chore(deps): update module github.com/open-policy-agent/opa to v1.9.0

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/open-policy-agent/opa	v1.6.0 -> v1.9.0

---

Release Notes

open-policy-agent/opa (github.com/open-policy-agent/opa)

v1.9.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Compile API extensions ported from EOPA
• Improved rule indexing

Compile Rego Queries Into SQL Filters (#​7887)

Compile API extensions with support for SQL filter generation previously exclusive to EOPA has been ported into OPA.

Example

With OPA running with this policy, we'll compile the query data.filters.include into SQL filters:

package filters

### METADATA
### scope: document

### compile:
###   unknowns: [input.fruits]
include if input.fruits.name == input.favorite

Example Request

POST /v1/compile/filters/include HTTP/1.1
Content-Type: application/json
Accept: application/vnd.opa.sql.postgresql+json

{
  "input": {
    "favorite": "pineapple"
  }
}

Example Response

HTTP/1.1 200 OK
Content-Type: application/vnd.opa.sql.postgresql+json

{
  "result": {
    "query": "WHERE fruits.name = E'pineapple'"
  }
}

See the documentation for more details.

Authored by @​srenatus and @​philipaconrad

Improved Rule Indexing For "Naked" Refs (#​7897)

OPA's rule indexer is a means by which OPA can optimize evaluation performance.
Briefly, the indexer can in some cases determine that a rule won't successfully evaluate before it's evaluated based on the query input.
The indexer previously only considered terms in certain compound expressions, ignoring single terms; e.g. an expression containing a sole "naked" ref. This has now changed!

Example

Given a policy with an allow rule containing two "naked" refs: input.foo and input.bar:

package example

allow if {
    input.foo
    input.bar
}

and the input document:

{
    "foo": 1
}

before this improvement, when evaluating the query data.example.allow, we get the trace log:

query:1           Enter data.example.allow = _
query:1           | Eval data.example.allow = _
query:1           | Index data.example.allow (matched 1 rule, early exit)
policy.rego:3     | Enter data.example.allow
policy.rego:5     | | Eval input.foo
policy.rego:6     | | Eval input.bar
policy.rego:6     | | Fail input.bar
policy.rego:5     | | Redo input.foo
query:1           | Fail data.example.allow = _

Here, we can see that the allow rule is evaluated, but fails on the input.bar expression, as it's referencing an undefined value.

With the improvement to the indexer, we instead get:

query:1     Enter data.example.allow = _
query:1     | Eval data.example.allow = _
query:1     | Index data.example.allow (matched 0 rules, early exit)
query:1     | Fail data.example.allow = _

Where we can see that the allow rule was never evaluated, since the input doesn't meet the conditions established by the indexer; i.e. both input.foo and input.bar must have defined values.

Authored by @​srenatus

Runtime, Tooling

• cmd: Print eval errors to stderr (#​6749) authored by @​sspaink reported by @​janorn
• plugin/decision: Encoder immediately returns when event same size as limit (#​7928) authored by @​sspaink
• plugin/decision: Refactor size buffer into its own type (#​7884) authored by @​sspaink
• plugins/bundle: Return callback error for manually triggered bundle downloads through the SDK (#​7869) authored by @​sspaink reported by @​victoraugustolls
• runtime: Fix possible panic in opa run when loading bundles in watch-mode (--watch) (#​7870) authored by @​sspaink reported by @​johanfylling

Compiler, Topdown and Rego

• perf: Don't invoke future parser for Rego v1 (#​7909) authored by @​anderseknert
• topdown: Add counter metric for http.send network requests (#​7851) authored by @​anivar
• topdown: Update numbers.range_step built-in error message (#​7882) authored by @​charlieegan3

