Bump github.com/open-policy-agent/opa from 0.70.0 to 1.17.0

[dependabot]

Bumps github.com/open-policy-agent/opa from 0.70.0 to 1.17.0.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels array. Each element is the merged label map for one successfully evaluated rule, with

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels

... (truncated)

Commits

• 64a3625 Release v1.17.0 (#8710)
• 68c9de5 benchmarks: tweak per-PR benchmark regression check based on pr-check
• 7fe3066 server: remove dead code (s.partials) (#8708)
• 37830be ast,storage/inmem: Add inmem.NewFromASTObject and add missing string case t...
• 1661f22 ast: add some schema $ref tests
• 3e22f56 benchmarks: only run for go changes
• 13aaeab benchmarks: move env vars, remove zizmor-ignore comment
• 93e1708 benchmarks: fix PR message, skip tests
• 4ce3991 benchmarks: use go tool machinery, add benchstat
• 41df8df benchmarks: use benchlab for per-PR feedback
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)