chore: Custom GitHub runner image with Unreal docker pre-installed#1340

Draft
tustanivsky wants to merge 13 commits into
mainfrom
chore/custom-ue-image

Conversation

@tustanivsky tustanivsky commented Apr 14, 2026

Collaborator

This PR adds custom GitHub runner image generation workflows aimed at reducing CI times. Instead of pulling large Unreal Engine Docker images at the beginning of every job, they are pre-pulled and baked into reusable runner snapshots. As a result, build/test checks can start with the required Docker images already available locally, eliminating image download time and reducing network-related variability.

Custom Image Generation

Three dedicated, single-purpose image-builder workflows are introduced, each producing its own named snapshot:

Workflow                   Snapshot               Builder runner                         UE versions
custom-image-windows.yml   unreal-image-windows   unreal-image-creating-runner-windows   4.27, 5.5–5.7
custom-image-linux.yml     unreal-image-linux     unreal-image-creating-runner-linux     4.27, 5.2–5.7
custom-image-android.yml   unreal-image-android   unreal-image-creating-runner-linux     5.4–5.7

Each workflow runs on workflow_dispatch and a weekly schedule. During execution it:

  • Frees up disk space on the builder runner.
  • Authenticates with GHCR.
  • Pulls the required Docker images, logging available disk space after each pull.
  • Verifies that all expected images were pulled successfully.
  • Creates a GitHub Actions custom image snapshot from the prepared environment.

Custom image generation runner specs:

  • 8 CPU cores
  • 32GB RAM
  • 300 GB SSD
  • x64 arch

Benchmarks and Estimated Cost

  • TODO

Other Considerations

  • TODO

#skip-changelog

github-actions Bot commented Apr 14, 2026

Contributor

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


Bug Fixes 🐛

  • Prevent potential script injection in crash-reporter-build workflow by fix-it-felix-sentry in #1324

Internal Changes 🔧

Deps

  • Update Native SDK to v0.13.6 by github-actions in #1339
  • Update Android Gradle Plugin to v6.4.0 by github-actions in #1338
  • Update Cocoa SDK to v9.10.0 by github-actions in #1335
  • Update Java SDK to v8.38.0 by github-actions in #1336
  • Update Native SDK to v0.13.5 by github-actions in #1334
  • Update Cocoa SDK to v9.9.0 by github-actions in #1332
  • Update CLI to v3.3.5 by github-actions in #1323

Other

  • Custom GitHub runner image with Unreal docker pre-installed by tustanivsky in #1340
  • Update validate-pr workflow by stephanie-anderson in #1328

Other

  • Fix intermittent crash when capturing screenshots due to invalid viewport by tustanivsky in #1331
  • Suppress superfluous warnings when detecting for SteamOS by yangskyboxlabs in #1326
  • Add out-of-process screenshot capturing on Windows by tustanivsky in #1325

🤖 This preview updates automatically when you update the PR.

@tustanivsky tustanivsky changed the title Add consent-aware offline caching chore: Custom GitHub runner image with Unreal docker pre-installed Apr 14, 2026
@tustanivsky tustanivsky force-pushed the chore/custom-ue-image branch from 4880a84 to c6300ce on June 10, 2026 12:39
@tustanivsky tustanivsky force-pushed the chore/custom-ue-image branch from b1c447a to 8c5dfb4 on June 15, 2026 08:12

```yaml
on:
  push:
  workflow_dispatch:
```


Unfiltered push trigger runs branch-controlled scripts on snapshot-persistent self-hosted image runners

The custom-image-* workflows trigger on any push with no branches: filter, check out the pushed ref, and run repo-local scripts (./scripts/clean-storage-linux.sh / clean-storage-win.ps1) on persistent self-hosted runners (unreal-image-creating-runner-*) whose disk is captured via snapshot: into a base image reused by future jobs. A contributor with write access can push a modified script to any feature branch to execute code on the runner before the snapshot boundary, persistently poisoning every downstream runner image. Add a branches: [main] filter so only trusted refs build the images.

Evidence
  • on: push in custom-image-android.yml and custom-image-windows.yml has no branches: filter, so any push to any branch triggers the workflow.
  • The Free up disk space step runs ./scripts/clean-storage-linux.sh / clean-storage-win.ps1 directly from the checked-out ref, so a modified script on the pushed branch executes verbatim on the runner.
  • runs-on: unreal-image-creating-runner-linux/-windows with snapshot: unreal-image-* indicates the runner state is captured into a reusable base image, so pre-snapshot code execution persists into future images.
  • Precondition: the push trigger only fires for repository write-access users (not forks), limiting the actor to trusted collaborators, which bounds impact.

Identified by Warden security-review · 9HZ-CTN
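As an added example, not the workflow from this PR or any other code in the project: one way to write the builder that the PR description's five steps (free disk, authenticate with GHCR, pull and log disk space, verify, snapshot) sketch, with the `branches: [main]` filter the review comment above asks for. Everything named here is an assumption: the `runs-on`/`snapshot:` shape is taken from the review comment's description of the workflow, the image names and digests are placeholders, and the scripts under `./scripts/` are referenced only because the PR says they exist. The example also goes one step beyond the fix requested in review by pulling each image by digest and checking that the local copy carries that digest, so the snapshot cannot silently absorb a re-pushed upstream tag.

```yaml
# Added example only; not the workflow from PR #1340. The runs-on/snapshot
# shape follows what the review comment describes; image names, digests and
# the cron expression are placeholders.
name: custom-image-linux

on:
  workflow_dispatch:
  schedule:
    - cron: "0 3 * * 1"          # weekly rebuild, as the PR description says
  push:
    branches: [main]             # the fix requested in review: no feature-branch builds

permissions:
  contents: read
  packages: read                 # pull-only access to GHCR; nothing to write

jobs:
  build-image:
    runs-on:
      labels: unreal-image-creating-runner-linux
      snapshot: unreal-image-linux   # runner disk is captured into this image (the "snapshot boundary")
    env:
      # "<tag> <digest>" pairs (placeholders). Pinning the digest means a
      # re-pushed upstream tag cannot change what gets baked into the snapshot.
      IMAGES: |
        ghcr.io/example/unreal-engine:5.7 sha256:REPLACE_WITH_PINNED_DIGEST
        ghcr.io/example/unreal-engine:5.6 sha256:REPLACE_WITH_PINNED_DIGEST
    steps:
      - uses: actions/checkout@v4      # pin to a full commit SHA in production

      # Step 1: free up disk space. Because of the branches: filter above,
      # this script now only ever comes from main, never from a feature branch.
      - name: Free up disk space
        run: ./scripts/clean-storage-linux.sh

      # Step 2: authenticate with GHCR using the job token rather than a
      # long-lived PAT (the action's post-job step logs out by default, so
      # the login does not linger on the captured disk).
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Step 3: pull each image by digest, re-tag it so downstream jobs can
      # reference the familiar tag, and log remaining disk space after each pull.
      - name: Pull Unreal images
        shell: bash
        run: |
          set -euo pipefail
          while read -r tag digest; do
            [ -z "$tag" ] && continue
            repo="${tag%:*}"
            docker pull "${repo}@${digest}"
            docker tag "${repo}@${digest}" "$tag"
            df -h / | tail -n 1
          done <<< "$IMAGES"

      # Step 4: verify every expected image is present locally and that the
      # local copy carries the pinned digest; fail the job (and so the
      # snapshot) otherwise.
      - name: Verify pulled images
        shell: bash
        run: |
          set -euo pipefail
          status=0
          while read -r tag digest; do
            [ -z "$tag" ] && continue
            repo="${tag%:*}"
            if docker image inspect --format '{{join .RepoDigests " "}}' "$tag" 2>/dev/null \
                 | grep -Fq "${repo}@${digest}"; then
              echo "ok      $tag"
            else
              echo "MISSING $tag ($digest)"
              status=1
            fi
          done <<< "$IMAGES"
          exit "$status"
      # Step 5: with snapshot: set on runs-on, the prepared disk becomes the
      # reusable image; nothing in this job may run untrusted input before here.
```

Two points worth keeping in mind when adapting this: the `push` filter bounds who can shape the snapshot to whatever protects `main` (branch protection and required review), so the guard is only as strong as that policy; and the digest list becomes the thing to review on every change, since it is the single place where what lands in every future runner image is decided.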