Docs, Website

• docs: Add every and not examples (#​7901) authored by @​charlieegan3
• docs: Add examples for io.jwt and time built-ins (#​7892) authored by @​charlieegan3
• docs: Add examples for regex and string built-ins (#​7890) authored by @​charlieegan3
• docs: Add guide for common Rego errors (#​7896) authored by @​charlieegan3
• docs: Add missing anchors and example data (#​6205) authored by @​mmzzuu reported by @​johanfylling
• docs: Add Rego keyword examples (#​7889) authored by @​charlieegan3
• docs: Add Rego language comparison pages (#​7893) authored by @​charlieegan3
• docs: Add Style Guide to policy authoring docs (#​7932) authored by @​charlieegan3
• docs: Generative AI policy example fix (#​7885) authored by @​msorens
• docs: Remove integration from build-security (#​7899) authored by @​ieugen
• docs: Update Envoy tutorial for new versions and images (#​7911) authored by @​CharlieTLe
• docs: Update references to cheat sheet and awesome-opa (#​7930) authored by @​charlieegan3
• docs: Add OCP docs (#​7875) authored by @​charlieegan3
  • docs/ocp: Update docs on Azure object storage (#​7921) authored by @​minajevs
  • docs/ocp: Fix inline-transform example (#​7913) authored by @​srenatus
  • docs/ocp: Fix wrong example on concepts page (#​7907) authored by @​srenatus
  • docs/ocp: Update API reference (#​7906) authored by @​srenatus
  • docs/ocp: Update OCP api-key (#​7904) authored by @​charlieegan3
  • docs/ocp: Update OCP install instructions (#​7910) authored by @​ashutosh-narkar
• docs: Add Regal docs to OPA site (#​7874) authored by @​charlieegan3
  • docs/regal: Update docs following 0.36.0 (#​7891) authored by @​charlieegan3
• docs/deploy: Add OPA deployment docs (#​7898) authored by @​charlieegan3
• docs/website: Update references to Styra (#​7877) authored by @​charlieegan3

Miscellaneous

• Bump golangci-lint to v2.4.0 (#​7878) authored by @​sspaink
• Community Guidelines: update email list (#​7900) authored by @​srenatus
• ci: port binary tests to testscript (#​7865) authored by @​srenatus
• dependabot: Updating e2e go deps together with core OPA deps (#​7923) authored by @​johanfylling
• github_actions: Add working directory in arguments for Link Checker (#​7883) authored by @​sspaink
• rego: Add comprehensive WASM performance benchmarks (#​7841) authored by @​anivar
• Dependency updates; notably:
  • build: Bump go to 1.25.1
  • build(deps): Add github.com/huandu/go-sqlbuilder 1.37.0
  • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.0.10 to 3.0.11
  • build(deps): Bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2
  • build(deps): Bump golang.org/x/net from 0.43.0 to 0.44.0
  • build(deps): Bump golang.org/x/time from 0.12.0 to 0.13.0
  • build(deps): Bump google.golang.org/grpc from 1.75.0 to 1.75.1
  • build(deps): Bump google.golang.org/protobuf from 1.36.8 to 1.36.9
  • build(deps): bump go.opentelemetry.io deps from 1.37.0/0.62.0 to 1.38.0/0.63.0

v1.8.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Support for EdDSA signatures in io.jwt built-ins, including a new io.jwt.verify_eddsa built-in.

EdDSA Support in built-ins (#​7824)

Support for the EdDSA signing algorithm has been added to built-in functions in the io.jwt namespace.

This introduces the new io.jwt.verify_eddsa built-in function, and adds EdDSA support for the following built-ins:

• io.jwt.decode_verify
• io.jwt.encode_sign
• io.jwt.encode_sign_raw

This feature benefited greatly from the groundwork laid by @​lestrrat in (#​7638). 👏 🎉 🥳

