Bump github.com/open-policy-agent/opa from 0.28.0 to 0.29.1

[dependabot]

Bumps github.com/open-policy-agent/opa from 0.28.0 to 0.29.1.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.29.1

This release contains a number of enhancements and fixes.

SDK

• This release includes a new top-level package to support OPA integrations in Go programs: github.com/open-policy-agent/opa/sdk. Users that want to integrate OPA as a library in Go and expose features like bundles and decision logging should use this package. The package is controlled by specifying an OPA configuration file. Hot reloading is supported out-of-the-box. See the GoDoc for the package docs for more details.

Server

• A deadlock in the bundle plugin during shutdown has been resolved (#3363)
• An issue between bundle signing and bundle persistence when multiple data.json files are included in the bundle has been resolved (#3472)
• The github.com/open-policy-agent/opa/runtime#Params struct now supports a router parameter to enable custom routes on the HTTP server.
• The bundle manifest can now include an extra metadata key where arbitrary key-value pairs can be stored. Authored by @viovanov
• The bundle plugin now supports file:// urls in the resource field for test purposes.
• The decision log plugin emits a clearer message at DEBUG instead of INFO when there is no work to do. Authored by andrewbanchich
• The discovery plugin now supports a resource configuration field like the bundle plugin. Similarly, the resource is treated as the canonical setting to identify the discovery bundle.

Tooling

• The opa test timeout as been increased to 30 seconds when benchmarking (#3107)
• The opa eval --schema flag has been fixed to correctly set the schema when a single schema file is passed
• The opa build --debug flag output has been improved for readability
• The array.items JSON schema value is now supported by the type checker
• The opa fmt subcommand can now exit with a non-zero status when a diff is detected (by passing --fail)
• The opa test subcommand no longer emits bogus file paths when fed a file:// url

Built-in Functions

• The http.send built-in function falls back to the system certificate pool when the tls_ca_cert or tls_ca_cert_env_variable options are not specified (#2271) authored by @olamiko

Evaluation

• The order of support rules emitted by partial evaluation is now deterministic (#3453) authored by @andrehaland
• The big number performance regression caught by the fuzzer has been resolved (#3262)
• The evaluator has been updated to memoize calls to rules with arguments (functions) within a single query. This avoids recomputing function results when the same input is passed multiple times (similar to how complete rules are memoized.)

WebAssembly

• The wasm target no longer panics if the OPA binary does not include a wasm runtime (#3264)
• The interrupt handling mechanism has been rewritten to make safe use of the wasmtime package. The SDK also returns structured errors now that are more aligned with topdown. (#3225)
• The SDK provides the subset of required imports now (which is useful for debugging with opa_println in the runtime library if needed.)
• The opa_number_float type has been removed from the value library (it was unused after moving to libmpdec)
• The runtime library builder has been updated to use llvm-12 and the wasmtime-go package has been updated to v0.27.0

Documentation

• The HTTP API authorization tutorial has been updated to show how to distribute policies using bundles
• The Envoy tutorial has been tweaked to show better path matching examples

Infrastructure

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.29.1

This is a bugfix release to resolve an issue in the release pipeline.

0.29.0

This release contains a number of enhancements and fixes.

SDK

• This release includes a new top-level package to support OPA integrations in Go programs: github.com/open-policy-agent/opa/sdk. Users that want to integrate OPA as a library in Go and expose features like bundles and decision logging should use this package. The package is controlled by specifying an OPA configuration file. Hot reloading is supported out-of-the-box. See the GoDoc for the package docs for more details.

Server

• A deadlock in the bundle plugin during shutdown has been resolved (#3363)
• An issue between bundle signing and bundle persistence when multiple data.json files are included in the bundle has been resolved (#3472)
• The github.com/open-policy-agent/opa/runtime#Params struct now supports a router parameter to enable custom routes on the HTTP server.
• The bundle manifest can now include an extra metadata key where arbitrary key-value pairs can be stored. Authored by @viovanov
• The bundle plugin now supports file:// urls in the resource field for test purposes.
• The decision log plugin emits a clearer message at DEBUG instead of INFO when there is no work to do. Authored by andrewbanchich
• The discovery plugin now supports a resource configuration field like the bundle plugin. Similarly, the resource is treated as the canonical setting to identify the discovery bundle.

Tooling

• The opa test timeout as been increased to 30 seconds when benchmarking (#3107)
• The opa eval --schema flag has been fixed to correctly set the schema when a single schema file is passed
• The opa build --debug flag output has been improved for readability
• The array.items JSON schema value is now supported by the type checker
• The opa fmt subcommand can now exit with a non-zero status when a diff is detected (by passing --fail)
• The opa test subcommand no longer emits bogus file paths when fed a file:// url

Built-in Functions

• The http.send built-in function falls back to the system certificate pool when the tls_ca_cert or tls_ca_cert_env_variable options are not specified (#2271) authored by @olamiko

Evaluation

• The order of support rules emitted by partial evaluation is now deterministic (#3453) authored by @andrehaland
• The big number performance regression caught by the fuzzer has been resolved (#3262)
• The evaluator has been updated to memoize calls to rules with arguments (functions) within a single query. This avoids recomputing function results when the same input is passed multiple times (similar to how complete rules are memoized.)

WebAssembly

• The wasm target no longer panics if the OPA binary does not include a wasm runtime (#3264)
• The interrupt handling mechanism has been rewritten to make safe use of the wasmtime package. The SDK also returns structured errors now that are more aligned with topdown. (#3225)
• The SDK provides the subset of required imports now (which is useful for debugging with opa_println in the runtime library if needed.)
• The opa_number_float type has been removed from the value library (it was unused after moving to libmpdec)
• The runtime library builder has been updated to use llvm-12 and the wasmtime-go package has been updated to v0.27.0

Documentation

... (truncated)

Commits

• 3155647 Prepare v0.29.1 release
• 8f1d745 build: Fix post-tag workflow to run make generate
• f334a08 Prepare v0.30.0 development
• d99ad4e Prepare v0.29.0 release
• b3d7ea4 Patch release for OPA v0.28.0 that contains a fix for loading a single global...
• a2a4b5d Persist downloaded bundle bytes to disk
• f455066 Change log level
• 251dcc5 topdown: memoize function outputs (#3469)
• d8287db ast, compile: Update opa build --debug output
• a9c115c Upgrade github.com/bytecodealliance/wasmtime-go (#3483)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)