From ec1bab71c58b412a161cef0a24591c6de86ac88b Mon Sep 17 00:00:00 2001 From: Zack Koppert Date: Wed, 22 Apr 2026 17:41:31 -0700 Subject: [PATCH 1/5] release: bump version to 6.0.0 Breaking change: Drop support for Ruby < 3.3 - Ruby 3.1 reached EOL March 2025 - Ruby 3.2 reaches EOL March 2026 - Minimum required Ruby version is now 3.3.0 See HISTORY.md for full changelog. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Zack Koppert --- HISTORY.md | 25 +++++++++++++++++++++++++ lib/github-markup.rb | 2 +- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index 745a9c1b..3464e303 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,3 +1,28 @@ +## 6.0.0 - 2026-04-22 + +### Breaking + +* Drop support for Ruby < 3.3 (Ruby 3.1 EOL March 2025, Ruby 3.2 EOL March 2026) + +### Security + +* Use HTTPS for cpanminus download in CI to prevent MITM attacks [#2050](https://github.com/github/markup/pull/2050) +* Bump nokogiri to >= 1.19.1 to fix GHSA-wx95-c6cv-8532 +* Harden CI pip install with `--require-hashes --no-deps` + +### Bug Fixes + +* Fix RST section ID rendering to iterate all anchors instead of only the first [040f91d](https://github.com/github/markup/commit/040f91d) + +### Infrastructure + +* Remove legacy Dockerfile and .dockerignore (Ubuntu Trusty, non-functional) [#2048](https://github.com/github/markup/pull/2048) +* Add Ruby 4.0 to CI test matrix +* Bump nokogiri to 1.19.2, activesupport to 7.2.3.1 +* Bump github-linguist from 7.30.0 to 9.1.0 +* Pin GitHub Actions to commit SHAs for supply chain hardening +* Add Dependabot configuration for automated dependency updates + ## 5.0.1 - 2024-06-17 * Bump activesupport from 4.0 to 7.1.3.4 diff --git a/lib/github-markup.rb b/lib/github-markup.rb index 7c36ad17..bd470da1 100644 --- a/lib/github-markup.rb +++ b/lib/github-markup.rb @@ -1,6 +1,6 @@ module GitHub module Markup - VERSION = '5.0.1' + VERSION = '6.0.0' Version = VERSION end end 
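Review bot: in the HISTORY.md hunk the new 6.0.0 section records nokogiri twice, once under Security as `Bump nokogiri to >= 1.19.1 to fix GHSA-wx95-c6cv-8532` and again under Infrastructure as `Bump nokogiri to 1.19.2, activesupport to 7.2.3.1`; merge these into a single Security entry that names the final pinned version (1.19.2) together with the advisory, so a reader checking the advisory does not have to reconcile two versions. Separately, the Breaking entry and the commit message say the minimum Ruby is now 3.3.0, but the stat line shows only HISTORY.md and lib/github-markup.rb changed, so confirm the gemspec's `required_ruby_version` was raised in another commit; otherwise nothing enforces the new minimum at install time.

Review bot: in the lib/github-markup.rb hunk the bump to `VERSION = '6.0.0'` is not paired with the matching Gemfile.lock change; the lockfile's `github-markup (5.0.1)` line under `PATH` still names the old version, which is exactly what patch 2/5 has to fix because, as its message notes, bundler in deployment mode fails in CI when the lockfile disagrees with the gemspec. Fold the Gemfile.lock update into this commit so every commit in the series is green on its own.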
From 31e8db3ef5882fa394a637112a09b40c2cec708c Mon Sep 17 00:00:00 2001 From: Zack Koppert Date: Wed, 22 Apr 2026 17:49:30 -0700 Subject: [PATCH 2/5] Update Gemfile.lock for version 6.0.0 The gemspec version was bumped to 6.0.0 but Gemfile.lock still referenced 5.0.1, causing bundler deployment mode to fail in CI. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Zack Koppert --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 525e2c94..2c39c2ab 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -9,7 +9,7 @@ GIT PATH remote: . specs: - github-markup (5.0.1) + github-markup (6.0.0) GEM remote: https://rubygems.org/ From 4007cd165210e5c889f48c91326ed68505403725 Mon Sep 17 00:00:00 2001 From: Zack Koppert Date: Thu, 23 Apr 2026 07:50:43 -0700 Subject: [PATCH 3/5] Fix changelog accuracy from multi-model review - Correct github-linguist version: 9.1.0 -> 9.3.0 - Note Ruby 3.2 removal from CI matrix alongside 4.0 addition - Add PR link for pip install hardening (#2048) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Zack Koppert --- HISTORY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index 3464e303..97179d6b 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -8,7 +8,7 @@ * Use HTTPS for cpanminus download in CI to prevent MITM attacks [#2050](https://github.com/github/markup/pull/2050) * Bump nokogiri to >= 1.19.1 to fix GHSA-wx95-c6cv-8532 -* Harden CI pip install with `--require-hashes --no-deps` +* Harden CI pip install with `--require-hashes --no-deps` [#2048](https://github.com/github/markup/pull/2048) ### Bug Fixes 
@@ -17,9 +17,9 @@ ### Infrastructure * Remove legacy Dockerfile and .dockerignore (Ubuntu Trusty, non-functional) [#2048](https://github.com/github/markup/pull/2048) -* Add Ruby 4.0 to CI test matrix +* Update CI test matrix: drop Ruby 3.2, add Ruby 4.0 (now testing 3.3, 3.4, 4.0) * Bump nokogiri to 1.19.2, activesupport to 7.2.3.1 -* Bump github-linguist from 7.30.0 to 9.1.0 +* Bump github-linguist from 7.30.0 to 9.3.0 * Pin GitHub Actions to commit SHAs for supply chain hardening * Add Dependabot configuration for automated dependency updates From 4b0c3a9193bd4157c870499ca6102a2cf1edf6b0 Mon Sep 17 00:00:00 2001 From: Zack Koppert Date: Mon, 4 May 2026 17:20:34 -0700 Subject: [PATCH 4/5] docs: update changelog date to 2026-05-04 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Zack Koppert --- HISTORY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index 97179d6b..127f4a30 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,4 +1,4 @@ -## 6.0.0 - 2026-04-22 +## 6.0.0 - 2026-05-04 ### Breaking From 069a41b06fc6a338a86daee14a4277a370f1c7c1 Mon Sep 17 00:00:00 2001 From: Zack Koppert Date: Mon, 4 May 2026 17:31:35 -0700 Subject: [PATCH 5/5] fix: complete changelog and pin actions/stale to SHA - Add missing security fixes: RubyGems HTTPS (#1854), CI permissions (#1855), rexml bumps - Add missing community PRs: spelling fixes (#1479), Textile link (#1703) - Clarify linguist version bump history - Add Dependabot CI action bumps catch-all entry - Pin actions/stale to commit SHA for supply chain hardening Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Zack Koppert --- .github/workflows/stale.yml | 2 +- HISTORY.md | 13 +++++++++++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 1eda4efa..cecd9d5e 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
@@ -12,7 +12,7 @@ jobs: pull-requests: write steps: - - uses: actions/stale@v10.2.0 + - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: > diff --git a/HISTORY.md b/HISTORY.md index 127f4a30..33c1ea2e 100644 --- a/HISTORY.md +++ b/HISTORY.md 
@@ -9,19 +9,28 @@ * Use HTTPS for cpanminus download in CI to prevent MITM attacks [#2050](https://github.com/github/markup/pull/2050) * Bump nokogiri to >= 1.19.1 to fix GHSA-wx95-c6cv-8532 * Harden CI pip install with `--require-hashes --no-deps` [#2048](https://github.com/github/markup/pull/2048) +* Use HTTPS for RubyGems source URL in Gemfile [#1854](https://github.com/github/markup/pull/1854) +* Add explicit `contents: read` permissions to CI workflow [#1855](https://github.com/github/markup/pull/1855) +* Bump rexml from 3.3.0 to 3.3.9 (multiple security fixes) ### Bug Fixes * Fix RST section ID rendering to iterate all anchors instead of only the first [040f91d](https://github.com/github/markup/commit/040f91d) +### Documentation + +* Fix spelling errors in codebase [#1479](https://github.com/github/markup/pull/1479) +* Fix broken Textile language link in README [#1703](https://github.com/github/markup/pull/1703) + ### Infrastructure * Remove legacy Dockerfile and .dockerignore (Ubuntu Trusty, non-functional) [#2048](https://github.com/github/markup/pull/2048) * Update CI test matrix: drop Ruby 3.2, add Ruby 4.0 (now testing 3.3, 3.4, 4.0) * Bump nokogiri to 1.19.2, activesupport to 7.2.3.1 -* Bump github-linguist from 7.30.0 to 9.3.0 -* Pin GitHub Actions to commit SHAs for supply chain hardening +* Bump github-linguist from 7.30.0 to 9.1.0, then to 9.3.0 +* Pin all GitHub Actions to commit SHAs for supply chain hardening * Add Dependabot configuration for automated dependency updates +* Various Dependabot bumps for CI actions (ruby/setup-ruby, actions/checkout, actions/cache, actions/setup-python, actions/stale) ## 5.0.1 - 2024-06-17 * Bump activesupport from 4.0 to 7.1.3.4
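Review bot: in the .github/workflows/stale.yml hunk the pin to `actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0` has the right shape: a full 40-character commit SHA rather than an abbreviated one, with the release recorded in the trailing comment. Keep that comment in exactly this `# vX.Y.Z` form, since it is the only human-readable record of which release the SHA corresponds to and is what Dependabot rewrites when it later bumps the pin. Before merging, verify that the SHA is the commit the `v10.2.0` tag of actions/stale resolves to (for example `git ls-remote --tags https://github.com/actions/stale v10.2.0`, peeling the annotated tag if one is shown), because a pin to the wrong commit silently locks in a different version while the comment claims otherwise.

Review bot: in the HISTORY.md hunk the entry `Bump rexml from 3.3.0 to 3.3.9 (multiple security fixes)` is the only Security item without a PR link or advisory identifier; add the GHSA ids or the Dependabot PR numbers so it is as verifiable as its neighbours. The same hunk also widens `Pin GitHub Actions to commit SHAs` to `Pin all GitHub Actions to commit SHAs`, yet this patch pins only actions/stale; confirm that ruby/setup-ruby, actions/checkout, actions/cache and actions/setup-python, all named in the new catch-all Dependabot line, are already SHA-pinned in the other workflows, or drop the word "all".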