chore(deps): update go dependencies

[red-hat-konflux]

This PR contains the following updates:

Package	Type	Update	Change
github.com/ThalesIgnite/crypto11	indirect	minor	v1.2.5 -> v1.6.0
github.com/aws/aws-sdk-go-v2/credentials	indirect	patch	v1.18.17 -> v1.18.19
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	indirect	patch	v1.18.10 -> v1.18.11
github.com/aws/aws-sdk-go-v2/internal/configsources	indirect	patch	v1.4.10 -> v1.4.11
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	indirect	patch	v1.13.10 -> v1.13.11
github.com/cncf/xds/go	indirect	digest	2ee22ca -> 0feb691
github.com/letsencrypt/boulder	require	minor	v0.20250721.0 -> v0.20251021.0
github.com/open-policy-agent/opa	indirect	minor	v1.1.0 -> v1.9.0
github.com/prometheus/procfs	indirect	minor	v0.17.0 -> v0.19.1
github.com/protocolbuffers/txtpbfmt	indirect	digest	f293424 -> 16587c7
github.com/sigstore/scaffolding	require	patch	v0.7.22 -> v0.7.25
github.com/transparency-dev/formats	indirect	digest	404c0d5 -> fb14049
golang.org/x/exp	indirect	digest	90e834f -> a4bb9ff
google.golang.org/api	indirect	minor	v0.252.0 -> v0.253.0
google.golang.org/genproto	indirect	digest	88f65dc -> 3a174f9
google.golang.org/genproto/googleapis/api	indirect	digest	88f65dc -> 3a174f9
google.golang.org/genproto/googleapis/rpc	indirect	digest	88f65dc -> 3a174f9
knative.dev/hack	require	digest	4fae780 -> 4377a69
knative.dev/hack/schema	require	digest	4fae780 -> 4377a69
knative.dev/pkg	require	digest	a1339c6 -> b988e0b

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

ThalesIgnite/crypto11 (github.com/ThalesIgnite/crypto11)

v1.6.0

Compare Source

What's Changed

• Update go1.25.1 by @​Nicolas-Peiffer in ThalesGroup#124

Full Changelog: ThalesGroup/crypto11@v1.5.0...v1.6.0

v1.5.0

Compare Source

What's Changed

• Fix findkeys error and eval byte nil or len zero by @​Nicolas-Peiffer in ThalesGroup#122
• Update go1.24.5 by @​Nicolas-Peiffer in ThalesGroup#123

Full Changelog: ThalesGroup/crypto11@v1.4.1...v1.5.0

v1.4.1

Compare Source

What's Changed

• update to go 1.23.6
• fix: underlying library context is reused through reference counting by @​ek-1n574 in ThalesGroup#114

New Contributors

• @​ek-1n574 made their first contribution in ThalesGroup#114

Full Changelog: ThalesGroup/crypto11@v1.4.0...v1.4.1

v1.4.0

Compare Source

What's Changed

• upgrade to go1.23.6 by @​Nicolas-Peiffer in ThalesGroup#116

New Contributors

• @​Nicolas-Peiffer made their first contribution in ThalesGroup#116

Full Changelog: ThalesGroup/crypto11@v1.3.0...v1.4.0

v1.3.0

Compare Source

What's Changed

• feature: optimized aes cbc support by @​IceManGreen in ThalesGroup#107
• RSA support for asymmetric decryption by @​IceManGreen in ThalesGroup#115

New Contributors

• @​IceManGreen made their first contribution in ThalesGroup#107

Full Changelog: ThalesGroup/crypto11@v1.2.1...v1.3.0

letsencrypt/boulder (github.com/letsencrypt/boulder)

v0.20251021.0

Compare Source

What's Changed

• Reduce nonce redemption flake by giving WFE time to mark SubConns READY by @​aarongable in #​8442
• Simplify IssueCertificate into straight-line code by @​aarongable in #​8424
• Delete sa.GetMaxExpiration and sa.GetRevokedCerts by @​aarongable in #​8401
• Ceremony: add checks for too-large validity period by @​aarongable in #​8446
• build(deps): bump the aws group with 3 updates by @​dependabot[bot] in #​8444
• Remove support for the old log line checksum format by @​mcpherrinm in #​8416

Full Changelog: letsencrypt/boulder@v0.20251014.0...v0.20251021.0

v0.20251014.0

Compare Source

What's Changed

• build(deps): bump the otel group with 6 updates by @​dependabot[bot] in #​8437
• sfe: Add configurable automatic approvals for first-tier limits by @​beautifulentropy in #​8381
• Switch to new log checksum format by @​mcpherrinm in #​8415
• Reland "SA: Stop supporting OCSP status NotReady" by @​aarongable in #​8430

Full Changelog: letsencrypt/boulder@v0.20251007.0...v0.20251014.0

v0.20251007.0

Compare Source

What's Changed

• Revert "SA: Stop supporting OCSP status NotReady" by @​aarongable in #​8429
• Introduce nonfunctional IssuerConfig.Profiles config field by @​aarongable in #​8423
• Refactor CA unittests to focus on top-level IssueCertificate by @​aarongable in #​8422
• Add logging of nonce prefix at nonce-service startup by @​jsha in #​8433
• publisher: Do not log failures to submit to audit logs by @​beautifulentropy in #​8435
• Update CI to go1.25.2 by @​aarongable in #​8436

Full Changelog: letsencrypt/boulder@v0.20251003.0...v0.20251007.0

v0.20251003.0

Compare Source

v0.20250929.0

Compare Source

What's Changed

• CA: Stop using OCSP status NotReady by @​aarongable in #​8394
• Remove support for temporally-sharded CRLs by @​aarongable in #​8400
• wfe: Permit Transfer-Encoding: chunked HTTP request bodies by @​benburkert in #​8403
• build(deps): bump the aws group with 4 updates by @​dependabot[bot] in #​8392
• Use GetRevocationStatus instead of GetCertificateStatus by @​aarongable in #​8402
• Start accepting a new log checksum format by @​mcpherrinm in #​8413

New Contributors

• @​benburkert made their first contribution in #​8403

Full Changelog: letsencrypt/boulder@v0.20250922.0...v0.20250929.0

v0.20250922.0

Compare Source

What's Changed

• Remove '-tags "integration"' from build by @​jsha in #​8383
• feat: Support for dns-account-01 Challenge by @​sheurich in #​8149
• test: Work around integration failures & flake by @​jprenken in #​8393
• Delete akamai-purger by @​aarongable in #​8352
• Upload releases to GHCR by @​jprenken in #​8386
• Move //revocation/reasons.go into the post-OCSP world by @​aarongable in #​8355
• Remove "ocsp-response" Ceremony type by @​aarongable in #​8396
• Ceremony: remove support for AIA OCSP URIs by @​aarongable in #​8397
• issuance: Remove last vestiges of OCSP support by @​aarongable in #​8398
• Recognize, but do not process, issuevmc CAA tags by @​BartG95 in #​8374
• Fix location of release.md by @​pgporada in #​8404

New Contributors

• @​BartG95 made their first contribution in #​8374

Full Changelog: letsencrypt/boulder@v0.20250908.0...v0.20250922.0

v0.20250908.0

Compare Source

What's Changed

• Upgrade to latest publicsuffix-go by @​mcpherrinm in #​8376
• sfe: Export emails to mailing list at submission time by @​beautifulentropy in #​8378
• sfe: Periodically import approved rate limit override tickets by @​beautifulentropy in #​8372
• build(deps): bump docker/login-action from 3.4.0 to 3.5.0 by @​dependabot[bot] in #​8375

Full Changelog: letsencrypt/boulder@v0.20250902.0...v0.20250908.0

v0.20250902.0

Compare Source

What's Changed

• test: Enable optional coverage reporting by @​akshithg in #​8306
• sfe: Add rate limit override request portal Web UI and endpoints by @​beautifulentropy in #​8365
• Run go's modernize tool by @​mcpherrinm in #​8371
• sfe: Add per IP rate limits to the overrides request form submissions by @​beautifulentropy in #​8366

New Contributors

• @​akshithg made their first contribution in #​8306

Full Changelog: letsencrypt/boulder@v0.20250825.0...v0.20250902.0

v0.20250825.0

Compare Source

What's Changed

• test: rewrite CAA integration test in Go by @​jsha in #​8340
• test: Remove go1.24.x by @​beautifulentropy in #​8364
• RA: remove dependency on akamai-purger by @​aarongable in #​8353
• CA: delete GenerateOCSP method by @​aarongable in #​8351
• Ceremony: allow CRL ceremonies to skip certain lints by @​aarongable in #​8368
• sfe/zendesk: Add support for status to Zendesk client by @​beautifulentropy in #​8367

Full Changelog: letsencrypt/boulder@v0.20250819.0...v0.20250825.0

v0.20250819.0

Compare Source

What's Changed

• Add --generate-notes flag to gh release create by @​mcpherrinm in #​8337
• admin: Add tooling to support rate limit overrides in the database by @​beautifulentropy in #​8281
• Remove GO111MODULE and GOFLAGS. by @​jsha in #​8333
• Add tool to generate, verify, and output a list of CRLDPs by @​aarongable in #​8329
• Build Boulder in a container for release by @​jsha in #​8331
• Restrict permissions of merged-to-main workflow by @​aarongable in #​8347
• sfe/zendesk: Add a Zendesk API client implementation by @​beautifulentropy in #​8320
• grpc: remove serverIPAddresses config option by @​jsha in #​8339
• Remove ocsp-responder by @​aarongable in #​8344
• Remove python integration test in-the-past scaffolding by @​aarongable in #​8086
• go: Add go1.25.0 to the test suite by @​beautifulentropy in #​8357
• sfe/test: Configure SFE to use a zendesk-test-srv by @​beautifulentropy in #​8354
• RA: delete GenerateOCSP method by @​aarongable in #​8350
• Remove Boulder's understanding of FAKECLOCK by @​aarongable in #​8356

Full Changelog: letsencrypt/boulder@v0.20250812.0...v0.20250819.0

v0.20250812.0

Compare Source

v0.20250805.0

Compare Source

v0.20250728.0

Compare Source

open-policy-agent/opa (github.com/open-policy-agent/opa)

v1.9.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Compile API extensions ported from EOPA
• Improved rule indexing

Compile Rego Queries Into SQL Filters (#​7887)

Compile API extensions with support for SQL filter generation previously exclusive to EOPA has been ported into OPA.

Example

With OPA running with this policy, we'll compile the query data.filters.include into SQL filters:

package filters

### METADATA
### scope: document

### compile:
###   unknowns: [input.fruits]
include if input.fruits.name == input.favorite

Example Request

POST /v1/compile/filters/include HTTP/1.1
Content-Type: application/json
Accept: application/vnd.opa.sql.postgresql+json

{
  "input": {
    "favorite": "pineapple"
  }
}

Example Response

HTTP/1.1 200 OK
Content-Type: application/vnd.opa.sql.postgresql+json

{
  "result": {
    "query": "WHERE fruits.name = E'pineapple'"
  }
}

See the documentation for more details.

Authored by @​srenatus and @​philipaconrad

Improved Rule Indexing For "Naked" Refs (#​7897)

OPA's rule indexer is a means by which OPA can optimize evaluation performance.
Briefly, the indexer can in some cases determine that a rule won't successfully evaluate before it's evaluated based on the query input.
The indexer previously only considered terms in certain compound expressions, ignoring single terms; e.g. an expression containing a sole "naked" ref. This has now changed!

Example

Given a policy with an allow rule containing two "naked" refs: input.foo and input.bar:

package example

allow if {
    input.foo
    input.bar
}

and the input document:

{
    "foo": 1
}

before this improvement, when evaluating the query data.example.allow, we get the trace log:

query:1           Enter data.example.allow = _
query:1           | Eval data.example.allow = _
query:1           | Index data.example.allow (matched 1 rule, early exit)
policy.rego:3     | Enter data.example.allow
policy.rego:5     | | Eval input.foo
policy.rego:6     | | Eval input.bar
policy.rego:6     | | Fail input.bar
policy.rego:5     | | Redo input.foo
query:1           | Fail data.example.allow = _

Here, we can see that the allow rule is evaluated, but fails on the input.bar expression, as it's referencing an undefined value.

With the improvement to the indexer, we instead get:

query:1     Enter data.example.allow = _
query:1     | Eval data.example.allow = _
query:1     | Index data.example.allow (matched 0 rules, early exit)
query:1     | Fail data.example.allow = _

Where we can see that the allow rule was never evaluated, since the input doesn't meet the conditions established by the indexer; i.e. both input.foo and input.bar must have defined values.

Authored by @​srenatus

Runtime, Tooling

• cmd: Print eval errors to stderr (#​6749) authored by @​sspaink reported by @​janorn
• plugin/decision: Encoder immediately returns when event same size as limit (#​7928) authored by @​sspaink
• plugin/decision: Refactor size buffer into its own type (#​7884) authored by @​sspaink
• plugins/bundle: Return callback error for manually triggered bundle downloads through the SDK (#​7869) authored by @​sspaink reported by @​victoraugustolls
• runtime: Fix possible panic in opa run when loading bundles in watch-mode (--watch) (#​7870) authored by @​sspaink reported by @​johanfylling

Compiler, Topdown and Rego

• perf: Don't invoke future parser for Rego v1 (#​7909) authored by @​anderseknert
• topdown: Add counter metric for http.send network requests (#​7851) authored by @​anivar
• topdown: Update numbers.range_step built-in error message (#​7882) authored by @​charlieegan3

Docs, Website

• docs: Add every and not examples (#​7901) authored by @​charlieegan3
• docs: Add examples for io.jwt and time built-ins (#​7892) authored by @​charlieegan3
• docs: Add examples for regex and string built-ins (#​7890) authored by @​charlieegan3
• docs: Add guide for common Rego errors (#​7896) authored by @​charlieegan3
• docs: Add missing anchors and example data (#​6205) authored by @​mmzzuu reported by @​johanfylling
• docs: Add Rego keyword examples (#​7889) authored by @​charlieegan3
• docs: Add Rego language comparison pages (#​7893) authored by @​charlieegan3
• docs: Add Style Guide to policy authoring docs (#​7932) authored by @​charlieegan3
• docs: Generative AI policy example fix (#​7885) authored by @​msorens
• docs: Remove integration from build-security (#​7899) authored by @​ieugen
• docs: Update Envoy tutorial for new versions and images (#​7911) authored by @​CharlieTLe
• docs: Update references to cheat sheet and awesome-opa (#​7930) authored by @​charlieegan3
• docs: Add OCP docs (#​7875) authored by @​charlieegan3
  • docs/ocp: Update docs on Azure object storage (#​7921) authored by @​minajevs
  • docs/ocp: Fix inline-transform example (#​7913) authored by @​srenatus
  • docs/ocp: Fix wrong example on concepts page (#​7907) authored by @​srenatus
  • docs/ocp: Update API reference (#​7906) authored by @​srenatus
  • docs/ocp: Update OCP api-key (#​7904) authored by @​charlieegan3
  • docs/ocp: Update OCP install instructions (#​7910) authored by @​ashutosh-narkar
• docs: Add Regal docs to OPA site (#​7874) authored by @​charlieegan3
  • docs/regal: Update docs following 0.36.0 (#​7891) authored by @​charlieegan3
• docs/deploy: Add OPA deployment docs (#​7898) authored by @​charlieegan3
• docs/website: Update references to Styra (#​7877) authored by @​charlieegan3

Miscellaneous

• Bump golangci-lint to v2.4.0 (#​7878) authored by @​sspaink
• Community Guidelines: update email list (#​7900) authored by @​srenatus
• ci: port binary tests to testscript (#​7865) authored by @​srenatus
• dependabot: Updating e2e go deps together with core OPA deps (#​7923) authored by @​johanfylling
• github_actions: Add working directory in arguments for Link Checker (#​7883) authored by @​sspaink
• rego: Add comprehensive WASM performance benchmarks (#​7841) authored by @​anivar
• Dependency updates; notably:
  • build: Bump go to 1.25.1
  • build(deps): Add github.com/huandu/go-sqlbuilder 1.37.0
  • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.0.10 to 3.0.11
  • build(deps): Bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2
  • build(deps): Bump golang.org/x/net from 0.43.0 to 0.44.0
  • build(deps): Bump golang.org/x/time from 0.12.0 to 0.13.0
  • build(deps): Bump google.golang.org/grpc from 1.75.0 to 1.75.1
  • build(deps): Bump google.golang.org/protobuf from 1.36.8 to 1.36.9
  • build(deps): bump go.opentelemetry.io deps from 1.37.0/0.62.0 to 1.38.0/0.63.0

v1.8.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Support for EdDSA signatures in io.jwt built-ins, including a new io.jwt.verify_eddsa built-in.

EdDSA Support in built-ins (#​7824)

Support for the EdDSA signing algorithm has been added to built-in functions in the io.jwt namespace.

This introduces the new io.jwt.verify_eddsa built-in function, and adds EdDSA support for the following built-ins:

• io.jwt.decode_verify
• io.jwt.encode_sign
• io.jwt.encode_sign_raw

This feature benefited greatly from the groundwork laid by @​lestrrat in (#​7638). 👏 🎉 🥳

Authored by @​johanfylling reported by @​aromeyer

Runtime

• cmd: Add back default cmd.RootCommand definition. (#​7811) authored by @​philipaconrad
  Fixing a breaking change to the go API introduced in OPA v1.7.0.
• cmd: Fix opa exec parameters (#​7850, #​7840) authored by @​srenatus
  Fixing regressions introduced in OPA v1.7.0, where the --fail-non-empty and --stdin-input flags were dropped.
• config: accept env vars set to "", discern from unset (#​7831) authored by @​srenatus reported by @​ManuelNowackConfinale
• handlers: Add thread-safe initialization for gzipPool (#​7828) authored by @​charlieegan3
• plugins: Address race in config access (#​7825) authored by @​charlieegan3
• plugin/bundle: Correct bundle delay behavior (#​7812) authored by @​charlieegan3
• runtime: Update server init check (#​7818) authored by @​charlieegan3

Topdown

• perf: Performance greatly improved for Object.Insert on existing key (#​7820) authored by @​anderseknert
• topdown,bundle,plugins: Upgrade interned jwx (0.9.x) with github.com/lestrrat-go/jwx/v3 (#​7638) authored by @​lestrrat

Docs, Website

• Update website to build from tip of main (#​7848) authored by @​tsandall
• ast/builtins: Remove space from count description (#​7836) authored by @​charlieegan3
• docs: Add link to logic-or/and on docs index (#​7826) authored by @​charlieegan3
• docs: Add note on using LLM in PR discussions (#​7859) authored by @​anderseknert
• docs: Fix broken anchor links in annotations (#​7827) authored by @​charlieegan3
• docs: Use set in the Python code example for consistence (#​7860) authored by @​durnik-ivo
• docs: Update frontpage (#​7847) authored by @​tsandall
• docs/rest-api: Add notes about policy IDs (#​7837) authored by @​charlieegan3
• website: Use latest release rather than edge (#​7781) authored by @​charlieegan3

Miscellaneous

• Update organization affiliations (#​7842) authored by @​tsandall
• test/e2e: Avoid port exhaustion in concurrent tests (#​7862) authored by @​anderseknert
• server: Make TestCertReloading less verbose (#​7823) authored by @​charlieegan3
• cmd: Exec test wait for bundle server to start (#​7821) authored by @​charlieegan3
• cmd: Update tests to run sync when ready (#​7835) authored by @​charlieegan3
• cmd: Move accidental pkg var to local var (#​7813) authored by @​philipaconrad
• internal/report: Allow overriding GitHub repo (#​7867) authored by @​srenatus
• release: Adding Dockerfile for image used in *-patch build targets (#​7864) authored by @​johanfylling
• Dependency updates; notably:
  • build: Bump go to 1.24.6 (#​7834, #​7839) authored by @​johanfylling and @​thevilledev
  • build(deps): Bump go-viper/mapstructure/v2 from v2.3.0 to v2.4.0 (#​7857) authored by @​deeglaze
  • build(deps): Bump github.com/containerd/containerd/v2 from 2.1.3 to 2.1.4
  • build(deps): Bump github.com/prometheus/client_golang from 1.22.0 to 1.23.0

v1.7.1

Compare Source

This is a bug fix release addressing two issues for users that include OPA's CLI in their own application's CLI:

• A missing symbol in the cmd package (cmd.RootCommand)
• A possible panic in the opa parse command

v1.7.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Improved OPA SDK/API for better extensibility

SDK Improvements

The OPA SDK/API has been improved to provide better extensibility an more points of integration for developers.

• ast: Add DefaultModuleLoader (#​7794) authored by @​srenatus
• ast: Add feature registration from the outside (#​7782) authored by @​srenatus
• bundle: Add support for bundle store and activation plugins (#​7771) authored by @​philipaconrad
• cmd: Allow branding (#​7797) authored by @​srenatus
• decisionlogs: Add custom fields grab bag (#​7793) authored by @​srenatus
• plugins: allow registering handlerfuncs with name+path (#​7769) authored by @​srenatus
• rego: Expose QueryTracers, tracing.Options and Cancel from QueryContext (#​7767) authored by @​philipaconrad
• rego: Pass along TracingOpts into EvalContext (#​7778) authored by @​srenatus
• runtime: add ExtraDiscoveryOpts to runtime.Params (#​7766) authored by @​srenatus
• sdk: Allow for setting default options for all instances (#​7760) authored by @​srenatus
• server: Add hooks wiring + new hooks for inter-query caches (#​7775) authored by @​srenatus
• server: Ensure that wrapped middlewares all support http.Flusher (#​7772) authored by @​srenatus
• server/authorizer: Allow adding paths to validator (#​7792) authored by @​philipaconrad
• server+plugins: Allow plugins to inject http handler middlewares (#​7789) authored by @​srenatus reported by @​deeglaze
• store+runtime: Extension points for custom stores (#​7779) authored by @​srenatus
• test+eval: Add helper to smuggle compiler through context (#​7790) authored by @​srenatus
• tester: Support uint64 and float64 metrics in runBenchmark (#​7761) authored by @​srenatus

Runtime, Tooling

• build: Show a warning when .manifest is ignored (#​7807) authored by @​charlieegan3
• cli: Avoid os.Exit() in Run() funcs (#​7788) authored by @​srenatus
• config: Keep unknown env replacements (#​7786) authored by @​srenatus
• format: Not bracketing keywords in imports (#​7742) authored by @​johanfylling
• loader: Add bundle lazy loading mode across the runtime. (#​7768) authored by @​philipaconrad
• loader: Pass bundle name in AsBundle() (#​7798) authored by @​srenatus
• opa exec: stop plugins before exit (#​7760) authored by @​srenatus
• plugins/discovery: Make Factories() merge the factories (#​7777) authored by @​srenatus
• plugins/discovery: Replace environment variables after evaluation (#​7787) authored by @​philipaconrad
• plugins/logs: Add experimental intermediate results field (#​7796) authored by @​philipaconrad
• report: Fetching latest OPA release version from GitHub (#​7756) authored by @​johanfylling
  OPA will no longer send telemetry data when fetching the latest release version.
• runtime: Allow enabling NDBCache by default (#​7780) authored by @​srenatus
• server+logging: Add BatchDecisionID field to Decision Logs (#​7791) authored by @​philipaconrad
• store: Improve conflicting root error message (#​7806) authored by @​charlieegan3

Compiler, Topdown and Rego

• perf: AST compiler optimizations (#​7740) authored by @​anderseknert

Docs, Website

Note: While we have been working on the new website we have been showing
the edge documentation contents (as contents and framework changes often must
go hand in hand). Now that the website development pace has slowed and the
functionality is more stable, we will be returning to showing the documentation
content from the latest release instead. Please use the
edge documentation site
to review new changes. PR previews are also based on the latest branch commit.
This change will be made to show the v1.7.0 release shortly after publishing.

• docs: Add examples for crypto.sha256 and base64.encode built-in functions (#​7762) authored by @​ToluGIT
• docs: Break out the built-in categories in policy ref (#​7722) authored by @​sky3n3t
• docs: Correctly spell NetBSD (#​7738) authored by @​iamleot
• docs: Fix a number of minor docs typos (#​7799) authored by @​charlieegan3
• docs: Fix /docs/envoy-authorization/ 404 (#​7755 authored by @​charlieegan3
• docs: Remove link to OPA playground share (#​7750) authored by @​charlieegan3
• docs: Revise docs index page wording (#​7805) authored by @​charlieegan3
• docs: Update warning note in GraphQL API docs (#​7737) authored by @​charlieegan3
• website: Add wildcard CORS for data/versions.json (#​7784) authored by @​charlieegan3
• website: Ensure no hscroll on built-in tables (#​7773) authored by @​charlieegan3
• website: Render versions under /data/versions.json (#​7783) authored by @​charlieegan3
• website: Set mobile and desktop tab sizes (#​7774) authored by @​charlieegan3
• website: Show link to the edge release of the docs (#​7776) authored by @​charlieegan3

Miscellaneous

• Benchmark fixes (#​7765) authored by @​anderseknert

• Use Regal for linting Rego (#​7752) authored by @​anderseknert

• Use shorthand form for types (#​7757) authored by @​anderseknert

• .github: Use types for issues (#​7751) authored by @​charlieegan3

• build: Add top-level token permissions for workflows (#​7795) authored by @​timothyklee

• docs/build: Link checker fixes (#​7743) authored by @​charlieegan3

• Dependency updates; notably:

  • build(deps): bump github.com/containerd/containerd/v2 from 2.1.1 to 2.1.3
  • build(deps): bump google.golang.org/grpc from 1.73.0 to 1.74.2
  • build(deps): bump go.opentelemetry.io deps from 1.36.0/0.61.0 to 1.37.0/0.62.0

v1.6.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Improvements to the OPA website and documentation
• Allowing keywords in Rego references
• Parallel test execution
• Faster built-in function execution

Modernized OPA Website (#​7037)

We're continuing to modernize the OPA website with a new design and improved user experience.

Some highlights:

• Builtins: You can now search them on the docs page!
• Sidebar redesign: Making it easier to find what you're looking for in our docs
• Feedback forms: Closing the feedback loop between docs authors and readers -- Please let us know if you dislike, or like, a docs page.
• Downloads page: Find your OS' installation instructions on a less cluttered page!
• And much more

Authored by @​sky3n3t and @​charlieegan3

Allowing keywords in Rego references (#​7709)

Previously, Rego references could not contain terms that conflict with Rego keywords such as package, if, else, not, etc.
in certain constructs:

package example

allow if {
    input.package.source         # not allowed (before v1.6.0)
    input["package"].destination # allowed
}

The constraints for valid Rego references have been relaxed to allow keywords.
The above example is now valid and will no longer cause a compilation error.

Authored by @​johanfylling

Parallel Test Execution (#​7442)

By default, OPA will now run tests in parallel (defaulting to one parallel execution thread per available CPU core), significantly speeding up test execution time for large test suites.
The performance boost is closely tied to the number of tests in your project

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

This PR has been generated by MintMaker (powered by Renovate Bot).