ci: bump actions/cache to v5 and codecov/codecov-action to v6

[QuantumExplorer]

Issue being fixed or feature implemented

GitHub Actions emits Node.js 20 deprecation warnings on every CI run because we still pin actions/cache@v4 (Node 20) and codecov/codecov-action@v5 (also pulls in actions/github-script@v7/Node 20). Mirrors dashpay/rust-dashcore#741.

What was done?

• Bumped every reference of actions/cache@v4 (and the /save, /restore subpaths) to @v5 across the workflows in .github/workflows/ and the composite actions in .github/actions/.
• Bumped codecov/codecov-action@v5 to @v6 in .github/workflows/tests-rs-workspace.yml. v6 also brings in actions/github-script@v8, removing the second deprecation notice surfaced via the codecov step.

Both actions now run on Node.js 24.

How Has This Been Tested?

CI on this PR exercises every touched workflow / composite action.

Breaking Changes

None — caches keys are unchanged, so existing cache entries remain reusable.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests
• I have added "!" to the title and described breaking changes in the corresponding section if my code contains any
• I have made corresponding changes to the documentation if needed

For repository code-owners and collaborators only

• I have assigned this pull request to a milestone

Generated with Claude Code

Summary by CodeRabbit

Release Notes

• Chores
  • Updated GitHub Actions infrastructure dependencies to latest versions for improved caching and code coverage integration. No user-facing changes.

[coderabbitai]

Warning

Rate limit exceeded

@QuantumExplorer has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 24 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3a7364e3-801e-468e-8bdc-aba96a0a5837

📥 Commits

Reviewing files that changed from the base of the PR and between b032baf and fa9dd78.

📒 Files selected for processing (3)

• .github/actions/docker/action.yaml
• .github/workflows/swift-sdk-build.yml
• .github/workflows/swift-sdk-release.yml

📝 Walkthrough

Walkthrough

This pull request systematically upgrades GitHub Actions cache and tool dependencies across the repository. All actions/cache@v4 references are replaced with actions/cache@v5 in composite actions and workflows, and one Codecov upload step is upgraded from v5 to v6. Cache keys and paths remain unchanged.

Changes

GitHub Actions Dependency Versions

Layer / File(s)	Summary
Composite Actions - Cache Upgrades .github/actions/docker/action.yaml, .github/actions/librocksdb/action.yaml, .github/actions/local-network/action.yaml, .github/actions/nodejs/action.yaml, .github/actions/rust/action.yaml	Cargo, Yarn, librocksdb, Node.js, and Rust build caching steps switch from actions/cache@v4 to actions/cache@v5. All cache keys and paths remain unchanged.
Workflows - Cache & Tool Upgrades .github/workflows/swift-example-app-ui-smoke.yml, .github/workflows/swift-sdk-build.yml, .github/workflows/swift-sdk-release.yml, .github/workflows/tests-build-js.yml, .github/workflows/tests-dashmate.yml, .github/workflows/tests-rs-workspace.yml	Cache steps across Swift, iOS, and test workflows upgrade to actions/cache@v5; Codecov upload step upgrades to codecov/codecov-action@v6. No job logic, build steps, or cache configuration is changed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

Poem

A hop through the workflows, so neat and so clean,
From v4 caches to v5 they've been seen,
Each composite action now shiny and new,
With codecov updated, the tests march on through! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci: bump actions/cache to v5 and codecov/codecov-action to v6' accurately and concisely summarizes the main changes: updating GitHub Actions to newer versions across CI workflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/crazy-meninsky-724d89

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[thepastaclaw]

✅ Review complete (commit fa9dd78)

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/swift-sdk-build.yml (1)

9-9: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Verify self-hosted runner version supports actions/cache@v5.

actions/cache@v5 requires a minimum GitHub Actions runner version of 2.327.1 (uses Node.js 24 runtime). This workflow targets a [self-hosted, macOS, ARM64] runner (Line 9). Before deploying, ensure that runner is on version ≥ 2.327.1, otherwise the cache steps at lines 50, 67, and 91 will fail at runtime.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/swift-sdk-build.yml at line 9, The workflow uses a
self-hosted runner (runs-on: [self-hosted, macOS, ARM64]) together with
actions/cache@v5; ensure the runner's GitHub Actions runner version is >=
2.327.1 or change the workflow to use a supported cache action or hosted runner.
Specifically, either (a) verify and upgrade the self-hosted runner to >= 2.327.1
so actions/cache@v5 works for the cache steps that use actions/cache@v5, or (b)
pin cache steps to a compatible version (e.g., actions/cache@v4) or switch to a
GitHub-hosted runner to avoid runtime failures.