Authored by @​johanfylling reported by @​aromeyer

Runtime

• cmd: Add back default cmd.RootCommand definition. (#​7811) authored by @​philipaconrad
  Fixing a breaking change to the go API introduced in OPA v1.7.0.
• cmd: Fix opa exec parameters (#​7850, #​7840) authored by @​srenatus
  Fixing regressions introduced in OPA v1.7.0, where the --fail-non-empty and --stdin-input flags were dropped.
• config: accept env vars set to "", discern from unset (#​7831) authored by @​srenatus reported by @​ManuelNowackConfinale
• handlers: Add thread-safe initialization for gzipPool (#​7828) authored by @​charlieegan3
• plugins: Address race in config access (#​7825) authored by @​charlieegan3
• plugin/bundle: Correct bundle delay behavior (#​7812) authored by @​charlieegan3
• runtime: Update server init check (#​7818) authored by @​charlieegan3

Topdown

• perf: Performance greatly improved for Object.Insert on existing key (#​7820) authored by @​anderseknert
• topdown,bundle,plugins: Upgrade interned jwx (0.9.x) with github.com/lestrrat-go/jwx/v3 (#​7638) authored by @​lestrrat

Docs, Website

• Update website to build from tip of main (#​7848) authored by @​tsandall
• ast/builtins: Remove space from count description (#​7836) authored by @​charlieegan3
• docs: Add link to logic-or/and on docs index (#​7826) authored by @​charlieegan3
• docs: Add note on using LLM in PR discussions (#​7859) authored by @​anderseknert
• docs: Fix broken anchor links in annotations (#​7827) authored by @​charlieegan3
• docs: Use set in the Python code example for consistence (#​7860) authored by @​durnik-ivo
• docs: Update frontpage (#​7847) authored by @​tsandall
• docs/rest-api: Add notes about policy IDs (#​7837) authored by @​charlieegan3
• website: Use latest release rather than edge (#​7781) authored by @​charlieegan3

Miscellaneous

• Update organization affiliations (#​7842) authored by @​tsandall
• test/e2e: Avoid port exhaustion in concurrent tests (#​7862) authored by @​anderseknert
• server: Make TestCertReloading less verbose (#​7823) authored by @​charlieegan3
• cmd: Exec test wait for bundle server to start (#​7821) authored by @​charlieegan3
• cmd: Update tests to run sync when ready (#​7835) authored by @​charlieegan3
• cmd: Move accidental pkg var to local var (#​7813) authored by @​philipaconrad
• internal/report: Allow overriding GitHub repo (#​7867) authored by @​srenatus
• release: Adding Dockerfile for image used in *-patch build targets (#​7864) authored by @​johanfylling
• Dependency updates; notably:
  • build: Bump go to 1.24.6 (#​7834, #​7839) authored by @​johanfylling and @​thevilledev
  • build(deps): Bump go-viper/mapstructure/v2 from v2.3.0 to v2.4.0 (#​7857) authored by @​deeglaze
  • build(deps): Bump github.com/containerd/containerd/v2 from 2.1.3 to 2.1.4
  • build(deps): Bump github.com/prometheus/client_golang from 1.22.0 to 1.23.0

v1.7.1

Compare Source

This is a bug fix release addressing two issues for users that include OPA's CLI in their own application's CLI:

• A missing symbol in the cmd package (cmd.RootCommand)
• A possible panic in the opa parse command

v1.7.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Improved OPA SDK/API for better extensibility

SDK Improvements

The OPA SDK/API has been improved to provide better extensibility an more points of integration for developers.

