@renovate renovate bot commented Oct 3, 2025

This PR contains the following updates:

Package | Change
github.com/open-policy-agent/opa | v1.8.0 -> v1.9.0

Release Notes

open-policy-agent/opa (github.com/open-policy-agent/opa)

v1.9.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Compile API extensions ported from EOPA
  • Improved rule indexing

Compile Rego Queries Into SQL Filters (#7887)

Compile API extensions with support for SQL filter generation, previously exclusive to EOPA, have been ported into OPA.

Example

With OPA running with this policy, we'll compile the query data.filters.include into SQL filters:

package filters

# METADATA
# scope: document
# compile:
#   unknowns: [input.fruits]
include if input.fruits.name == input.favorite

Example Request

POST /v1/compile/filters/include HTTP/1.1
Content-Type: application/json
Accept: application/vnd.opa.sql.postgresql+json

{
  "input": {
    "favorite": "pineapple"
  }
}

Example Response

HTTP/1.1 200 OK
Content-Type: application/vnd.opa.sql.postgresql+json

{
  "result": {
    "query": "WHERE fruits.name = E'pineapple'"
  }
}

See the documentation for more details.

Authored by @​srenatus and @​philipaconrad

Improved Rule Indexing For "Naked" Refs (#​7897)

OPA's rule indexer is a means by which OPA can optimize evaluation performance.
Briefly, the indexer can in some cases determine that a rule won't successfully evaluate before it's evaluated based on the query input.
The indexer previously only considered terms in certain compound expressions, ignoring single terms; e.g. an expression containing a sole "naked" ref. This has now changed!

Example

Given a policy with an allow rule containing two "naked" refs: input.foo and input.bar:

package example

allow if {
    input.foo
    input.bar
}

and the input document:

{
    "foo": 1
}

before this improvement, when evaluating the query data.example.allow, we get the trace log:

query:1           Enter data.example.allow = _
query:1           | Eval data.example.allow = _
query:1           | Index data.example.allow (matched 1 rule, early exit)
policy.rego:3     | Enter data.example.allow
policy.rego:5     | | Eval input.foo
policy.rego:6     | | Eval input.bar
policy.rego:6     | | Fail input.bar
policy.rego:5     | | Redo input.foo
query:1           | Fail data.example.allow = _

Here, we can see that the allow rule is evaluated, but fails on the input.bar expression, as it's referencing an undefined value.

With the improvement to the indexer, we instead get:

query:1     Enter data.example.allow = _
query:1     | Eval data.example.allow = _
query:1     | Index data.example.allow (matched 0 rules, early exit)
query:1     | Fail data.example.allow = _

Where we can see that the allow rule was never evaluated, since the input doesn't meet the conditions established by the indexer; i.e. both input.foo and input.bar must have defined values.

Authored by @​srenatus

Runtime, Tooling

Compiler, Topdown and Rego

Docs, Website

Miscellaneous

  • Bump golangci-lint to v2.4.0 (#​7878) authored by @​sspaink
  • Community Guidelines: update email list (#​7900) authored by @​srenatus
  • ci: port binary tests to testscript (#​7865) authored by @​srenatus
  • dependabot: Updating e2e go deps together with core OPA deps (#​7923) authored by @​johanfylling
  • github_actions: Add working directory in arguments for Link Checker (#​7883) authored by @​sspaink
  • rego: Add comprehensive WASM performance benchmarks (#​7841) authored by @​anivar
  • Dependency updates; notably:
    • build: Bump go to 1.25.1
    • build(deps): Add github.com/huandu/go-sqlbuilder 1.37.0
    • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.0.10 to 3.0.11
    • build(deps): Bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2
    • build(deps): Bump golang.org/x/net from 0.43.0 to 0.44.0
    • build(deps): Bump golang.org/x/time from 0.12.0 to 0.13.0
    • build(deps): Bump google.golang.org/grpc from 1.75.0 to 1.75.1
    • build(deps): Bump google.golang.org/protobuf from 1.36.8 to 1.36.9
    • build(deps): bump go.opentelemetry.io deps from 1.37.0/0.62.0 to 1.38.0/0.63.0

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
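The Compile API exchange from the release notes above, written as a Go client (an added example, not part of this PR or of OPA's code). `compileFilter` and `stubOPA` are hypothetical names, and the stub server is a constructed stand-in that replays the example response so the block runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const sqlPostgres = "application/vnd.opa.sql.postgresql+json" // Accept type from the example request

// compileFilter fetches the SQL filter for favorite; on error the caller must not query unfiltered.
func compileFilter(base, favorite string) (string, error) {
	body, _ := json.Marshal(map[string]any{"input": map[string]string{"favorite": favorite}})
	req, err := http.NewRequest(http.MethodPost, base+"/v1/compile/filters/include", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Accept", sqlPostgres)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("compile request failed: %s", resp.Status)
	}
	var out struct{ Result struct{ Query string `json:"query"` } `json:"result"` }
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.Result.Query, err
}

// stubOPA is a constructed stand-in for OPA that replays the example response.
func stubOPA() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/v1/compile/filters/include" || r.Header.Get("Accept") != sqlPostgres {
			http.Error(w, "unsupported request", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", sqlPostgres)
		fmt.Fprint(w, `{"result":{"query":"WHERE fruits.name = E'pineapple'"}}`)
	}))
}

func main() {
	fmt.Println(compileFilter(stubOPA().URL, "pineapple"))
}
```

Against a real OPA instance, pass its base URL instead of the stub's; the returned string is the `result.query` field shown in the example response.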

@renovate renovate bot requested a review from a team as a code owner October 3, 2025 05:30
@renovate renovate bot added automerge Used by Kodiak bot to automerge PRs dependencies Pull requests that update a dependency file go labels Oct 3, 2025
renovate bot commented Oct 3, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 6 additional dependencies were updated

Details:

Package | Change
github.com/goccy/go-json | v0.10.3 -> v0.10.5
github.com/lestrrat-go/httprc/v3 | v3.0.0 -> v3.0.1
github.com/lestrrat-go/jwx/v3 | v3.0.10 -> v3.0.11
github.com/rcrowley/go-metrics | v0.0.0-20201227073835-cf1acfcdf475 -> v0.0.0-20250401214520-65e299d6c5c9
github.com/sirupsen/logrus | v1.9.3 -> v1.9.4-0.20230606125235-dd1b4c2e81af
golang.org/x/time | v0.12.0 -> v0.13.0

@renovate renovate bot force-pushed the renovate/github.com-open-policy-agent-opa-1.x branch 2 times, most recently from 3331439 to 1354c63 Compare October 3, 2025 06:43
kodiakhq bot commented Oct 3, 2025

This PR currently has a merge conflict. Please resolve this and then re-add the automerge label.

@kodiakhq kodiakhq bot removed the automerge Used by Kodiak bot to automerge PRs label Oct 3, 2025
@renovate renovate bot force-pushed the renovate/github.com-open-policy-agent-opa-1.x branch 19 times, most recently from 74f9423 to b28c9d9 Compare October 9, 2025 08:54
@renovate renovate bot force-pushed the renovate/github.com-open-policy-agent-opa-1.x branch from b28c9d9 to 1cfed41 Compare October 11, 2025 21:01
@renovate renovate bot force-pushed the renovate/github.com-open-policy-agent-opa-1.x branch 14 times, most recently from a477106 to 635e0c8 Compare October 24, 2025 07:17
@kodiakhq kodiakhq bot removed the automerge Used by Kodiak bot to automerge PRs label Oct 24, 2025
kodiakhq bot commented Oct 24, 2025

This PR currently has a merge conflict. Please resolve this and then re-add the automerge label.

@renovate renovate bot force-pushed the renovate/github.com-open-policy-agent-opa-1.x branch 5 times, most recently from 7a4befd to 3161b56 Compare October 28, 2025 11:44
codecov bot commented Oct 28, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.53%. Comparing base (c011ffc) to head (29eec38).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4842   +/-   ##
=======================================
  Coverage   65.53%   65.53%           
=======================================
  Files         172      172           
  Lines       14308    14308           
=======================================
  Hits         9377     9377           
  Misses       4256     4256           
  Partials      675      675           
Flag Coverage Δ
unittests 65.53% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

@renovate renovate bot force-pushed the renovate/github.com-open-policy-agent-opa-1.x branch 2 times, most recently from bdcebaf to 3cd4c12 Compare October 28, 2025 12:56
@dosubot dosubot bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Oct 28, 2025
@renovate renovate bot force-pushed the renovate/github.com-open-policy-agent-opa-1.x branch from 3cd4c12 to 29eec38 Compare October 28, 2025 13:23
@erka erka added the automerge Used by Kodiak bot to automerge PRs label Oct 28, 2025
@kodiakhq kodiakhq bot merged commit 2866836 into main Oct 28, 2025
40 checks passed
@kodiakhq kodiakhq bot deleted the renovate/github.com-open-policy-agent-opa-1.x branch October 28, 2025 13:38