c8ca3585dfe99647c0ca039b03522bd83e0ca357: build(deps): bump github.com/open-policy-agent/opa from 0.63.0 to 0.64.0 (#943) (@dependabot[bot])
9b082a11765d408ffdddbf365bd0fdd990d87461: build(deps): bump github.com/open-policy-agent/opa from 0.64.0 to 0.64.1 (#947) (@dependabot[bot])
Other Changes
8f13bf6a82dbb7db38e1ca1a3cddba4f608dbee2: build(deps): bump cuelang.org/go from 0.8.0 to 0.8.1 (#937) (@dependabot[bot])
37b04d6036f6a146cc2c38e29769ad245c4607e6: build(deps): bump github.com/docker/docker from v25.0.3+incompatible to v25.0.5+incompatible (#932) (@robmonct)
1b3cc13b4d5e8d99a7a124672046605d1c33d0bc: build(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#948) (@dependabot[bot])
28d92a408f9d39d01dd85e0055f05f36e09bbf7f: build(deps): bump github.com/moby/buildkit from 0.13.1 to 0.13.2 (#944) (@dependabot[bot])
4ab6feaed04fa44e1de39e9c823728bfdf906867: build(deps): bump github.com/spdx/tools-golang from 0.5.3 to 0.5.4 (#941) (@dependabot[bot])
c6bd5a541a1526f9ade5e02b41dc11725c97c47c: build(deps): bump golang from 1.22.1-alpine to 1.22.2-alpine (#938) (@dependabot[bot])
298d74aeade4b4462961fa3c7f1d44a90d7a49d8: ci: Allow Dependabot to update github.com/hashicorp/go-getter (#946) (@jalseth)
Commits
9b082a1 build(deps): bump github.com/open-policy-agent/opa from 0.64.0 to 0.64.1 (#947)
1b3cc13 build(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#948)
298d74a ci: Allow Dependabot to update github.com/hashicorp/go-getter (#946)
28d92a4 build(deps): bump github.com/moby/buildkit from 0.13.1 to 0.13.2 (#944)
c8ca358 build(deps): bump github.com/open-policy-agent/opa from 0.63.0 to 0.64.0 (#943)
4ab6fea build(deps): bump github.com/spdx/tools-golang from 0.5.3 to 0.5.4 (#941)
37b04d6 build(deps): bump github.com/docker/docker from v25.0.3+incompatible to v25.0...
c6bd5a5 build(deps): bump golang from 1.22.1-alpine to 1.22.2-alpine (#938)
8f13bf6 build(deps): bump cuelang.org/go from 0.8.0 to 0.8.1 (#937)
This is a bug fix release addressing the following issues:
ci: Pin GitHub Actions macos runner version. The architecture of the GitHub Actions Runner macos-latest was changed from amd64 to arm64 and as a result darwin/amd64 binary wasn't released (#6720) authored by @suzuki-shunsuke
plugins/discovery: Update comparison logic used in the discovery plugin for handling overrides. This fixes a panic that resulted from the comparison of uncomparable types (#6723) authored by @ashutosh-narkar
v0.64.0
NOTES:
The minimum version of Go required to build the OPA module is 1.21
This release contains a mix of features, a new builtin function (json.marshal_with_options()), performance improvements, and bugfixes.
Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually.
The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that
the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration
check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts,
the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included
in the Status API messages so that management systems can get visibility into the local overrides.
In general, the bootstrap configuration overrides the discovered configuration. Previously this was not the case for all
configuration fields. For example, if the discovered configuration changes the labels section, only labels that are
additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the
bootstrap configuration override those in the discovered configuration. But for fields such as default_decision, default_authorization_decision,
nd_builtin_cache, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent
for the entire configuration and helps to avoid accidental configuration errors. (#5722) authored by @ashutosh-narkar
Add rego_version attribute to the bundle manifest
A new global rego_version attribute is added to the bundle manifest, to inform the OPA runtime about what Rego version (v0/v1) to
use while parsing/compiling contained Rego files. There is also a new file_rego_versions attribute which allows individual
files to override the global Rego version specified by rego_version.
When the version of the contained Rego is advertised by the bundle through this attribute, it is not required to run OPA with the
--v1-compatible (or future --v0-compatible) flag in order to correctly parse, compile and evaluate the bundle's modules.
