fix(deps): update module github.com/open-policy-agent/opa to v1.14.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/open-policy-agent/opa	v1.13.1 → v1.14.0

---

Release Notes

open-policy-agent/opa (github.com/open-policy-agent/opa)

v1.14.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Improved rule indexing of variable assignments and x in {...} expressions
• Support for --h2c with unix domain socket for opa run
• A new glossary tooltip for technical terms in the docs
• Fixes published in the v1.13.1 and v1.13.2 releases

Improved rule indexing of variable assignments and x in {...} expressions (#​1841)

With this change, the rule indexer will index expressions like:

allow if input.role in {"admin", "user"}

On lookup, the rule body will only be returned if input.role is either one of "admin" or "user".

The reverse case is also indexed:

allow if "admin" in input.roles

in which the searched collection is unknown.

Authored by @​srenatus reported by @​nischalsheth

Runtime, SDK, Tooling

• cmd,run: Support --h2c with unix domain socket (UDS) (#​8282) authored by @​srenatus reported by @​theJC
• cmd,tester: Add line number next to test file in pretty format (#​8328) authored by @​sspaink reported by @​anderseknert
• plugins: Fix race accessing registeredTriggers (#​8363) reported and authored by @​szuecs
• rego: Add ResultValue[T]() helper method (#​8320) authored by @​srenatus
• runtime: Add custom storage backend registration API (#​8277) authored and reported by @​alex60217101990
• topdown: Add config option to disable named inter-query built-in cache (#​7519) authored by @​sspaink reported by @​johanfylling

Compiler, Topdown and Rego

• ast: Add index else == nil test, fix it (#​8348) authored by @​srenatus

• ast: Add scaffolding to introspect and skip compiler stages (#​8304) (authored by @​srenatus)

• ast: Ensure term values implement ast.StringLengther (#​8374) authored by @​charlieegan3

• ast: Fix double-fix for refs["with-a"].dash as package (#​8286) authored by @​srenatus

• ast: Optimized template-expression handling of values known to be defined (#​8310) authored by @​anderseknert

• ast: Put rule indices into rule tree, change Values to []*Rule (#​8298) authored by @​srenatus

• ast: Replace true expr when appending to empty body (#​8299) authored by @​anderseknert

• ast: Return correct location of unsafe var in object (#​7935) authored by @​sspaink reported by @​anderseknert

• ast: Use StageID in WithStageAfterID, also for QueryCompiler (follow-up) (#​8306) authored by @​srenatus

• compile: Add StringLength to lazy object (#​8369) authored by @​charlieegan3 reported by @​robmyersrobmyers

• parser: Add test to verify filename interning in Location (#​8322) authored by @​anderseknert

• perf: Allocate less in array unification (#​8351) authored by @​anderseknert

• perf: Various minor eval performance tweaks (#​8290) authored by @​anderseknert

• perf: json.patch + interning improvements (#​8289) authored by @​anderseknert

• topdown: Optimize bindings allocation with dynamic pre-sizing (#​7266) authored by @​alex60217101990

• topdown: Preserve original package name with special characters in optimized builds (#​8284) authored by @​sspaink reported by @​at50989

