v1.11.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• More efficient connection management in the http.send built-in function
• More performant loading of large bundles containing multiple Rego files

Immutable Releases

Starting with this release, OPA releases are immutable for increased security.

Runtime, SDK, Tooling

• v1/ast: Fix Call parsing Text attribute including an extra character (#7989) authored by @schmitd
• ast: Export built-in deprecated field (#7912) authored by @colinjlacy
• ast: Intern common var values + some parser improvements (#8028) authored by @anderseknert
• ast: Support custom builtins in CompileModulesWithOpt (#8061) authored by @sspaink
• bundle: Concurrent Rego parsing in bundle loader (#8067) authored by @anderseknert
• cmd: Support --ignore in eval cmd when using bundle flag (--bundle) (#8062) authored by @sspaink
• storage/inmem: Allow passing triggers (AST) data without conversion (#7958) authored by @anderseknert

Compiler, Topdown and Rego

• topdown: Avoid unnecessary use of custom http.Transport in http.send built-in (#7927) authored by @sykesm
• topdown: New custom SemVer implementation (#8010) authored by @anderseknert
• topdown: Use sync.Pool for eval func objects (#8054) authored by @anderseknert

Docs, Website, Ecosystem

• docs: Add example for Compile API's table mapping (#8017) authored by @srenatus
• docs: Address pages with similar titles (#8046) authored by @charlieegan3
• docs: Address some broken links (#8022) authored by @charlieegan3
• docs: Bump glob dep (CVE-2025-64756) (#8056) authored by @srenatus
• docs: Improve ground value and assignment docs (#8047) authored by @charlieegan3
• docs: Make iteration content flow better (#8064) authored by @charlieegan3
• docs: Note package repos are community maintained (#8053) authored by @charlieegan3
• docs: Update terraform guide with notes about plan (#8043) authored by @charlieegan3
• docs: Update the archive to have an edge link (#8011) authored by @charlieegan3
• docs: Update the policy language intro (#8050) authored by @charlieegan3
• docs/ocp: Datasource example uses wrong AWS S3 URL (#8039) authored by @SuchSkill
• docs/regal: Replicate sidebar fixes (#8036) authored by @charlieegan3
• website: Various fixes and improvements by @charlieegan3

Miscellaneous

• Bump golangci-lint, more gocritic linters (#8052) authored by @anderseknert
• Tidy up and unify sync pool handling (#8068) authored by @anderseknert
• builtins: Add StringOperandByteSlice helper (#8048) authored by @anderseknert
• test: Add test cases for consistent cache behavior (#8015) authored by @DFrenkel
• util/performance: Remove math.Log10, remove unused KeysCount (#8041) authored by @srenatus
• workflow: Add Benchmarks workflow (#8072) authored by @srenatus
• workflows/pull-request: Update macos versions (#8030) authored by @srenatus
• Dependency updates; notably:
  • build: golang 1.25.3 -> 1.25.4 (#8051) authored by @srenatus
  • build(deps): Bump github.com/bytecodealliance/wasmtime-go from v37.0.0 to v39.0.1 (#8075) authored by @srenatus
  • build(deps): Bump github.com/containerd/containerd/v2 from 2.1.4 to 2.2.0
  • build(deps): Bump github.com/huandu/go-sqlbuilder from 1.37.0 to 1.38.1
  • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.0.11 to 3.0.12
  • build(deps): Bump github.com/vektah/gqlparser/v2 from 2.5.30 to 2.5.31 (#8027) authored by @johanfylling
  • build(deps): Bump golang.org/x/crypto from 0.43.0 to 0.45.0
  • build(deps): Bump golang.org/x/net from 0.44.0 to 0.45.0
  • build(deps): Bump golang.org/x/time from 0.13.0 to 0.14.0
  • build(deps): Bump google.golang.org/grpc from 1.75.1 to 1.76.0
  • build(deps): Bump google.golang.org/protobuf from 1.36.9 to 1.36.10

v1.10.1

This is a bugfix release for the split builtin: In v1.10.0, it was looping infinitely when used with an empty-string delimiter.

