open-policy-agent/opa v1.6.0

on GitHub

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Improvements to the OPA website and documentation
• Allowing keywords in Rego references
• Parallel test execution
• Faster built-in function execution

Modernized OPA Website (#7037)

We're continuing to modernize the OPA website with a new design and improved user experience.

Some highlights:

• Builtins: You can now search them on the docs page!
• Sidebar redesign: Making it easier to find what you're looking for in our docs
• Feedback forms: Closing the feedback loop between docs authors and readers -- Please let us know if you dislike, or like, a docs page.
• Downloads page: Find your OS' installation instructions on a less cluttered page!
• And much more

Authored by @sky3n3t and @charlieegan3

Allowing keywords in Rego references (#7709)

Previously, Rego references could not contain terms that conflict with Rego keywords such as package, if, else, not, etc.
in certain constructs:

package example

allow if {
    input.package.source         # not allowed (before v1.6.0)
    input["package"].destination # allowed
}

The constraints for valid Rego references have been relaxed to allow keywords.
The above example is now valid and will no longer cause a compilation error.

Authored by @johanfylling

Parallel Test Execution (#7442)

By default, OPA will now run tests in parallel (defaulting to one parallel execution thread per available CPU core), significantly speeding up test execution time for large test suites.
The performance boost is closely tied to the number of tests in your project and your selected parallelism level. For larger projects and default settings, 2-3x performance gains have been measured on a MacBook Pro.

Parallelism can be disabled to run tests sequentially by setting the --parallel flag to 1. E.g. opa test . --parallel=1.

Authored by @sspaink reported by @anderseknert

Faster Builtin Function Evaluation

The builtin context, an internal construct of OPA's evaluation engine, was previously provided to every builtin function.
As it turns out, only very few of them actually need it, for caching, cancellation, or lookups.
Those builtins are still provided with a builtin context, but for calls to all other builtins, we save the memory required by it.
The impact is tremendous: Even though the size of a single builtin context is only about 270 bytes, in an example application (Regal), this change brings about 360 MB of reduced memory usage!

Authored by @anderseknert

Runtime, Tooling, SDK

• cmd/check: opa check --bundle report virtual/base doc conflicts (#7701) authored by @anderseknert
  When opa check is used with the --bundle flag, an error will be reported if the provided json/yaml data has a conflicting overlap with the virtual documents generated by Rego rules. Such conflicts are ambiguous and can lead to unexpected evaluation results, and should be resolved.
• cmd/inspect: Fixing missing annotations location in opa inspect with JSON format (#7459) authored by @johanfylling reported by @mostealth
• cmd/parse: Expose --v0-compatible flag (#7668) authored by @tsandall
• cmd/refactor: Fix src:dst parsing to deal with colons (#7648) authored by @tsandall
• metrics: Fix restartable timer bug. (#7669) authored by @philipaconrad
• metrics: Prealloc maps + add benchmark (#7664) authored by @philipaconrad
• oracle: Add support for some and every (#7716) authored by @charlieegan3
• oracle: Support object refs in FindDefinition (#7711) authored by @charlieegan3
• plugin/decision: Check if event is too large after compression (#7526) authored by @sspaink
• runtime,server: Replace gorilla/mux dependency with http.ServeMux (#7676) authored by @anderseknert
  Note: This is a potentially breaking change for go API users directly interfacing with the OPA server's routing.
• server: Fix deferred metrics timers. (#7671) authored by @philipaconrad
• server: Fix query url when opa is served not from root path (#7644) authored by @olegKoshmeliuk
  Note: This is only applicable for the web UI hosted by OPA on its root path (/) and OPA is served at some other path than root.

Compiler, Topdown and Rego

• ast: Ensure surplus leading zeros always error (#7726) authored by @charlieegan3
  Note: Primitive Rego number values with leading zeros (e.g. 0123) are now considered invalid at time of parsing and will generate an error. If you're impacted by this change, please update your policies to not have numbers with leading zeros. E.g. 0123 should be changed to 123.
• ast: Fixing type-checker schema cache race condition for inlined schemas (#7679, 7571) authored by @johanfylling reported by @daniel-petrov-gig
• perf: Improve performance when referencing "global" in loop (#7654) authored by @anderseknert
• topdown: Fix issue where path in walk would get mutated (#7656) authored by @anderseknert reported by @robmyersrobmyers
• topdown/http: Lenient application/json Content-Type header (#6684) authored by @sspaink reported by @mrvanes