A bundle's rego_version attribute takes precedence over any applied --v1-compatible/--v0-compatible flag. (#6578) authored by @johanfylling
Runtime, Tooling, SDK
compile: Fix panic from CLI + metadata entrypoint overlaps. The panic occurs when opa build was provided an entrypoint from both a CLI flag, and via entrypoint metadata annotation. (#6661) authored by @philipaconrad
cmd/deps: Improve memory footprint and execution time of deps command for policies with high dependency connectivity (#6685) authored by @johanfylling
server: Keep default decision path in-sync with manager's config (#6697) authored by @ashutosh-narkar
sdk: Allow customizations of the plugin manager via SDK (#6662) authored by @xico42
sdk: Fix issue where active parser options aren't propagated to module reload during bundle activation resulting in errors while activating bundles with v1 syntax (#6689) authored by @xico42
This is a bug fix release addressing the following issues:
ci: Pin GitHub Actions macos runner version. The architecture of the GitHub Actions Runner macos-latest was changed from amd64 to arm64 and as a result darwin/amd64 binary wasn't released (#6720) authored by @suzuki-shunsuke
plugins/discovery: Update comparison logic used in the discovery plugin for handling overrides. This fixes a panic that resulted from the comparison of uncomparable types (#6723) authored by @ashutosh-narkar
0.64.0
NOTES:
The minimum version of Go required to build the OPA module is 1.21
This release contains a mix of features, a new builtin function (json.marshal_with_options()), performance improvements, and bugfixes.
Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually.
The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that
the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration
check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts,
the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included
in the Status API messages so that management systems can get visibility into the local overrides.
In general, the bootstrap configuration overrides the discovered configuration. Previously this was not the case for all
configuration fields. For example, if the discovered configuration changes the labels section, only labels that are
additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the
bootstrap configuration override those in the discovered configuration. But for fields such as default_decision, default_authorization_decision,
nd_builtin_cache, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent
for the entire configuration and helps to avoid accidental configuration errors. (#5722) authored by @ashutosh-narkar
Add rego_version attribute to the bundle manifest
A new global rego_version attribute is added to the bundle manifest, to inform the OPA runtime about what Rego version (v0/v1) to
use while parsing/compiling contained Rego files. There is also a new file_rego_versions attribute which allows individual
files to override the global Rego version specified by rego_version.
When the version of the contained Rego is advertised by the bundle through this attribute, it is not required to run OPA with the
--v1-compatible (or future --v0-compatible) flag in order to correctly parse, compile and evaluate the bundle's modules.
A bundle's rego_version attribute takes precedence over any applied --v1-compatible/--v0-compatible flag. (#6578) authored by @johanfylling
Runtime, Tooling, SDK
compile: Fix panic from CLI + metadata entrypoint overlaps. The panic occurs when opa build was provided an entrypoint from both a CLI flag, and via entrypoint metadata annotation. (#6661) authored by @philipaconrad
cmd/deps: Improve memory footprint and execution time of deps command for policies with high dependency connectivity (#6685) authored by @johanfylling
server: Keep default decision path in-sync with manager's config (#6697) authored by @ashutosh-narkar
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the all group with 8 updates:
0.8.1
0.8.2
0.1.41
0.1.44
0.51.0
0.52.0
0.63.0
0.64.1
0.24.0
0.25.0
0.29.3
0.29.4
0.29.3
0.29.4
0.29.3
0.29.4
Updates
cuelang.org/go
from 0.8.1 to 0.8.2Updates
github.com/enterprise-contract/enterprise-contract-controller/api
from 0.1.41 to 0.1.44Release notes
Sourced from github.com/enterprise-contract/enterprise-contract-controller/api's releases.
Commits
2ddfb79
Bump step-security/harden-runner from 2.7.0 to 2.7.1ba736bc
Merge pull request #323 from enterprise-contract/dependabot/go_modules/sigs.k...466019e
Merge pull request #324 from enterprise-contract/dependabot/go_modules/github...340ef50
Merge pull request #326 from enterprise-contract/dependabot/github_actions/co...15d0685
Bump codecov/codecov-action from 4.3.0 to 4.3.110d6067
Bump github.com/onsi/gomega from 1.33.0 to 1.33.1daba785
Bump sigs.k8s.io/controller-runtime from 0.17.3 to 0.17.431192dc
Merge pull request #322 from enterprise-contract/dependabot/github_actions/ac...5d81d40
Merge pull request #321 from enterprise-contract/dependabot/github_actions/ac...b4ffe2b
Merge pull request #320 from enterprise-contract/dependabot/github_actions/gi...Updates
github.com/open-policy-agent/conftest
from 0.51.0 to 0.52.0Release notes
Sourced from github.com/open-policy-agent/conftest's releases.