🧹 Nitpick comments (2)

.github/workflows/swift-sdk-build.yml (1)

133-133: ⚡ Quick win

actions/github-script@v7 uses Node.js 20, which is now deprecated — bump to v8.

GitHub Actions runners will force JavaScript actions to run on Node.js 24 by default starting June 2nd, 2026, and Node.js 20 will be fully removed in September 2026. Since this PR is already systematically removing Node.js runtime deprecation warnings, bumping this reference is a natural follow-on.

♻️ Proposed fix

-        uses: actions/github-script@v7
+        uses: actions/github-script@v8

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/swift-sdk-build.yml at line 133, Update the GitHub Actions
step that references actions/github-script@v7 to use the v8 tag to avoid Node.js
20 deprecation; locate the workflow step containing the string "uses:
actions/github-script@v7" and change it to the v8 release (e.g.,
actions/github-script@v8) so the action runs on a supported Node.js runtime.

.github/actions/docker/action.yaml (1)

154-154: ⚡ Quick win

actions/github-script@v6 uses Node.js 16, which is already deprecated — bump to v7 or v8.

actions/github-script@v6 runs on Node.js 16, and GitHub has deprecated Node.js 16 actions and will stop supporting them. Since this PR's stated goal is to eliminate Node.js runtime deprecation warnings, this reference is a gap: it emits a deprecation warning that is older than the Node.js 20 warnings being fixed everywhere else in the PR.

♻️ Proposed fix

-      uses: actions/github-script@v6
+      uses: actions/github-script@v7

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/actions/docker/action.yaml at line 154, The workflow currently pins
the GitHub Script action to "uses: actions/github-script@v6", which targets
Node.js 16 and triggers deprecation warnings; update that reference to a Node
18+ compatible release (e.g., actions/github-script@v7 or `@v8`) by replacing
"actions/github-script@v6" with the chosen newer major version and verify any
script inputs/behavior in the step using that action remain compatible (adjust
call signature or input names in the same workflow step if needed).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/swift-sdk-build.yml:
- Line 9: The workflow uses a self-hosted runner (runs-on: [self-hosted, macOS,
ARM64]) together with actions/cache@v5; ensure the runner's GitHub Actions
runner version is >= 2.327.1 or change the workflow to use a supported cache
action or hosted runner. Specifically, either (a) verify and upgrade the
self-hosted runner to >= 2.327.1 so actions/cache@v5 works for the cache steps
that use actions/cache@v5, or (b) pin cache steps to a compatible version (e.g.,
actions/cache@v4) or switch to a GitHub-hosted runner to avoid runtime failures.

---

Nitpick comments:
In @.github/actions/docker/action.yaml:
- Line 154: The workflow currently pins the GitHub Script action to "uses:
actions/github-script@v6", which targets Node.js 16 and triggers deprecation
warnings; update that reference to a Node 18+ compatible release (e.g.,
actions/github-script@v7 or `@v8`) by replacing "actions/github-script@v6" with
the chosen newer major version and verify any script inputs/behavior in the step
using that action remain compatible (adjust call signature or input names in the
same workflow step if needed).

In @.github/workflows/swift-sdk-build.yml:
- Line 133: Update the GitHub Actions step that references
actions/github-script@v7 to use the v8 tag to avoid Node.js 20 deprecation;
locate the workflow step containing the string "uses: actions/github-script@v7"
and change it to the v8 release (e.g., actions/github-script@v8) so the action
runs on a supported Node.js runtime.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 51ef53c8-bb3e-49ee-95ac-ac47e923cd8d

📥 Commits

Reviewing files that changed from the base of the PR and between b9ac843 and b032baf.

