🚨 Update go modules (release-v0.6) (major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/MakeNowJust/heredoc	v1.0.0 → v2.0.1
github.com/golangci/golangci-lint	v1.63.4 → v2.8.0
github.com/open-policy-agent/opa	v0.70.0 → v1.13.1
github.com/santhosh-tekuri/jsonschema/v5	v5.3.1 → v6.0.2
github.com/tektoncd/pipeline	v0.70.0 → v1.7.0
gopkg.in/go-jose/go-jose.v2	v2.6.3 → v4.1.3
helm.sh/helm/v3	v3.16.4 → v4.1.0

---

Release Notes

MakeNowJust/heredoc (github.com/MakeNowJust/heredoc)

v2.0.1

Compare Source

Version 2.0.1

Fixes

• Correct import path for Go modules

v2.0.0

Compare Source

Version 2.0.0

Breaking Changes

• Treats only white space (U+0020) and horizontal tabs (U+000D) as space characters. (#​6)

golangci/golangci-lint (github.com/golangci/golangci-lint)

v2.8.0

Compare Source

Released on 2026-01-07

1. Linters new features or changes
   • godoc-lint: from 0.10.2 to 0.11.1 (new rule: require-stdlib-doclink)
   • golines: from 442fd00 to 0.14.0
   • gomoddirectives: from 0.7.1 to 0.8.0
   • gosec: from daccba6 to 2.22.11 (new rule: G116)
   • modernize: from 0.39.0 to 0.40.0 (new analyzers: stringscut, unsafefuncs)
   • prealloc: from 1.0.0 to 1.0.1 (message changes)
   • unqueryvet: from 1.3.0 to 1.4.0 (new options: check-aliased-wildcard, check-string-concat, check-format-strings, check-string-builder, check-subqueries, ignored-functions, sql-builders)
2. Linters bug fixes
   • go-critic: from 0.14.2 to 0.14.3
   • go-errorlint: from 1.8.0 to 1.9.0
   • govet: from 0.39.0 to 0.40.0
   • protogetter: from 0.3.17 to 0.3.18
   • revive: add missing enable-default-rules setting
3. Documentation
   • docs: split installation page

v2.7.2

Compare Source

Released on 2025-12-07

1. Linter bug fixes
   • gosec: from 2.22.10 to daccba6

v2.7.1

Compare Source

Released on 2025-12-04

1. Linter bug fixes
   • modernize: disable stringscut analyzer

v2.7.0

Compare Source

1. Bug fixes
   • fix: clone args used by custom command
2. Linters new features or changes
   • no-sprintf-host-port: from 0.2.0 to 0.3.1 (ignore string literals without a colon)
   • unqueryvet: from 1.2.1 to 1.3.0 (handles const and var declarations)
   • revive: from 1.12.0 to 1.13.0 (new option: enable-default-rules, new rules: forbidden-call-in-wg-go, unnecessary-if, inefficient-map-lookup)
   • modernize: from 0.38.0 to 0.39.0 (new analyzers: plusbuild, stringscut)
3. Linters bug fixes
   • perfsprint: from 0.10.0 to 0.10.1
   • wrapcheck: from 2.11.0 to 2.12.0
   • godoc-lint: from 0.10.1 to 0.10.2
4. Misc.
   • Add some flags to the custom command
5. Documentation
   • docs: split changelog v1 and v2

v2.6.2

Compare Source

Released on 2025-11-14

1. Bug fixes
   • fmt command with symlinks
   • use file depending on build configuration to invalidate cache
2. Linters bug fixes
   • testableexamples: from 1.0.0 to 1.0.1
   • testpackage: from 1.1.1 to 1.1.2

v2.6.1

Compare Source

v2.6.0

Compare Source

1. New linters
   • Add modernize analyzer suite
2. Linters new features or changes
   • arangolint: from 0.2.0 to 0.3.1
   • dupword: from 0.1.6 to 0.1.7 (new option comments-only)
   • go-critic: from 0.13.0 to 0.14.0 (new rules/checkers: zeroByteRepeat, dupOption)
   • gofumpt: from 0.9.1 to 0.9.2 ("clothe" naked returns is now controlled by the extra-rules option)
   • perfsprint: from 0.9.1 to 0.10.0 (new options: concat-loop, loop-other-ops)
   • wsl: from 5.2.0 to 5.3.0
3. Linters bug fixes
   • dupword: from 0.1.6 to 0.1.7
   • durationcheck: from 0.0.10 to 0.0.11
   • exptostd: from 0.4.4 to 0.4.5
   • fatcontext: from 0.8.1 to 0.9.0
   • forbidigo: from 2.1.0 to 2.3.0
   • ginkgolinter: from 0.21.0 to 0.21.2
   • godoc-lint: from 0.10.0 to 0.10.1
   • gomoddirectives: from 0.7.0 to 0.7.1
   • gosec: from 2.22.8 to 2.22.10
   • makezero: from 2.0.1 to 2.1.0
   • nilerr: from 0.1.1 to 0.1.2
   • paralleltest: from 1.0.14 to 1.0.15
   • protogetter: from 0.3.16 to 0.3.17
   • unparam: from 0df0534 to 5beb8c8
4. Misc.
   • fix: ignore some files to hash the version for custom build