• ast: Add DefaultModuleLoader (#​7794) authored by @​srenatus
• ast: Add feature registration from the outside (#​7782) authored by @​srenatus
• bundle: Add support for bundle store and activation plugins (#​7771) authored by @​philipaconrad
• cmd: Allow branding (#​7797) authored by @​srenatus
• decisionlogs: Add custom fields grab bag (#​7793) authored by @​srenatus
• plugins: allow registering handlerfuncs with name+path (#​7769) authored by @​srenatus
• rego: Expose QueryTracers, tracing.Options and Cancel from QueryContext (#​7767) authored by @​philipaconrad
• rego: Pass along TracingOpts into EvalContext (#​7778) authored by @​srenatus
• runtime: add ExtraDiscoveryOpts to runtime.Params (#​7766) authored by @​srenatus
• sdk: Allow for setting default options for all instances (#​7760) authored by @​srenatus
• server: Add hooks wiring + new hooks for inter-query caches (#​7775) authored by @​srenatus
• server: Ensure that wrapped middlewares all support http.Flusher (#​7772) authored by @​srenatus
• server/authorizer: Allow adding paths to validator (#​7792) authored by @​philipaconrad
• server+plugins: Allow plugins to inject http handler middlewares (#​7789) authored by @​srenatus reported by @​deeglaze
• store+runtime: Extension points for custom stores (#​7779) authored by @​srenatus
• test+eval: Add helper to smuggle compiler through context (#​7790) authored by @​srenatus
• tester: Support uint64 and float64 metrics in runBenchmark (#​7761) authored by @​srenatus

Runtime, Tooling

• build: Show a warning when .manifest is ignored (#​7807) authored by @​charlieegan3
• cli: Avoid os.Exit() in Run() funcs (#​7788) authored by @​srenatus
• config: Keep unknown env replacements (#​7786) authored by @​srenatus
• format: Not bracketing keywords in imports (#​7742) authored by @​johanfylling
• loader: Add bundle lazy loading mode across the runtime. (#​7768) authored by @​philipaconrad
• loader: Pass bundle name in AsBundle() (#​7798) authored by @​srenatus
• opa exec: stop plugins before exit (#​7760) authored by @​srenatus
• plugins/discovery: Make Factories() merge the factories (#​7777) authored by @​srenatus
• plugins/discovery: Replace environment variables after evaluation (#​7787) authored by @​philipaconrad
• plugins/logs: Add experimental intermediate results field (#​7796) authored by @​philipaconrad
• report: Fetching latest OPA release version from GitHub (#​7756) authored by @​johanfylling
  OPA will no longer send telemetry data when fetching the latest release version.
• runtime: Allow enabling NDBCache by default (#​7780) authored by @​srenatus
• server+logging: Add BatchDecisionID field to Decision Logs (#​7791) authored by @​philipaconrad
• store: Improve conflicting root error message (#​7806) authored by @​charlieegan3

Compiler, Topdown and Rego

• perf: AST compiler optimizations (#​7740) authored by @​anderseknert

Docs, Website

Note: While we have been working on the new website we have been showing
the edge documentation contents (as contents and framework changes often must
go hand in hand). Now that the website development pace has slowed and the
functionality is more stable, we will be returning to showing the documentation
content from the latest release instead. Please use the
edge documentation site
to review new changes. PR previews are also based on the latest branch commit.
This change will be made to show the v1.7.0 release shortly after publishing.

• docs: Add examples for crypto.sha256 and base64.encode built-in functions (#​7762) authored by @​ToluGIT
• docs: Break out the built-in categories in policy ref (#​7722) authored by @​sky3n3t
• docs: Correctly spell NetBSD (#​7738) authored by @​iamleot
• docs: Fix a number of minor docs typos (#​7799) authored by @​charlieegan3
• docs: Fix /docs/envoy-authorization/ 404 (#​7755 authored by @​charlieegan3
• docs: Remove link to OPA playground share (#​7750) authored by @​charlieegan3
• docs: Revise docs index page wording (#​7805) authored by @​charlieegan3
• docs: Update warning note in GraphQL API docs (#​7737) authored by @​charlieegan3
• website: Add wildcard CORS for data/versions.json (#​7784) authored by @​charlieegan3
• website: Ensure no hscroll on built-in tables (#​7773) authored by @​charlieegan3
• website: Render versions under /data/versions.json (#​7783) authored by @​charlieegan3
• website: Set mobile and desktop tab sizes (#​7774) authored by @​charlieegan3
• website: Show link to the edge release of the docs (#​7776) authored by @​charlieegan3

