From d0f798a939f45f715fbe4eb0bda1e3c07450d1ee Mon Sep 17 00:00:00 2001 From: Zack Koppert Date: Wed, 22 Apr 2026 17:41:31 -0700 Subject: [PATCH 1/3] release: bump version to 6.0.0 Breaking change: Drop support for Ruby < 3.3 - Ruby 3.1 reached EOL March 2025 - Ruby 3.2 reaches EOL March 2026 - Minimum required Ruby version is now 3.3.0 See HISTORY.md for full changelog. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Zack Koppert --- HISTORY.md | 25 +++++++++++++++++++++++++ lib/github-markup.rb | 2 +- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index 745a9c1b..3464e303 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,3 +1,28 @@ +## 6.0.0 - 2026-04-22 + +### Breaking + +* Drop support for Ruby < 3.3 (Ruby 3.1 EOL March 2025, Ruby 3.2 EOL March 2026) + +### Security + +* Use HTTPS for cpanminus download in CI to prevent MITM attacks [#2050](https://github.com/github/markup/pull/2050) +* Bump nokogiri to >= 1.19.1 to fix GHSA-wx95-c6cv-8532 +* Harden CI pip install with `--require-hashes --no-deps` + +### Bug Fixes + +* Fix RST section ID rendering to iterate all anchors instead of only the first [040f91d](https://github.com/github/markup/commit/040f91d) + +### Infrastructure + +* Remove legacy Dockerfile and .dockerignore (Ubuntu Trusty, non-functional) [#2048](https://github.com/github/markup/pull/2048) +* Add Ruby 4.0 to CI test matrix +* Bump nokogiri to 1.19.2, activesupport to 7.2.3.1 +* Bump github-linguist from 7.30.0 to 9.1.0 +* Pin GitHub Actions to commit SHAs for supply chain hardening +* Add Dependabot configuration for automated dependency updates + ## 5.0.1 - 2024-06-17 * Bump activesupport from 4.0 to 7.1.3.4 diff --git a/lib/github-markup.rb b/lib/github-markup.rb index 7c36ad17..bd470da1 100644 --- a/lib/github-markup.rb +++ b/lib/github-markup.rb @@ -1,6 +1,6 @@ module GitHub module Markup - VERSION = '5.0.1' + VERSION = '6.0.0' Version = VERSION end end 
From 90abb8c992e035785c116a5e892aa4bead37b0fb Mon Sep 17 00:00:00 2001 From: Zack Koppert Date: Wed, 22 Apr 2026 17:49:30 -0700 Subject: [PATCH 2/3] Update Gemfile.lock for version 6.0.0 The gemspec version was bumped to 6.0.0 but Gemfile.lock still referenced 5.0.1, causing bundler deployment mode to fail in CI. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Zack Koppert --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 525e2c94..2c39c2ab 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -9,7 +9,7 @@ GIT PATH remote: . specs: - github-markup (5.0.1) + github-markup (6.0.0) GEM remote: https://rubygems.org/ From 545c0fd6350833254879431ca52aeb2a1bbba578 Mon Sep 17 00:00:00 2001 From: Zack Koppert Date: Thu, 23 Apr 2026 07:50:43 -0700 Subject: [PATCH 3/3] Fix changelog accuracy from multi-model review - Correct github-linguist version: 9.1.0 -> 9.3.0 - Note Ruby 3.2 removal from CI matrix alongside 4.0 addition - Add PR link for pip install hardening (#2048) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Zack Koppert --- HISTORY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index 3464e303..97179d6b 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -8,7 +8,7 @@ * Use HTTPS for cpanminus download in CI to prevent MITM attacks [#2050](https://github.com/github/markup/pull/2050) * Bump nokogiri to >= 1.19.1 to fix GHSA-wx95-c6cv-8532 -* Harden CI pip install with `--require-hashes --no-deps` +* Harden CI pip install with `--require-hashes --no-deps` [#2048](https://github.com/github/markup/pull/2048) ### Bug Fixes 
@@ -17,9 +17,9 @@ ### Infrastructure * Remove legacy Dockerfile and .dockerignore (Ubuntu Trusty, non-functional) [#2048](https://github.com/github/markup/pull/2048) -* Add Ruby 4.0 to CI test matrix +* Update CI test matrix: drop Ruby 3.2, add Ruby 4.0 (now testing 3.3, 3.4, 4.0) * Bump nokogiri to 1.19.2, activesupport to 7.2.3.1 -* Bump github-linguist from 7.30.0 to 9.1.0 +* Bump github-linguist from 7.30.0 to 9.3.0 * Pin GitHub Actions to commit SHAs for supply chain hardening * Add Dependabot configuration for automated dependency updates
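Review bot: In PATCH 1/3, the new 6.0.0 section of HISTORY.md lists nokogiri twice with different versions: `Bump nokogiri to >= 1.19.1 to fix GHSA-wx95-c6cv-8532` under Security and `Bump nokogiri to 1.19.2, activesupport to 7.2.3.1` under Infrastructure. A reader checking whether they have the advisory fix cannot tell whether 1.19.1 is the constraint floor and 1.19.2 the resolved version, or whether these were two separate bumps. Suggest stating that relationship in one place, and giving the advisory entry a PR or commit link the way the cpanminus and RST entries have one.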
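Review bot: In PATCH 1/3, the `VERSION = '6.0.0'` change in lib/github-markup.rb is the only code change behind a commit message that says the minimum required Ruby version is now 3.3.0; the diffstat covers HISTORY.md and lib/github-markup.rb only, so nothing in this patch enforces that minimum. If the gemspec's `required_ruby_version` was not already raised in an earlier commit, it should be raised here, otherwise the breaking change is documented but an install on Ruby 3.1 or 3.2 is not refused. If it was raised earlier, a reference to that commit in the message would make this verifiable from the release commit.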
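Review bot: In PATCH 2/3, the Gemfile.lock change from `github-markup (5.0.1)` to `github-markup (6.0.0)` belongs in the same commit as the VERSION bump in PATCH 1/3. By this patch's own message, the tree at 1/3 fails bundler deployment mode in CI, so that commit is a broken point for bisecting and for anyone who checks out the release commit itself. Suggest squashing 2/3 into 1/3 before merge.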
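Review bot: In PATCH 3/3, first HISTORY.md hunk, the pip hardening entry now links `[#2048](https://github.com/github/markup/pull/2048)`, which is the same PR the Infrastructure section links for removing the legacy Dockerfile and .dockerignore. Please confirm that #2048 really carried both changes; if it did, a short note that one PR covers both would stop the duplicate link from reading as a copy-paste slip. The nokogiri advisory line directly above is still the only Security entry without a link.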
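Review bot: In PATCH 3/3, second HISTORY.md hunk, the corrected line `Bump github-linguist from 7.30.0 to 9.3.0` cannot be checked against anything in this series, since the Gemfile.lock hunk in 2/3 touches only the github-markup line. Suggest linking the PR or commit that made the bump, as other entries do, so the next version correction is not needed. Because this hunk and the one before it only fix entries introduced in 1/3, consider squashing 3/3 into 1/3 so the release history never records 9.1.0.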