Reported by @SignalRichard, authored by @srenatus

The release is otherwise identical to v1.10.0.

v1.10.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Non-static arm64 executables for linux and darwin, supporting Wasm evaluation
• Performance improvements to the formatter, compiler, and runtime
• A new --fail-on-empty flag for opa test
• Support for IS NOT NULL query statements in the Compile API

Non-static OPA binaries for linux/arm64 and darwin/arm64

Starting with this release, OPA will ship non-static arm64 executables for linux and darwin.
These binaries have support for Wasm evaluation.
Furthermore, the openpolicyagent/opa:latest docker image is a multi-platform image with arm64 support.

Runtime, Tooling

• cmd: Add opa test --fail-on-empty to allow making bad -r or empty folders fail (#7943) reported and authored by @grosser
• format: Performance improvements in formatter (#7967) authored by @anderseknert
• repl: Check usage of with keyword (#7942) authored by @sspaink
• server/failtracer: don't assume only being fed two-elem calls (#7995) authored by @srenatus
• storage: Improve performance of storage operations (#7957) authored by @anderseknert
• storage: Some small improvements to inmem storage (#7944) authored by @anderseknert
• util: Fix race condition in ReadMaybeCompressedBody (#7966) authored by @anderseknert

Compiler, Topdown and Rego

• ast: Fix undeclared error when printing nested comprehension (#7647) authored by @schmitd reported by @charlesdaniels
• ast: Raise parse error on infix operator in rule name (#7433) authored by @mmzzuu
• ast: Refactor hash key equality function (#7969) authored by @anderseknert
• ast,topdown: Ref String() and greatly improved builtin lookup cost (#7961) authored by @anderseknert
• compile: Add support for "any value at all", as IS NOT NULL (#7998) authored by @srenatus
• eval: Lazy init of eval.Time term (#7968) authored by @anderseknert
• perf: Zero alloc AST store lookups of interned path terms (#7979) authored by @anderseknert
• perf: Cheaper split built-in calls (#7962) authored by @anderseknert

Docs, Website, Ecosystem

• docs: Add Compile API data filtering docs (#7939) authored by @srenatus
• docs: Add ecosystem project Moat (#7963) authored by @jcoenraadts
• docs: Address broken anchors (#8000) authored by @charlieegan3
• docs: Correction in OCP docs information regarding supported datasources (#7964) authored by @irodzik
• docs: Moving CLI Reference to Operations in TOC (#8001) authored by @johanfylling
• docs: OCP HTTP API updates (#7951) authored by @srenatus
• docs: Remove k8s primer line numbers comments (#7946) authored by @charlieegan3
• docs: Update based on Slack feedback (#7990) authored by @charlieegan3
• docs: Update link checker config (#7949) authored by @charlieegan3
• docs: Updated AI guidelines (#7945) authored by @charlieegan3
• docs/ocp/deployment: Add segment on database migrations (#7952) authored by @srenatus
• website: Fix build issues (#7999) authored by @charlieegan3
• website: FOUC squashing on the homepage (#7948) authored by @charlieegan3
• website: Show latest release rather than edge (#7988) authored by @charlieegan3
• website: Update docusaurus (#7947) authored by @charlieegan3

Miscellaneous

• ast/capabilities: Remove stale comment (#7994) authored by @srenatus
• build: Non-static images for linux/arm64 (#7977) authored by @srenatus
• ci: Add zig to post-merge github action (#7983) authored by @sspaink
• e2e/authz,topdown: Fix benchmarks (#7980) authored by @srenatus
• runtime: Fixing tests by closing watcher & set default GracefulShutdownPeriod (#7991) authored by @rMaxiQp
• test/e2e: move http.DefaultTransport fix to init() (#7955) authored by @srenatus
• Remove vendor/ (#7975) authored by @srenatus
• Modernize analyzer fixes (#7965) authored by @anderseknert
• Dependency updates; notably:
  • build: bump golang 1.25.1 -> 1.25.3 authored by @srenatus
  • build(deps): Bump github.com/olekukonko/tablewriter from 0.0.5 to 1.1.0 (#7937) authored by @jh125486
    This is a major version update containing breaking API changes. If you're affected by this, please consult the tablewriter migration guide.
  • deps(build): Bump github.com/bytecodealliance/wasmtime-go from v3.0.2 to v37.0.0 authored by @srenatus

v1.9.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Compile API extensions ported from EOPA
• Improved rule indexing

Compile Rego Queries Into SQL Filters (#7887)

Compile API extensions with support for SQL filter generation previously exclusive to EOPA has been ported into OPA.

Example

With OPA running with this policy, we'll compile the query data.filters.include into SQL filters:

package filters

# METADATA
# scope: document
# compile:
#   unknowns: [input.fruits]
include if input.fruits.name == input.favorite

Example Request

POST /v1/compile/filters/include HTTP/1.1
Content-Type: application/json
Accept: application/vnd.opa.sql.postgresql+json

{
  "input": {
    "favorite": "pineapple"
  }
}

Example Response

HTTP/1.1 200 OK
Content-Type: application/vnd.opa.sql.postgresql+json

{
  "result": {
    "query": "WHERE fruits.name = E'pineapple'"
  }
}

See the documentation for more details.

Authored by @srenatus and @philipaconrad

Improved Rule Indexing For "Naked" Refs (#7897)

OPA's rule indexer is a means by which OPA can optimize evaluation performance.
Briefly, the indexer can in some cases determine that a rule won't successfully evaluate before it's evaluated based on the query input.
The indexer previously only considered terms in certain compound expressions, ignoring single terms; e.g. an expression containing a sole "naked" ref. This has now changed!

Example

Given a policy with an allow rule containing two "naked" refs: input.foo and input.bar:

package example

allow if {
    input.foo
    input.bar
}

and the input document:

{
    "foo": 1
}

before this improvement, when evaluating the query data.example.allow, we get the trace log:

query:1           Enter data.example.allow = _
query:1           | Eval data.example.allow = _
query:1           | Index data.example.allow (matched 1 rule, early exit)
policy.rego:3     | Enter data.example.allow
policy.rego:5     | | Eval input.foo
policy.rego:6     | | Eval input.bar
policy.rego:6     | | Fail input.bar
policy.rego:5     | | Redo input.foo
query:1           | Fail data.example.allow = _

Here, we can see that the allow rule is evaluated, but fails on the input.bar expression, as it's referencing an undefined value.

With the improvement to the indexer, we instead get:

query:1     Enter data.example.allow = _
query:1     | Eval data.example.allow = _
query:1     | Index data.example.allow (matched 0 rules, early exit)
query:1     | Fail data.example.allow = _

Where we can see that the allow rule was never evaluated, since the input doesn't meet the conditions established by the indexer; i.e. both input.foo and input.bar must have defined values.

Authored by @srenatus

Runtime, Tooling

• cmd: Print eval errors to stderr (#6749) authored by @sspaink reported by @janorn
• plugin/decision: Encoder immediately returns when event same size as limit (#7928) authored by @sspaink
• plugin/decision: Refactor size buffer into its own type (#7884) authored by @sspaink
• plugins/bundle: Return callback error for manually triggered bundle downloads through the SDK (#7869) authored by @sspaink reported by @victoraugustolls
• runtime: Fix possible panic in opa run when loading bundles in watch-mode (--watch) (#7870) authored by @sspaink reported by @johanfylling

Compiler, Topdown and Rego

• perf: Don't invoke future parser for Rego v1 (#7909) authored by @anderseknert
• topdown: Add counter metric for http.send network requests (#7851) authored by @anivar
• topdown: Update numbers.range_step built-in error message (#7882) authored by @charlieegan3

Docs, Website

• docs: Add every and not examples (#7901) authored by @charlieegan3
• docs: Add examples for io.jwt and time built-ins (#7892) authored by @charlieegan3
• docs: Add examples for regex and string built-ins (#7890) authored by @charlieegan3
• docs: Add guide for common Rego errors (#7896) authored by @charlieegan3
• docs: Add missing anchors and example data (#6205) authored by @mmzzuu reported by @johanfylling
• docs: Add Rego keyword examples (#7889) authored by @charlieegan3
• docs: Add Rego language comparison pages (#7893) authored by @charlieegan3
• docs: Add Style Guide to policy authoring docs (#7932) authored by @charlieegan3
• docs: Generative AI policy example fix (#7885) authored by @msorens
• docs: Remove integration from build-security (#7899) authored by @ieugen
• docs: Update Envoy tutorial for new versions and images (#7911) authored by @CharlieTLe
• docs: Update references to cheat sheet and awesome-opa (#7930) authored by @charlieegan3
• docs: Add OCP docs (#7875) authored by @charlieegan3
  • docs/ocp: Update docs on Azure object storage (#7921) authored by @minajevs
  • docs/ocp: Fix inline-transform example (#7913) authored by @srenatus
  • docs/ocp: Fix wrong example on concepts page (#7907) authored by @srenatus
  • docs/ocp: Update API reference (#7906) authored by @srenatus
  • docs/ocp: Update OCP api-key (#7904) authored by @charlieegan3
  • docs/ocp: Update OCP install instructions (#7910) authored by @ashutosh-narkar
• docs: Add Regal docs to OPA site (#7874) authored by @charlieegan3
  • docs/regal: Update docs following 0.36.0 (#7891) authored by @charlieegan3
• docs/deploy: Add OPA deployment docs (#7898) authored by @charlieegan3
• docs/website: Update references to Styra (#7877) authored by @charlieegan3

