Log message:
opa: Update to 0.64.1

Changes:
v0.64.1
This is a bug fix release addressing the following issues:

- plugins/discovery: Update comparison logic used in the discovery
  plugin for handling overrides. This fixes a panic that resulted from
  the comparison of uncomparable types

v0.64.0
This release contains a mix of features, a new builtin function
`json.marshal_with_options()`, performance improvements, and bugfixes.

### Breaking Change

#### Bootstrap configuration overrides Discovered configuration

Previously if Discovery was enabled, other features like bundle
downloading and status reporting could not be configured manually. The
reason for this was to prevent OPAs being deployed that could not be
controlled through discovery. It's possible that the system serving the
discovered config is unaware of all options locally available in OPA.
Hence, we relax the configuration check when discovery is enabled so
that the bootstrap configuration can contain plugin configurations. In
case of conflicts, the bootstrap configuration for plugins wins. These
local configuration overrides from the bootstrap configuration are
included in the Status API messages so that management systems can get
visibility into the local overrides.

In general, the bootstrap configuration overrides the discovered
configuration. Previously this was not the case for all configuration
fields. For example, if the discovered configuration changes the
`labels` section, only labels that are additional compared to the
bootstrap configuration are used, all other changes are ignored. This
implies labels in the bootstrap configuration override those in the
discovered configuration. But for fields such as `default_decision`,
`default_authorization_decision`, `nd_builtin_cache`, the discovered
configuration would override the bootstrap configuration. Now the
behavior is more consistent for the entire configuration and helps to
avoid accidental configuration errors.

### Add `rego_version` attribute to the bundle manifest

A new global `rego_version` attribute is added to the bundle manifest,
to inform the OPA runtime about what Rego version (`v0`/`v1`) to use
while parsing/compiling contained Rego files. There is also a new
`file_rego_versions` attribute which allows individual files to
override the global Rego version specified by `rego_version`.

When the version of the contained Rego is advertised by the bundle
through this attribute, it is not required to run OPA with the
`--v1-compatible` (or future `--v0-compatible`) flag in order to
correctly parse, compile and evaluate the bundle's modules.

A bundle's `rego_version` attribute takes precedence over any applied
`--v1-compatible`/`--v0-compatible` flag.
([#6578](https://github.com/open-policy-agent/opa/issues/6578))
authored by @johanfylling

v0.63.0
This release contains a mix of features, performance improvements, and
bugfixes.

Log message:
Revbump all Go packages after go121 update

Log message:
opa: Update to 0.62.1

Changes:
v0.62.1
-------
This is a security fix release for the fixes published in Go
1.22.1.

OPA servers using `--authentication=tls` would be affected: crafted
malicious client certificates could cause a panic in the server.

Also, crafted server certificates could panic OPA's HTTP clients, in
bundle plugin, status and decision logs; and `http.send` calls that
verify TLS.

This is CVE-2024-24783.

Note that there are other security fixes in this Golang release, but
whether or not OPA is affected is harder to assess. An update is
advised.

v0.62.0
-------
This release contains a mix of improvements and bugfixes.

Log message:
opa: Update to 0.16.0

Changes:
0.61.0
------
This release contains a mix of new features and bugfixes.

Runtime, SDK
------------
- Adding `--v1-compatible` flag to all previously unsupported command line
  commands
- Don't load files in tarball exceeding `size_limit_bytes`
- Allow TLS cipher suites to be set for the OPA server
- Removing deprecated fields and functions related to rego-v1 compatibility

Topdown
-------
- topdown: Clean expired `http.send` cache entries periodically

Log message:
Revbump all Go packages after go121 update

Log message:
Revbump all Go packages after go121 update

Log message:
opa: Update to 0.60.0

Changes:
v0.60.0
-------
### Runtime, Tooling, SDK
- OPA can be run in 1.0 compatibility mode by using the new
  `--v1-compatible` flag. When this mode is enabled, the current release
  of OPA will behave as OPA `v1.0` will eventually behave by default.
  This flag is currently supported on the `build`, `check`, `fmt`, `eval`
  and `test` commands
- Extend the telemetry report to include the minimum compatible version
  of policies loaded into OPA
- server: Support fsnotify based reloading of certificate, key and CA
  cert pool when they change on disk
- Add option on the unit test runner to surface builtin errors. This
  should help with debugging errors generated while running unit tests
- Fix issue in `opa fmt` where the assignment operator and term in the
  rule head of chain rules are removed from the re-written rule head
- cmd/fmt: Replace dependency on `diff` tool with an external golang
  library function

### Topdown and Rego
- topdown/providers: Preserve user provided http headers in the
  `providers.aws.sign_req` builtin command
- rego: Allow custom builtin function registration to provide a
  description for the builtin
- ast+cmd: Allow bundle to contain calls to unknown functions when
  inspected

v0.59.0
-------
This release adds tooling to help prepare existing policies for the
upcoming OPA 1.0 release.  It also contains a mix of improvements,
bugfixes and security fixes for third-party libraries.

### Rego v1
The upcoming release of OPA 1.0, which will be released at a future
date, will introduce breaking changes to the Rego language. Most
notably:

* the keywords that currently must be imported through
  `import future.keywords` into a module before use will be part of the
  Rego language by default, without the need to first import them.
* the `if` keyword will be required before the body of a rule.
* the `contains` keyword will be required when declaring a multi-value
  rule (partial set rule).
* deprecated built-in functions will be removed.

This current release (`0.59.0`) introduces a new `--rego-v1` flag to
the `opa fmt` and `opa check` commands to facilitate the transition of
existing policies to be compatible with the 1.0 syntax.

When used with `opa fmt`, the `--rego-v1` flag will format the
module(s) according to the new Rego syntax in OPA 1.0.  Formatted
modules are compatible with both the current version of OPA and 1.0.
Modules using deprecated built-ins will terminate formatting with an
error. Future versions of OPA will support rewriting applicable
function calls with equivalent Rego compatible with 1.0.

When used with `opa check`, the `--rego-v1` flag will check that the
modules are compatible with both the current version of OPA and 1.0.

v0.58.0
-------
This release contains a mix of performance improvements, bugfixes and
security fixes for third-party libraries.

v0.57.1
-------
This is a bug fix release addressing the following security issues:

- Golang security fix GO-2023-2102
- OpenTelemetry-Go Contrib security fix CVE-2023-45142

Log message:
Revbump all Go packages after go121 update

Log message:
Revbump all Go packages after go121 update

Log message:
Revbump all Go packages because go121 is now the default