Update go modules (main) (minor)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/open-policy-agent/opa	v1.12.3 → v1.13.1
github.com/open-policy-agent/regal	v0.37.0 → v0.38.1

---

Release Notes

open-policy-agent/opa (github.com/open-policy-agent/opa)

v1.13.1

Compare Source

v1.13.1

This bug fix release addresses an issue found in the new array.flatten built-in function

• Fix issue in array.flatten handling of single item arrays (#​8273) (#​8272) authored by @​anderseknert

v1.13.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new immediate upload trigger mode in the Decision Logger
• A new array.flatten built-in function
• Numerous performance improvements

Immediate Upload Trigger Mode in Decision Logger (#​8110)

An immediate trigger mode has been added to the Decision Logger; enabled by setting the decision_logs.reporting.trigger configuration option to immediate.
When enabled, log events are pushed to the log service as soon as the configured upload chunk size criteria is met; or, at latest, when the configured upload delay is reached.

Authored by @​sspaink

Runtime, SDK, Tooling

• cmd/fmt: Do not overwrite file on fmt without changes (#​8222) authored by @​Loic-R
• cmd/test: Enable sorting JSON test results by duration (#​7444) authored by @​sspaink
• profiler: nil *Profiler should not report Enabled() (#​8256) authored by @​anderseknert
• rego: Add Data function to simplify adding data from map (#​5961) authored by @​majiayu000 reported by @​anderseknert
• runtime: Correct naming & docs for version checking (#​8191) authored by @​charlieegan3

Compiler, Topdown and Rego

• ast: Body.String() doesn't panic on empty body (#​8244) authored by @​srenatus
• ast: Improve type error message when referencing functions (#​6840) authored by @​sspaink
• ast: Type Checker recognizes when a variable has multiple assignments but is an undefined function (#​7463) authored by @​sspaink reported by @​anderseknert
• ast/parser: Avoid duplicate loc copies (#​8142) authored by @​srenatus
• topdown: Add array.flatten built-in function (#​8226) authored by @​anderseknert
• topdown: Fix issue where numbers.range_step built-in could erroneously return undefined value (#​8194) authored by @​thevilledev
• topdown: Remove hard-coded missing key error in strings.render_template built-in (#​7931) authored by @​colinjlacy reported by @​anderseknert
• topdown: Re-introduce cancellation-awareness for regex.replace built-in (#​8179) authored by @​srenatus
  from having been reverted in v1.12.1
• topdown: Support arrays as input for json.match_schema (#​6615) authored by @​sspaink reported by @​mscudlik

Performance

• ast: Improved annotations parsing (#​8210) authored by @​anderseknert
• ast: Reinstate zero-alloc paths in Ref.String() (#​8202) authored by @​anderseknert
• ast: Replace regex implementation in IsVarCompatibleString (#​8164) authored by @​anderseknert
• ast: Optimize Set.Intersect and Set.Diff (#​8167) authored by @​thevilledev
• ast: Optimize Set.Union (#​8172) authored by @​thevilledev
• ast: Reduce allocations in Expr.MarshalJSON (#​8204) authored by @​thevilledev
• ast: Reduce allocations in Rule.MarshalJSON (#​8205) authored by @​thevilledev
• ast: Reduce allocations in Term.MarshalJSON (#​8200) authored by @​thevilledev
• ast: Reduce allocations in With.MarshalJSON (#​8206) authored by @​thevilledev
• perf: String() implementations using appenders (#​8192) authored by @​anderseknert
• topdown: Avoid redundancy in builtinTrim (#​8237) authored by @​thevilledev
• topdown: Eliminate closure allocations in Set and virtual doc enumeration (#​8242) authored by @​alex60217101990
• topdown: Fast paths for array.reverse (#​8177) authored by @​thevilledev
• topdown: Optimize json.remove and json.filter (#​8193) authored by @​thevilledev
• topdown: Optimize object built-ins (#​8175) authored by @​thevilledev
• topdown: Optimize union built-in (#​8173) authored by @​thevilledev
• topdown: Pre-alloc in various built-ins (#​8198) authored by @​thevilledev
• topdown: Reduce allocs in float sum/product (#​8235) authored by @​thevilledev
• topdown: Skip set copy in getObjectKeysParam (#​8176) authored by @​thevilledev

Docs, Website, Ecosystem

• docs: Add authz-spring-boot-starter to Spring Security API ecosystem entry (#​8234) authored by @​francois-eckert
• docs: Add header for crypto example to make (#​8259) authored by @​charlieegan3
• docs: Add notes for automated agents (#​8147, #​8203) authored by @​charlieegan3
• docs: Add opa-wasm-zig to the ecosystem (#​8163) authored by @​burdzwastaken
• docs: Add scripts to import docs from source (#​8148) authored by @​charlieegan3
• docs: Explain how to use the SDK without a initialising a server (#​8248) authored by @​andrewcameronsims
• docs: Fix a number of redirecting links (#​8165 authored by @​charlieegan3
• docs: Fix template-expression examples (#​8199) authored by @​johanfylling
• docs/ocp: Mention source prefix/path options (#​8238) authored by @​srenatus
• website: Add redirect section for immutable referrers (#​8262) authored by @​charlieegan3 reported by @​KraLeoD
• website: Display 2025 survey results on the website (#​8258) authored by @​charlieegan3
• website: Show breadcrumbs in search results (#​8207) authored by @​charlieegan3