Miscellaneous

• Bump golangci-lint to v2.4.0 (#7878) authored by @sspaink
• Community Guidelines: update email list (#7900) authored by @srenatus
• ci: port binary tests to testscript (#7865) authored by @srenatus
• dependabot: Updating e2e go deps together with core OPA deps (#7923) authored by @johanfylling
• github_actions: Add working directory in arguments for Link Checker (#7883) authored by @sspaink
• rego: Add comprehensive WASM performance benchmarks (#7841) authored by @anivar
• Dependency updates; notably:
  • build: Bump go to 1.25.1
  • build(deps): Add github.com/huandu/go-sqlbuilder 1.37.0
  • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.0.10 to 3.0.11
  • build(deps): Bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2
  • build(deps): Bump golang.org/x/net from 0.43.0 to 0.44.0
  • build(deps): Bump golang.org/x/time from 0.12.0 to 0.13.0
  • build(deps): Bump google.golang.org/grpc from 1.75.0 to 1.75.1
  • build(deps): Bump google.golang.org/protobuf from 1.36.8 to 1.36.9
  • build(deps): bump go.opentelemetry.io deps from 1.37.0/0.62.0 to 1.38.0/0.63.0

v1.8.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Support for EdDSA signatures in io.jwt built-ins, including a new io.jwt.verify_eddsa built-in.

EdDSA Support in built-ins (#7824)

Support for the EdDSA signing algorithm has been added to built-in functions in the io.jwt namespace.

This introduces the new io.jwt.verify_eddsa built-in function, and adds EdDSA support for the following built-ins:

• io.jwt.decode_verify
• io.jwt.encode_sign
• io.jwt.encode_sign_raw

This feature benefited greatly from the groundwork laid by @lestrrat in (#7638). 👏 🎉 🥳

Authored by @johanfylling reported by @aromeyer

Runtime

• cmd: Add back default cmd.RootCommand definition. (#7811) authored by @philipaconrad
  Fixing a breaking change to the go API introduced in OPA v1.7.0.
• cmd: Fix opa exec parameters (#7850, #7840) authored by @srenatus
  Fixing regressions introduced in OPA v1.7.0, where the --fail-non-empty and --stdin-input flags were dropped.
• config: accept env vars set to "", discern from unset (#7831) authored by @srenatus reported by @ManuelNowackConfinale
• handlers: Add thread-safe initialization for gzipPool (#7828) authored by @charlieegan3
• plugins: Address race in config access (#7825) authored by @charlieegan3
• plugin/bundle: Correct bundle delay behavior (#7812) authored by @charlieegan3
• runtime: Update server init check (#7818) authored by @charlieegan3

Topdown

• perf: Performance greatly improved for Object.Insert on existing key (#7820) authored by @anderseknert
• topdown,bundle,plugins: Upgrade interned jwx (0.9.x) with github.com/lestrrat-go/jwx/v3 (#7638) authored by @lestrrat

Docs, Website

• Update website to build from tip of main (#7848) authored by @tsandall
• ast/builtins: Remove space from count description (#7836) authored by @charlieegan3
• docs: Add link to logic-or/and on docs index (#7826) authored by @charlieegan3
• docs: Add note on using LLM in PR discussions (#7859) authored by @anderseknert
• docs: Fix broken anchor links in annotations (#7827) authored by @charlieegan3
• docs: Use set in the Python code example for consistence (#7860) authored by @durnik-ivo
• docs: Update frontpage (#7847) authored by @tsandall
• docs/rest-api: Add notes about policy IDs (#7837) authored by @charlieegan3
• website: Use latest release rather than edge (#7781) authored by @charlieegan3