Commits
9b082a1
build(deps): bump github.com/open-policy-agent/opa from 0.64.0 to 0.64.1 (#947)1b3cc13
build(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#948)298d74a
ci: Allow Dependabot to update github.com/hashicorp/go-getter (#946)28d92a4
build(deps): bump github.com/moby/buildkit from 0.13.1 to 0.13.2 (#944)c8ca358
build(deps): bump github.com/open-policy-agent/opa from 0.63.0 to 0.64.0 (#943)4ab6fea
build(deps): bump github.com/spdx/tools-golang from 0.5.3 to 0.5.4 (#941)37b04d6
build(deps): bump github.com/docker/docker from v25.0.3+incompatible to v25.0...c6bd5a5
build(deps): bump golang from 1.22.1-alpine to 1.22.2-alpine (#938)8f13bf6
build(deps): bump cuelang.org/go from 0.8.0 to 0.8.1 (#937)Updates
github.com/open-policy-agent/opa
from 0.63.0 to 0.64.1Release notes
Sourced from github.com/open-policy-agent/opa's releases.
... (truncated)
Changelog
Sourced from github.com/open-policy-agent/opa's changelog.
... (truncated)
Commits
298f97d
Prepare v0.64.1 releasefaf6382
ci: pin GitHub Actions macos runner version and build for darwin/amd64e72e6f6
plugins/discovery: Update comparison logic for overrides75cc90a
Prepare v0.64.0 releasea400281
server: Keep default decision path in-sync with manager's configf2011b1
Adding Raygun to the policy-testing ecosystem (#6712)b58e87f
ast: Importingrego.v1
in v0 support modules when applicable (#6698)44fa8ad
Relax configuration check when Discovery is enabledef8532f
auth: requestToken close response body8260697
build: Update WASM Rego test generation setup (#6707)Updates
golang.org/x/net
from 0.24.0 to 0.25.0Commits
d27919b
go.mod: update golang.org/x dependenciese0324fc
http2: use net.ErrClosedb20cd59
quic: initiate key rotation earlier in connectionsf95a3b3
html: fix typo in package doc0a24555
http/httpguts: speed up ValidHeaderFieldNameec05fdc
http2: don't retry the first request on a connection on GOAWAY errorb67a0f0
http2: send correct LastStreamID in stream-caused GOAWAYa130fcc
quic: don't consider goroutines running when tests start as leakedUpdates
k8s.io/apiextensions-apiserver
from 0.29.3 to 0.29.4Commits
28317e8
Update dependencies to v0.29.4 tagce4a37c
Merge pull request #124180 from MadhavJivrajani/bump-x-net-2023-45288-12915b1282
[CVE-2023-45288] .*: bump x/net to v0.23.0400935e
sync: update go.modUpdates
k8s.io/apimachinery
from 0.29.3 to 0.29.4Commits
2bbf530
Merge pull request #124172liggitt/automated-cherry-pick-of-#123598
3e7c65a
Merge pull request #124180 from MadhavJivrajani/bump-x-net-2023-45288-12906deedf
[CVE-2023-45288] .*: bump x/net to v0.23.0801d824
Avoid logging binary junk for frame write failureUpdates
k8s.io/client-go
from 0.29.3 to 0.29.4Commits
9f00f2c
Update dependencies to v0.29.4 tag1e7adee
Merge pull request #124172liggitt/automated-cherry-pick-of-#123598
0058eee
Merge pull request #124180 from MadhavJivrajani/bump-x-net-2023-45288-129f0be73d
[CVE-2023-45288] .*: bump x/net to v0.23.0ca07432
sync: update go.modcc21122
Keep streams from being set up after closeAllStreamReaders is called8636987
Make websocket heartbeat test timing less flakyMost Recent Ignore Conditions Applied to This Pull Request
| Dependency Name | Ignore Conditions | | --- | --- | | github.com/open-policy-agent/conftest | [< 0.40, > 0.39.1-0.20230309145322-347708d2fd13] | | github.com/open-policy-agent/opa | [>= 0.50.a, < 0.51] | | github.com/enterprise-contract/enterprise-contract-controller/api | [>= 0.1.33.a, < 0.1.34] | | k8s.io/apimachinery | [>= 0.30.a, < 0.31] | | k8s.io/apiextensions-apiserver | [>= 0.30.a, < 0.31] | | k8s.io/client-go | [>= 0.30.a, < 0.31] |Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show