Miscellaneous

• Benchmark fixes (#​7765) authored by @​anderseknert

• Use Regal for linting Rego (#​7752) authored by @​anderseknert

• Use shorthand form for types (#​7757) authored by @​anderseknert

• .github: Use types for issues (#​7751) authored by @​charlieegan3

• build: Add top-level token permissions for workflows (#​7795) authored by @​timothyklee

• docs/build: Link checker fixes (#​7743) authored by @​charlieegan3

• Dependency updates; notably:

  • build(deps): bump github.com/containerd/containerd/v2 from 2.1.1 to 2.1.3
  • build(deps): bump google.golang.org/grpc from 1.73.0 to 1.74.2
  • build(deps): bump go.opentelemetry.io deps from 1.36.0/0.61.0 to 1.37.0/0.62.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[forking-renovate]

ℹ Artifact update notice

File name: cli/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 38 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.0 -> 1.24.6
go (toolchain)	1.24.7 -> 1.24.8
github.com/spf13/cobra	v1.9.1 -> v1.10.1
github.com/spf13/viper	v1.20.1 -> v1.21.0
google.golang.org/protobuf	v1.36.8 -> v1.36.9
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp	v1.27.0 -> v1.29.0
github.com/cenkalti/backoff/v5	v5.0.2 -> v5.0.3
github.com/go-jose/go-jose/v4	v4.0.5 -> v4.1.1
github.com/grpc-ecosystem/grpc-gateway/v2	v2.26.3 -> v2.27.2
github.com/prometheus/client_golang	v1.22.0 -> v1.23.2
github.com/prometheus/common	v0.62.0 -> v0.66.1
github.com/prometheus/procfs	v0.15.1 -> v0.17.0
github.com/rcrowley/go-metrics	v0.0.0-20201227073835-cf1acfcdf475 -> v0.0.0-20250401214520-65e299d6c5c9
github.com/sagikazarmark/locafero	v0.7.0 -> v0.11.0
github.com/sergi/go-diff	v1.3.2-0.20230802210424-5b0b94c5c0d3 -> v1.4.0
github.com/sirupsen/logrus	v1.9.3 -> v1.9.4-0.20230606125235-dd1b4c2e81af
github.com/sourcegraph/conc	v0.3.0 -> v0.3.1-0.20240121214520-5f936abd7ae8
github.com/spf13/afero	v1.12.0 -> v1.15.0
github.com/spf13/cast	v1.7.1 -> v1.10.0
github.com/spf13/pflag	v1.0.6 -> v1.0.10
github.com/tchap/go-patricia/v2	v2.3.2 -> v2.3.3
github.com/vektah/gqlparser/v2	v2.5.28 -> v2.5.30
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.61.0 -> v0.63.0
go.opentelemetry.io/otel	v1.36.0 -> v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.36.0 -> v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.36.0 -> v1.38.0
go.opentelemetry.io/otel/metric	v1.36.0 -> v1.38.0
go.opentelemetry.io/otel/sdk	v1.36.0 -> v1.38.0
go.opentelemetry.io/otel/sdk/metric	v1.36.0 -> v1.38.0
go.opentelemetry.io/otel/trace	v1.36.0 -> v1.38.0
go.opentelemetry.io/proto/otlp	v1.6.0 -> v1.7.1
go.yaml.in/yaml/v3	v3.0.3 -> v3.0.4
golang.org/x/crypto	v0.41.0 -> v0.42.0
golang.org/x/net	v0.43.0 -> v0.44.0
golang.org/x/sys	v0.35.0 -> v0.36.0
golang.org/x/term	v0.34.0 -> v0.35.0
golang.org/x/time	v0.12.0 -> v0.13.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250818200422-3122310a409c -> v0.0.0-20250825161204-c5933d9347a5
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250818200422-3122310a409c -> v0.0.0-20250825161204-c5933d9347a5
google.golang.org/grpc	v1.74.2 -> v1.75.1

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun