Upgrade: Bump github.com/open-policy-agent/opa from 0.67.1 to 0.70.0 #206

Merged
santoshkal merged 1 commit into pre-main from dependabot/go_modules/pre-main/github.com/open-policy-agent/opa-0.70.0
Nov 7, 2024

Conversation

@dependabot dependabot Bot commented on behalf of github Nov 4, 2024

Bumps github.com/open-policy-agent/opa from 0.67.1 to 0.70.0.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.70.0

This release contains a mix of features, performance improvements, and bugfixes.

Optimized read mode for OPA's in-memory store (#7125)

A new optimized read mode has been added to the default in-memory store, where data written to the store is eagerly converted to AST values (the data format used during evaluation). This removes the time spent converting raw data values to AST during policy evaluation, thereby improving performance.

The memory footprint of the store will increase, as processed AST values generally take up more space in memory than the corresponding raw data values, but overall memory usage of OPA might remain more stable over time, as pre-converted data is shared across evaluations and isn't recomputed for each evaluation, which can cause spikes in memory usage.

This mode can be enabled for opa run, opa eval, and opa bench by setting the --optimize-store-for-read-speed flag.

More information about this feature can be found here.

Co-authored by @​johanfylling and @​ashutosh-narkar.

Topdown and Rego

  • topdown: Use new Inter-Query Value Cache for json.match_schema built-in function (#7011) authored by @​anderseknert reported by @​lcarva
  • ast: Fix location text attribute for multi-value rules with generated body (#7128) authored by @​anderseknert
  • ast: Fix regression in opa check where a file that referenced non-provided schemas failed validation (#7124) authored by @​tjons
  • test/cases/testdata: Fix bug in test by replacing unification by explicit equality check (#7093) authored by @​matajoh
  • ast: Replace use of yaml.v2 library with yaml.v3. The earlier version would parse yes/no values as boolean. The usage of yaml.v2 in the parser was unintentional and now has been updated to yaml.v3 (#7090) authored by @​anderseknert

Runtime, Tooling, SDK

  • cmd: Make opa check respect --ignore when --bundle flag is set (#7136) authored by @​anderseknert
  • server/writer: Properly handle result encoding errors which earlier on failure would emit logs such as superfluous call to WriteHeader() while still returning 200 HTTP status code. Now, errors encoding the payload properly lead to 500 HTTP status code, without extra logs. Also use Header().Set() not Header().Add() to avoid duplicate content-type headers (#7114) authored by @​srenatus
  • cmd: Support file:// format for TLS key material file flags in opa run (#7094) authored by @​alexrohozneanu
  • plugins/rest/azure: Support managed identity for App Service / Container Apps (#7085) reported and authored by @​apc-kamezaki
  • debug: Fix step-over behaviour when exiting partial rules (#7096) authored by @​johanfylling
  • util+plugins: Fix potential memory leaks with explicit timer cancellation (#7089) authored by @​philipaconrad

Docs, Website, Ecosystem

  • docs: Fix OCI example with updated flag used by the ORAS CLI (#7130) authored by @​b3n3d17
  • docs: Delete Atom editor from supported editor integrations (#7111) authored by @​KaranbirSingh7
  • docs/website: Add Styra OPA ASP.NET Core SDK integration (#7073) authored by @​philipaconrad
  • docs/website: Update compatibility information on the rego-cpp integration (#7078) authored by @​matajoh

Miscellaneous

  • Dependency updates; notably:
    • build(deps): bump github.com/containerd/containerd from 1.7.22 to 1.7.23
    • build(deps): bump github.com/prometheus/client_golang from 1.20.4 to 1.20.5
    • build(deps): bump golang.org/x/net from 0.29.0 to 0.30.0
    • build(deps): bump golang.org/x/time from 0.6.0 to 0.7.0
    • build(deps): bump google.golang.org/grpc from 1.67.0 to 1.67.1

v0.69.0

... (truncated)

Commits
  • 2ea031e Prepare v0.70.0 release
  • 6af5e79 storage: Optimized read mode for default data storage
  • 1b797d9 Make opa check respect --ignore when --bundle flag is set (#7137)
  • 8e44b98 build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 (#7138)
  • ad6ffda build(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#7135)
  • 67fe53b Update Andrew Peabody to emeritus (#7133)
  • 30f3747 build(deps): bump github/codeql-action from 3.26.13 to 3.27.0
  • f7957bd 🐛 fix: oras cli changed to --config
  • 58ec50b Fix location for multivalue rules with generated bodies (#7129)
  • 555fe84 only check schemas when schemas are provided (#7124)
  • Additional commits viewable in compare view

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.67.1 to 0.70.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v0.67.1...v0.70.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels Nov 4, 2024
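
The server/writer entry in the release notes above (#7114) describes two response-writing defects: a 200 status that survives an encoding failure, and duplicate content-type headers from `Header().Add()`. The following Go program is an added example, not OPA's code and not part of this PR; it reproduces that class of bug with the standard library only, and `writeEarly`, `writeBuffered`, `respond` and the payload are hypothetical names constructed here.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"math"
	"net/http"
	"net/http/httptest"
)

// Constructed payload: +Inf has no JSON representation, so encoding fails.
var unencodable = map[string]any{"allow": true, "score": math.Inf(1)}

// writeEarly commits 200 before encoding; the later 500 cannot take effect.
func writeEarly(w http.ResponseWriter, v any) {
	w.Header().Add("Content-Type", "application/json") // appends a second value
	w.WriteHeader(http.StatusOK)
	if err := json.NewEncoder(w).Encode(v); err != nil {
		w.WriteHeader(http.StatusInternalServerError) // superfluous, ignored
	}
}

// writeBuffered encodes first, so a failure can still be reported as 500.
func writeBuffered(w http.ResponseWriter, v any) {
	var buf bytes.Buffer
	if err := json.NewEncoder(&buf).Encode(v); err != nil {
		http.Error(w, "error encoding result", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "application/json") // replaces, never appends
	w.WriteHeader(http.StatusOK)
	w.Write(buf.Bytes())
}

// respond calls write behind a layer that already set Content-Type and
// returns the status code and Content-Type values a client would receive.
func respond(write func(http.ResponseWriter, any), v any) (int, []string) {
	rec := httptest.NewRecorder()
	rec.Header().Set("Content-Type", "application/json")
	write(rec, v)
	res := rec.Result()
	return res.StatusCode, res.Header.Values("Content-Type")
}

func main() {
	fmt.Println(respond(writeEarly, unencodable))    // status 200, two values
	fmt.Println(respond(writeBuffered, unencodable)) // status 500, one value
}
```

Against a real net/http server the second `WriteHeader` in `writeEarly` is what produces the "superfluous response.WriteHeader call" log line; `httptest.ResponseRecorder` drops it silently. A client that trusts the status code would treat the empty 200 from `writeEarly` as a successful response.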
dryrunsecurity Bot commented Nov 4, 2024

DryRun Security Summary

The pull request primarily focuses on updating the versions of several dependencies, including the github.com/open-policy-agent/opa library, which is a key component of the application, and it is important to review the changelog or release notes for the updated dependencies to understand any potential security-related changes or fixes.

Summary:

The code changes in this pull request primarily focus on updating the versions of several dependencies used in the project, including the github.com/open-policy-agent/opa library, which is a key component of the application. From an application security perspective, these changes are not particularly concerning, as updating dependencies to their latest versions is a common practice and is often done to take advantage of bug fixes, security updates, or new features.

However, it's important to review the changelog or release notes for the updated dependencies to understand any potential security-related changes or fixes that may have been included. Additionally, it's recommended to have a comprehensive security testing process in place to ensure that the application continues to function as expected and does not introduce any new vulnerabilities after the dependency updates.

Files Changed:

  1. go.mod: This file has been updated to change the version of the github.com/open-policy-agent/opa dependency from 0.67.1 to 0.70.0. This is a routine dependency update and is unlikely to introduce any significant security risks, as long as the update is part of a well-planned and tested release process.

  2. go.sum: This file has been updated to reflect the changes in the versions of several dependencies, including github.com/agnivade/levenshtein, github.com/golang/glog, github.com/klauspost/compress, github.com/prometheus/client_golang, github.com/dgryski/trifles, github.com/open-policy-agent/opa, golang.org/x/time, and google.golang.org/grpc. These changes are likely to update the dependencies used in the project to their latest versions, which may include bug fixes, security updates, or new features. It's important to review the changes and ensure that the updated dependencies do not introduce any new vulnerabilities or security issues.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 2 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@santoshkal santoshkal merged commit 277451b into pre-main Nov 7, 2024
@santoshkal santoshkal deleted the dependabot/go_modules/pre-main/github.com/open-policy-agent/opa-0.70.0 branch November 7, 2024 10:11