Miscellaneous

• Update organization affiliations (#7842) authored by @tsandall
• test/e2e: Avoid port exhaustion in concurrent tests (#7862) authored by @anderseknert
• server: Make TestCertReloading less verbose (#7823) authored by @charlieegan3
• cmd: Exec test wait for bundle server to start (#7821) authored by @charlieegan3
• cmd: Update tests to run sync when ready (#7835) authored by @charlieegan3
• cmd: Move accidental pkg var to local var (#7813) authored by @philipaconrad
• internal/report: Allow overriding GitHub repo (#7867) authored by @srenatus
• release: Adding Dockerfile for image used in *-patch build targets (#7864) authored by @johanfylling
• Dependency updates; notably:
  • build: Bump go to 1.24.6 (#7834, #7839) authored by @johanfylling and @thevilledev
  • build(deps): Bump go-viper/mapstructure/v2 from v2.3.0 to v2.4.0 (#7857) authored by @deeglaze
  • build(deps): Bump github.com/containerd/containerd/v2 from 2.1.3 to 2.1.4
  • build(deps): Bump github.com/prometheus/client_golang from 1.22.0 to 1.23.0

v1.7.1

This is a bug fix release addressing two issues for users that include OPA's CLI in their own application's CLI:

• A missing symbol in the cmd package (cmd.RootCommand)
• A possible panic in the opa parse command

v1.7.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Improved OPA SDK/API for better extensibility

SDK Improvements

The OPA SDK/API has been improved to provide better extensibility an more points of integration for developers.

• ast: Add DefaultModuleLoader (#7794) authored by @srenatus
• ast: Add feature registration from the outside (#7782) authored by @srenatus
• bundle: Add support for bundle store and activation plugins (#7771) authored by @philipaconrad
• cmd: Allow branding (#7797) authored by @srenatus
• decisionlogs: Add custom fields grab bag (#7793) authored by @srenatus
• plugins: allow registering handlerfuncs with name+path (#7769) authored by @srenatus
• rego: Expose QueryTracers, tracing.Options and Cancel from QueryContext (#7767) authored by @philipaconrad
• rego: Pass along TracingOpts into EvalContext (#7778) authored by @srenatus
• runtime: add ExtraDiscoveryOpts to runtime.Params (#7766) authored by @srenatus
• sdk: Allow for setting default options for all instances (#7760) authored by @srenatus
• server: Add hooks wiring + new hooks for inter-query caches (#7775) authored by @srenatus
• server: Ensure that wrapped middlewares all support http.Flusher (#7772) authored by @srenatus
• server/authorizer: Allow adding paths to validator (#7792) authored by @philipaconrad
• server+plugins: Allow plugins to inject http handler middlewares (#7789) authored by @srenatus reported by @deeglaze
• store+runtime: Extension points for custom stores (#7779) authored by @srenatus
• test+eval: Add helper to smuggle compiler through context (#7790) authored by @srenatus
• tester: Support uint64 and float64 metrics in runBenchmark (#7761) authored by @srenatus

Runtime, Tooling

• build: Show a warning when .manifest is ignored (#7807) authored by @charlieegan3
• cli: Avoid os.Exit() in Run() funcs (#7788) authored by @srenatus
• config: Keep unknown env replacements (#7786) authored by @srenatus
• format: Not bracketing keywords in imports (#7742) authored by @johanfylling
• loader: Add bundle lazy loading mode across the runtime. (#7768) authored by @philipaconrad
• loader: Pass bundle name in AsBundle() (#7798) authored by @srenatus
• opa exec: stop plugins before exit (#7760) authored by @srenatus
• plugins/discovery: Make Factories() merge the factories (#7777) authored by @srenatus
• plugins/discovery: Replace environment variables after evaluation (#7787) authored by @philipaconrad
• plugins/logs: Add experimental intermediate results field (#7796) authored by @philipaconrad
• report: Fetching latest OPA release version from GitHub (#7756) authored by @johanfylling
  OPA will no longer send telemetry data when fetching the latest release version.
• runtime: Allow enabling NDBCache by default (#7780) authored by @srenatus
• server+logging: Add BatchDecisionID field to Decision Logs (#7791) authored by @philipaconrad
• store: Improve conflicting root error message (#7806) authored by @charlieegan3

Compiler, Topdown and Rego

• perf: AST compiler optimizations (#7740) authored by @anderseknert

Docs, Website

Note: While we have been working on the new website we have been showing
the edge documentation contents (as contents and framework changes often must
go hand in hand). Now that the website development pace has slowed and the
functionality is more stable, we will be returning to showing the documentation
content from the latest release instead. Please use the
edge documentation site
to review new changes. PR previews are also based on the latest branch commit.
This change will be made to show the v1.7.0 release shortly after publishing.