📒 Files selected for processing (11)

• .github/actions/docker/action.yaml
• .github/actions/librocksdb/action.yaml
• .github/actions/local-network/action.yaml
• .github/actions/nodejs/action.yaml
• .github/actions/rust/action.yaml
• .github/workflows/swift-example-app-ui-smoke.yml
• .github/workflows/swift-sdk-build.yml
• .github/workflows/swift-sdk-release.yml
• .github/workflows/tests-build-js.yml
• .github/workflows/tests-dashmate.yml
• .github/workflows/tests-rs-workspace.yml

[QuantumExplorer]

Pushed a8e6fcd addressing CodeRabbit's two actions/github-script nitpicks (and the same step in swift-sdk-release.yml for consistency, since that file is already in the PR). All bumped to @v8 (Node 24).

On the major comment about runner version: the failed macOS run already pulled actions/cache@v5 successfully on Runner version: 2.334.0, so the ≥2.327.1 floor is met on the current self-hosted runners.

The Rust workspace tests / Tests (macOS) failures are unrelated to this PR — three instant_asset_lock_proof tests panic with DecodingError("parse failed: data not consumed entirely when explicitly deserializing") in packages/rs-dpp/.../instant_asset_lock_proof.rs:421/435/466. This PR only touches .github/ workflow files and cannot affect Rust deserialization. The failures look like fallout from #3617 (rust-dashcore v0.42-dev bump), which didn't itself trigger the macOS Rust tests because no Rust code was modified by that PR's path filter — this is the first PR-side run that exercises them post-bump.

[QuantumExplorer]

Confirmed pre-existing breakage on v3.1-dev — not regression from this PR.

Reproduced locally on this worktree by checking out only v3.1-dev's instant_asset_lock_proof.rs and running:

```
cargo test -p dpp --lib instant_asset_lock_proof::tests
```

Same three tests fail with identical errors:

• `test_raw_instant_lock_proof_preserves_output_index` → `DecodingError("parse failed: data not consumed entirely when explicitly deserializing")` at line 435
• `test_raw_instant_lock_proof_round_trip` → same error at line 421
• `test_try_from_value_round_trip` → `SerdeDeserializationError` wrapping the same decode error at line 466

Bisecting the merged commits since the last green macOS run (#3607):

PR	Touches
#3617	rust-dashcore → v0.42-dev (428b60d)
#3606, #3607	drive shielded subtree refactor
#3612	swift-example-app

The instant_asset_lock_proof round-trip going from `InstantAssetLockProof` → `RawInstantLockProof` → `InstantAssetLockProof` decodes a raw `InstantLock`/`Transaction` produced by rust-dashcore. The "data not consumed entirely" error pattern is exactly what you'd expect if rust-dashcore's wire format added trailing bytes (e.g. a new field) without a corresponding update on the dpp side. So #3617 is the prime suspect.

This PR (.github/* only) cannot affect Rust deserialization. Suggest tracking the dpp/rust-dashcore mismatch in a separate fix PR; this CI bump shouldn't be blocked on it.

[thepastaclaw]

Code Review

I verified the checked-out merge commit fa9dd78671366d0510eaeb82ab75109a25a198cf directly rather than relying on the earlier CI-only summary. The substantive changes are in the platform-wallet persister fallback, Swift persistence callbacks, and wasm document token-payment plumbing, and I did not confirm any concrete correctness issue in the touched code. I also attempted targeted Rust validation, but workspace builds are currently blocked in this environment by tenderdash-proto trying to download Tenderdash sources with no network access; that limitation did not surface a code defect in the reviewed changes.

Reviewed commit: fa9dd78

[thepastaclaw]

Correction to my automated review summary above: the actual PR diff at fa9dd786 is limited to GitHub Actions maintenance (actions/cache v4→v5 and codecov/codecov-action v5→v6). The platform-wallet / Swift / wasm wording in the review summary came from inspecting the merge commit history rather than the PR diff and should be ignored. I did not find any actionable issue in the CI action-version changes.