@renovate renovate bot commented Oct 22, 2025

This PR contains the following updates:

Package | Change | Age | Adoption | Passing | Confidence
github.com/open-policy-agent/opa | v0.63.0 -> v1.9.0 | age | adoption | passing | confidence

Release Notes

open-policy-agent/opa (github.com/open-policy-agent/opa)

v1.9.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Compile API extensions ported from EOPA
  • Improved rule indexing

Compile Rego Queries Into SQL Filters (#7887)

Compile API extensions with support for SQL filter generation previously exclusive to EOPA has been ported into OPA.

Example

With OPA running with this policy, we'll compile the query data.filters.include into SQL filters:

package filters

# METADATA
# scope: document
# compile:
#   unknowns: [input.fruits]
include if input.fruits.name == input.favorite

Example Request

POST /v1/compile/filters/include HTTP/1.1
Content-Type: application/json
Accept: application/vnd.opa.sql.postgresql+json

{
  "input": {
    "favorite": "pineapple"
  }
}

Example Response

HTTP/1.1 200 OK
Content-Type: application/vnd.opa.sql.postgresql+json

{
  "result": {
    "query": "WHERE fruits.name = E'pineapple'"
  }
}

See the documentation for more details.

Authored by @​srenatus and @​philipaconrad

Improved Rule Indexing For "Naked" Refs (#​7897)

OPA's rule indexer is a means by which OPA can optimize evaluation performance.
Briefly, the indexer can in some cases determine that a rule won't successfully evaluate before it's evaluated based on the query input.
The indexer previously only considered terms in certain compound expressions, ignoring single terms; e.g. an expression containing a sole "naked" ref. This has now changed!

Example

Given a policy with an allow rule containing two "naked" refs: input.foo and input.bar:

package example

allow if {
    input.foo
    input.bar
}

and the input document:

{
    "foo": 1
}

before this improvement, when evaluating the query data.example.allow, we get the trace log:

query:1           Enter data.example.allow = _
query:1           | Eval data.example.allow = _
query:1           | Index data.example.allow (matched 1 rule, early exit)
policy.rego:3     | Enter data.example.allow
policy.rego:5     | | Eval input.foo
policy.rego:6     | | Eval input.bar
policy.rego:6     | | Fail input.bar
policy.rego:5     | | Redo input.foo
query:1           | Fail data.example.allow = _

Here, we can see that the allow rule is evaluated, but fails on the input.bar expression, as it's referencing an undefined value.

With the improvement to the indexer, we instead get:

query:1     Enter data.example.allow = _
query:1     | Eval data.example.allow = _
query:1     | Index data.example.allow (matched 0 rules, early exit)
query:1     | Fail data.example.allow = _

Where we can see that the allow rule was never evaluated, since the input doesn't meet the conditions established by the indexer; i.e. both input.foo and input.bar must have defined values.

Authored by @​srenatus

Runtime, Tooling
Compiler, Topdown and Rego
Docs, Website
Miscellaneous
  • Bump golangci-lint to v2.4.0 (#​7878) authored by @​sspaink
  • Community Guidelines: update email list (#​7900) authored by @​srenatus
  • ci: port binary tests to testscript (#​7865) authored by @​srenatus
  • dependabot: Updating e2e go deps together with core OPA deps (#​7923) authored by @​johanfylling
  • github_actions: Add working directory in arguments for Link Checker (#​7883) authored by @​sspaink
  • rego: Add comprehensive WASM performance benchmarks (#​7841) authored by @​anivar
  • Dependency updates; notably:
    • build: Bump go to 1.25.1
    • build(deps): Add github.com/huandu/go-sqlbuilder 1.37.0
    • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.0.10 to 3.0.11
    • build(deps): Bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2
    • build(deps): Bump golang.org/x/net from 0.43.0 to 0.44.0
    • build(deps): Bump golang.org/x/time from 0.12.0 to 0.13.0
    • build(deps): Bump google.golang.org/grpc from 1.75.0 to 1.75.1
    • build(deps): Bump google.golang.org/protobuf from 1.36.8 to 1.36.9
    • build(deps): bump go.opentelemetry.io deps from 1.37.0/0.62.0 to 1.38.0/0.63.0

v1.8.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Support for EdDSA signatures in io.jwt built-ins, including a new io.jwt.verify_eddsa built-in.

EdDSA Support in built-ins (#7824)

Support for the EdDSA signing algorithm has been added to built-in functions in the io.jwt namespace.

This introduces the new io.jwt.verify_eddsa built-in function, and adds EdDSA support for the following built-ins:

This feature benefited greatly from the groundwork laid by @​lestrrat in (#​7638). 👏 🎉 🥳

Authored by @​johanfylling reported by @​aromeyer

Runtime
Topdown
  • perf: Performance greatly improved for Object.Insert on existing key (#​7820) authored by @​anderseknert
  • topdown,bundle,plugins: Upgrade interned jwx (0.9.x) with github.com/lestrrat-go/jwx/v3 (#​7638) authored by @​lestrrat
Docs, Website
Miscellaneous

v1.7.1

Compare Source

This is a bug fix release addressing two issues for users that include OPA's CLI in their own application's CLI:

  • A missing symbol in the cmd package (cmd.RootCommand)
  • A possible panic in the opa parse command

v1.7.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Improved OPA SDK/API for better extensibility

SDK Improvements

The OPA SDK/API has been improved to provide better extensibility and more points of integration for developers.

Runtime, Tooling
Compiler, Topdown and Rego
Docs, Website

Note: While we have been working on the new website we have been showing
the edge documentation contents (as contents and framework changes often must
go hand in hand). Now that the website development pace has slowed and the
functionality is more stable, we will be returning to showing the documentation
content from the latest release instead. Please use the
edge documentation site
to review new changes. PR previews are also based on the latest branch commit.
This change will be made to show the v1.7.0 release shortly after publishing.

Miscellaneous

v1.6.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Improvements to the OPA website and documentation
  • Allowing keywords in Rego references
  • Parallel test execution
  • Faster built-in function execution

Modernized OPA Website (#7037)

We're continuing to modernize the OPA website with a new design and improved user experience.

Some highlights:

  • Builtins: You can now search them on the docs page!
  • Sidebar redesign: Making it easier to find what you're looking for in our docs
  • Feedback forms: Closing the feedback loop between docs authors and readers -- Please let us know if you dislike, or like, a docs page.
  • Downloads page: Find your OS' installation instructions on a less cluttered page!
  • And much more

Authored by @​sky3n3t and @​charlieegan3

Allowing keywords in Rego references (#​7709)

Previously, Rego references could not contain terms that conflict with Rego keywords such as package, if, else, not, etc.
in certain constructs:

package example

allow if {
    input.package.source         # not allowed (before v1.6.0)
    input["package"].destination # allowed
}

The constraints for valid Rego references have been relaxed to allow keywords.
The above example is now valid and will no longer cause a compilation error.

Authored by @​johanfylling

Parallel Test Execution (#​7442)

By default, OPA will now run tests in parallel (defaulting to one parallel execution thread per available CPU core), significantly speeding up test execution time for large test suites.
The performance boost is closely tied to the number of tests in your project and your selected parallelism level. For larger projects and default settings, 2-3x performance gains have been measured on a MacBook Pro.

Parallelism can be disabled to run tests sequentially by setting the --parallel flag to 1. E.g. opa test . --parallel=1.

Authored by @​sspaink reported by @​anderseknert

Faster Builtin Function Evaluation

The builtin context, an internal construct of OPA's evaluation engine, was previously provided to every builtin function.
As it turns out, only very few of them actually need it, for caching, cancellation, or lookups.
Those builtins are still provided with a builtin context, but for calls to all other builtins, we save the memory required by it.
The impact is tremendous: Even though the size of a single builtin context is only about 270 bytes, in an example application (Regal), this change brings about 360 MB of reduced memory usage!

Authored by @​anderseknert

Runtime, Tooling, SDK
  • cmd/check: opa check --bundle report virtual/base doc conflicts (#​7701) authored by @​anderseknert
    When opa check is used with the --bundle flag, an error will be reported if the provided json/yaml data has a conflicting overlap with the virtual documents generated by Rego rules. Such conflicts are ambiguous and can lead to unexpected evaluation results, and should be resolved.
  • cmd/inspect: Fixing missing annotations location in opa inspect with JSON format (#​7459) authored by @​johanfylling reported by @​mostealth
  • cmd/parse: Expose --v0-compatible flag (#​7668) authored by @​tsandall
  • cmd/refactor: Fix src:dst parsing to deal with colons (#​7648) authored by @​tsandall
  • metrics: Fix restartable timer bug. (#​7669) authored by @​philipaconrad
  • metrics: Prealloc maps + add benchmark (#​7664) authored by @​philipaconrad
  • oracle: Add support for some and every (#​7716) authored by @​charlieegan3
  • oracle: Support object refs in FindDefinition (#​7711) authored by @​charlieegan3
  • plugin/decision: Check if event is too large after compression (#​7526) authored by @​sspaink
  • runtime,server: Replace gorilla/mux dependency with http.ServeMux (#​7676) authored by @​anderseknert
    Note: This is a potentially breaking change for go API users directly interfacing with the OPA server's routing.
  • server: Fix deferred metrics timers. (#​7671) authored by @​philipaconrad
  • server: Fix query url when opa is served not from root path (#​7644) authored by @​olegKoshmeliuk
    Note: This is only applicable for the web UI hosted by OPA on its root path (/) and OPA is served at some other path than root.
Compiler, Topdown and Rego
  • ast: Ensure surplus leading zeros always error (#​7726) authored by @​charlieegan3
    Note: Primitive Rego number values with leading zeros (e.g. 0123) are now considered invalid at time of parsing and will generate an error. If you're impacted by this change, please update your policies to not have numbers with leading zeros. E.g. 0123 should be changed to 123.
  • ast: Fixing type-checker schema cache race condition for inlined schemas (#​7679, 7571) authored by @​johanfylling reported by @​daniel-petrov-gig
  • perf: Improve performance when referencing "global" in loop (#​7654) authored by @​anderseknert
  • topdown: Fix issue where path in walk would get mutated (#​7656) authored by @​anderseknert reported by @​robmyersrobmyers
  • topdown/http: Lenient application/json Content-Type header (#​6684) authored by @​sspaink reported by @​mrvanes
Docs, Website, Ecosystem
Miscellaneous

v1.5.1

Compare Source

This is a bug fix release addressing a regression to the walk built-in function, introduced in v1.5.0. See #​7656 (authored by @​anderseknert reported by @​robmyersrobmyers)

v1.5.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Among others:

  • Support for AWS SSO credentials provider
  • Support for signing client assertions with Azure Keyvault
  • Faster object.get, walk and builtin-function evaluation
  • Improved guardrails in the parser
  • Improvements to decision logging

Modernized OPA Website (#7037)

The OPA website has been modernized with a new design and improved user experience.

The new site is based on Docusaurus and React which makes it easier to build live functionality and add non-documentation resources. This lays the groundwork for even more improvements in the future!

Documentation for older OPA versions is still available in the version archive.

Authored by @​charlieegan3

Runtime, Tooling, SDK
Planner, Topdown and Rego
Docs, Website, Ecosystem

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
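
The v1.9.0 Compile API exchange quoted in the release notes above, seen from the calling service's side, as an added example (not code from OPA, Renovate or this repository). `CompileFilter`, `Doer`, `stubOPA` and the `opa.example` URL are hypothetical; the stub replays the response shown in the notes, and rejecting any reply that carries no `WHERE` clause is this example's own fail-closed assumption, not behaviour documented on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)
const sqlAccept = "application/vnd.opa.sql.postgresql+json" // Accept value from the notes
type Doer interface{ Do(*http.Request) (*http.Response, error) } // *http.Client or the stub

// CompileFilter (hypothetical helper) asks OPA to compile a rule into a PostgreSQL WHERE clause.
func CompileFilter(c Doer, base, rule string, input any) (string, error) {
	body, err := json.Marshal(map[string]any{"input": input})
	if err != nil {
		return "", err
	}
	req, err := http.NewRequest("POST", base+"/v1/compile/"+rule, strings.NewReader(string(body)))
	if err != nil {
		return "", err
	}
	req.Header = http.Header{"Content-Type": {"application/json"}, "Accept": {sqlAccept}}
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct{ Result struct{ Query string `json:"query"` } `json:"result"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&out) != nil ||
		!strings.HasPrefix(out.Result.Query, "WHERE ") { // fail closed: never query unfiltered
		return "", fmt.Errorf("compile %s: no usable filter (HTTP %d)", rule, resp.StatusCode)
	}
	return out.Result.Query, nil
}

type stubOPA string // constructed in-process stand-in for OPA; replays one reply body
func (s stubOPA) Do(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	if r.URL.Path != "/v1/compile/filters/include" || r.Header.Get("Accept") != sqlAccept {
		rec.WriteHeader(http.StatusBadRequest)
	}
	rec.WriteString(string(s))
	return rec.Result(), nil
}

func main() {
	opa := stubOPA(`{"result":{"query":"WHERE fruits.name = E'pineapple'"}}`)
	fmt.Println(CompileFilter(opa, "http://opa.example", "filters/include", map[string]string{"favorite": "pineapple"}))
}
```

The returned clause already has the input value inlined as a literal, so the caller appends it to its own fixed `SELECT` and passes no further user input into that statement.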


renovate bot commented Oct 22, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: docs/go.sum
Command failed: go get -t ./...
go: module github.com/open-policy-agent/[email protected] requires go >= 1.24.6; switching to go1.24.9
go: downloading go1.24.9 (linux/amd64)
go: download go1.24.9: golang.org/[email protected]: verifying module: checksum database disabled by GOSUMDB=off
