Skip to content

fix(deps): update module github.com/open-policy-agent/opa to v1.15.0#197

Closed
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/github.com-open-policy-agent-opa-1.x
Closed

fix(deps): update module github.com/open-policy-agent/opa to v1.15.0#197
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/github.com-open-policy-agent-opa-1.x

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 2, 2026

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/open-policy-agent/opa v1.13.1v1.15.0 age adoption passing confidence

Release Notes

open-policy-agent/opa (github.com/open-policy-agent/opa)

v1.15.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Add logger plugin interface and file logger implementation with log rotation
  • Custom HTTPAuthPlugin behavior change, all per-request authentication logic must be moved from NewClient() to
    Prepare()
  • AWS signing supports for web identity for assume role credentials
Logger Plugin Support (#​8434) (authored by @​srenatus)

OPA now supports pluggable logging implementations via the logger plugin interface, which is based on Go's standard log/slog.Handler interface. This allows any slog.Handler implementation to be used as a logger plugin. Loggers can be configured via the server.logger_plugin configuration option and used for both runtime logging and decision logs. OPA includes a built-in file logger plugin (file_logger) that writes structured JSON logs with rotation support using lumberjack. Users can also implement and register custom logger plugins when building OPA.

Example configuration for server logging:

server:
  logger_plugin: file_logger

plugins:
  file_logger:
    path: /var/log/opa/server.log
    max_size_mb: 100
    max_age_days: 28
    max_backups: 3
    compress: true
    level: info

Example configuration for decision logs using the same plugin:

server:
  logger_plugin: file_logger

decision_logs:
  plugin: file_logger

plugins:
  file_logger:
    path: /var/log/opa/server.log
    max_size_mb: 100
    max_age_days: 28
    max_backups: 3
    compress: true
    level: info
Custom HTTPAuthPlugin behavior change (#​8376) (authored by @​srenatus)

The HTTPAuthPlugin.NewClient() method is now called once per Client instance and cached rather than being called for
every request. Custom plugins that performed per-request operations in NewClient() (such as request counters,
per-request transport wrapping, or logging/metrics side effects) will now only execute those operations once. All
per-request authentication logic must be moved from NewClient() to Prepare(). All plugins included in OPA have been
updated and are unaffected by this change.

Runtime, SDK, Tooling
  • plugins/logger: Add logger plugin interface and file logger implementation with log rotation (#​8434) (authored by
    @​srenatus)
  • plugins/logs: Decision logs can now use logger plugins for output (#​8434) (authored by @​srenatus)
  • logging: Add BufferedLogger to capture early startup logs before plugins are initialized (#​8434) (authored by
    @​srenatus)
  • plugins/rest: Configurable re-read interval for TLS client certificates via cert_reread_interval_seconds field.
    Defaults to re-reading on every request for backwards compatibility.
    The implementation also uses content hashing to detect changes and avoid re-parsing unchanged TLS certificates and
    keys. (#​8376) (authored by @​srenatus)
  • plugins/rest: All TLS configurations now inherit the minimum version and TLS ciphersuites as configured for the
    server. (#​8376) (authored by @​srenatus)
  • internal/providers/aws: Refactor deprecated crypto/elliptic APIs to crypto/ecdh (#​8395) (authored by @​kanywst)
  • plugins/rest: AWS Signing - Allow Service Account (Web Identity) credentials for Assume Role Credentials (#​8386) (
    authored by @​tiagogviegas)
Compiler, Topdown and Rego
  • ast: fix overlapping array and scalar pattern in rule index (authored by @​srenatus)
Bundles
Docs, Website, Ecosystem
Miscellaneous

v1.14.1

Compare Source

This is a patch release collecting two bug fixes and various dependency updates for Golang standard library and common package vulnerabilities.

These bug fixes include a revert of the rule indexer tweaks shipped in 1.14.0, which had caused unexpected lookup failures for some users. (We expect to properly fix the issue in 1.15.0, but for now, a revert is the quicker choice.)

