From b79964adeb1d95a40aad9282f631932eca82a105 Mon Sep 17 00:00:00 2001 From: lferreira Date: Mon, 22 Jun 2026 10:12:05 +0100 Subject: [PATCH 1/3] Upgrade excon >= 1.5.0 to address CVE-2026-54171 (breaking: drops Ruby < 3.1) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit excon 1.5.0 fixes GHSA-48rx-c7pg-q66r (medium — header redaction on redirects) but requires Ruby >= 3.1. This drops support for Ruby 2.6, 2.7, and 3.0, all of which are end-of-life. Changes: - gemspec: excon ~> 0.39 → >= 1.5.0, required_ruby_version >= 3.1 - CI matrix: 2.6/2.7/3.0 → 3.1/3.2/3.3 - gem-push workflow: Ruby 2.6 → 3.1
---
.github/workflows/gem-push.yml | 6 +++--- .github/workflows/ruby.yml | 2 +- postcodes_io.gemspec | 3 ++- 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/gem-push.yml b/.github/workflows/gem-push.yml
index f82f088..c9c5d7a 100644
--- a/.github/workflows/gem-push.yml
+++ b/.github/workflows/gem-push.yml
@@ -14,10 +14,10 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Set up Ruby 2.6 - uses: actions/setup-ruby@v1 + - name: Set up Ruby 3.1 + uses: ruby/setup-ruby@v1 with: - ruby-version: 2.6.x + ruby-version: 3.1 - name: Publish to GPR run: |
diff --git a/.github/workflows/ruby.yml b/.github/workflows/ruby.yml
index e26f6ed..29d3bbd 100644
--- a/.github/workflows/ruby.yml
+++ b/.github/workflows/ruby.yml
@@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - ruby-version: ['2.6', '2.7', '3.0'] + ruby-version: ['3.1', '3.2', '3.3'] steps: - uses: actions/checkout@v2
diff --git a/postcodes_io.gemspec b/postcodes_io.gemspec
index 85c7143..9078f58 100644
--- a/postcodes_io.gemspec
+++ b/postcodes_io.gemspec
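Review bot: `uses: ruby/setup-ruby@v1` in the gem-push.yml hunk references a mutable tag of a third-party action, and this is the publishing job (the context in PATCH 3/3 shows it under `packages: write`), so whatever the tag points to at run time executes with that job's token permissions. Pin it to a full commit SHA with the release in a trailing comment, `uses: ruby/setup-ruby@<full-commit-sha> # v1.x.y`, and let Dependabot or a similar updater move the pin. The ruby.yml hunk in PATCH 2/3 has the same issue from the other direction: it replaces an existing SHA pin with `@v1`, where moving the pin to a newer commit that recognises Ruby 3.1 would have fixed CI without giving up the pin. Separately, `ruby-version: 3.1` is an unquoted YAML float; writing `ruby-version: '3.1'` matches the quoted matrix in ruby.yml and avoids a later `3.10` being read as `3.1`.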
@@ -17,11 +17,12 @@ Gem::Specification.new do |spec| spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) } spec.test_files = spec.files.grep(%r{^(test|spec|features)/}) spec.require_paths = ["lib"] + spec.required_ruby_version = ">= 3.1" spec.add_development_dependency "bundler" spec.add_development_dependency "rake" spec.add_development_dependency "rspec" spec.add_development_dependency "webmock" - spec.add_runtime_dependency "excon", "~> 0.39" + spec.add_runtime_dependency "excon", ">= 1.5.0" end
From 0f9045039449f04c8cc14621b92fd81bfad4cefc Mon Sep 17 00:00:00 2001 From: lferreira Date: Mon, 22 Jun 2026 10:18:52 +0100 Subject: [PATCH 2/3] Fix CI: update ruby/setup-ruby to v1 to support Ruby 3.1+ The previously pinned commit hash (473e4d8) was too old to recognise Ruby 3.1, causing the test workflow to fail after the excon upgrade bumped the minimum Ruby version.
---
.github/workflows/ruby.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/ruby.yml b/.github/workflows/ruby.yml
index 29d3bbd..aac5543 100644
--- a/.github/workflows/ruby.yml
+++ b/.github/workflows/ruby.yml
@@ -24,10 +24,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Set up Ruby - # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby, - # change this to (see https://github.com/ruby/setup-ruby#versioning): - # uses: ruby/setup-ruby@v1 - uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e + uses: ruby/setup-ruby@v1 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically
From 3906be3e11b108d45ee662beaf7a2c60d3f82fdd Mon Sep 17 00:00:00 2001
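Review bot: `spec.add_runtime_dependency "excon", ">= 1.5.0"` in the postcodes_io.gemspec hunk has no upper bound, so where the old `~> 0.39` kept consumers below the next major, this constraint lets Bundler resolve any future excon 2.x. The security floor can be kept while restoring a ceiling with `spec.add_runtime_dependency "excon", ">= 1.5.0", "< 2"`. The added `spec.required_ruby_version = ">= 3.1"` is a breaking change for consumers and no gem version bump is visible in this series, so confirm the release is versioned accordingly. The `Gem::Specification.new` block starts before the hunk.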
From: lferreira Date: Mon, 22 Jun 2026 10:28:45 +0100 Subject: [PATCH 3/3] Fix CI: bump actions/checkout from v2 to v7 v2 uses Node 12, which is incompatible with GitHub Actions runners that now default to Node 24. Updated in both ruby.yml and gem-push.yml.
---
.github/workflows/gem-push.yml | 2 +- .github/workflows/ruby.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/gem-push.yml b/.github/workflows/gem-push.yml
index c9c5d7a..e79fd4c 100644
--- a/.github/workflows/gem-push.yml
+++ b/.github/workflows/gem-push.yml
@@ -13,7 +13,7 @@ jobs: packages: write steps: - uses: actions/checkout@v2 + - uses: actions/checkout@v7 - name: Set up Ruby 3.1 uses: ruby/setup-ruby@v1 with:
diff --git a/.github/workflows/ruby.yml b/.github/workflows/ruby.yml
index aac5543..6e0702b 100644
--- a/.github/workflows/ruby.yml
+++ b/.github/workflows/ruby.yml
@@ -22,7 +22,7 @@ jobs: ruby-version: ['3.1', '3.2', '3.3'] steps: - uses: actions/checkout@v2 + - uses: actions/checkout@v7 - name: Set up Ruby uses: ruby/setup-ruby@v1 with: