Dep bump v0.7

.tool-versions

@@ -1 +1 @@
-golang 1.25.3
+golang 1.25.8

Dockerfile

@@ -16,7 +16,7 @@
 
 ## Build
 
-FROM docker.io/library/golang:1.25.3 AS build
+FROM docker.io/library/golang:1.25.8 AS build
 
 ARG TARGETOS
 ARG TARGETARCH

Dockerfile.dist

@@ -16,7 +16,7 @@
 
 ## Build
 
-FROM registry.access.redhat.com/ubi9/go-toolset:1.25.3@sha256:e8938564f866174a6d79e55dfe577c2ed184b1f53e91d782173fb69b07ce69ef AS build
+FROM registry.access.redhat.com/ubi9/go-toolset:1.25.8@sha256:8c5aeac74b4b60dc2e5e44f6b639186b7ec2fec8f0eb9a36d4a32dcf8e255f52 AS build
 
 ARG TARGETOS
 ARG TARGETARCH

Makefile

@@ -102,7 +102,7 @@ TEST_OUTPUT_FILTER=grep -vE '0.0% of statements|\[no test files\]'
 .PHONY: test
 test: ## Run all unit tests
 	@echo "Unit tests:"
-	@set -o pipefail && go test -race -covermode=atomic -coverprofile=coverage-unit.out -timeout 1s -tags=unit ./... | $(TEST_OUTPUT_FILTER)
+	@set -o pipefail && go test -race -covermode=atomic -coverprofile=coverage-unit.out -timeout 5s -tags=unit ./... | $(TEST_OUTPUT_FILTER)
 	@echo "Integration tests:"
 	@set -o pipefail && go test -race -covermode=atomic -coverprofile=coverage-integration.out -timeout 15s -tags=integration ./... | $(TEST_OUTPUT_FILTER)
 # Given the nature of generative tests the test timeout is increased from 500ms

benchmark/internal/registry/registry.go

@@ -1,3 +1,5 @@
+//go:build benchmark
+
 // Copyright The Conforma Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

benchmark/internal/suite/closer.go

@@ -1,3 +1,5 @@
+//go:build benchmark
+
 // Copyright The Conforma Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

benchmark/internal/suite/suite.go

@@ -1,3 +1,5 @@
+//go:build benchmark
+
 // Copyright The Conforma Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

benchmark/internal/untar/untar.go

@@ -1,3 +1,5 @@
+//go:build benchmark
+
 // Copyright The Conforma Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

benchmark/offliner/base_images.go

@@ -1,3 +1,5 @@
+//go:build benchmark
+
 // Copyright The Conforma Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

benchmark/offliner/nab.go

@@ -1,3 +1,5 @@
+//go:build benchmark
+
 // Copyright The Conforma Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

benchmark/offliner/offliner.go

@@ -1,3 +1,5 @@
+//go:build benchmark
+
 // Copyright The Conforma Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

benchmark/offliner/offliner_test.go

@@ -1,3 +1,5 @@
+//go:build benchmark
+
 // Copyright The Conforma Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

benchmark/offliner/referrers.go

@@ -1,3 +1,5 @@
+//go:build benchmark
+
 // Copyright The Conforma Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

benchmark/offliner/refs.go

@@ -1,3 +1,5 @@
+//go:build benchmark
+
 // Copyright The Conforma Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

benchmark/offliner/related.go

@@ -1,3 +1,5 @@
+//go:build benchmark
+
 // Copyright The Conforma Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

benchmark/offliner/scans.go

@@ -1,3 +1,5 @@
+//go:build benchmark
+
 // Copyright The Conforma Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

benchmark/offliner/subjects.go

@@ -1,3 +1,5 @@
+//go:build benchmark
+
 // Copyright The Conforma Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

benchmark/simple/simple.go

@@ -1,3 +1,5 @@
+//go:build benchmark
+
 // Copyright The Conforma Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

docs/modules/ROOT/pages/ec_opa_bench.adoc

@@ -14,6 +14,7 @@ Example with bundle and input data:
 	opa bench -b ./policy-bundle -i input.json 'data.authz.allow'
 
 To run benchmarks against a running OPA server to evaluate server overhead use the --e2e flag.
+To enable more detailed analysis use the --metrics and --benchmem flags.
 
 The optional "gobench" output format conforms to the Go Benchmark Data Format.
 

docs/modules/ROOT/pages/ec_opa_build.adoc

@@ -64,14 +64,14 @@ The 'build' command supports targets (specified by -t):
             original policy or data files.
 
     plan    The plan target emits a bundle containing a plan, i.e., an intermediate
-            representation compiled from the input files for each specified entrypoint.
-            This is for further processing, OPA cannot evaluate a "plan bundle" like it
-            can evaluate a wasm or rego bundle.
+			representation compiled from the input files for each specified entrypoint.
+			This is for further processing, OPA cannot evaluate a "plan bundle" like it
+			can evaluate a wasm or rego bundle.
 
-The -e flag tells the 'build' command which documents (entrypoints) will be queried by 
-the software asking for policy decisions, so that it can focus optimization efforts and 
+The -e flag tells the 'build' command which documents (entrypoints) will be queried by
+the software asking for policy decisions, so that it can focus optimization efforts and
 ensure that document is not eliminated by the optimizer.
-Note: Unless the --prune-unused flag is used, any rule transitively referring to a 
+Note: Unless the --prune-unused flag is used, any rule transitively referring to a
 package or rule declared as an entrypoint will also be enumerated as an entrypoint.
 
 Signing

docs/modules/ROOT/pages/ec_opa_exec.adoc

@@ -21,6 +21,7 @@ After: Decision Logs
 By default, the 'exec' command executes the "default decision" (specified in
 the OPA configuration) against each input file. This can be overridden by
 specifying the --decision argument and pointing at a specific policy decision,
+
 e.g., opa exec --decision /foo/bar/baz ...
 
 [source,shell]
@@ -30,15 +31,15 @@ ec opa exec <path> [<path> [...]] [flags]
 
 == Examples
   Loading input from stdin:
-    documentation exec [<path> [...]] --stdin-input [flags]
+    opa exec [<path> [...]] --stdin-input [flags]
 
 == Options
 
 -b, --bundle:: set bundle file(s) or directory path(s). This flag can be repeated.
 -c, --config-file:: set path of configuration file
 --decision:: set decision to evaluate
---fail:: exits with non-zero exit code on undefined result and errors (Default: false)
---fail-defined:: exits with non-zero exit code on defined result and errors (Default: false)
+--fail:: exits with non-zero exit code on undefined/empty result and errors (Default: false)
+--fail-defined:: exits with non-zero exit code on defined/non-empty result and errors (Default: false)
 --fail-non-empty:: exits with non-zero exit code on non-empty result and errors (Default: false)
 -f, --format:: set output format (Default: json)
 -h, --help:: help for exec (Default: false)

docs/modules/ROOT/pages/ec_opa_inspect.adoc

@@ -1,13 +1,13 @@
 = ec opa inspect
 
-Inspect OPA bundle(s) or Rego files.
+Inspect OPA bundle(s)
 
 == Synopsis
 
-Inspect OPA bundle(s) or Rego files.
+Inspect OPA bundle(s).
 
-The 'inspect' command provides a summary of the contents in OPA bundle(s) or a single Rego file. Bundles are
-gzipped tarballs containing policies and data. The 'inspect' command reads bundle(s) and lists
+The 'inspect' command provides a summary of the contents in OPA bundle(s) or a single Rego file.
+Bundles are gzipped tarballs containing policies and data. The 'inspect' command reads bundle(s) and lists
 the following:
 
 * packages that are contributed by .rego files
@@ -23,10 +23,10 @@ Example:
     bundle.tar.gz
     $ opa inspect bundle.tar.gz
 
-You can provide exactly one OPA bundle, path to a bundle directory, or direct path to a Rego file to the 'inspect' command
-on the command-line. If you provide a path referring to a directory, the 'inspect' command will load that path as a bundle
-and summarize its structure and contents. If you provide a path referring to a Rego file, the 'inspect' command will load
-that file and summarize its structure and contents.
+You can provide exactly one OPA bundle, to a bundle directory, or direct path to a Rego file to the 'inspect'
+command on the command-line. If you provide a path referring to a directory, the 'inspect' command will load that path as
+a bundle and summarize its structure and contents.  If you provide a path referring to a Rego file, the 'inspect' command
+will load that file and summarize its structure and contents.
 