• docs: Add examples for crypto.sha256 and base64.encode built-in functions (#7762) authored by @ToluGIT
• docs: Break out the built-in categories in policy ref (#7722) authored by @sky3n3t
• docs: Correctly spell NetBSD (#7738) authored by @iamleot
• docs: Fix a number of minor docs typos (#7799) authored by @charlieegan3
• docs: Fix /docs/envoy-authorization/ 404 (#7755 authored by @charlieegan3
• docs: Remove link to OPA playground share (#7750) authored by @charlieegan3
• docs: Revise docs index page wording (#7805) authored by @charlieegan3
• docs: Update warning note in GraphQL API docs (#7737) authored by @charlieegan3
• website: Add wildcard CORS for data/versions.json (#7784) authored by @charlieegan3
• website: Ensure no hscroll on built-in tables (#7773) authored by @charlieegan3
• website: Render versions under /data/versions.json (#7783) authored by @charlieegan3
• website: Set mobile and desktop tab sizes (#7774) authored by @charlieegan3
• website: Show link to the edge release of the docs (#7776) authored by @charlieegan3

Miscellaneous

• Benchmark fixes (#7765) authored by @anderseknert

• Use Regal for linting Rego (#7752) authored by @anderseknert

• Use shorthand form for types (#7757) authored by @anderseknert

• .github: Use types for issues (#7751) authored by @charlieegan3

• build: Add top-level token permissions for workflows (#7795) authored by @timothyklee

• docs/build: Link checker fixes (#7743) authored by @charlieegan3

• Dependency updates; notably:

  • build(deps): bump github.com/containerd/containerd/v2 from 2.1.1 to 2.1.3
  • build(deps): bump google.golang.org/grpc from 1.73.0 to 1.74.2
  • build(deps): bump go.opentelemetry.io deps from 1.36.0/0.61.0 to 1.37.0/0.62.0

v1.6.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Improvements to the OPA website and documentation
• Allowing keywords in Rego references
• Parallel test execution
• Faster built-in function execution

Modernized OPA Website (#7037)

We're continuing to modernize the OPA website with a new design and improved user experience.

Some highlights:

• Builtins: You can now search them on the docs page!
• Sidebar redesign: Making it easier to find what you're looking for in our docs
• Feedback forms: Closing the feedback loop between docs authors and readers -- Please let us know if you dislike, or like, a docs page.
• Downloads page: Find your OS' installation instructions on a less cluttered page!
• And much more

Authored by @sky3n3t and @charlieegan3

Allowing keywords in Rego references (#7709)

Previously, Rego references could not contain terms that conflict with Rego keywords such as package, if, else, not, etc.
in certain constructs:

package example

allow if {
    input.package.source         # not allowed (before v1.6.0)
    input["package"].destination # allowed
}

The constraints for valid Rego references have been relaxed to allow keywords.
The above example is now valid and will no longer cause a compilation error.

Authored by @johanfylling

Parallel Test Execution (#7442)

By default, OPA will now run tests in parallel (defaulting to one parallel execution thread per available CPU core), significantly speeding up test execution time for large test suites.
The performance boost is closely tied to the number of tests in your project and your selected parallelism level. For larger projects and default settings, 2-3x performance gains have been measured on a MacBook Pro.

Parallelism can be disabled to run tests sequentially by setting the --parallel flag to 1. E.g. opa test . --parallel=1.

Authored by @sspaink reported by @anderseknert

Faster Builtin Function Evaluation

The builtin context, an internal construct of OPA's evaluation engine, was previously provided to every builtin function.
As it turns out, only very few of them actually need it, for caching, cancellation, or lookups.
Those builtins are still provided with a builtin context, but for calls to all other builtins, we save the memory required by it.
The impact is tremendous: Even though the size of a single builtin context is only about 270 bytes, in an example application (Regal), this change brings about 360 MB of reduced memory usage!