Changes
  • Fix intermittent plugins manager deadlock on opa.configure (#​8407)
  • Revert "ast: make rule index track var assignments and x in {...} (#​8341)" (#​8410)
  • build: bump deps (go.mod from main)
  • build: bump go 1.26.1 (#​8409)

v1.14.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Improved rule indexing of variable assignments and x in {...} expressions
  • Support for --h2c with unix domain socket for opa run
  • A new glossary tooltip for technical terms in the docs
  • Fixes published in the v1.13.1 and v1.13.2 releases
Improved rule indexing of variable assignments and x in {...} expressions (#​1841)

With this change, the rule indexer will index expressions like:

allow if input.role in {"admin", "user"}

On lookup, the rule body will only be returned if input.role is either one of "admin" or "user".

The reverse case is also indexed:

allow if "admin" in input.roles

in which the searched collection is unknown.

Authored by @​srenatus reported by @​nischalsheth

Runtime, SDK, Tooling
Compiler, Topdown and Rego
Docs, Website, Ecosystem
Miscellaneous
  • maintainers: Moving nilekhc to emeritus, and renew maintainer terms (#​8276) authored by @​JaydipGabani
  • ast: Add public method to extend the compliance test cases with IR plans (#​7556) authored by @​sspaink reported by @​shomron
  • ast: Tiny nitpicky cleanup (#​8309) authored by @​srenatus
  • chore: Clean up bundle storage tests (#​8267) authored by @​anderseknert
  • chore: Remove unnecessary comment from bundle JWT verification impl (#​8354) authored by @​johanfylling
  • ci: Bump golangci-lint (v2.9.0), fix issues (#​8314) authored by @​srenatus
  • ci: Harden and update all GH Actions workflows (#​8356, #​8377, #​8368 authored by @​philipaconrad and @​srenatus
  • go: Cleanup old build flags (#​8314) authored by @​srenatus
  • rego: Remove superfluous package import of plugins (#​6754) authored by @​srenatus reported by @​oxisto
  • tests: Extract runtime Info to new package (#​8362) authored by @​charlieegan3
  • tests: Fix BenchmarkFunctionArgumentCounts query (#​8327) authored by @​alex60217101990
  • tests: Disable rule indexing for benchmark (#​8375) authored by @​srenatus
  • workflows: Add nightly vuln checks for released versions/images (#​8336 #​8339) authored by @​srenatus
  • Dependency updates; notably:
    • build: bump golang from 1.25.6 to 1.26.0
    • build(deps): build(deps): bump go.opentelemetry.io deps from 1.39.0/0.64.0 to 1.40.0/0.65.0
      Applying fix for GHSA-9h8m-3fm2-qjrq
    • build(deps): bump github.com/dgraph-io/badger/v4 from 4.9.0 to 4.9.1
    • build(deps): bump github.com/huandu/go-sqlbuilder from 1.39.0 to 1.39.1
    • build(deps): bump golang.org/x/net from 0.49.0 to 0.50.0
    • build(deps): bump golang.org/x/text from 0.33.0 to 0.34.0
    • build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.1
    • build(deps): bump go.opentelemetry.io deps from 1.39.0/0.64.0 to 1.40.0/0.65.0

v1.13.2

Compare Source

This release updates the version of Go used to build the OPA binaries and images to 1.25.7.
That version of the Go standard library contains a fix for GO-2026-4337.

Full Changelog: open-policy-agent/opa@v1.13.1...v1.13.2

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 3am every weekday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from timo-reymann April 2, 2026 23:12
@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Apr 2, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 9 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.6 -> 1.25.0
github.com/vektah/gqlparser/v2 v2.5.31 -> v2.5.32
go.opentelemetry.io/otel v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/metric v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/sdk v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/trace v1.39.0 -> v1.40.0
golang.org/x/crypto v0.47.0 -> v0.48.0
golang.org/x/net v0.49.0 -> v0.51.0
golang.org/x/sync v0.19.0 -> v0.20.0
golang.org/x/sys v0.40.0 -> v0.41.0

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 2, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 2, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.58%. Comparing base (1684815) to head (f0c4244).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #197   +/-   ##
=======================================
  Coverage   76.58%   76.58%           
=======================================
  Files          81       81           
  Lines        1930     1930           
=======================================
  Hits         1478     1478           
  Misses        318      318           
  Partials      134      134

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Apr 3, 2026

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v1.15.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate Bot deleted the renovate/github.com-open-policy-agent-opa-1.x branch April 3, 2026 01:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@timo-reymann timo-reymann Awaiting requested review from timo-reymann

Assignees

@timo-reymann timo-reymann

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@timo-reymann