v2.5.0

Compare Source

1. New linters
   • Add godoclint linter https://github.com/godoc-lint/godoc-lint
   • Add unqueryvet linter https://github.com/MirrexOne/unqueryvet
   • Add iotamixing linter https://github.com/AdminBenni/iota-mixing
2. Linters new features or changes
   • embeddedstructfieldcheck: from 0.3.0 to 0.4.0 (new option: empty-line)
   • err113: from aea10b5 to 0.1.1 (skip internals of Is methods for error type)
   • ginkgolinter: from 0.20.0 to 0.21.0 (new option: force-tonot)
   • gofumpt: from 0.8.0 to 0.9.1 (new rule is to "clothe" naked returns for the sake of clarity)
   • ineffassign: from 0.1.0 to 0.2.0 (new option: check-escaping-errors)
   • musttag: from 0.13.1 to 0.14.0 (support interface methods)
   • revive: from 1.11.0 to 1.12.0 (new options: identical-ifelseif-branches, identical-ifelseif-conditions, identical-switch-branches, identical-switch-conditions, package-directory-mismatch, unsecure-url-scheme, use-waitgroup-go, useless-fallthrough)
   • thelper: from 0.6.3 to 0.7.1 (skip t.Helper in functions passed to synctest.Test)
   • wsl: from 5.1.1 to 5.2.0 (improvements related to subexpressions)
3. Linters bug fixes
   • asciicheck: from 0.4.1 to 0.5.0
   • errname: from 1.1.0 to 1.1.1
   • fatcontext: from 0.8.0 to 0.8.1
   • go-printf-func-name: from 0.1.0 to 0.1.1
   • godot: from 1.5.1 to 1.5.4
   • gosec: from 2.22.7 to 2.22.8
   • nilerr: from 0.1.1 to a temporary fork
   • nilnil: from 1.1.0 to 1.1.1
   • protogetter: from 0.3.15 to 0.3.16
   • tagliatelle: from 0.7.1 to 0.7.2
   • testifylint: from 1.6.1 to 1.6.4
4. Misc.
   • fix: "no export data" errors are now handled as a standard typecheck error
5. Documentation
   • Improve nolint section about syntax

v2.4.0

Compare Source

1. Enhancements
   • 🎉 go1.25 support
2. Linters new features or changes
   • exhaustruct: from v3.3.1 to 4.0.0 (new options: allow-empty, allow-empty-rx, allow-empty-returns, allow-empty-declarations)
3. Linters bug fixes
   • godox: trim filepath from report messages
   • staticcheck: allow empty options
   • tagalign: from 1.4.2 to 1.4.3
4. Documentation
   • 🌟 New website (with a search engine)

v2.3.1

Compare Source

1. Linters bug fixes
   • gci: from 0.13.6 to 0.13.7
   • gosec: from 2.22.6 to 2.22.7
   • noctx: from 0.3.5 to 0.4.0
   • wsl: from 5.1.0 to 5.1.1
   • tagliatelle: force upper case for custom initialisms

v2.3.0

Compare Source

1. Linters new features or changes
   • ginkgolinter: from 0.19.1 to 0.20.0 (new option: force-assertion-description)
   • iface: from 1.4.0 to 1.4.1 (report message improvements)
   • noctx: from 0.3.4 to 0.3.5 (new detections: log/slog, exec, crypto/tls)
   • revive: from 1.10.0 to 1.11.0 (new rule: enforce-switch-style)
   • wsl: from 5.0.0 to 5.1.0
2. Linters bug fixes
   • gosec: from 2.22.5 to 2.22.6
   • noinlineerr: from 1.0.4 to 1.0.5
   • sloglint: from 0.11.0 to 0.11.1
3. Misc.
   • fix: panic close of closed channel

v2.2.2

Compare Source

1. Linters bug fixes
   • noinlineerr: from 1.0.3 to 1.0.4
2. Documentation
   • Improve debug keys documentation
3. Misc.
   • fix: panic close of closed channel
   • godot: add noinline value into the JSONSchema

v2.2.1

Compare Source

1. Linters bug fixes

• varnamelen: fix configuration

v2.2.0

Compare Source

1. New linters
   • Add arangolint linter https://github.com/Crocmagnon/arangolint
   • Add embeddedstructfieldcheck linter https://github.com/manuelarte/embeddedstructfieldcheck
   • Add noinlineerr linter https://github.com/AlwxSin/noinlineerr
   • Add swaggo formatter https://github.com/golangci/swaggoswag
2. Linters new features or changes
   • errcheck: add verbose option
   • funcorder: from 0.2.1 to 0.5.0 (new option alphabetical)
   • gomoddirectives: from 0.6.1 to 0.7.0 (new option ignore-forbidden)
   • iface: from 1.3.1 to 1.4.0 (new option unexported)
   • noctx: from 0.1.0 to 0.3.3 (new report messages, and new rules related to database/sql)
   • noctx: from 0.3.3 to 0.3.4 (new SQL functions detection)
   • revive: from 1.9.0 to 1.10.0 (new rules: time-date, unnecessary-format, use-fmt-print)
   • usestdlibvars: from 1.28.0 to 1.29.0 (new option time-date-month)
   • wsl: deprecation
   • wsl_v5: from 4.7.0 to 5.0.0 (major version with new configuration)
3. Linters bug fixes
   • dupword: from 0.1.3 to 0.1.6
   • exptostd: from 0.4.3 to 0.4.4
   • forbidigo: from 1.6.0 to 2.1.0
   • gci: consistently format the code
   • go-spancheck: from 0.6.4 to 0.6.5
   • goconst: from 1.8.1 to 1.8.2
   • gosec: from 2.22.3 to 2.22.4
   • gosec: from 2.22.4 to 2.22.5
   • makezero: from 1.2.0 to 2.0.1
   • misspell: from 0.6.0 to 0.7.0
   • usetesting: from 0.4.3 to 0.5.0
4. Misc.
   • exclusions: fix path-expect
   • formatters: write the input to stdout when using stdin and there are no changes
   • migration: improve the error message when trying to migrate a migrated config
   • typecheck: deduplicate errors
   • typecheck: stops the analysis after the first error
   • Deprecate print-resources-usage flag
   • Unique version per custom build
5. Documentation
   • Improves typecheck FAQ
   • Adds plugin systems recommendations
   • Add description for linters.default sets

v2.1.6

Compare Source

1. Linters bug fixes
   • godot: from 1.5.0 to 1.5.1
   • musttag: from 0.13.0 to 0.13.1
2. Documentation
   • Add note about golangci-lint v2 integration in VS Code

v2.1.5

Compare Source

Due to an error related to Snapcraft, some artifacts of the v2.1.4 release have not been published.

