Bumps
[github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa)
from 0.69.0 to 0.70.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/open-policy-agent/opa/releases">github.com/open-policy-agent/opa's
releases</a>.</em></p>
<blockquote>
<h2>v0.70.0</h2>
<p>This release contains a mix of features, performance improvements,
and bugfixes.</p>
<h3>Optimized read mode for OPA's in-memory store (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7125">#7125</a>)</h3>
<p>A new optimized read mode has been added to the default in-memory
store, where data written to the store is eagerly converted
to AST values (the data format used during evaluation). This removes the
time spent converting raw data values to AST
during policy evaluation, thereby improving performance.</p>
<p>The memory footprint of the store will increase, as processed AST
values generally take up more space in memory than the
corresponding raw data values, but overall memory usage of OPA might
remain more stable over time, as pre-converted data
is shared across evaluations and isn't recomputed for each evaluation,
which can cause spikes in memory usage.</p>
<p>This mode can be enabled for <code>opa run</code>, <code>opa
eval</code>, and <code>opa bench</code> by setting the
<code>--optimize-store-for-read-speed</code> flag.</p>
<p>More information about this feature can be found <a
href="https://www.openpolicyagent.org/docs/v0.70.0/policy-performance/#storage-optimization">here</a>.</p>
<p>Co-authored by <a
href="https://github.com/johanfylling"><code>@johanfylling</code></a>
and <a
href="https://github.com/ashutosh-narkar"><code>@ashutosh-narkar</code></a>.</p>
<h3>Topdown and Rego</h3>
<ul>
<li>topdown: Use new Inter-Query Value Cache for
<code>json.match_schema</code> built-in function (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7011">#7011</a>)
authored by <a
href="https://github.com/anderseknert"><code>@anderseknert</code></a>
reported by <a
href="https://github.com/lcarva"><code>@lcarva</code></a></li>
<li>ast: Fix location text attribute for multi-value rules with
generated body (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7128">#7128</a>)
authored by <a
href="https://github.com/anderseknert"><code>@anderseknert</code></a></li>
<li>ast: Fix regression in <code>opa check</code> where a file that
referenced non-provided schemas failed validation (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7124">#7124</a>)
authored by <a
href="https://github.com/tjons"><code>@tjons</code></a></li>
<li>test/cases/testdata: Fix bug in test by replacing unification by
explicit equality check (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7093">#7093</a>)
authored by <a
href="https://github.com/matajoh"><code>@matajoh</code></a></li>
<li>ast: Replace use of yaml.v2 library with yaml.v3. The earlier
version would parse <code>yes</code>/<code>no</code> values as boolean.
The usage of yaml.v2 in the parser was unintentional and now has been
updated to yaml.v3 (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7090">#7090</a>)
authored by <a
href="https://github.com/anderseknert"><code>@anderseknert</code></a></li>
</ul>
<h3>Runtime, Tooling, SDK</h3>
<ul>
<li>cmd: Make <code>opa check</code> respect <code>--ignore</code> when
<code>--bundle</code> flag is set (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7136">#7136</a>)
authored by <a
href="https://github.com/anderseknert"><code>@anderseknert</code></a></li>
<li>server/writer: Properly handle result encoding errors which earlier
on failure would emit logs such as <code>superfluous call to
WriteHeader()</code> while still returning <code>200</code> HTTP status
code. Now, errors encoding the payload properly lead to <code>500</code>
HTTP status code, without extra logs. Also use Header().Set() not
Header().Add() to avoid duplicate content-type headers (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7114">#7114</a>)
authored by <a
href="https://github.com/srenatus"><code>@srenatus</code></a></li>
<li>cmd: Support <code>file://</code> format for TLS key material file
flags in <code>opa run</code> (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7094">#7094</a>)
authored by <a
href="https://github.com/alexrohozneanu"><code>@alexrohozneanu</code></a></li>
<li>plugins/rest/azure: Support managed identity for App Service /
Container Apps (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7085">#7085</a>)
reported and authored by <a
href="https://github.com/apc-kamezaki"><code>@apc-kamezaki</code></a></li>
<li>debug: Fix step-over behaviour when exiting partial rules (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7096">#7096</a>)
authored by <a
href="https://github.com/johanfylling"><code>@johanfylling</code></a></li>
<li>util+plugins: Fix potential memory leaks with explicit timer
cancellation (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7089">#7089</a>)
authored by <a
href="https://github.com/philipaconrad"><code>@philipaconrad</code></a></li>
</ul>
<h3>Docs, Website, Ecosystem</h3>
<ul>
<li>docs: Fix OCI example with updated flag used by the ORAS CLI (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7130">#7130</a>)
authored by <a
href="https://github.com/b3n3d17"><code>@b3n3d17</code></a></li>
<li>docs: Delete Atom editor from supported editor integrations (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7111">#7111</a>)
authored by <a
