fix

 if ("${{ github.event.inputs.jobId }}")
 {
   # Workflow Dispatch
-  echo "jobId={{ github.event.inputs.jobId }}" >> $Env:GITHUB_OUTPUT
-  echo "repoVersionFull={{ github.event.inputs.repoVersionFull }}" >> $Env:GITHUB_OUTPUT
-  echo "repoVersionMinor={{ github.event.inputs.repoVersionMinor }}" >> $Env:GITHUB_OUTPUT
-  echo "repoVersionMajor={{ github.event.inputs.repoVersionMajor }}" >> $Env:GITHUB_OUTPUT
+  echo "jobId=${{ github.event.inputs.jobId }}" >> $Env:GITHUB_OUTPUT
+  echo "repoVersionFull=${{ github.event.inputs.repoVersionFull }}" >> $Env:GITHUB_OUTPUT
+  echo "repoVersionMinor=${{ github.event.inputs.repoVersionMinor }}" >> $Env:GITHUB_OUTPUT
+  echo "repoVersionMajor=${{ github.event.inputs.repoVersionMajor }}" >> $Env:GITHUB_OUTPUT
 } else

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/new-windows-hub-image-requested.yml around lines 54 - 57,
Update the GitHub Actions expression syntax used in the echo commands so the
input variables interpolate correctly: replace the bare {{
github.event.inputs.jobId }}, {{ github.event.inputs.repoVersionFull }}, {{
github.event.inputs.repoVersionMinor }}, and {{
github.event.inputs.repoVersionMajor }} with the proper expression form ${{
github.event.inputs.jobId }}, ${{ github.event.inputs.repoVersionFull }}, ${{
github.event.inputs.repoVersionMinor }}, and ${{
github.event.inputs.repoVersionMajor }} in the PowerShell echo lines that write
to $Env:GITHUB_OUTPUT (the echo statements shown in the diff).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/new-windows-hub-image-requested.yml:
- Around line 54-57: Update the GitHub Actions expression syntax used in the
echo commands so the input variables interpolate correctly: replace the bare {{
github.event.inputs.jobId }}, {{ github.event.inputs.repoVersionFull }}, {{
github.event.inputs.repoVersionMinor }}, and {{
github.event.inputs.repoVersionMajor }} with the proper expression form ${{
github.event.inputs.jobId }}, ${{ github.event.inputs.repoVersionFull }}, ${{
github.event.inputs.repoVersionMinor }}, and ${{
github.event.inputs.repoVersionMajor }} in the PowerShell echo lines that write
to $Env:GITHUB_OUTPUT (the echo statements shown in the diff).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7a305f04-7154-4cbc-bfe9-ab26c4db81b6

📥 Commits

Reviewing files that changed from the base of the PR and between fdb6473 and 455d76a.

📒 Files selected for processing (14)

• .github/dependabot.yml
• .github/workflows/main.yml
• .github/workflows/new-ubuntu-base-image-requested.yml
• .github/workflows/new-ubuntu-hub-image-requested.yml
• .github/workflows/new-ubuntu-legacy-editor-image-requested.yml
• .github/workflows/new-ubuntu-post-2019-2-editor-image-requested.yml
• .github/workflows/new-windows-base-image-requested.yml
• .github/workflows/new-windows-hub-image-requested.yml
• .github/workflows/new-windows-legacy-editor-image-requested.yml
• .github/workflows/new-windows-post-2019-2-editor-image-requested.yml
• .github/workflows/retry-ubuntu-editor-image-requested.yml
• .github/workflows/retry-windows-editor-image-requested.yml
• .github/workflows/test.yml
• images/windows/hub/Dockerfile