This release contains the same things as v2.1.3.

v2.1.4

Compare Source

Due to an error related to Snapcraft, some artifacts of the v2.1.3 release have not been published.

This release contains the same things as v2.1.3.

v2.1.3

Compare Source

1. Linters bug fixes
   • fatcontext: from 0.7.2 to 0.8.0
2. Misc.
   • migration: fix nakedret.max-func-lines: 0
   • migration: fix order of staticcheck settings
   • fix: add go.mod hash to the cache salt
   • fix: use diagnostic position for related information position

v2.1.2

Compare Source

1. Linters bug fixes
   • exptostd: from 0.4.2 to 0.4.3
   • gofumpt: from 0.7.0 to 0.8.0
   • protogetter: from 0.3.13 to 0.3.15
   • usetesting: from 0.4.2 to 0.4.3

v2.1.1

Compare Source

The release process of v2.1.0 failed due to a regression inside goreleaser.

The binaries of v2.1.0 have been published, but not the other artifacts (AUR, Docker, etc.).

v2.1.0

Compare Source

1. Enhancements
   • Add an option to display absolute paths (--path-mode=abs)
   • Add configuration path placeholder (${config-path})
   • Add warn-unused option for fmt command
   • Colored diff for fmt command (golangci-lint fmt --diff-colored)
2. New linters
   • Add funcorder linter https://github.com/manuelarte/funcorder
3. Linters new features or changes
   • go-errorlint: from 1.7.1 to 1.8.0 (automatic error comparison and type assertion fixes)
   • ⚠️ goconst: ignore-strings is deprecated and replaced by ignore-string-values
   • goconst: from 1.7.1 to 1.8.1 (new options: find-duplicates, eval-const-expressions)
   • govet: add httpmux analyzer
   • nilnesserr: from 0.1.2 to 0.2.0 (detect more cases)
   • paralleltest: from 1.0.10 to 1.0.14 (checks only _test.go files)
   • revive: from 1.7.0 to 1.9.0 (support kebab case for setting names)
   • sloglint: from 0.9.0 to 0.11.0 (autofix, new option msg-style, suggest slog.DiscardHandler)
   • wrapcheck: from 2.10.0 to 2.11.0 (new option report-internal-errors)
   • wsl: from 4.6.0 to 4.7.0 (cgo files are always excluded)
4. Linters bug fixes
   • fatcontext: from 0.7.1 to 0.7.2
   • gocritic: fix importshadow checker
   • gosec: from 2.22.2 to 2.22.3
   • ireturn: from 0.3.1 to 0.4.0
   • loggercheck: from 0.10.1 to 0.11.0
   • nakedret: from 2.0.5 to 2.0.6
   • nonamedreturns: from 1.0.5 to 1.0.6
   • protogetter: from 0.3.12 to 0.3.13
   • testifylint: from 1.6.0 to 1.6.1
   • unconvert: update to HEAD
5. Misc.
   • Fixes memory leaks when using go1.(N) with golangci-lint built with go1.(N-X)
   • Adds golangci-lint-fmt pre-commit hook
6. Documentation
   • Improvements
   • Updates section about vscode integration

v2.0.2

Compare Source

1. Misc.
   • Fixes flags parsing for formatters
   • Fixes the filepath used by the exclusion source option
2. Documentation
   • Adds a section about flags migration
   • Cleaning pages with v1 options

v2.0.1

Compare Source

1. Linters/formatters bug fixes
   • golines: fix settings during linter load
2. Misc.
   • Validates the version field before the configuration
   • forbidigo: fix migration

v2.0.0

Compare Source

1. Enhancements
   • 🌟 New golangci-lint fmt command with dedicated formatter configuration
   • ♻️ New golangci-lint migrate command to help migration from v1 to v2 (cf. Migration guide)
   • ⚠️ New default values (cf. Migration guide)
   • ⚠️ No exclusions by default (cf. Migration guide)
   • ⚠️ New default sort order (cf. Migration guide)
   • 🌟 New option run.relative-path-mode (cf. Migration guide)
   • 🌟 New linters configuration (cf. Migration guide)
   • 🌟 New output format configuration (cf. Migration guide)
   • 🌟 New --fast-only flag (cf. Migration guide)
   • 🌟 New option linters.exclusions.warn-unused to log a warning if an exclusion rule is unused.
2. New linters/formatters
   • Add golines formatter https://github.com/segmentio/golines
3. Linters new features
   • ⚠️ Merge staticcheck, stylecheck, gosimple into one linter (staticcheck) (cf. Migration guide)
   • go-critic: from 0.12.0 to 0.13.0
   • gomodguard: from 1.3.5 to 1.4.1 (block explicit indirect dependencies)
   • nilnil: from 1.0.1 to 1.1.0 (new option: only-two)
   • perfsprint: from 0.8.2 to 0.9.1 (checker name in the diagnostic message)
   • staticcheck: new quickfix set of rules
   • testifylint: from 1.5.2 to 1.6.0 (new options: equal-values, suite-method-signature, require-string-msg)
   • wsl: from 4.5.0 to 4.6.0 (new option: allow-cuddle-used-in-block)
4. Linters bug fixes
   • bidichk: from 0.3.2 to 0.3.3
   • errchkjson: from 0.4.0 to 0.4.1
   • errname: from 1.0.0 to 1.1.0
   • funlen: fix ignore-comments option
   • gci: from 0.13.5 to 0.13.6
   • gosmopolitan: from 1.2.2 to 1.3.0
   • inamedparam: from 0.1.3 to 0.2.0
   • intrange: from 0.3.0 to 0.3.1
   • protogetter: from 0.3.9 to 0.3.12
   • unparam: from 8a5130c to 0df0534
5. Misc.
   • 🧹 Configuration options renaming (cf. Migration guide)
   • 🧹 Remove options (cf. Migration guide)
   • 🧹 Remove flags (cf. Migration guide)
   • 🧹 Remove alternative names (cf. Migration guide)
   • 🧹 Remove or replace deprecated elements (cf. Migration guide)
   • Adds an option to display some commands as JSON:
     • golangci-lint config path --json
     • golangci-lint help linters --json
     • golangci-lint help formatters --json
     • golangci-lint linters --json
     • golangci-lint formatters --json
     • golangci-lint version --json
6. Documentation
   • Migration guide