href="https://github.com/KaranbirSingh7"><code>@KaranbirSingh7</code></a></li>
<li>docs/website: Add Styra OPA ASP.NET Core SDK integration (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7073">#7073</a>)
authored by <a
href="https://github.com/philipaconrad"><code>@philipaconrad</code></a></li>
<li>docs/website: Update compatibility information on the rego-cpp
integration (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7078">#7078</a>)
authored by <a
href="https://github.com/matajoh"><code>@matajoh</code></a></li>
</ul>
<h3>Miscellaneous</h3>
<ul>
<li>Dependency updates; notably:
<ul>
<li>build(deps): bump github.com/containerd/containerd from 1.7.22 to
1.7.23</li>
<li>build(deps): bump github.com/prometheus/client_golang from 1.20.4 to
1.20.5</li>
<li>build(deps): bump golang.org/x/net from 0.29.0 to 0.30.0</li>
<li>build(deps): bump golang.org/x/time from 0.6.0 to 0.7.0</li>
<li>build(deps): bump google.golang.org/grpc from 1.67.0 to 1.67.1</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md">github.com/open-policy-agent/opa's
changelog</a>.</em></p>
<blockquote>
<h2>0.70.0</h2>
<p>This release contains a mix of features, performance improvements,
and bugfixes.</p>
<h3>Optimized read mode for OPA's in-memory store (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7125">#7125</a>)</h3>
<p>A new optimized read mode has been added to the default in-memory
store, where data written to the store is eagerly converted
to AST values (the data format used during evaluation). This removes the
time spent converting raw data values to AST
during policy evaluation, thereby improving performance.</p>
<p>The memory footprint of the store will increase, as processed AST
values generally take up more space in memory than the
corresponding raw data values, but overall memory usage of OPA might
remain more stable over time, as pre-converted data
is shared across evaluations and isn't recomputed for each evaluation,
which can cause spikes in memory usage.</p>
<p>This mode can be enabled for <code>opa run</code>, <code>opa
eval</code>, and <code>opa bench</code> by setting the
<code>--optimize-store-for-read-speed</code> flag.</p>
<p>More information about this feature can be found <a
href="https://www.openpolicyagent.org/docs/v0.70.0/policy-performance/#storage-optimization">here</a>.</p>
<p>Co-authored by <a
href="https://github.com/johanfylling"><code>@johanfylling</code></a>
and <a
href="https://github.com/ashutosh-narkar"><code>@ashutosh-narkar</code></a>.</p>
<h3>Topdown and Rego</h3>
<ul>
<li>topdown: Use new Inter-Query Value Cache for
<code>json.match_schema</code> built-in function (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7011">#7011</a>)
authored by <a
href="https://github.com/anderseknert"><code>@anderseknert</code></a>
reported by <a
href="https://github.com/lcarva"><code>@lcarva</code></a></li>
<li>ast: Fix location text attribute for multi-value rules with
generated body (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7128">#7128</a>)
authored by <a
href="https://github.com/anderseknert"><code>@anderseknert</code></a></li>
<li>ast: Fix regression in <code>opa check</code> where a file that
referenced non-provided schemas failed validation (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7124">#7124</a>)
authored by <a
href="https://github.com/tjons"><code>@tjons</code></a></li>
<li>test/cases/testdata: Fix bug in test by replacing unification by
explicit equality check (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7093">#7093</a>)
authored by <a
href="https://github.com/matajoh"><code>@matajoh</code></a></li>
<li>ast: Replace use of yaml.v2 library with yaml.v3. The earlier
version would parse <code>yes</code>/<code>no</code> values as boolean.
The usage of yaml.v2 in the parser was unintentional and now has been
updated to yaml.v3 (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7090">#7090</a>)
authored by <a
href="https://github.com/anderseknert"><code>@anderseknert</code></a></li>
</ul>
<h3>Runtime, Tooling, SDK</h3>
<ul>
<li>cmd: Make <code>opa check</code> respect <code>--ignore</code> when
<code>--bundle</code> flag is set (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7136">#7136</a>)
authored by <a
href="https://github.com/anderseknert"><code>@anderseknert</code></a></li>
<li>server/writer: Properly handle result encoding errors which earlier
on failure would emit logs such as <code>superfluous call to
WriteHeader()</code> while still returning <code>200</code> HTTP status
code. Now, errors encoding the payload properly lead to <code>500</code>
HTTP status code, without extra logs. Also use Header().Set() not
Header().Add() to avoid duplicate content-type headers (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7114">#7114</a>)
authored by <a
href="https://github.com/srenatus"><code>@srenatus</code></a></li>
<li>cmd: Support <code>file://</code> format for TLS key material file
flags in <code>opa run</code> (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7094">#7094</a>)
authored by <a
href="https://github.com/alexrohozneanu"><code>@alexrohozneanu</code></a></li>
<li>plugins/rest/azure: Support managed identity for App Service /
Container Apps (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7085">#7085</a>)
reported and authored by <a
href="https://github.com/apc-kamezaki"><code>@apc-kamezaki</code></a></li>
<li>debug: Fix step-over behaviour when exiting partial rules (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7096">#7096</a>)
