
⬆️(ci) upgrade GitHub Actions workflow steps to latest versions #297

Open
StephanMeijer wants to merge 1 commit into suitenumerique:main from StephanMeijer:feature/github-workflow-steps-update

@StephanMeijer StephanMeijer commented Feb 19, 2026

Purpose / Proposal

I was looking into adding Docker build support for linux/arm64 in several repositories of https://github.com/suitenumerique. During that, I noticed several repositories have outdated GitHub Workflow steps. This pull request has the purpose to update them.

External contributions

  • I have read and followed the contributing guidelines
  • I have read and agreed to the Code of Conduct
  • I have signed off my commits with git commit --signoff (DCO compliance)
  • I have signed my commits with my SSH or GPG key (git commit -S)
  • My commit messages follow the required format: <gitmoji>(type) title description
  • I have added a changelog entry under ## [Unreleased] section (if noticeable change)
  • I have added corresponding tests for new features or bug fixes (if applicable)

Testing happens when GitHub Workflows are being executed.


The creation of this pull request was done semi-automatically. I did automate a bunch, but I reviewed all changes manually to check if they are backwards compatible.

Summary by CodeRabbit

  • Chores
    • Upgraded CI/CD workflow tooling to newer action versions for improved stability and security.
    • Enabled stricter cache verification on restored frontend caches to surface cache misses earlier.
    • No user-facing functionality changes.


coderabbitai Bot commented Feb 19, 2026

Walkthrough

Updated GitHub Actions workflow references across multiple files: bumped actions/checkout (v4→v6), actions/setup-node (v4→v6), actions/cache (v4→v5), and actions/setup-python (v5→v6) where present; added fail-on-cache-miss: true to frontend cache restore steps. No control-flow changes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Conversation Workflows: .github/workflows/conversations-frontend.yml, .github/workflows/conversations.yml | Upgraded actions/checkout to @v6, actions/setup-node to @v6, actions/cache to @v5; added fail-on-cache-miss: true to restored frontend cache steps in conversations-frontend.yml. |
| Crowdin Integration Workflows: .github/workflows/crowdin_download.yml, .github/workflows/crowdin_upload.yml | Bumped actions/checkout to @v6, actions/setup-node to @v6, actions/cache to @v5, and actions/setup-python to @v6 where used; no other logic changes. |
| Container Build Workflow: .github/workflows/docker-hub.yml | Replaced actions/checkout@v4 with actions/checkout@v6 in build-and-push backend/frontend jobs; no other step changes. |
| Infrastructure & Utility Workflows: .github/workflows/dependencies.yml, .github/workflows/helmfile-linter.yaml, .github/workflows/release-helm-chart.yaml | Updated actions/checkout to @v6, actions/setup-node to @v6, and actions/cache to @v5 where present; workflows retain existing control flow. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and accurately describes the main change: upgrading GitHub Actions workflow steps to their latest versions across all workflow files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@StephanMeijer
Author

This PR relates to other PRs:

| Project | Pull Request |
|---|---|
| suitenumerique/calc | suitenumerique/calc#15 |
| suitenumerique/conversations | #297 |
| suitenumerique/docs | suitenumerique/docs#1902 |
| suitenumerique/e2esdk | suitenumerique/e2esdk#2 |
| suitenumerique/find | suitenumerique/find#55 |
| suitenumerique/projects | suitenumerique/projects#63 |
| suitenumerique/meet | suitenumerique/meet#984 |
| suitenumerique/meet-whisperx | suitenumerique/meet-whisperx#27 |
| suitenumerique/meet-kyutai-moshi-stt | suitenumerique/meet-kyutai-moshi-stt#3 |
| suitenumerique/hackdays | suitenumerique/hackdays#3 |
| suitenumerique/people | suitenumerique/people#1072 |
| suitenumerique/django-lasuite | suitenumerique/django-lasuite#63 |
| suitenumerique/ui-kit | suitenumerique/ui-kit#172 |
| suitenumerique/messages | suitenumerique/messages#555 |
| suitenumerique/drive | suitenumerique/drive#552 |
| suitenumerique/st-deploycenter | suitenumerique/st-deploycenter#39 |
| suitenumerique/st-home | suitenumerique/st-home#54 |
| suitenumerique/hackdays2025 | suitenumerique/hackdays2025#202 |


StephanMeijer commented Feb 19, 2026

✅ I manually reviewed this PR and it should work just fine.


@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
.github/workflows/docker-hub.yml (1)

24-26: Consider SHA-pinning action references for supply-chain security.

All action references in this PR use mutable major-version tags (e.g., @v6). For workflows that handle secrets and push to DockerHub, supply-chain security best practices recommend pinning to the specific commit SHA alongside the readable tag as a comment, so a tag reassignment cannot silently alter behavior.

🛡️ Example SHA-pinned reference pattern
-        uses: actions/checkout@v6
+        uses: actions/checkout@<SHA>  # v6.x.x
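Review bot: On the + line, `<SHA>` and `v6.x.x` are both placeholders, so the suggestion cannot be applied as written. Use the full commit SHA of one specific release and name that exact release in the trailing comment, so a reader can check that the hash and the tag agree.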
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker-hub.yml around lines 24 - 26, Replace mutable
action tags like actions/checkout@v6 with SHA-pinned references to the exact
commit to prevent silent changes; update the workflow entry that currently uses
actions/checkout@v6 to reference the full commit SHA for that release and add
the human-readable tag (e.g., `@v6`) as a comment for clarity, and do the same for
any other action usages in the file to ensure supply-chain integrity.
.github/workflows/conversations.yml (1)

96-96: astral-sh/setup-uv@v6 is behind the current recommendation of v7.

This is pre-existing and not changed in this PR, but since the PR is already aligning all actions to their latest major versions, it's worth considering bumping this too.

The official astral-sh documentation now recommends astral-sh/setup-uv@v7 for use with GitHub Actions.

♻️ Suggested bump (also applies to line 196)
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@v7
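Review bot: This - / + pair covers only the line 96 occurrence, while the heading says the bump also applies to line 196. Change both `astral-sh/setup-uv` references in the same commit so the workflow does not run two major versions side by side; the new `@v7` reference is still a tag, so the SHA-pinning point raised for `actions/checkout` applies here as well.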
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/conversations.yml at line 96, Update the GitHub Action
usage string `astral-sh/setup-uv@v6` to the recommended major version
`astral-sh/setup-uv@v7` in the workflow so it aligns with the current docs and
other action bumps in this PR; search for occurrences of `astral-sh/setup-uv@v6`
(including the second occurrence noted) and replace them with
`astral-sh/setup-uv@v7`.

@StephanMeijer
Author

added fail-on-cache-miss: true to cache restoration steps in conversations-frontend for stricter cache validation.

The bot @coderabbitai is mistaken. I did not add fail-on-cache-miss: true. This was already activated.


coderabbitai Bot commented Feb 19, 2026

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the diff for conversations-frontend.yml to verify if fail-on-cache-miss was already present
git diff origin/main...HEAD -- .github/workflows/conversations-frontend.yml | grep -C 5 "fail-on-cache-miss"

Length of output: 0


🏁 Script executed:

#!/bin/bash
# Get the full diff for conversations-frontend.yml to see what actually changed
git diff origin/main...HEAD -- .github/workflows/conversations-frontend.yml

Length of output: 2779


@StephanMeijer You're absolutely right, and I apologize for the error in the summary. Looking at the actual diff, the only changes made in .github/workflows/conversations-frontend.yml are version upgrades:

  • actions/checkout@v4 → actions/checkout@v6
  • actions/setup-node@v4 → actions/setup-node@v6
  • actions/cache@v4 → actions/cache@v5

The fail-on-cache-miss: true setting was already present in the file before your changes and was not modified in this PR. Thank you for catching and correcting this inaccuracy! 🐰

Update all GitHub Actions to their latest major versions for improved
performance, security patches, and Node.js runtime compatibility.

Signed-off-by: Stephan Meijer <me@stephanmeijer.com>
@StephanMeijer StephanMeijer force-pushed the feature/github-workflow-steps-update branch from b44cab2 to a77ab33 Compare February 23, 2026 10:51

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/crowdin_upload.yml (1)

23-23: Optional: Consider pinning action versions to immutable commit SHAs.

Major-version tags like @v5/@v6 are mutable — they can be silently updated by the upstream maintainer. Pinning to a full commit SHA (e.g. actions/checkout@<sha>) eliminates the risk of unexpected behaviour from a tag reassignment, at the cost of requiring manual updates.

Also applies to: 26-26, 36-36, 52-52, 58-58

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/crowdin_upload.yml at line 23, Replace mutable
major-version action refs with immutable commit SHAs: change uses:
actions/checkout@v6 and the other mutable refs at the same workflow (the actions
referenced at lines with uses entries for actions/checkout, actions/setup-node,
actions/upload-artifact, etc.) to their corresponding full commit SHAs; locate
the uses: entries for "actions/checkout@v6", the setup-node and other actions
mentioned and update each to a pinned commit (actions/<name>@<sha>) so the
workflow cannot change unexpectedly.

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b44cab2 and a77ab33.

📒 Files selected for processing (8)
  • .github/workflows/conversations-frontend.yml
  • .github/workflows/conversations.yml
  • .github/workflows/crowdin_download.yml
  • .github/workflows/crowdin_upload.yml
  • .github/workflows/dependencies.yml
  • .github/workflows/docker-hub.yml
  • .github/workflows/helmfile-linter.yaml
  • .github/workflows/release-helm-chart.yaml
🚧 Files skipped from review as they are similar to previous changes (4)
  • .github/workflows/crowdin_download.yml
  • .github/workflows/docker-hub.yml
  • .github/workflows/release-helm-chart.yaml
  • .github/workflows/conversations-frontend.yml
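
Both review comments above recommend pinning `uses:` references to a full commit SHA, with the readable tag kept as a trailing comment. The following is an added example, not part of this PR or of the project's code, that audits workflow text for that pattern; the function names, the sample workflow and its 40-character hashes are constructed for illustration.

```python
import re

# "uses: owner/repo[/path]@ref", with optional "- " list marker, quotes and trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*["']?([^\s"'#]+)["']?\s*(?:#\s*(.*))?$""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(target):
    """Return 'local', 'pinned' or 'mutable' for one uses: target."""
    if target.startswith("./"):
        return "local"    # action stored in the same repository as the workflow
    if target.startswith("docker://"):
        return "pinned" if "@sha256:" in target else "mutable"
    _, sep, ref = target.rpartition("@")
    if not sep:
        return "mutable"  # no ref given at all
    return "pinned" if FULL_SHA_RE.match(ref) else "mutable"

def audit_workflow(text):
    """List (line number, target, problem) for every uses: entry that needs attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), (m.group(2) or "").strip()
        status = classify(target)
        if status == "mutable":
            findings.append((lineno, target, "not pinned to a full commit SHA"))
        elif status == "pinned" and not comment:
            findings.append((lineno, target, "pinned, but no version comment"))
    return findings

# Constructed sample workflow; the 40-character hashes are placeholders, not real commits.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
      - name: Node
        uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v6.0.0
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: actions/checkout@0123456
"""

if __name__ == "__main__":
    for lineno, target, problem in audit_workflow(SAMPLE):
        print(f"line {lineno}: {target}: {problem}")
```

Run over each file under `.github/workflows/`, a non-empty result can be used to fail a CI check before a tag-based reference is merged.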

@StephanMeijer
Author

Rebased this branch on the latest target branch and force-pushed.