Authored by @anderseknert

Runtime, Tooling, SDK

• cmd/check: opa check --bundle report virtual/base doc conflicts (#7701) authored by @anderseknert
  When opa check is used with the --bundle flag, an error will be reported if the provided json/yaml data has a conflicting overlap with the virtual documents generated by Rego rules. Such conflicts are ambiguous and can lead to unexpected evaluation results, and should be resolved.
• cmd/inspect: Fixing missing annotations location in opa inspect with JSON format (#7459) authored by @johanfylling reported by @mostealth
• cmd/parse: Expose --v0-compatible flag (#7668) authored by @tsandall
• cmd/refactor: Fix src:dst parsing to deal with colons (#7648) authored by @tsandall
• metrics: Fix restartable timer bug. (#7669) authored by @philipaconrad
• metrics: Prealloc maps + add benchmark (#7664) authored by @philipaconrad
• oracle: Add support for some and every (#7716) authored by @charlieegan3
• oracle: Support object refs in FindDefinition (#7711) authored by @charlieegan3
• plugin/decision: Check if event is too large after compression (#7526) authored by @sspaink
• runtime,server: Replace gorilla/mux dependency with http.ServeMux (#7676) authored by @anderseknert
  Note: This is a potentially breaking change for go API users directly interfacing with the OPA server's routing.
• server: Fix deferred metrics timers. (#7671) authored by @philipaconrad
• server: Fix query url when opa is served not from root path (#7644) authored by @olegKoshmeliuk
  Note: This is only applicable for the web UI hosted by OPA on its root path (/) and OPA is served at some other path than root.

Compiler, Topdown and Rego

• ast: Ensure surplus leading zeros always error (#7726) authored by @charlieegan3
  Note: Primitive Rego number values with leading zeros (e.g. 0123) are now considered invalid at time of parsing and will generate an error. If you're impacted by this change, please update your policies to not have numbers with leading zeros. E.g. 0123 should be changed to 123.
• ast: Fixing type-checker schema cache race condition for inlined schemas (#7679, 7571) authored by @johanfylling reported by @daniel-petrov-gig
• perf: Improve performance when referencing "global" in loop (#7654) authored by @anderseknert
• topdown: Fix issue where path in walk would get mutated (#7656) authored by @anderseknert reported by @robmyersrobmyers
• topdown/http: Lenient application/json Content-Type header (#6684) authored by @sspaink reported by @mrvanes

Docs, Website, Ecosystem

• adopters: add Pix4D as adopters for its RBAC service (#7645) authored by @marcaurele
• api: Expand docs for RegisterBuiltin — no thread-safety (#7667) authored by @anderseknert reported by @parth-mehta-989
• docs: Added a search function for the builtins section of policy-reference (#7704) authored by @sky3n3t
• docs: Add another OR note in AND section (#7706) authored by @charlieegan3
• docs: Add basic docs covering CI/CD use case (#7703) authored by @charlieegan3
• docs: Add current ecosystem contribution docs (#7678) authored by @charlieegan3
• docs: Add EvergreenCodeBlock for code with version (#7706) authored by @charlieegan3
• docs: Add feedback form for user reported issues (#7662) authored by @charlieegan3
• docs: Address broken links (#7661) authored by @charlieegan3
• docs: Archive explain that only latest patch is shown (#7682) authored by @charlieegan3
• docs: Fix bug where the search match respects case (#7713) authored by @sky3n3t
• docs: Hide feedback pop-up forever if dismissed (#7674) authored by @charlieegan3
• docs: Improve bundle structure documentation (#7683) authored by @charlieegan3
• docs: Improve explanations for initial examples (#7677) authored by @charlieegan3
• docs: Install/Download Instruction Update (#7687) authored by @charlieegan3
• docs: Move code example data inside the PlaygroundComponent (#7724) authored by @sky3n3t
• docs: policy-reference, update sig algs formatting (#7685) authored by @charlieegan3
• docs: Redirect old admission control link (#7730) authored by @charlieegan3
• docs: Refactored Networking Reference docs (#7686) authored by @sky3n3t
• docs: Revise sidebar order and layout (#7731) authored by @charlieegan3
• docs: Reworked existing policy examples to use PlaygroundExample (#7690) authored by @sky3n3t
• docs: Show a feedback popup on the docs site (#7663) authored by @charlieegan3
• docs: Show edge rather than latest release (#7717) authored by @charlieegan3
• docs: Show TOC on CLI page (#7712) authored by @charlieegan3
• docs: Update colors for feedback form in dark mode (#7691) authored by @charlieegan3
• docs: Update...