Miscellaneous

• Decoupled the Rego job check from the Go job checks in the Github PR workflow (#​8203) authored by @​SeanLedford
• build: Format pr_check.rego with opa fmt (#​8201) authored by @​thevilledev
• build: Migrate PR check to OPA policy (#​8183) authored by @​SeanLedford
• build: Run go get against main to spot redacted (#​8146) authored by @​charlieegan3
• deps: Switch to maintained go.yaml.in/yaml/v3 yaml library (#​8182) authored by @​mrueg
• test/cases: Increase yaml test coverage for some regex and string builtins (#​8152) authored by @​srenatus
• Dependency updates; notably:
  • build: bump golang from 1.25.5 to 1.25.6 (#​8224) authored by @​srenatus
  • build(deps): bump go.opentelemetry.io deps from 1.38.0/0.63.0 to 1.39.0/0.64.0
  • build(deps): bump klauspost/compress from v1.18.1 to v1.18.2 (#​8184) authored by @​srenatus
    because of redaction warning
  • build(deps): bump github.com/go-ini/ini from v1.67.0 to gopkg.in/ini.v1 v1.67.1 (#​8208) authored by @​gabrpt

open-policy-agent/regal (github.com/open-policy-agent/regal)

v0.38.1

Compare Source

This patch release fixes several bugs including some found in the recent v0.38.0 release, as well some other improvements.

Bug Fixes

• Fix for prefer-equals-comparison fixer failing to parse policies with multiple "=" in expressions (#​1824, fixes #​1818 reported by @​gusega)
• Fix for incorrect fixable violation count display in lint output (#​1825, fixes #​1813 reported by @​gusega)
• Fix for false positive in prefer-equals-comparison rule with comprehension term vars (#​1828, fixes #​1826 reported by @​SeanLedford)
• bundle: Surface configured rule notices as messages in lint output (#​1827, fixes #​1795 reported by @​ghmer)

Improvements

• Code action for prefer-equals-comparison fixer now available in the language server (#​1810)
• New option for prefer-value-in-head rule to count interpolated strings as scalars (#​1817)
• Minor performance improvement for any_set_item, used for selecting items from sets (#​1815)

Changelog

• f1c5f74: bundle: Improve performance of any_set_item (#​1815) (@​charlieegan3)
• 9300420: Implemented Code action for prefer-equals-comparison fixer (#​1810) (@​SeanLedford)
• 28121f0: build(deps): bump github/codeql-action in the dependencies group (#​1823) (@​dependabot[bot])
• 54cdcb6: Add prefer-value-in-head option to count interpolated string as scalar (#​1817) (@​anderseknert)
• e68184d: Fix false positivie in prefer-equals-comparison (#​1828) (@​anderseknert)
• 593e221: fix: Prefer-Equals-Comparison Edge Case With Multiple "=" (#​1824) (@​SeanLedford)
• 3dc28bb: bundle: Surface configured rule notices (#​1827) (@​charlieegan3)
• aac9618: Updated lint reporter to track fixable violation count separate from fixable violation Set (#​1825) (@​SeanLedford)
• fd6dd4d: Updated example for prefer-equals-comparison edge case to not include false positive (#​1829) (@​SeanLedford)

v0.38.0

Compare Source

Happy New Year from the Regal maintainers!

Feature: String Interpolation Support

v0.38.0 of your favorite Rego linter, debugger and language server brings full support for OPA's new string interpolation feature. This means not only that Regal lints code found inside interpolated strings, but that you'll have access to all your favorite language server features within them too — like code completions, tooltips on hover, or document highlighting. You can even use the debugger to step through interpolated expressions! If you haven't yet tried it out, grab OPA v1.12.2, Regal v0.38.0 and enjoy an absolutely awesome addition to the Rego language!

In addition to this, we have a number of fun new features and performance improvements.

New Rule: disallow-rego-v1

Category: custom

This optional new rule flags the use of import rego.v1 in Rego policies (#​1778). Since OPA v1.0 (December 2024), this import is a no-op and no longer needed. The rule helps users maintain clean code by preventing this outdated import from appearing in new policies. Teams standardizing on OPA 1.0+ can enable this rule to enforce modern Rego standards.

package example

import rego.v1 # <-- Happy 2026! Time to stop doing this!

Authored by @​SeanLedford.

New Fixers

@​SeanLedford has also done some great work to help expand Regal's auto-fixing capabilities by having regal fixers added for three more rules.

