@renovate-bot renovate-bot commented Oct 23, 2025

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change
github.com/open-policy-agent/opa v1.6.0 -> v1.12.1

Release Notes

open-policy-agent/opa (github.com/open-policy-agent/opa)

v1.12.1

This bug fix release reverts a change to regex.replace that unintentionally changed its behaviour for anchored regular expressions.

  • Revert "topdown: make regex.replace respect cancellation" (authored by @​srenatus)

v1.12.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Support for String Interpolation in the Rego language
  • Faster compilation and runtime
  • Fixes published in the v1.11.1 release

String Interpolation (#4733)

The Rego language has been extended to support String Interpolation,
which provides a readable means to compose strings containing dynamic values determined at evaluation time.

An interpolated string is composed of a template-string containing zero or more template-expressions that evaluates to a value at evaluation time.
The $ character prefix identifies a template-string, and template-expressions are declared by being enclosed in curly-braces ({, }).

Additionally, undefined template-expression values don't halt evaluation; instead, <undefined> will be injected into the generated string.

package interpolation

allowed_roles := ["admin", "employee"]

default role := "guest"
role := input.role

deny contains $"User {input.username}'s role was '{role}', but must be one of {allowed_roles}" if {
  not role in allowed_roles
}

{
  "deny": [
    "User <undefined>'s role was 'guest', but must be one of [\"admin\", \"employee\"]"
  ]
}

String interpolation is a more readable and less error-prone substitute for the sprintf built-in function.

Authored by @​johanfylling reported by @​anderseknert

[!TIP]
Help us out!

New Rego language features are exciting, and we want to maximize their usefulness. If you come across tools and integrations in the community where string interpolation isn't properly handled, such as syntax highlighting, please reach out and let us know.

v1.11.1

This is a bugfix release:

Memory exhaustion via forged gzip header

A crafted HTTP request to any of OPA's HTTP endpoints would lead OPA to use a large amount of memory, triggering an out-of-memory process exit.

This weakness in OPA's HTTP API gzip handling is as old as the gzip handling itself. A configurable limit was introduced in v0.67.0, but it has been shown that this security measure wasn't sufficient to avoid running out of memory in memory-constrained setups.

Thanks to @​thevilledev for reporting and fixing this issue.

It only applies to OPA running as server (as a binary or in a container, as "sidecar"). To trigger an OOM process exit using this weakness, an adversary must be able to send an HTTP request directly to OPA. This would be the case if they are in the same network, there is no proxy in front of OPA, or if OPA was exposed to the internet, which is advised against.

By the nature of HTTP encodings, this would be effective before token-based authentication and authorization policies, so these measures do not protect against the attack vector.

If all OPA endpoints are using TLS-based authentication (mutual TLS, "mTLS"), then an adversary cannot do harm with this method.

Please note that while we're taking all of these issues seriously, OPA isn't designed for adversary environments. It's strongly advised not to expose any of its endpoints to the public internet. Furthermore, available security measures should be applied regardless, for a defense in depth approach. See the documentation for the available means of authentication and authorization in OPA.

Please also check out our Security Policy for reporting critical issues and bugs.

Decision Logs dropped (introduced in OPA v1.9.0)

When the decision logs buffer was uploaded, the buffer limit inadvertently got reset to the default upload limit (32kb).
This causes logs to be dropped that shouldn't have been dropped.

This default is overridden by the configuration value decision_logs.reporting.upload_size_limit_bytes, see the docs on decision logs.

There's a Prometheus metric for dropped events, counter_decision_logs_dropped_buffer_size_limit_bytes_exceeded,
and you can check that for unexpectedly high counts.

Reported by @​johanneslarsson #​8123, fixed by @​sspaink.

The release is otherwise identical to v1.11.0.

v1.11.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • More efficient connection management in the http.send built-in function
  • More performant loading of large bundles containing multiple Rego files

Immutable Releases

Starting with this release, OPA releases are immutable for increased security.

Miscellaneous
  • Bump golangci-lint, more gocritic linters (#​8052) authored by @​anderseknert
  • Tidy up and unify sync pool handling (#​8068) authored by @​anderseknert
  • builtins: Add StringOperandByteSlice helper (#​8048) authored by @​anderseknert
  • test: Add test cases for consistent cache behavior (#​8015) authored by @​DFrenkel
  • util/performance: Remove math.Log10, remove unused KeysCount (#​8041) authored by @​srenatus
  • workflow: Add Benchmarks workflow (#​8072) authored by @​srenatus
  • workflows/pull-request: Update macos versions (#​8030) authored by @​srenatus
  • Dependency updates; notably:
    • build: golang 1.25.3 -> 1.25.4 (#​8051) authored by @​srenatus
    • build(deps): Bump github.com/bytecodealliance/wasmtime-go from v37.0.0 to v39.0.1 (#​8075) authored by @​srenatus
    • build(deps): Bump github.com/containerd/containerd/v2 from 2.1.4 to 2.2.0
    • build(deps): Bump github.com/huandu/go-sqlbuilder from 1.37.0 to 1.38.1
    • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.0.11 to 3.0.12
    • build(deps): Bump github.com/vektah/gqlparser/v2 from 2.5.30 to 2.5.31 (#​8027) authored by @​johanfylling
    • build(deps): Bump golang.org/x/crypto from 0.43.0 to 0.45.0
    • build(deps): Bump golang.org/x/net from 0.44.0 to 0.45.0
    • build(deps): Bump golang.org/x/time from 0.13.0 to 0.14.0
    • build(deps): Bump google.golang.org/grpc from 1.75.1 to 1.76.0
    • build(deps): Bump google.golang.org/protobuf from 1.36.9 to 1.36.10

v1.10.1

This is a bugfix release for the split builtin: In v1.10.0, it was looping infinitely when used with an empty-string delimiter.

Reported by @​SignalRichard, authored by @​srenatus

The release is otherwise identical to v1.10.0.

v1.10.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Non-static arm64 executables for linux and darwin, supporting Wasm evaluation
  • Performance improvements to the formatter, compiler, and runtime
  • A new --fail-on-empty flag for opa test
  • Support for IS NOT NULL query statements in the Compile API

Non-static OPA binaries for linux/arm64 and darwin/arm64

Starting with this release, OPA will ship non-static arm64 executables for linux and darwin.
These binaries have support for Wasm evaluation.
Furthermore, the openpolicyagent/opa:latest docker image is a multi-platform image with arm64 support.

v1.9.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Compile API extensions ported from EOPA
  • Improved rule indexing

Compile Rego Queries Into SQL Filters (#7887)

Compile API extensions with support for SQL filter generation, previously exclusive to EOPA, have been ported into OPA.

Example

With OPA running with this policy, we'll compile the query data.filters.include into SQL filters:

package filters

# METADATA
# scope: document
# compile:
#   unknowns: [input.fruits]
include if input.fruits.name == input.favorite

Example Request

POST /v1/compile/filters/include HTTP/1.1
Content-Type: application/json
Accept: application/vnd.opa.sql.postgresql+json

{
  "input": {
    "favorite": "pineapple"
  }
}

Example Response

HTTP/1.1 200 OK
Content-Type: application/vnd.opa.sql.postgresql+json

{
  "result": {
    "query": "WHERE fruits.name = E'pineapple'"
  }
}

See the documentation for more details.

Authored by @​srenatus and @​philipaconrad

Improved Rule Indexing For "Naked" Refs (#​7897)

OPA's rule indexer is a means by which OPA can optimize evaluation performance.
Briefly, the indexer can in some cases determine that a rule won't successfully evaluate before it's evaluated based on the query input.
The indexer previously only considered terms in certain compound expressions, ignoring single terms; e.g. an expression containing a sole "naked" ref. This has now changed!

Example

Given a policy with an allow rule containing two "naked" refs: input.foo and input.bar:

package example

allow if {
    input.foo
    input.bar
}

and the input document:

{
    "foo": 1
}

before this improvement, when evaluating the query data.example.allow, we get the trace log:

query:1           Enter data.example.allow = _
query:1           | Eval data.example.allow = _
query:1           | Index data.example.allow (matched 1 rule, early exit)
policy.rego:3     | Enter data.example.allow
policy.rego:5     | | Eval input.foo
policy.rego:6     | | Eval input.bar
policy.rego:6     | | Fail input.bar
policy.rego:5     | | Redo input.foo
query:1           | Fail data.example.allow = _

Here, we can see that the allow rule is evaluated, but fails on the input.bar expression, as it's referencing an undefined value.

With the improvement to the indexer, we instead get:

query:1     Enter data.example.allow = _
query:1     | Eval data.example.allow = _
query:1     | Index data.example.allow (matched 0 rules, early exit)
query:1     | Fail data.example.allow = _

Where we can see that the allow rule was never evaluated, since the input doesn't meet the conditions established by the indexer; i.e. both input.foo and input.bar must have defined values.

Authored by @​srenatus

Miscellaneous
  • Bump golangci-lint to v2.4.0 (#​7878) authored by @​sspaink
  • Community Guidelines: update email list (#​7900) authored by @​srenatus
  • ci: port binary tests to testscript (#​7865) authored by @​srenatus
  • dependabot: Updating e2e go deps together with core OPA deps (#​7923) authored by @​johanfylling
  • github_actions: Add working directory in arguments for Link Checker (#​7883) authored by @​sspaink
  • rego: Add comprehensive WASM performance benchmarks (#​7841) authored by @​anivar
  • Dependency updates; notably:
    • build: Bump go to 1.25.1
    • build(deps): Add github.com/huandu/go-sqlbuilder 1.37.0
    • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.0.10 to 3.0.11
    • build(deps): Bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2
    • build(deps): Bump golang.org/x/net from 0.43.0 to 0.44.0
    • build(deps): Bump golang.org/x/time from 0.12.0 to 0.13.0
    • build(deps): Bump google.golang.org/grpc from 1.75.0 to 1.75.1
    • build(deps): Bump google.golang.org/protobuf from 1.36.8 to 1.36.9
    • build(deps): bump go.opentelemetry.io deps from 1.37.0/0.62.0 to 1.38.0/0.63.0

v1.8.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Support for EdDSA signatures in io.jwt built-ins, including a new io.jwt.verify_eddsa built-in.

EdDSA Support in built-ins (#7824)

Support for the EdDSA signing algorithm has been added to built-in functions in the io.jwt namespace.

This introduces the new io.jwt.verify_eddsa built-in function, and adds EdDSA support for the following built-ins:

This feature benefited greatly from the groundwork laid by @​lestrrat in (#​7638). 👏 🎉 🥳

Authored by @​johanfylling reported by @​aromeyer

Topdown
  • perf: Performance greatly improved for Object.Insert on existing key (#​7820) authored by @​anderseknert
  • topdown,bundle,plugins: Upgrade interned jwx (0.9.x) with github.com/lestrrat-go/jwx/v3 (#​7638) authored by @​lestrrat

v1.7.1

This is a bug fix release addressing two issues for users that include OPA's CLI in their own application's CLI:

  • A missing symbol in the cmd package (cmd.RootCommand)
  • A possible panic in the opa parse command

v1.7.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Improved OPA SDK/API for better extensibility

SDK Improvements

The OPA SDK/API has been improved to provide better extensibility and more points of integration for developers.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
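
An added example, not taken from the OPA release notes or from this repository's code, for the gzip memory-exhaustion fix described under v1.11.1 above: a Go request-body reader that caps decompressed output by counting the bytes actually produced, before any other work is done on the request. The limits, the handler, the helper names and the /v1/data path in the sample request are assumptions for illustration, and the sample inputs are constructed.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical limits for this example; they are not OPA configuration values.
const (
	maxCompressed   = 64 << 10 // bytes accepted off the wire
	maxDecompressed = 1 << 20  // bytes of decoded body the server will hold
)

var errTooLarge = errors.New("decompressed body exceeds limit")

// readBody returns the request body, inflating gzip under a hard output cap.
// The cap counts bytes actually produced by the decompressor; it never relies
// on a length the client supplies about its own payload.
func readBody(w http.ResponseWriter, r *http.Request) ([]byte, error) {
	var src io.Reader = http.MaxBytesReader(w, r.Body, maxCompressed)
	if strings.EqualFold(r.Header.Get("Content-Encoding"), "gzip") {
		zr, err := gzip.NewReader(src)
		if err != nil {
			return nil, fmt.Errorf("bad gzip stream: %w", err)
		}
		defer zr.Close()
		src = zr
	}
	// Ask for one byte more than the cap so "at the limit" and "over it" differ.
	buf, err := io.ReadAll(io.LimitReader(src, maxDecompressed+1))
	if err != nil {
		return nil, err
	}
	if len(buf) > maxDecompressed {
		return nil, errTooLarge
	}
	return buf, nil
}

// handler runs the bounded read before any other work on the request.
func handler(w http.ResponseWriter, r *http.Request) {
	body, err := readBody(w, r)
	var wireErr *http.MaxBytesError
	switch {
	case errors.Is(err, errTooLarge), errors.As(err, &wireErr):
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
	case err != nil:
		http.Error(w, "malformed request body", http.StatusBadRequest)
	default:
		fmt.Fprintf(w, "accepted %d bytes\n", len(body))
	}
}

// post sends a constructed body through the handler and returns the status.
func post(body []byte, gzipped bool) int {
	req := httptest.NewRequest(http.MethodPost, "/v1/data", bytes.NewReader(body))
	if gzipped {
		req.Header.Set("Content-Encoding", "gzip")
	}
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code
}

// gz compresses p; it is used only to build the constructed sample inputs.
func gz(p []byte) []byte {
	var b bytes.Buffer
	zw := gzip.NewWriter(&b)
	zw.Write(p)
	zw.Close()
	return b.Bytes()
}

func main() {
	small := gz([]byte(`{"input":{"role":"admin"}}`))
	big := gz(make([]byte, 8<<20)) // constructed: 8 MiB of zeros, a few KiB on the wire
	fmt.Println(post(small, true), post(big, true), post([]byte("this is not a gzip stream"), true))
}
```

The same cap has to sit in front of every endpoint that accepts compressed bodies, since the release notes point out that decoding happens before token-based authentication and authorization policies are evaluated.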

@renovate-bot renovate-bot requested a review from q2w as a code owner October 23, 2025 20:24
@forking-renovate forking-renovate bot added the dependencies Pull requests that update a dependency file label Oct 23, 2025
@renovate-bot renovate-bot requested a review from a team as a code owner October 23, 2025 20:24
@forking-renovate

forking-renovate bot commented Oct 23, 2025

ℹ Artifact update notice

File name: cli/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 29 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.4 -> 1.24.6
go (toolchain) 1.24.9 -> 1.24.11
golang.org/x/text v0.30.0 -> v0.31.0
github.com/cenkalti/backoff/v5 v5.0.2 -> v5.0.3
github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 -> v2.27.2
github.com/klauspost/compress v1.18.0 -> v1.18.1
github.com/prometheus/client_golang v1.22.0 -> v1.23.2
github.com/prometheus/common v0.62.0 -> v0.66.1
github.com/prometheus/procfs v0.15.1 -> v0.17.0
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 -> v0.0.0-20250401214520-65e299d6c5c9
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 -> v1.4.0
github.com/sirupsen/logrus v1.9.3 -> v1.9.4-0.20230606125235-dd1b4c2e81af
github.com/tchap/go-patricia/v2 v2.3.2 -> v2.3.3
github.com/vektah/gqlparser/v2 v2.5.28 -> v2.5.31
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 -> v0.63.0
go.opentelemetry.io/otel v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 -> v1.38.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.36.0 -> v1.38.0
go.opentelemetry.io/otel/metric v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/sdk v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/sdk/metric v1.37.0 -> v1.38.0
go.opentelemetry.io/otel/trace v1.37.0 -> v1.38.0
go.opentelemetry.io/proto/otlp v1.6.0 -> v1.7.1
golang.org/x/crypto v0.43.0 -> v0.45.0
golang.org/x/mod v0.28.0 -> v0.29.0
golang.org/x/net v0.46.0 -> v0.47.0
golang.org/x/sync v0.17.0 -> v0.18.0
golang.org/x/sys v0.37.0 -> v0.38.0
golang.org/x/term v0.36.0 -> v0.37.0
golang.org/x/tools v0.37.0 -> v0.38.0
google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c -> v0.0.0-20250825161204-c5933d9347a5

@dpebot
Collaborator

dpebot commented Oct 23, 2025

/gcbrun

@gemini-code-assist

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a significant update of the github.com/open-policy-agent/opa module from version v1.6.0 to v1.9.0. This upgrade brings a range of new capabilities, including the ability to compile Rego queries into SQL filters, improved rule indexing for more efficient policy evaluation, and enhanced SDK extensibility. Additionally, it incorporates support for EdDSA signatures in JWT built-ins and updates the project's Go version along with various other indirect dependencies, ensuring the project benefits from the latest features, performance improvements, and security fixes.

Highlights

  • OPA Core Updates: Upgraded Open Policy Agent (OPA) from v1.6.0 to v1.9.0, incorporating new features, performance enhancements, and bug fixes across multiple versions.
  • SQL Filter Generation: OPA now supports compiling Rego queries into SQL filters, a feature previously exclusive to EOPA, enhancing data filtering capabilities.
  • Improved Rule Indexing: The OPA rule indexer has been improved to better handle 'naked' references, leading to more efficient policy evaluation by avoiding unnecessary rule processing.
  • Enhanced SDK/API Extensibility: Version v1.7.0 introduced significant improvements to the OPA SDK and API, offering more integration points for developers.
  • EdDSA Signature Support: Added support for EdDSA signatures in io.jwt built-in functions, including a new io.jwt.verify_eddsa function, improving JWT handling.
  • Go Version Update: The project's Go version has been updated from 1.24.4 to 1.24.6.
  • Dependency Updates: Numerous indirect Go dependencies have been updated to their latest versions, ensuring stability and incorporating the latest fixes.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates the github.com/open-policy-agent/opa dependency from v1.6.0 to v1.9.0. This is a significant update, and I've highlighted a couple of points to be aware of. Specifically, the OPA update itself spans several minor versions with notable changes to the Go SDK, which warrants careful testing. Additionally, this update causes a downgrade of the transitive dependency go.uber.org/multierr, which could have unforeseen consequences. Please review the specific comments and ensure comprehensive testing is performed before merging.

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from 77ddaf0 to a98a5f8 Compare October 24, 2025 16:12
@dpebot
Collaborator

dpebot commented Oct 24, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from a98a5f8 to 775b743 Compare October 24, 2025 16:26
@dpebot
Collaborator

dpebot commented Oct 24, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from 775b743 to 74d90e7 Compare October 24, 2025 16:38
@dpebot
Collaborator

dpebot commented Oct 24, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from 74d90e7 to fccb6a2 Compare October 24, 2025 16:59
@dpebot
Collaborator

dpebot commented Oct 24, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from fccb6a2 to 6a3964b Compare October 24, 2025 17:15
@dpebot
Collaborator

dpebot commented Oct 24, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from 6a3964b to e10b769 Compare October 24, 2025 19:16
@dpebot
Collaborator

dpebot commented Oct 24, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from e10b769 to 5961565 Compare October 28, 2025 21:23
@dpebot
Collaborator

dpebot commented Oct 28, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from 5961565 to f9501c3 Compare October 28, 2025 21:40
@dpebot
Collaborator

dpebot commented Oct 28, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from f9501c3 to 6ba3ee3 Compare October 28, 2025 23:33
@dpebot
Collaborator

dpebot commented Oct 28, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from 6ba3ee3 to c904155 Compare October 30, 2025 00:45
@dpebot
Collaborator

dpebot commented Oct 30, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from c904155 to 1079441 Compare October 30, 2025 02:40
@dpebot
Collaborator

dpebot commented Oct 30, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from 1079441 to bf28e6e Compare October 30, 2025 04:18
@dpebot
Collaborator

dpebot commented Dec 30, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from b299e70 to d9c5ab0 Compare December 30, 2025 23:49
@dpebot
Collaborator

dpebot commented Dec 30, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from d9c5ab0 to dc067ab Compare December 31, 2025 00:29
@dpebot
Collaborator

dpebot commented Dec 31, 2025

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from dc067ab to dafb322 Compare December 31, 2025 01:14
@dpebot
Collaborator

dpebot commented Dec 31, 2025

/gcbrun

@dpebot
Collaborator

dpebot commented Jan 2, 2026

/gcbrun

@apeabody apeabody self-assigned this Jan 2, 2026
@forking-renovate

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@apeabody
Collaborator

apeabody commented Jan 2, 2026

/gemini review

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This PR updates the OPA dependency from v1.6.0 to v1.12.1. The API migration in cli/report/report.go is correct. However, I've identified a potential panic in the findReports function if a Rego query returns no results. I've added a comment with a suggestion to make the code more robust.

@dpebot
Collaborator

dpebot commented Jan 2, 2026

/gcbrun

Adds a check for empty result sets from OPA evaluation to prevent panics when no documents are returned. Includes a regression test.
@apeabody apeabody force-pushed the renovate/cli-github.com-open-policy-agent-opa-1.x branch from 2c966a8 to 9d97c41 Compare January 2, 2026 19:19
@dpebot
Collaborator

dpebot commented Jan 2, 2026

/gcbrun

Fixes errcheck lint error found by golangci-lint.
@dpebot
Collaborator

dpebot commented Jan 2, 2026

/gcbrun

@apeabody
Collaborator

apeabody commented Jan 2, 2026

/gemini review

@apeabody apeabody changed the title from "chore(deps): update module github.com/open-policy-agent/opa to v1.12.1" to "fix(deps): update module github.com/open-policy-agent/opa to v1.12.1" Jan 2, 2026

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates the github.com/open-policy-agent/opa dependency from v1.6.0 to v1.12.1. The changes include necessary API migrations for the updated dependency, a bug fix to prevent a panic when OPA evaluation yields no results, and a new test to cover this fix.

The changes are well-implemented and improve the robustness of the code. I've added a few suggestions to further improve code clarity and follow idiomatic testing practices in Go.

@dpebot
Collaborator

dpebot commented Jan 2, 2026

/gcbrun

@apeabody
Collaborator

apeabody commented Jan 2, 2026

/gemini review

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates the github.com/open-policy-agent/opa dependency from v1.6.0 to v1.12.1, a significant version jump. The code changes correctly adapt to breaking changes in the OPA SDK, specifically by updating the file loading mechanism. A crucial improvement is the added check for empty result sets from Rego evaluations, which prevents a potential panic and is well-covered by a new test case. The changes are well-implemented and improve the robustness of the reporting functionality.

@apeabody apeabody merged commit eacf321 into GoogleCloudPlatform:main Jan 2, 2026
9 checks passed