build(deps): bump github.com/open-policy-agent/opa from 0.48.0 to 0.58.0

[dependabot]

Bumps github.com/open-policy-agent/opa from 0.48.0 to 0.58.0.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.58.0

NOTES:

• All published OPA images now run with a non-root uid/gid. The uid:gid is set to 1000:1000 for all images. As a result there is no longer a need for the -rootless image variant and hence it will not be published as part of future releases. This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user, either with the --user argument for docker run, or by specifying the securityContext in the Kubernetes Pod specification.

This release contains a mix of performance improvements, bugfixes and security fixes for third-party libraries.

Runtime, Tooling, SDK

• cmd/test: Display lines not covered if code coverage threshold not met in verbose reporting mode (#2562) authored by @​johanfylling
• cmd/test: Don't round up test coverage calculation as it could lead to inaccurate code coverage results (#6307) authored by @​anderseknert
• cmd/fmt: Don't format functions without a value to include = true as it is implied (#6323) authored by @​anderseknert
• server: Remove deprecated partial query parameter from REST API. This option has been deprecated since v0.23.0 (#2266) authored by @​ashutosh-narkar
• Add support for configurable prometheus buckets for the http_request_duration_seconds metric (#6238) authored by @​AdrianArnautu
• plugins/bundle: Update bundle plugin state on a reconfigure operation when existing bundle is not modified (#6311) authored by @​asadk12
• internal/pathwatcher: Fix how paths to watch by a fsnotify watcher are determined to avoid monitoring unintended directories and files (#6277) authored by @​ashutosh-narkar

Topdown and Rego

• topdown: Fix issue with build optimization producing support modules with forbidden characters in first var of rule ref (#6338) authored by @​johanfylling
• topdown: Fix panic in build optimization when policy contains rules with a general ref in the head (#6339) authored by @​johanfylling
• topdown: Avoid unnecessary conversion of small numbers by caching them and thereby helping to speed up some arithmetic operations (#6021) authored by @​ashutosh-narkar
• ast+rego: Disable compiler stages for IR-based eval paths (#6335) authored by @​srenatus
• built-in/walk: Skip path creation if path is assigned a wildcard to achieve faster walk-ing (#6267) authored by @​anderseknert
• ast: Add regression test for edge case where partial rule hides recursion cycle (#6318) authored by @​johanfylling

Docs

• Drop EXPERIMENTAL status of reported prom metrics (#6298) authored by @​ashutosh-narkar
• Update documentation on GCS bundles for case where the resource (the object in the GCS bucket) contains slashes (/) or other special characters (#6264) authored by @​dennisg
• Provide a more clear description of negation in the policy language section (#6275) authored by @​gusega

Website + Ecosystem

• Fix un-versioned built-in docs issue so that only the built-ins for a given doc version are displayed (#6269) authored by @​charlieegan3

Miscellaneous

• ci: Remove hub tool in GitHub workflows in favor of GitHub CLI tool (#6326) authored by @​ashutosh-narkar
• Dependency updates; notably:
  • bump go.opentelemetry.io modules (#6292) authored by @​cksidharthan
  • aquasecurity/trivy-action from 0.12.0 to 0.13.0
  • github.com/containerd/containerd from 1.7.6 to 1.7.7
  • github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0
  • golang.org/x/net from 0.15.0 to 0.17.0
  • google.golang.org/grpc from 1.58.2 to 1.59.0 (addresses vulnerability GHSA-m425-mq94-257g)
  • oras.land/oras-go/v2 from 2.3.0 to 2.3.1
  • sigs.k8s.io/yaml from 1.3.0 to 1.4.0

v0.57.1

This is a bug fix release addressing the following security issues:

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.58.0

NOTES:

• All published OPA images now run with a non-root uid/gid. The uid:gid is set to 1000:1000 for all images. As a result there is no longer a need for the -rootless image variant and hence it will not be published as part of future releases. This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user, either with the --user argument for docker run, or by specifying the securityContext in the Kubernetes Pod specification.