• wasm: Updates (LLVM+tools) (#​8295) authored by @​srenatus

Docs, Website, Ecosystem

• docs: Add examples to glob.match built-in documentation (#​8252) authored by @​sibasispadhi reported by @​anderseknert
• docs: Add workflow to auto update Regal docs (#​8318) authored by @​charlieegan3
• docs: Document metrics for http.send, regex, and glob built-ins (#​6730) authored by @​anivar reported by @​rudrakhp
• docs: Fix json.patch target description (#​8271) authored by @​anderseknert
• docs: Update broken links (#​8285) authored by @​charlieegan3
• docs: Update bundle signing docs to clarify key config (#​8307) authored by @​charlieegan3
• docs: Update faulty example using bundle optimize (#​5379) authored by @​sspaink reported by @​bluebrown
• docs: Update interface{} -> any in golang snippets (#​8373) authored by @​srenatus
• docs/website: Add a new KubeCon event page (#​8311) authored by @​charlieegan3
• docs/website: Add formatting and linting checks (#​8288) authored by @​charlieegan3
• docs/website: Allow Regal import to use local dir (#​8312) authored by @​charlieegan3
• docs/website: Implement new GlossaryTooltip component (#​8367) authored by @​charlieegan3
• docs/website: Markdown linting and spell checking for documentation (#​8292) authored by @​charlieegan3
• docs/website: Redirect /docs/latest/ecosystem (#​8315) authored by @​charlieegan3 reported by @​tweekSun1

Miscellaneous

• maintainers: Moving nilekhc to emeritus, and renew maintainer terms (#​8276) authored by @​JaydipGabani
• ast: Add public method to extend the compliance test cases with IR plans (#​7556) authored by @​sspaink reported by @​shomron
• ast: Tiny nitpicky cleanup (#​8309) authored by @​srenatus
• chore: Clean up bundle storage tests (#​8267) authored by @​anderseknert
• chore: Remove unnecessary comment from bundle JWT verification impl (#​8354) authored by @​johanfylling
• ci: Bump golangci-lint (v2.9.0), fix issues (#​8314) authored by @​srenatus
• ci: Harden and update all GH Actions workflows (#​8356, #​8377, #​8368 authored by @​philipaconrad and @​srenatus
• go: Cleanup old build flags (#​8314) authored by @​srenatus
• rego: Remove superfluous package import of plugins (#​6754) authored by @​srenatus reported by @​oxisto
• tests: Extract runtime Info to new package (#​8362) authored by @​charlieegan3
• tests: Fix BenchmarkFunctionArgumentCounts query (#​8327) authored by @​alex60217101990
• tests: Disable rule indexing for benchmark (#​8375) authored by @​srenatus
• workflows: Add nightly vuln checks for released versions/images (#​8336 #​8339) authored by @​srenatus
• Dependency updates; notably:
  • build: bump golang from 1.25.6 to 1.26.0
  • build(deps): build(deps): bump go.opentelemetry.io deps from 1.39.0/0.64.0 to 1.40.0/0.65.0
    Applying fix for GHSA-9h8m-3fm2-qjrq
  • build(deps): bump github.com/dgraph-io/badger/v4 from 4.9.0 to 4.9.1
  • build(deps): bump github.com/huandu/go-sqlbuilder from 1.39.0 to 1.39.1
  • build(deps): bump golang.org/x/net from 0.49.0 to 0.50.0
  • build(deps): bump golang.org/x/text from 0.33.0 to 0.34.0
  • build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.1
  • build(deps): bump go.opentelemetry.io deps from 1.39.0/0.64.0 to 1.40.0/0.65.0

v1.13.2

Compare Source

This release updates the version of Go used to build the OPA binaries and images to 1.25.7.
That version of the Go standard library contains a fix for GO-2026-4337.

Full Changelog: open-policy-agent/opa@v1.13.1...v1.13.2

---

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
golang.org/x/crypto	v0.47.0 -> v0.48.0
golang.org/x/net	v0.49.0 -> v0.50.0
github.com/huandu/go-sqlbuilder	v1.39.0 -> v1.39.1
golang.org/x/term	v0.39.0 -> v0.40.0

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.56%. Comparing base (06dcf0e) to head (4db8763).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5468   +/-   ##
=======================================
  Coverage   65.56%   65.56%           
=======================================
  Files         172      172           
  Lines       14295    14295           
=======================================
  Hits         9372     9372           
  Misses       4250     4250           
  Partials      673      673           

Flag	Coverage Δ
unittests	65.56% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[kodiakhq]

This PR currently has a merge conflict. Please resolve this and then re-add the automerge label.