v1.64.8

Compare Source

• Detects use of configuration files from golangci-lint v2

v1.64.7

Compare Source

1. Linters bug fixes
   • depguard: from 2.2.0 to 2.2.1
   • dupl: from 3e9179a to f665c8d
   • gosec: from 2.22.1 to 2.22.2
   • staticcheck: from 0.6.0 to 0.6.1
2. Documentation
   • Add GitLab documentation

v1.64.6

Compare Source

1. Linters bug fixes
   • asciicheck: from 0.4.0 to 0.4.1
   • contextcheck: from 1.1.5 to 1.1.6
   • errcheck: from 1.8.0 to 1.9.0
   • exptostd: from 0.4.1 to 0.4.2
   • ginkgolinter: from 0.19.0 to 0.19.1
   • go-exhaustruct: from 3.3.0 to 3.3.1
   • gocheckcompilerdirectives: from 1.2.1 to 1.3.0
   • godot: from 1.4.20 to 1.5.0
   • perfsprint: from 0.8.1 to 0.8.2
   • revive: from 1.6.1 to 1.7.0
   • tagalign: from 1.4.1 to 1.4.2

v1.64.5

Compare Source

1. Bug fixes
   • Add missing flag new-from-merge-base-flag
2. Linters bug fixes
   • asciicheck: from 0.3.0 to 0.4.0
   • forcetypeassert: from 0.1.0 to 0.2.0
   • gosec: from 2.22.0 to 2.22.1

v1.64.4

Compare Source

1. Linters bug fixes
   • gci: fix standard packages list for go1.24

v1.64.3

Compare Source

1. Linters bug fixes
   • ginkgolinter: from 0.18.4 to 0.19.0
   • go-critic: from 0.11.5 to 0.12.0
   • revive: from 1.6.0 to 1.6.1
   • gci: fix standard packages list for go1.24
2. Misc.
   • Build Docker images with go1.24

v1.64.2

Compare Source

This is the last minor release of golangci-lint v1.
The next release will be golangci-lint v2.

1. Enhancements
   • 🎉 go1.24 support
   • New issues.new-from-merge-base option
   • New run.relative-path-mode option
2. Linters new features
   • copyloopvar: from 1.1.0 to 1.2.1 (support suggested fixes)
   • exptostd: from 0.3.1 to 0.4.1 (handles golang.org/x/exp/constraints.Ordered)
   • fatcontext: from 0.5.3 to 0.7.1 (new option: check-struct-pointers)
   • perfsprint: from 0.7.1 to 0.8.1 (new options: integer-format, error-format, string-format, bool-format, and hex-format)
   • revive: from 1.5.1 to 1.6.0 (new rules: redundant-build-tag, use-errors-new. New option early-return.early-return)
3. Linters bug fixes
   • go-errorlint: from 1.7.0 to 1.7.1
   • gochecknoglobals: from 0.2.1 to 0.2.2
   • godox: from 006bad1 to 1.1.0
   • gosec: from 2.21.4 to 2.22.0
   • iface: from 1.3.0 to 1.3.1
   • nilnesserr: from 0.1.1 to 0.1.2
   • protogetter: from 0.3.8 to 0.3.9
   • sloglint: from 0.7.2 to 0.9.0
   • spancheck: fix default StartSpanMatchersSlice values
   • staticcheck: from 0.5.1 to 0.6.0
4. Deprecations
   • ⚠️ tenv is deprecated and replaced by usetesting.os-setenv: true.
   • ⚠️ exportloopref deprecation step 2
5. Misc.
   • Sanitize severities by output format
   • Avoid panic with plugin without description
6. Documentation
   • Clarify depguard configuration

v1.64.1

Compare Source

Cancelled due to CI failure.

v1.64.0

Compare Source

Cancelled due to CI failure.

open-policy-agent/opa (github.com/open-policy-agent/opa)

v1.13.1

Compare Source

v1.13.1

This bug fix release addresses an issue found in the new array.flatten built-in function

• Fix issue in array.flatten handling of single item arrays (#​8273) (#​8272) authored by @​anderseknert

v1.13.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new immediate upload trigger mode in the Decision Logger
• A new array.flatten built-in function
• Numerous performance improvements

Immediate Upload Trigger Mode in Decision Logger (#​8110)

An immediate trigger mode has been added to the Decision Logger; enabled by setting the decision_logs.reporting.trigger configuration option to immediate.
When enabled, log events are pushed to the log service as soon as the configured upload chunk size criteria is met; or, at latest, when the configured upload delay is reached.