 [source,shell]
 ----

docs/modules/ROOT/pages/ec_opa_run.adoc

@@ -4,7 +4,7 @@ Start OPA in interactive or server mode
 
 == Synopsis
 
-Start an instance of the Open Policy Agent (OPA).
+Start an instance of OPA.
 
 To run the interactive shell:
 
@@ -142,7 +142,7 @@ ec opa run [flags]
 -b, --bundle:: load paths as bundle files or root directories (Default: false)
 -c, --config-file:: set path of configuration file
 --diagnostic-addr:: set read-only diagnostic listening address of the server for /health and /metric APIs (e.g., [ip]:<port> for TCP, unix://<path> for UNIX domain socket) (Default: [])
---disable-telemetry:: disables anonymous information reporting (see: https://www.openpolicyagent.org/docs/latest/privacy) (Default: false)
+--disable-telemetry:: disables version check against GitHub releases (see: https://www.openpolicyagent.org/docs/privacy) (Default: false)
 --exclude-files-verify:: set file names to exclude during bundle verification (Default: [])
 -f, --format:: set shell output format, i.e, pretty, json (Default: pretty)
 --h2c:: enable H2C for HTTP listeners (Default: false)
@@ -166,7 +166,7 @@ ec opa run [flags]
 --signing-alg:: name of the signing algorithm (Default: RS256)
 --skip-known-schema-check:: disables type checking on known input schemas (Default: false)
 --skip-verify:: disables bundle signature verification (Default: false)
---skip-version-check:: disables anonymous version reporting (see: https://www.openpolicyagent.org/docs/latest/privacy) (Default: false)
+--skip-version-check:: disables version check against GitHub releases (see: https://www.openpolicyagent.org/docs/privacy) (Default: false)
 --tls-ca-cert-file:: set path of TLS CA cert file
 --tls-cert-file:: set path of TLS certificate file
 --tls-cert-refresh-period:: set certificate refresh period (Default: 0s)

docs/modules/ROOT/pages/ec_opa_sign.adoc

@@ -21,7 +21,7 @@ for a list of supported signing algorithms.
 The key to be used for signing the JWT MUST be provided using the --signing-key flag.
 For example, for RSA family of algorithms, the command expects a PEM file containing
 the private key.
-For HMAC family of algorithms (eg. HS256), the secret can be provided using
+For HMAC family of algorithms (e.g. HS256), the secret can be provided using
 the --signing-key flag.
 
 OPA 'sign' can ONLY be used with the --bundle flag to load paths that refer to

docs/modules/ROOT/pages/ec_opa_test.adoc

@@ -65,7 +65,7 @@ If used with the '--bench' option then tests will be benchmarked.
 
 Example benchmark run:
 
-	$ opa test --bench ./example/
+	$  opa test --bench ./example/
 
 The optional "gobench" output format conforms to the Go Benchmark Data Format.
 
@@ -87,13 +87,15 @@ ec opa test <path> [path [...]] [flags]
 -c, --coverage:: report coverage (overrides debug tracing) (Default: false)
 -z, --exit-zero-on-skipped:: skipped tests return status 0 (Default: false)
 --explain:: enable query explanations (Default: fails)
+--fail-on-empty:: Whether to fail the test when no test was run (Default: false)
 -f, --format:: set output format (Default: pretty)
 -h, --help:: help for test (Default: false)
 --ignore:: set file and directory names to ignore during loading (e.g., '.*' excludes hidden files) (Default: [])
 -m, --max-errors:: set the number of errors to allow before compilation fails early (Default: 10)
 -p, --parallel:: the number of tests that can run in parallel, defaulting to the number of CPUs (explicitly set with 0). Benchmarks are always run sequentially.
 -r, --run:: run only test cases matching the regular expression
 -s, --schema:: set schema file path or directory path
+--sort:: sort the JSON formatted test output (Default: none)
 -t, --target:: set the runtime to exercise (Default: rego)
 --threshold:: set coverage threshold and exit with non-zero status if coverage is less than threshold % (Default: 0)
 --timeout:: set test timeout (default 5s, 30s when benchmarking) (Default: 0s)