Docs, Website, Ecosystem

• adopters: add Pix4D as adopters for its RBAC service (#7645) authored by @marcaurele
• api: Expand docs for RegisterBuiltin — no thread-safety (#7667) authored by @anderseknert reported by @parth-mehta-989
• docs: Added a search function for the builtins section of policy-reference (#7704) authored by @sky3n3t
• docs: Add another OR note in AND section (#7706) authored by @charlieegan3
• docs: Add basic docs covering CI/CD use case (#7703) authored by @charlieegan3
• docs: Add current ecosystem contribution docs (#7678) authored by @charlieegan3
• docs: Add EvergreenCodeBlock for code with version (#7706) authored by @charlieegan3
• docs: Add feedback form for user reported issues (#7662) authored by @charlieegan3
• docs: Address broken links (#7661) authored by @charlieegan3
• docs: Archive explain that only latest patch is shown (#7682) authored by @charlieegan3
• docs: Fix bug where the search match respects case (#7713) authored by @sky3n3t
• docs: Hide feedback pop-up forever if dismissed (#7674) authored by @charlieegan3
• docs: Improve bundle structure documentation (#7683) authored by @charlieegan3
• docs: Improve explanations for initial examples (#7677) authored by @charlieegan3
• docs: Install/Download Instruction Update (#7687) authored by @charlieegan3
• docs: Move code example data inside the PlaygroundComponent (#7724) authored by @sky3n3t
• docs: policy-reference, update sig algs formatting (#7685) authored by @charlieegan3
• docs: Redirect old admission control link (#7730) authored by @charlieegan3
• docs: Refactored Networking Reference docs (#7686) authored by @sky3n3t
• docs: Revise sidebar order and layout (#7731) authored by @charlieegan3
• docs: Reworked existing policy examples to use PlaygroundExample (#7690) authored by @sky3n3t
• docs: Show a feedback popup on the docs site (#7663) authored by @charlieegan3
• docs: Show edge rather than latest release (#7717) authored by @charlieegan3
• docs: Show TOC on CLI page (#7712) authored by @charlieegan3
• docs: Update colors for feedback form in dark mode (#7691) authored by @charlieegan3
• docs: Update policy-ref allowing anchor linking (#7675) authored by @charlieegan3
• docs: Update rego in deployment examples (#7707) authored by @charlieegan3
• docs: Update sidebar (#7723) authored by @charlieegan3
• website: Disable cancel script (#7719) authored by @charlieegan3
• website: Explain automation in RELEASE.md (#7721) authored by @charlieegan3
• website: Fix badge endpoints (#7653) authored by @charlieegan3
• website: Refactor site components with CSS modules (#7666) authored by @charlieegan3
• website: Update docusaurus components to 3.8.1 (#7718) authored by @charlieegan3

Miscellaneous

• build: Better detection of go changes (#7696) authored by @charlieegan3
• build: Bump golang 1.24.3 -> 1.24.4 (#7672) authored by @srenatus
• Adding Clarification to merge instructions when cutting a patch release (#7660) authored by @johanfylling
• build: Make summary failure source clearer (#7697) authored by @charlieegan3
• build: Skip jobs for non docs changes (#7688) authored by @charlieegan3
• deps: Use google.golang.org/protobuf (#7655) authored by @sspaink
• perf: Simplify interning (#7714) authored by @anderseknert
• perf: Only pass built-in context to calls depending on it (#7728) authored by @anderseknert
• perf: Improve built-in concat performance (#7702) authored by @anderseknert
• perf: More efficient data/v1 POST handler (#7673) authored by @anderseknert
• test: Fix flaky TestRaisingHTTPClientQueryError (#7698) authored by @sspaink
• test: Fix flaky topdown query cache tests (#7590) authored by @sspaink
• Dependency updates; notably:
  • build(deps): Bump gqlparser from v2.5.27 to v2.5.28 (#7699) authored by @robmyersrobmyers
  • build(deps): bump github.com/go-logr/logr from 1.4.2 to 1.4.3
  • build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.26 to 2.5.27
  • build(deps): bump golang.org/x/net from 0.39.0 to 0.40.0
  • build(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.2
  • build(deps): bump oras.land/oras-go/v2 from 2.5.0 to 2.6.0
  • build(deps): bump go.opentelemetry.io deps to 1.36.0/0.61.0