Authored by @​sspaink

Runtime, SDK, Tooling

• cmd/fmt: Do not overwrite file on fmt without changes (#​8222) authored by @​Loic-R
• cmd/test: Enable sorting JSON test results by duration (#​7444) authored by @​sspaink
• profiler: nil *Profiler should not report Enabled() (#​8256) authored by @​anderseknert
• rego: Add Data function to simplify adding data from map (#​5961) authored by @​majiayu000 reported by @​anderseknert
• runtime: Correct naming & docs for version checking (#​8191) authored by @​charlieegan3

Compiler, Topdown and Rego

• ast: Body.String() doesn't panic on empty body (#​8244) authored by @​srenatus
• ast: Improve type error message when referencing functions (#​6840) authored by @​sspaink
• ast: Type Checker recognizes when a variable has multiple assignments but is an undefined function (#​7463) authored by @​sspaink reported by @​anderseknert
• ast/parser: Avoid duplicate loc copies (#​8142) authored by @​srenatus
• topdown: Add array.flatten built-in function (#​8226) authored by @​anderseknert
• topdown: Fix issue where numbers.range_step built-in could erroneously return undefined value (#​8194) authored by @​thevilledev
• topdown: Remove hard-coded missing key error in strings.render_template built-in (#​7931) authored by @​colinjlacy reported by @​anderseknert
• topdown: Re-introduce cancellation-awareness for regex.replace built-in (#​8179) authored by @​srenatus
  from having been reverted in v1.12.1
• topdown: Support arrays as input for json.match_schema (#​6615) authored by @​sspaink reported by @​mscudlik

Performance

• ast: Improved annotations parsing (#​8210) authored by @​anderseknert
• ast: Reinstate zero-alloc paths in Ref.String() (#​8202) authored by @​anderseknert
• ast: Replace regex implementation in IsVarCompatibleString (#​8164) authored by @​anderseknert
• ast: Optimize Set.Intersect and Set.Diff (#​8167) authored by @​thevilledev
• ast: Optimize Set.Union (#​8172) authored by @​thevilledev
• ast: Reduce allocations in Expr.MarshalJSON (#​8204) authored by @​thevilledev
• ast: Reduce allocations in Rule.MarshalJSON (#​8205) authored by @​thevilledev
• ast: Reduce allocations in Term.MarshalJSON (#​8200) authored by @​thevilledev
• ast: Reduce allocations in With.MarshalJSON (#​8206) authored by @​thevilledev
• perf: String() implementations using appenders (#​8192) authored by @​anderseknert
• topdown: Avoid redundancy in builtinTrim (#​8237) authored by @​thevilledev
• topdown: Eliminate closure allocations in Set and virtual doc enumeration (#​8242) authored by @​alex60217101990
• topdown: Fast paths for array.reverse (#​8177) authored by @​thevilledev
• topdown: Optimize json.remove and json.filter (#​8193) authored by @​thevilledev
• topdown: Optimize object built-ins (#​8175) authored by @​thevilledev
• topdown: Optimize union built-in (#​8173) authored by @​thevilledev
• topdown: Pre-alloc in various built-ins (#​8198) authored by @​thevilledev
• topdown: Reduce allocs in float sum/product (#​8235) authored by @​thevilledev
• topdown: Skip set copy in getObjectKeysParam (#​8176) authored by @​thevilledev

Docs, Website, Ecosystem

• docs: Add authz-spring-boot-starter to Spring Security API ecosystem entry (#​8234) authored by @​francois-eckert
• docs: Add header for crypto example to make (#​8259) authored by @​charlieegan3
• docs: Add notes for automated agents (#​8147, #​8203) authored by @​charlieegan3
• docs: Add opa-wasm-zig to the ecosystem (#​8163) authored by @​burdzwastaken
• docs: Add scripts to import docs from source (#​8148) authored by @​charlieegan3
• docs: Explain how to use the SDK without a initialising a server (#​8248) authored by @​andrewcameronsims
• docs: Fix a number of redirecting links (#​8165 authored by @​charlieegan3
• docs: Fix template-expression examples (#​8199) authored by @​johanfylling
• docs/ocp: Mention source prefix/path options (#​8238) authored by @​srenatus
• website: Add redirect section for immutable referrers (#​8262) authored by @​charlieegan3 reported by @​KraLeoD
• website: Display 2025 survey results on the website (#​8258) authored by @​charlieegan3
• website: Show breadcrumbs in search results (#​8207) authored by @​charlieegan3

Miscellaneous

• Decoupled the Rego job check from the Go job checks in the Github PR workflow (#​8203) authored by @​SeanLedford
• build: Format pr_check.rego with opa fmt (#​8201) authored by @​thevilledev
• build: Migrate PR check to OPA policy (#​8183) authored by @​SeanLedford
• build: Run go get against main to spot redacted (#​8146) authored by @​charlieegan3
• deps: Switch to maintained go.yaml.in/yaml/v3 yaml library (#​8182) authored by @​mrueg
• test/cases: Increase yaml test coverage for some regex and string builtins (#​8152) authored by @​srenatus
• Dependency updates; notably:
  • build: bump golang from 1.25.5 to 1.25.6 (#​8224) authored by @​srenatus
  • build(deps): bump go.opentelemetry.io deps from 1.38.0/0.63.0 to 1.39.0/0.64.0
  • build(deps): bump klauspost/compress from v1.18.1 to v1.18.2 (#​8184) authored by @​srenatus
    because of redaction warning
  • build(deps): bump github.com/go-ini/ini from v1.67.0 to gopkg.in/ini.v1 v1.67.1 (#​8208) authored by @​gabrpt

v1.12.3

Compare Source

v1.12.3

This is a bug fix release addressing two issues:

Bundle polling is being misconfigured when discovery bundle is updated (#​8215)

This is an issue where the polling interval for discovery (discovery.polling.min_delay_seconds and discovery.polling.max_delay_seconds) were misinterpreted on reconfiguration, causing extremely long update intervals.