• prefer-equals-comparison
• redundant-existence-check
• constant-condition

See (#​1790) and (#​1794) for more details.

Performance

The fixer saw a 12% performance improvement by reusing the linter, reducing allocations from 2.3M to 2.0M operations (#​1783). Additional optimizations include:

• faster file filtering by avoiding recompiled ignore patterns (#​1758),
• better built-in function handling by registering Regal's functions globally only once (#​1788),
• and more efficient AST location serialization (#​1758)

To track ongoing performance work, a new post-merge benchmark-recording workflow was added (#​1793).

LSP: New Ignore Code Action

The language server now supports a code action to quickly add regal ignore configuration for specific rules directly from the editor (#​1777).

Changelog

• ac35695: Various performance improvements (#​1758) (@​anderseknert)
• 48cd03d: docs: Add custom head for regal index page (#​1761) (@​charlieegan3)
• 728ae28: build(deps): bump golangci/golangci-lint-action (#​1762) (@​dependabot[bot])
• 92cf6ca: explorer: allow hiding stages without an effect (+misc) (#​1760) (@​srenatus)
• c000994: docs: Correct sidebar labels (#​1763) (@​charlieegan3)
• bf0b621: build(deps): bump github.com/containerd/containerd/v2 in /e2e/testbuild (#​1753) (@​dependabot[bot])
• 18e7a89: build(deps): bump github.com/containerd/containerd/v2 (#​1754) (@​dependabot[bot])
• ccab7bd: Rename: encoding/util -> encoding/write (#​1764) (@​anderseknert)
• 54f7625: build: run windows in matrix with other jobs (#​1770) (@​charlieegan3)
• 5c9e6f0: update: Update version checking logic (#​1772) (@​charlieegan3)
• 5034776: build: Add badge update to readme script (#​1773) (@​charlieegan3)
• 95e8220: Added OPA installation as a Regal prerequisite, and fixed golangci-lint link. (#​1774) (@​SeanLedford)
• 149f71d: build(deps): bump js-yaml from 4.1.0 to 4.1.1 in /build (#​1775) (@​dependabot[bot])
• b8f8b7f: Enable more golangci-lint linters (@​anderseknert)
• e092627: build: Update mac runner (@​charlieegan3)
• 877884c: lsp: Add code action and command to ignore rule (#​1777) (@​charlieegan3)
• ece9ca2: build(deps): bump the dependencies group with 5 updates (@​dependabot[bot])
• bd37bbd: build(deps): bump golang.org/x/crypto in /build/lsp (@​dependabot[bot])
• 17cc429: build(deps): bump golang.org/x/crypto in /e2e/testbuild (@​dependabot[bot])
• 415b05f: build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 (@​dependabot[bot])
• e1bb975: Improve fixer performance (@​anderseknert)
• 1b083ff: Added Rule: Disallow import rego.v1 (#​1778) (@​SeanLedford)
• 9e43c50: Optimize and improve code for built-in functions (@​anderseknert)
• 64ce2aa: build(deps): bump glob and markdownlint-cli in /build (#​1779) (@​dependabot[bot])
• 48fddeb: build(deps): bump github/codeql-action in the dependencies group (#​1787) (@​dependabot[bot])
• bc41f63: pkg/linter: use errgroup, set limits + context on it (@​srenatus)
• f22c2aa: Add fixer for prefer-equals-comparison rule (#​1790) (@​SeanLedford)
• cf88eb9: Fixers for redundant-existence-check and constant-condition rules (#​1794) (@​SeanLedford)
• 36401a2: build(deps): bump the dependencies group across 1 directory with 7 updates (#​1796) (@​dependabot[bot])
• ecb23d3: version: Add OPA version to version output (#​1798) (@​charlieegan3)
• 94ce038: build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /build/ws (#​1791) (@​dependabot[bot])
• 9ce1ddd: workflows: add post-merge benchmark-recording workflow (@​srenatus)
• e111443: workflows/benchmark: fix golang setup (@​srenatus)
• 4bb2d5a: docs: Update messy rule docs (@​charlieegan3)
• dec83ea: docs: Updates from opa website link scanner (@​charlieegan3)
• 8f544a6: fix typo in fix.go help message (#​1807) (@​gusega)
• 941b02e: build(deps): bump the dependencies group with 3 updates (#​1804) (@​dependabot[bot])
• 9f09e6e: build(deps): bump the dependencies group with 4 updates (#​1808) (@​dependabot[bot])
• 476ef89: OPA v1.12.2 and full string interpolation support (#​1811) (@​anderseknert)
• a9843ab: Move chained-rule-body to custom category (#​1812) (@​anderseknert)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
github.com/arl/statsviz	v0.7.2 -> v0.8.0
github.com/go-git/go-git/v5	v5.16.3 -> v5.16.4
github.com/open-policy-agent/opa	v1.12.1 -> v1.12.2
github.com/spf13/cobra	v1.10.1 -> v1.10.2

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.