v1.5.1

This is a bug fix release addressing a regression to the walk built-in function, introduced in v1.5.0. See #7656 (authored by @anderseknert reported by @robmyersrobmyers)

v1.5.0

This release contains a mix of new features, performance improvements, and bugfixes. Among others:

• Support for AWS SSO credentials provider
• Support for signing client assertions with Azure Keyvault
• Faster object.get, walk and builtin-function evaluation
• Improved guardrails in the parser
• Improvements to decision logging

Modernized OPA Website (#7037)

The OPA website has been modernized with a new design and improved user experience.

The new site is based on Docusaurus and React which makes it easier to build live functionality and add non-documentation resources. This lays the groundwork for even more improvements in the future!

Documentation for older OPA versions are still available in the version archive.

Authored by @charlieegan3

Runtime, Tooling, SDK

• ast: Only use JSON-escaped literal when needed in ref to string convertion (#7550) reported and authored by @xubinzheng
• ast: Parser recursion depth guard (#7568) authored by @thevilledev
• ast: Retaining SomeDecl Location field when compiler resolves refs (#7543) authored by @johanfylling
• bundle: Setting default rego-version in bundle API (#7588) authored by @johanfylling reported by @xubinzheng
• perf: Improved "baseline" metrics of opa bench for trivial queries (#7580) authored by @anderseknert
• plugins/decision: Don't drop adaptive uncompressed size limit on upload (#7562) authored by @sspaink
• plugins/decision: Set config boundaries to upload_size_limit_bytes (#7563) (authored by @sspaink)
• plugins/rest: Add support for AWS SSO credentials provider (#7527) authored by @efiShtain
• plugins/rest: Support signing of client assertions with Azure Keyvault (#7462) reported and authored by @Od1nB
• plugins/status: Support graceful shutdown timeout (#7576) authored by @sspaink
• rego: Don't generate JSON values for wildcard/generated keys in result set (#7567) authored by @anderseknert
• runtime: Don't override user set version commit and timestamp (#7471) reported by @kastl-ars authored by @sspaink

Planner, Topdown and Rego

• planner: Deal with var-for-function replacement in indirect calls (#5311) authored by @srenatus
• topdown: Faster object.get built-in function (#7593) authored by @anderseknert
• topdown: Faster walk built-in function (#7612) authored by @anderseknert
• topdown: Improved default rule value inlining ( (#1418) authored by @johanfylling
• topdown: Improved GraphQL error handling (#7622) reported and authored by @robmyersrobmyers

Docs, Website, Ecosystem

• docs: Fix helm-kubernetes-quickstart bundle (#7606) reported and authored by @nejec
• docs: Add Swift-OPA to the Ecosystem Page (#7610) authored by @charlieegan3
• docs: Add Tutorial Redirects ([#7603]#7603) reported by @nataraj24 authored by @charlieegan3
• Fix links in README (#7633) authored by @ffjlabo

Miscellaneous

• github_actions: Adding monthly check for broken hyperlinks (#7537) authored by @sspaink
• perf: Extended interning (#7636) authored by @anderseknert
• perf: Ref.String() shortcut on single var term ref (#7595) authored by @anderseknert
• refactor: Don't return error from opaTest (#7560) authored by @sspaink
• refactor: Remove internal/gqlparser and use upstream dependency instead. (#7520) authored by @robmyersrobmyers
• test: Fix flaky TestContextErrorHandling (#7587) authored by @sspaink
• Apply modernize linter fixes (#7599) authored by @anderseknert
• Use any in place of interface{} (#7566) authored by @anderseknert
• Dependency updates; notably:
  • build: bump go from 1.24.0 to 1.24.3
  • build(deps): bump containerd to v2.1.1 (#7627) authored by @johanfylling reported by @robmyersrobmyers
  • build(deps): bump github.com/fsnotify/fsnotify from 1.8.0 to 1.9.0
  • build(deps): bump github.com/prometheus/client_golang from 1.21.1 to 1.22.0
  • build(deps): bump github.com/prometheus/client_model from 0.6.1 to 0.6.2
  • build(deps): bump golang.org/x/net from 0.38.0 to 0.39.0
  • build(deps): bump google.golang.org/grpc from 1.71.1 to 1.72.0