Reported by @​loganmiller-chime, authored by @​sspaink

Decision log size buffer buffer_size_limit_bytes misconfigured during reconfiguration (#​8213)

This is a regression in the decision log, where the decision_logs.reporting.buffer_size_limit_bytes was mistakenly assigned the value of decision_logs.reporting.upload_size_limit_bytes during reconfiguration.
This issue is only present when decision_logs.reporting.buffer_type is set to size, which is the default value.

Authored by @​sspaink

v1.12.2

Compare Source

This bug fix release address issues found in the new string interpolation feature

• Add (*TemplateString).Copy() method (#​8159) authored by @​anderseknert
• Fix template string not serialized with escaped { (#​8161)
  authored by @​anderseknert
• fix(ast): skip template string vars in ref safety (#​8174)
  authored by @​thevilledev
• fix(ast): use original var names in template error (#​8180)
  authored by @​thevilledev

v1.12.1

Compare Source

This bug fix release reverts a change to regex.replace that unintentionally changed its behaviour for anchored regular expressions.

• Revert "topdown: make regex.replace respect cancellation" (authored by @​srenatus)

v1.12.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Support for String Interpolation in the Rego language
• Faster compilation and runtime
• Fixes published in the v1.11.1 release

String Interpolation (#​4733)

The Rego language has been extended to support String Interpolation,
which provides a readable means to compose strings containing dynamic values determined at evaluation time.

An interpolated string is composed of a template-string containing zero or more template-expressions that evaluates to a value at evaluation time.
The $ character prefix identifies a template-string, and template-expressions are declared by being enclosed in curly-braces ({, }).

Additionally, undefined template-expression values don't halt evaluation; instead, <undefined> will be injected into the generated string.

package interpolation

allowed_roles := ["admin", "employee"]

default role := "guest"
role := input.role

deny contains $"User {input.username}'s role was '{role}', but must be one of {allowed_roles}" if {
  not role in allowed_roles
}

{
  "deny": [
    "User <undefined>'s role was 'guest', but must be one of [\"admin\", \"employee\"]"
  ],
}

String interpolation is a more readable and less error-prone substitute for the sprintf built-in function.

Authored by @​johanfylling reported by @​anderseknert

[!TIP]
Help us out!

New Rego language features are exciting, and we want to maximize their usefulness. If you come across tools and integrations in the community where string interpolation isn't properly handled, such as syntax highlighting, please reach out and let us know.

Runtime, SDK, Tooling

• oracle: Refactor Oracle better support some and every (#​8105, #​8131, #​8138) authored by @​charlieegan3
• plugins/bundle: Prevent ns-level polling by validating intervals (#​8082) authored by @​jjhwan-h
• plugins/discovery: Initialize plugins before downloading (#​8071) authored by @​jt28828
• topdown: Introduce sink for context cancellation
  • topdown: Make regex.replace respect cancellation (#​8089) authored by @​srenatus
  • topdown: Make replace and strings.replace_n respect cancellation (#​8089) authored by @​srenatus
  • topdown: Use sink for concat (#​8090) authored by @​srenatus
  • perf: Avoid extra allocation in sink if no cancel (#​8104) authored by @​anderseknert

Compiler, Topdown and Rego

• ast/compile: Deal with error limit without panic/defer (#​8087) authored by @​srenatus
• ast/parser: Check if we need to unescape at all (#​8135) authored by @​srenatus
• perf: Improved visitor implementation (10% faster compilation) (#​8078) authored by @​anderseknert
• perf: Reduce allocations handling terms (#​8116) authored by @​anderseknert
• perf: Type-checker performance improvements (#​8143) authored by @​anderseknert

Docs, Website, Ecosystem

• website: Add support for rego string interpolation syntax highlighting (#​8092) authored by @​charlieegan3
• docs/ocp: Update "concepts" for v0.3.0 (#​8117) authored by @​srenatus
• website: Show playground errors (#​8141) authored by @​charlieegan3
• website: Update a number of links to their new location (#​8100) authored by @​charlieegan3
• docs: Remove link to feedback form (#​8101) authored by @​charlieegan3
• website: Remove survey bar (#​8136) authored by @​charlieegan3
• docs: Update community contacts (#​8108) authored by @​charlieegan3

Miscellaneous

• ast/checks_test: Fix flaky tests (#​8111) authored by @​srenatus
• benchmarks: Install node v24 (#​8122) authored by @​srenatus
• download: Fix when compiling with tag opa_no_oci (#​8070) authored by @​srenatus reported by @​mg0083
• tests: Race in TestStatusUpdateBuffer (#​8133) authored by @​thevilledev
• workflow: Integrate benchmarks notebook (#​8121) authored by @​srenatus
• workflows: Skip all tests in benchmarks run (#​8086) authored by @​srenatus
• Dependency updates; notably:
  • build: Bump golang from 1.25.4 to 1.25.5 (#​8107) authored by @​srenatus
  • build(deps): Bump google.golang.org/grpc from 1.76.0 to 1.77.0

v1.11.1

Compare Source

This is a bugfix release:

Memory exhaustion via forged gzip header

A crafted HTTP request any of OPA's HTTP endpoints would lead OPA to use a large amount of memory, triggering
an out-of-memory process exit.

This weakness in OPA's HTTP API gzip handling is as old as the gzip handling itself. A configurable limit was introduced in v0.67.0, but it has been shown that this security measure wasn't sufficient to avoid running out of memory in memory-constrained setups.

Thanks to @​thevilledev for reporting and fixing this issue.

