Update openpolicyagent/opa Docker tag to v1.17.0 (main) #1708

Open: renovate[bot] wants to merge 1 commit into main from renovate/main-openpolicyagent-opa-1.x

@renovate renovate Bot commented May 31, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| openpolicyagent/opa (source) | stage | minor | 1.15.2 → 1.17.0 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

open-policy-agent/opa (openpolicyagent/opa)

v1.17.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • A new future.keywords.not import that adds improved semantics to the not keyword.
  • Rule Labels in Decision Logs
  • Published JSON Schema for the IR and bundle manifest
  • Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#​8387)

This OPA release introduces a new future.keywords.not import
that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like
not f(g(input.x)) into a series of sub-expressions evaluated before the
not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g
produces an undefined result — the entire rule fails rather than the not succeeding.
This is unintuitive: the user's intent is "the condition does not hold," but
an undefined intermediate value causes a silent failure instead of the expected
not result.

With import future.keywords.not, composite-expression negation wraps the full compiler
expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable
and the not expression succeeds, matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#​2089)

Rule annotations now support a labels field. Labels from all successfully evaluated
rules are collected and included in each decision log entry as a top-level rule_labels
array. Each element is the merged label map for one successfully evaluated rule, with
inner-scope-wins precedence across the rule's annotation chain
(subpackages < package < document < rule). Merged maps are deduplicated
across rules so that identical label sets collapse to a single entry.

# METADATA
# scope: package
# labels:
#   service: authz
#   severity: info
package myapp

# METADATA
# labels:
#   severity: low
#   team: platform
allow if input.role == "admin"

The resulting decision log entry will contain:

{"rule_labels": [{"service": "authz", "severity": "low", "team": "platform"}]}

Note how severity: info from the package scope is overridden by severity: low from
the rule scope. Queries against rule_labels can now rely on each entry carrying the
full label context for a single rule, rather than one entry per contributing scope.

Both the runtime and the Go SDK now process metadata annotations by default.

Authored by @​srenatus, reported by @​tsandall

Miscellaneous
  • ast,storage/inmem: Add inmem.NewFromASTObject and add missing string case to ast.InternedValue (#​8707) authored by @​anderseknert
  • build: go install -> go install tool to control checksums (#​8646) authored by @​srenatus
  • build: Push edge binaries to bucket (#​8668) authored by @​charlieegan3
  • workflows: Fix benchmarks workflow (replace action, avoid stackoverflow) (#​8655) authored by @​srenatus
  • workflows: Note improvements in benchmark comments (#​8673) authored by @​srenatus
  • Generate a JSON Schema for the IR plan (#​8662) authored by @​sspaink reported by @​kroekle
  • Generate a JSON Schema for the bundle manifest (#​8661) authored by @​sspaink reported by @​kroekle
  • Dependency updates; notably:
    • build(deps): Remove automaxprocs dependency (#​8696) authored by @​anderseknert
    • build(deps): Remove direct x/net dependency (#​8697) authored by @​anderseknert
    • build(deps): Bump github.com/bytecodealliance/wasmtime-go from 43.0.2 to 44.0.0 (8652) authored by @​srenatus
    • build(deps): Bump github.com/fsnotify/fsnotify from 1.9.0 to 1.10.1
    • build(deps): Bump github.com/huandu/go-sqlbuilder from 1.40.2 to 1.41.0
    • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.1.0 to 3.1.1
    • build(deps): Bump github.com/vektah/gqlparser/v2 from 2.5.32 to 2.5.33
    • build(deps): Bump google.golang.org/grpc from 1.80.0 to 1.81.0
    • build(deps): Bump gopkg.in/ini.v1 from 1.67.1 to 1.67.2

v1.16.2

Compare Source

This release updates the version of Go used to build the OPA binaries and images to 1.26.3,
addressing a number of vulnerabilities.

v1.16.1

Compare Source

This is a patch release addressing a regression (#​8590) in the plugin manager that may cause the service to hang on shutdown.

v1.16.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • New uri.parse and uri.is_valid built-in functions
  • Data API Request/Response Metadata
  • Prometheus metrics exported via OTLP
  • Formatter improvements

NOTE:

In v1.15.x, OPA was dropping logs for bundle downloads, print() calls and other plugin-originated logs.
Users are advised to update; v1.16.0 fixes this bug (#​8544).

New uri.parse and uri.is_valid built-in functions (#​8263)

Two new built-in functions have been added: uri.parse for parsing a given URI, and uri.is_valid for verifying the structure of a given URI.

uri.parse

Parses a URI and returns an object containing its components according to RFC 3986. Empty components are omitted.

package example

test_uri if {
	uri.parse("https://example.com:8080/api?q=1#top") == {
		"scheme": "https",
		"hostname": "example.com",
		"port": "8080",
		"path": "/api",
		"raw_path": "/api",
		"raw_query": "q=1",
		"fragment": "top",
	}
}

uri.is_valid

Returns true if the input can be parsed as a URI, false otherwise.

package example

deny contains "invalid URI" if {
    not uri.is_valid("http://[invalid")
}

Authored by @​charlieegan3 reported by @​anivar

Data API Request/Response Metadata (#​8570)

Wrapping projects can now attach custom metadata to Data API requests and have evaluation produce response metadata.

Two distinct metadata paths are introduced:

  • Request metadata: parsed from extra top-level keys in the request body, made available to builtins via BuiltinContext.RequestMetadata. Logged in the decision log under Custom["request_metadata"].

  • Response metadata: a separate map (BuiltinContext.ResponseMetadata) that builtins can populate during evaluation. Only included in the API response and decision log if non-empty.

In vanilla OPA, no builtins write response metadata, so responses are unchanged. The request metadata map is only allocated when the request carries extra fields; the response map is one empty map per request.

To avoid conflicts with future OPA top-level keys, callers should use a namespaced key: {"input": {...}, "com.example.opa/md": {...}}.

Request with metadata:

curl -H 'Content-Type: application/json' \
  -d '{"input": {"user": "alice"}, "com.example.opa/metadata": {"corp-id": "acme-42"}}' \
  http://localhost:8181/v1/data/example/allow

Response (response metadata included if, for example, set by a custom builtin):

{
  "decision_id": "04789f85-de5a-477b-8aa5-6d59d7742135",
  "result": true,
  "com.example.opa/response": {
    "snapshot_version": "v3"
  }
}

Decision log entry:

{
  "custom": {
    "request_metadata": {
      "com.example.opa/metadata": {
        "corp-id": "acme-42"
      }
    },
    "response_metadata": {
      "com.example.opa/response": {
        "snapshot_version": "v3"
      }
    }
  },
  "decision_id": "04789f85-de5a-477b-8aa5-6d59d7742135",
  "input": { "user": "alice" },
  "msg": "Decision Log",
  "path": "example/allow",
  "result": true
}

Authored by @​srenatus

Miscellaneous
  • build: Exclude domains that cause false positives (#​8533) (#​8495) authored by @​charlieegan3
  • e2e/cli: Add test for debug print() logging (#​8567) authored by @​srenatus
  • e2e/cli: Start CLI E2E tests (#​8545) authored by @​srenatus
  • github: declare formatted rego as rego (#​8564) authored by @​srenatus
  • Security policy update (#​8479) authored by @​anderseknert
  • Dependency updates; notably:
    • build: bump go 1.26.2 (#​8497) authored by @​sspaink
    • build(deps): bump wasmtime-go from v39.0.1 to v43.0.2
    • build(deps): bump go.opentelemetry.io deps from 1.40.0/0.65.0 to 1.43.0/0.68.0
    • build(deps): bump github.com/containerd/containerd/v2 from 2.2.1 to 2.2.3
    • build(deps): bump github.com/huandu/go-sqlbuilder from 1.39.1 to 1.40.2
    • build(deps): bump golang.org/x/net from 0.51.0 to 0.53.0
    • build(deps): bump golang.org/x/text from 0.34.0 to 0.36.0

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
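
The negation change in the v1.17.0 notes above matters most for deny rules, where an undefined input field can turn a check into a silent pass. The module below is an added example, not part of the OPA release notes or this repository; the package, rule names and the `@corp.example` domain are assumptions. `deny_legacy` writes the pre-import compiler expansion out by hand so both behaviours can be compared in one module.

```rego
package example.negation

import future.keywords.not

# Assumed policy: only corporate mailboxes may proceed.
corp_suffix := "@corp.example"

# Hand-written form of the compiler expansion used without the import:
# the sub-expressions run before the `not`, so a missing input.user.email
# makes the body undefined and no denial is produced (fail-open).
deny_legacy contains "non-corporate email" if {
	email := input.user.email
	lowered := lower(email)
	not endswith(lowered, corp_suffix)
}

# With future.keywords.not the whole composite expression sits inside the
# negation, so an undefined sub-expression makes `not` succeed (fail-closed).
deny contains "non-corporate email" if {
	not endswith(lower(input.user.email), corp_suffix)
}

# Constructed inputs for the tests below.
test_missing_email_legacy_fails_open if {
	deny_legacy == set() with input as {"user": {}}
}

test_missing_email_is_denied if {
	deny == {"non-corporate email"} with input as {"user": {}}
}

test_outside_domain_denied_by_both if {
	inp := {"user": {"email": "Mallory@Other.example"}}
	deny == {"non-corporate email"} with input as inp
	deny_legacy == {"non-corporate email"} with input as inp
}

test_corporate_email_allowed_by_both if {
	inp := {"user": {"email": "Alice@Corp.Example"}}
	deny == set() with input as inp
	deny_legacy == set() with input as inp
}
```

Saved as a single file, the tests can be run with `opa test` on a build that supports the import (v1.17.0 per the notes above).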

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot added the v3.x Issues and Pull Requests related to the major version v3 label May 31, 2026
@renovate renovate Bot requested a review from a team as a code owner May 31, 2026 02:15
codecov Bot commented May 31, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.00%. Comparing base (622e7d3) to head (3fe744e).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1708   +/-   ##
=======================================
  Coverage   85.00%   85.00%           
=======================================
  Files         104      104           
  Lines       13579    13579           
=======================================
  Hits        11543    11543           
  Misses       1522     1522           
  Partials      514      514           
