Upgrade to latest Ruby, Keycloak, and OmniAuth versions #6

Closed
opened 2026-05-09 17:24:27 +00:00 by forgejo_admin · 1 comment
Contributor

Superseded — split into pal-enterprises#14 and pal-e-platform#358 for single-repo scope.


Type

Feature

Lineage

Standalone — discovered during initial pal-enterprises scaffold and deploy.

Repo

ldraney/pal-enterprises

User Story

As a platform owner
I want all core dependencies at their latest stable versions
So that pal-enterprises starts on a current foundation without accumulating tech debt from day one.

Context

During initial scaffold we used Ruby 3.4.8 (system default), OmniAuth 1.9.2 (pulled by omniauth_openid_connect), and the cluster runs Keycloak 26.0.7. All have newer stable releases:

| Component | Current | Target |
|---|---|---|
| Ruby | 3.4.8 | 4.0.2 |
| Keycloak | 26.0.7 | 26.6.1 |
| OmniAuth | 1.9.2 | 2.1.4 |
| Container image | ruby:3.4-slim | ruby:4.0-slim |

Ruby 4.0 is a major version — gem compatibility must be verified. Keycloak 26.6 is a minor bump but the upgrade guide should be reviewed. OmniAuth 2.x changed CSRF defaults (handled by omniauth-rails_csrf_protection gem).

File Targets

Files the agent should modify or create:

  • .ruby-version — bump to 4.0.2
  • Gemfile — update ruby constraint, bundle update omniauth stack
  • Gemfile.lock — regenerated
  • k8s/dev.yaml — container image to ruby:4.0-slim
  • Dockerfile — base image to ruby:4.0-slim

Files in other repos:

  • pal-e-platform: terraform/modules/keycloak/main.tf — image tag 26.0.7 → 26.6.1
  • pal-e-services: terraform/k3s.tfvars — if any realm schema changes needed

Files the agent should NOT touch:

  • config/initializers/omniauth.rb — OIDC config is correct, only gem version changes
  • Keycloak realm/client definitions — no client changes needed

Acceptance Criteria

  • When I run ruby --version in the container, it shows 4.0.2
  • When I run bundle exec rails server, the app boots without deprecation errors
  • When I visit /login and click "Sign in with Keycloak", the OIDC flow completes
  • When I visit the Keycloak admin console, version shows 26.6.1
  • When I test existing westside-app and pal-e-app auth flows, they still work

Test Expectations

  • bundle install completes without errors on Ruby 4.0
  • bin/rails db:prepare runs migrations successfully
  • Health check at /up returns 200
  • OIDC callback at /auth/keycloak/callback processes correctly
  • Run command: kubectl -n pal-enterprises logs deployment/pal-enterprises --tail=20

Constraints

  • Verify all gems in Gemfile.lock support Ruby 4.0 before committing
  • Review Keycloak upgrade guide for 26.0 → 26.6 breaking changes
  • Must not break existing OIDC clients (westside-app, westside-spa, pal-e-app)
  • Host (archbox) Ruby also needs updating — coordinate with westside-ror and pal-e-ror

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-pal-enterprises — project this affects
  • sop-keycloak-client-creation — Keycloak client conventions (now IaC'd)
Author
Contributor

Scope Review: NEEDS_REFINEMENT

Review note: review-1182-2026-05-09

Ticket scope is well-written with all template sections present and all file targets verified. However, it needs refinement before moving to next_up:

  • [DECOMPOSE] 5 AC + 5 test items across 3 repos (pal-enterprises, pal-e-platform, pal-e-services). Split into: (1) Keycloak 26.6.1 upgrade on pal-e-platform, (2) Ruby 4.0 + OmniAuth 2.x upgrade on pal-enterprises. Route to skill-decompose-ticket.
  • [SCOPE] Missing infra-upgrades user story entry on project-pal-enterprises page.
  • [SCOPE] Missing arch-keycloak architecture note in pal-e-docs.
  • [BODY] Add gem compatibility verification AC for Ruby 4.0 major version jump.
  • [BODY] Move AC #5 (existing auth flow tests) to the Keycloak upgrade sub-ticket.
  • [LABEL] Consider adding arch:rails-app label.
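
The gem compatibility check that the ticket's Constraints section and the review's [BODY] item both call for can be scripted. The following is an added example, not part of the ticket or of the pal-enterprises repo: it reads a Gemfile.lock with `Bundler::LockfileParser` and tests each pinned gem's `required_ruby_version` against the 4.0.2 target. The gem names, their constraints, the sample lockfile and the `ruby_compat_report` helper are all hypothetical.

```ruby
require "bundler"

TARGET_RUBY = Gem::Version.new("4.0.2") # target version from the ticket's table

# Default lookup: required_ruby_version of the locally installed gem,
# or nil when that exact version is not installed.
INSTALLED = lambda do |name, version|
  Gem::Specification.find_all_by_name(name, "= #{version}").first&.required_ruby_version
end

# Classify every gem pinned in a Gemfile.lock against the target Ruby.
# lookup is any callable (name, version) -> Gem::Requirement or nil.
def ruby_compat_report(lock_text, target: TARGET_RUBY, lookup: INSTALLED)
  report = { ok: [], incompatible: [], unknown: [] }
  Bundler::LockfileParser.new(lock_text).specs.each do |spec|
    req = lookup.call(spec.name, spec.version)
    bucket = if req.nil? then :unknown
             elsif req.satisfied_by?(target) then :ok
             else :incompatible
             end
    report[bucket] << spec.name
  end
  report.transform_values(&:sort)
end

# Constructed lockfile and metadata (hypothetical gems, not the project's files).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-capped (1.4.0)
      example-open (2.3.1)
      example-pessimistic (0.9.2)
      example-unlisted (3.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    example-open
LOCK

SAMPLE_META = {
  "example-capped"      => Gem::Requirement.new(">= 3.1", "< 4"), # explicit upper bound
  "example-pessimistic" => Gem::Requirement.new("~> 3.2"),        # means >= 3.2, < 4.0
  "example-open"        => Gem::Requirement.new(">= 2.7")         # no upper bound
}.freeze

SAMPLE_REPORT = ruby_compat_report(SAMPLE_LOCK, lookup: ->(name, _v) { SAMPLE_META[name] })
```

To check the real file, call `ruby_compat_report(File.read("Gemfile.lock"))` after `bundle install`; gems listed under `:unknown` are not installed locally and need a manual check.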