It only applies to OPA running as server (as a binary or in a container, as "sidecar"). To trigger an OOM process exit using this weakness, an adversary must be able to send an HTTP request directly to OPA. This would be the case if they are in the same network, there is no proxy in front of OPA, or if OPA was exposed to the internet, which is advised against.

By the nature of HTTP encodings, this would be effective before token-based authentication and authorization policies, so these measures do not protect against the attack vector.

If all OPA endpoints are using TLS-based authentication (mutual TLS, "mTLS"), then an adversary cannot do harm with this method.

Please note that while we're taking all of these issues seriously, OPA isn't designed for adversary environments. It's strongly advised not to expose any of its endpoints to the public inter

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: acceptance/go.sum

Command failed: go get -t ./...
go: gopkg.in/go-jose/go-jose.v4@v4.1.3: parsing go.mod:
	module declares its path as: github.com/go-jose/go-jose/v4
	        but was required as: gopkg.in/go-jose/go-jose.v4

File name: tools/go.sum

Command failed: go get -t ./...
go: module helm.sh/helm/v4@v4.1.0 requires go >= 1.25.0; switching to go1.25.6
go: downloading github.com/daixiang0/gci v0.13.7
go: downloading github.com/golangci/golangci-lint v1.57.2
go: downloading github.com/google/addlicense v1.1.1
go: downloading github.com/tektoncd/chains v0.22.2
go: downloading github.com/tektoncd/cli v0.38.0
go: downloading k8s.io/kubernetes v1.34.2
go: downloading github.com/in-toto/attestation v1.1.0
go: downloading github.com/sigstore/cosign/v2 v2.4.0
go: downloading github.com/sigstore/sigstore v1.8.8
go: downloading golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f
go: downloading github.com/hashicorp/go-version v1.8.0
go: downloading github.com/spf13/viper v1.19.0
go: downloading github.com/open-policy-agent/opa v0.70.0
go: downloading oras.land/oras-go v1.2.6
go: downloading github.com/google/go-containerregistry v0.20.2
go: downloading github.com/secure-systems-lab/go-securesystemslib v0.8.0
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.8
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.8
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.8
go: downloading github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.8
go: downloading github.com/spiffe/go-spiffe/v2 v2.5.0
go: downloading github.com/tektoncd/triggers v0.29.0
go: downloading github.com/tektoncd/hub v1.18.0
go: downloading sigs.k8s.io/kustomize/cmd/config v0.20.1
go: downloading github.com/ldez/gomoddirectives v0.8.0
go: downloading github.com/golangci/plugin-module-register v0.1.2
go: downloading github.com/sagikazarmark/locafero v0.6.0
go: downloading github.com/sagikazarmark/slog-shim v0.1.0
go: downloading github.com/spf13/cast v1.7.0
go: downloading github.com/olekukonko/tablewriter v0.0.5
go: downloading github.com/OneOfOne/xxhash v1.2.8
go: downloading go.opentelemetry.io/otel v1.37.0
go: downloading go.opentelemetry.io/otel/trace v1.37.0
go: downloading github.com/go-openapi/jsonpointer v0.21.1
go: downloading github.com/aws/aws-sdk-go-v2 v1.30.4
go: downloading github.com/aws/aws-sdk-go-v2/config v1.27.31
go: downloading github.com/aws/aws-sdk-go-v2/service/kms v1.35.5
go: downloading github.com/jellydator/ttlcache/v3 v3.3.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
go: downloading github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0
go: downloading cloud.google.com/go v0.121.2
go: downloading google.golang.org/api v0.239.0
go: downloading github.com/hashicorp/vault/api v1.14.0
go: downloading github.com/go-jose/go-jose/v4 v4.1.2
go: downloading github.com/zeebo/errs v1.4.0
go: downloading google.golang.org/grpc v1.76.0
go: downloading gocloud.dev v0.39.0
go: downloading gocloud.dev/docstore/mongodocstore v0.39.0
go: downloading cloud.google.com/go/storage v1.53.0
go: downloading gocloud.dev/pubsub/kafkapubsub v0.39.0
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b
go: downloading google.golang.org/genproto v0.0.0-20250603155806-513f23925822
go: downloading github.com/ldez/grignotin v0.10.1
go: downloading github.com/4meepo/tagalign v1.4.3
go: downloading github.com/Abirdcfly/dupword v0.1.7
go: downloading github.com/Antonboom/errname v1.1.1
go: downloading github.com/Antonboom/nilnil v1.1.1
go: downloading github.com/Antonboom/testifylint v1.6.4
go: downloading github.com/Djarvur/go-err113 v0.1.1
go: downloading github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0
go: downloading github.com/alexkohler/nakedret/v2 v2.0.6
go: downloading github.com/alexkohler/prealloc v1.0.1
go: downloading github.com/bombsimon/wsl/v4 v4.7.0
go: downloading github.com/breml/bidichk v0.3.3
go: downloading github.com/breml/errchkjson v0.4.1
go: downloading github.com/butuzov/ireturn v0.4.0
go: downloading github.com/catenacyber/perfsprint v0.10.1
go: downloading github.com/charithe/durationcheck v0.0.11
go: downloading github.com/ckaznocha/intrange v0.3.1
go: downloading github.com/firefart/nonamedreturns v1.0.6
go: downloading github.com/ghostiam/protogetter v0.3.18
go: downloading github.com/go-critic/go-critic v0.14.3
go: downloading github.com/golangci/misspell v0.7.0
go: downloading github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e
go: downloading github.com/gordonklaus/ineffassign v0.2.0
go: downloading github.com/gostaticanalysis/nilerr v0.1.2
go: downloading github.com/jgautheron/goconst v1.8.2
go: downloading github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af
go: downloading github.com/jjti/go-spancheck v0.6.5
go: downloading github.com/karamaru-alpha/copyloopvar v1.2.2