authored by <a
href="https://github.com/johanfylling"><code>@johanfylling</code></a></li>
<li>util+plugins: Fix potential memory leaks with explicit timer
cancellation (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7089">#7089</a>)
authored by <a
href="https://github.com/philipaconrad"><code>@philipaconrad</code></a></li>
</ul>
<h3>Docs, Website, Ecosystem</h3>
<ul>
<li>docs: Fix OCI example with updated flag used by the ORAS CLI (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7130">#7130</a>)
authored by <a
href="https://github.com/b3n3d17"><code>@b3n3d17</code></a></li>
<li>docs: Delete Atom editor from supported editor integrations (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7111">#7111</a>)
authored by <a
href="https://github.com/KaranbirSingh7"><code>@KaranbirSingh7</code></a></li>
<li>docs/website: Add Styra OPA ASP.NET Core SDK integration (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7073">#7073</a>)
authored by <a
href="https://github.com/philipaconrad"><code>@philipaconrad</code></a></li>
<li>docs/website: Update compatibility information on the rego-cpp
integration (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7078">#7078</a>)
authored by <a
href="https://github.com/matajoh"><code>@matajoh</code></a></li>
</ul>
<h3>Miscellaneous</h3>
<ul>
<li>Dependency updates; notably:
<ul>
<li>build(deps): bump github.com/containerd/containerd from 1.7.22 to
1.7.23</li>
<li>build(deps): bump github.com/prometheus/client_golang from 1.20.4 to
1.20.5</li>
<li>build(deps): bump golang.org/x/net from 0.29.0 to 0.30.0</li>
<li>build(deps): bump golang.org/x/time from 0.6.0 to 0.7.0</li>
<li>build(deps): bump google.golang.org/grpc from 1.67.0 to 1.67.1</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="2ea031ea04"><code>2ea031e</code></a>
Prepare v0.70.0 release</li>
<li><a
href="6af5e79bd9"><code>6af5e79</code></a>
storage: Optimized read mode for default data storage</li>
<li><a
href="1b797d9c1b"><code>1b797d9</code></a>
Make <code>opa check</code> respect <code>--ignore</code> when
<code>--bundle</code> flag is set (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7137">#7137</a>)</li>
<li><a
href="8e44b98993"><code>8e44b98</code></a>
build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7138">#7138</a>)</li>
<li><a
href="ad6ffdae6a"><code>ad6ffda</code></a>
build(deps): bump actions/checkout from 4.2.1 to 4.2.2 (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7135">#7135</a>)</li>
<li><a
href="67fe53bfbe"><code>67fe53b</code></a>
Update Andrew Peabody to emeritus (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7133">#7133</a>)</li>
<li><a
href="30f374713b"><code>30f3747</code></a>
build(deps): bump github/codeql-action from 3.26.13 to 3.27.0</li>
<li><a
href="f7957bdd73"><code>f7957bd</code></a>
🐛 fix: oras cli changed to --config</li>
<li><a
href="58ec50b4b0"><code>58ec50b</code></a>
Fix location for multivalue rules with generated bodies (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7129">#7129</a>)</li>
<li><a
href="555fe84094"><code>555fe84</code></a>
only check schemas when schemas are provided (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7124">#7124</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/open-policy-agent/opa/compare/v0.69.0...v0.70.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2)
from 1.28.0 to 1.28.1.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="6b53348f84"><code>6b53348</code></a>
Release 2024-10-28</li>
<li><a
href="784d2d39b0"><code>784d2d3</code></a>
Regenerated Clients</li>
<li><a
href="7258bd236c"><code>7258bd2</code></a>
Update endpoints model</li>
<li><a
href="f322198c04"><code>f322198</code></a>
Update API model</li>
<li><a
href="b65b80a89b"><code>b65b80a</code></a>
Merge pull request <a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/2852">#2852</a>
from RanVaknin/signature-header-parsing-fix</li>
<li><a
href="803614d34f"><code>803614d</code></a>
Fixing changelog description and implementation to use TrimSpace</li>
<li><a
href="b12c8cf885"><code>b12c8cf</code></a>
adding changelog</li>
<li><a
href="f0caa97e86"><code>f0caa97</code></a>
patching GetSignedRequestSignature to cover edge cases with the
signature</li>
<li><a
href="e05890387e"><code>e058903</code></a>
drop service/nimble (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/2851">#2851</a>)</li>
<li><a
href="896793a682"><code>896793a</code></a>
Release 2024-10-25</li>
<li>Additional commits viewable in <a
href="https://github.com/aws/aws-sdk-go-v2/compare/v1.28.0...config/v1.28.1">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Adds a new rego builtin `attest.internals.reproducible_git_checksum`.
This is needed for verifying DOI provenance, see
https://github.com/docker/doi-image-policy/blob/main/slsa.md#doi-build-reproducible-git-checksum.
We use https://github.com/go-git/go-git for as much of this as possible,
but it doesn't support the actual archive operation, so we shell out to
`git` for that.
There is some similar unexported code in bashbrew, and we should
probably be using the same code in the build process as we are here.
I'll create a follow-up ticket to sort that out.
* feature!: support for setting HTTP User-Agent header
* fix lint
* fix e2e
* refactor: move http.go to internal/util/useragent package and rename functions to Get and Set
* Move packages and use attest version