This release contains a mix of performance improvements, bugfixes and security fixes for third-party libraries.

Runtime, Tooling, SDK

• cmd/test: Display lines not covered if code coverage threshold not met in verbose reporting mode (#2562) authored by @​johanfylling
• cmd/test: Don't round up test coverage calculation as it could lead to inaccurate code coverage results (#6307) authored by @​anderseknert
• cmd/fmt: Don't format functions without a value to include = true as it is implied (#6323) authored by @​anderseknert
• server: Remove deprecated partial query parameter from REST API. This option has been deprecated since v0.23.0 (#2266) authored by @​ashutosh-narkar
• Add support for configurable prometheus buckets for the http_request_duration_seconds metric (#6238) authored by @​AdrianArnautu
• plugins/bundle: Update bundle plugin state on a reconfigure operation when existing bundle is not modified (#6311) authored by @​asadk12
• internal/pathwatcher: Fix how paths to watch by a fsnotify watcher are determined to avoid monitoring unintended directories and files (#6277) authored by @​ashutosh-narkar

Topdown and Rego

• topdown: Fix issue with build optimization producing support modules with forbidden characters in first var of rule ref (#6338) authored by @​johanfylling
• topdown: Fix panic in build optimization when policy contains rules with a general ref in the head (#6339) authored by @​johanfylling
• topdown: Avoid unnecessary conversion of small numbers by caching them and thereby helping to speed up some arithmetic operations (#6021) authored by @​ashutosh-narkar
• ast+rego: Disable compiler stages for IR-based eval paths (#6335) authored by @​srenatus
• built-in/walk: Skip path creation if path is assigned a wildcard to achieve faster walk-ing (#6267) authored by @​anderseknert
• ast: Add regression test for edge case where partial rule hides recursion cycle (#6318) authored by @​johanfylling

Docs

• Drop EXPERIMENTAL status of reported prom metrics (#6298) authored by @​ashutosh-narkar
• Update documentation on GCS bundles for case where the resource (the object in the GCS bucket) contains slashes (/) or other special characters (#6264) authored by @​dennisg
• Provide a more clear description of negation in the policy language section (#6275) authored by @​gusega

Website + Ecosystem

• Fix un-versioned built-in docs issue so that only the built-ins for a given doc version are displayed (#6269) authored by @​charlieegan3

Miscellaneous

• ci: Remove hub tool in GitHub workflows in favor of GitHub CLI tool (#6326) authored by @​ashutosh-narkar
• Dependency updates; notably:
  • bump go.opentelemetry.io modules (#6292) authored by @​cksidharthan
  • aquasecurity/trivy-action from 0.12.0 to 0.13.0
  • github.com/containerd/containerd from 1.7.6 to 1.7.7
  • github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0
  • golang.org/x/net from 0.15.0 to 0.17.0
  • google.golang.org/grpc from 1.58.2 to 1.59.0 (addresses vulnerability GHSA-m425-mq94-257g)
  • oras.land/oras-go/v2 from 2.3.0 to 2.3.1
  • sigs.k8s.io/yaml from 1.3.0 to 1.4.0

0.57.1

... (truncated)

Commits

• 69a381c Prepare v0.58.0 release
• 132cc4b docs: Update generated CLI docs
• a470a21 Rename --future-compat CLI flag
• d7e9d13 topdown: Fixing issues with optimizing rules with refs in the head
• 98c300c Rename future.compat import
• 483d941 build(deps): bump aquasecurity/trivy-action from 0.12.0 to 0.13.0 (#6347)
• 2bd8d58 build(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0
• 89e02ef build(deps): bump oras.land/oras-go/v2 from 2.3.0 to 2.3.1 (#6337)
• 1246ad2 build(deps): bump github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0
• 544fd03 ast+rego: disable compiler stages for IR-based eval paths (#6335)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)