go: downloading github.com/kulti/thelper v0.7.1
go: downloading github.com/kunwardeep/paralleltest v1.0.15
go: downloading github.com/kyoh86/exportloopref v0.1.11
go: downloading github.com/ldez/tagliatelle v0.7.2
go: downloading github.com/lufeee/execinquery v1.2.1
go: downloading github.com/macabu/inamedparam v0.2.0
go: downloading github.com/maratori/testableexamples v1.0.1
go: downloading github.com/maratori/testpackage v1.1.2
go: downloading github.com/mgechev/revive v1.13.0
go: downloading github.com/nunnatsa/ginkgolinter v0.21.2
go: downloading github.com/polyfloyd/go-errorlint v1.7.0
go: downloading github.com/ryancurrah/gomodguard v1.4.1
go: downloading github.com/sashamelentyev/usestdlibvars v1.29.0
go: downloading github.com/securego/gosec/v2 v2.22.11
go: downloading github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c
go: downloading github.com/sonatard/noctx v0.4.0
go: downloading github.com/stbenjam/no-sprintf-host-port v0.3.1
go: downloading github.com/tdakkota/asciicheck v0.3.0
go: downloading github.com/tetafro/godot v1.5.4
go: downloading github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67
go: downloading github.com/timonwong/loggercheck v0.11.0
go: downloading github.com/tomarrell/wrapcheck/v2 v2.12.0
go: downloading github.com/xen0n/gosmopolitan v1.3.0
go: downloading go-simpler.org/musttag v0.14.0
go: downloading go-simpler.org/sloglint v0.11.1
go: downloading mvdan.cc/gofumpt v0.9.2
go: downloading mvdan.cc/unparam v0.0.0-20251027182757-5beb8c8f8f15
go: downloading cuelang.org/go v0.10.0
go: downloading github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475
go: downloading github.com/docker/cli v27.2.0+incompatible
go: downloading go.opentelemetry.io/otel/metric v1.37.0
go: downloading github.com/aws/smithy-go v1.20.4
go: downloading github.com/aws/aws-sdk-go-v2/credentials v1.17.30
go: downloading github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12
go: downloading github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1
go: downloading github.com/aws/aws-sdk-go-v2/service/sso v1.22.5
go: downloading github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5
go: downloading github.com/aws/aws-sdk-go-v2/service/sts v1.30.5
go: downloading github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16
go: downloading github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0
go: downloading github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2
go: downloading github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.1
go: downloading github.com/cenkalti/backoff/v3 v3.2.2
go: downloading github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c
go: downloading github.com/docker/docker-credential-helpers v0.8.2
go: downloading cloud.google.com/go/compute/metadata v0.8.0
go: downloading github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0
go: downloading go.opentelemetry.io/contrib/detectors/gcp v1.36.0
go: downloading go.opentelemetry.io/otel/sdk v1.37.0
go: downloading go.opentelemetry.io/otel/sdk/metric v1.37.0
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3
go: downloading github.com/IBM/sarama v1.43.3
go: downloading github.com/docker/docker v27.2.0+incompatible
go: downloading github.com/ktr0731/go-fuzzyfinder v0.8.0
go: downloading github.com/alfatraining/structtag v1.0.0
go: downloading github.com/quasilyte/go-ruleguard v0.4.5
go: downloading github.com/ccojocar/zxcvbn-go v1.0.4
go: downloading github.com/gorilla/mux v1.8.1
go: downloading github.com/agnivade/levenshtein v1.2.0
go: downloading github.com/containerd/stargz-snapshotter/estargz v0.15.1
go: downloading go.opentelemetry.io/auto/sdk v1.1.0
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18
go: downloading github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0
go: downloading github.com/hashicorp/go-sockaddr v1.0.6
go: downloading github.com/xanzy/go-gitlab v0.108.0
go: downloading github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0
go: downloading github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0
go: downloading github.com/pierrec/lz4/v4 v4.1.21
go: downloading github.com/gdamore/tcell/v2 v2.7.4
go: downloading goa.design/goa/v3 v3.18.2
go: downloading golang.org/x/exp/typeparams v0.0.0-20251023183803-a4bb9ffd2546
go: downloading codeberg.org/chavacava/garif v0.2.0
go: downloading github.com/vbatts/tar-split v0.11.5
go: downloading github.com/golang-jwt/jwt/v5 v5.2.2
go: downloading github.com/envoyproxy/go-control-plane/envoy v1.32.4
go: downloading github.com/envoyproxy/go-control-plane v0.13.4
go: downloading github.com/go-chi/chi/v5 v5.1.0
go: downloading github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443
go: downloading github.com/golangci/gofmt v0.0.0-20251215234548-e7be49a5ab4d
go: downloading github.com/nunnatsa/ginkgolinter v0.22.0
go: downloading helm.sh/helm v2.17.0+incompatible
go: github.com/enterprise-contract/ec-cli/tools imports
	github.com/golangci/golangci-lint/cmd/golangci-lint imports
	github.com/golangci/golangci-lint/pkg/commands imports
	github.com/golangci/golangci-lint/pkg/lint/lintersdb imports
	github.com/golangci/golangci-lint/pkg/golinters imports
	github.com/golangci/gofmt/goimports: cannot find module providing package github.com/golangci/gofmt/goimports
go: github.com/enterprise-contract/ec-cli/tools imports
	github.com/golangci/golangci-lint/cmd/golangci-lint imports
	github.com/golangci/golangci-lint/pkg/commands imports
	github.com/golangci/golangci-lint/pkg/lint/lintersdb imports
	github.com/golangci/golangci-lint/pkg/golinters imports
	github.com/nunnatsa/ginkgolinter/types: cannot find module providing package github.com/nunnatsa/ginkgolinter/types

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.