Merge branch 'main' into token_eddsa

johanfylling · web-flow · commit e5d4af75dab3 · 2025-08-12T18:39:26.000+02:00
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -49,7 +49,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+      uses: github/codeql-action/init@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -65,4 +65,4 @@ jobs:
         make build
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+      uses: github/codeql-action/analyze@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
@@ -93,7 +93,7 @@ jobs:
       # Equivalent to:
       # $ trivy image openpolicyagent/opa:edge-static
       - name: Run Trivy scan on image
-        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # 0.31.0
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
         with:
           image-ref: 'openpolicyagent/opa:edge-static'
           format: table
@@ -123,7 +123,7 @@ jobs:
       # Equivalent to:
       # $ trivy fs .
       - name: Run Trivy scan on repo
-        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # 0.31.0
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.32.0
         with:
           scan-type: fs
           format: table
diff --git a/.github/workflows/post-merge.yaml b/.github/workflows/post-merge.yaml
@@ -168,7 +168,7 @@ jobs:
         timeout-minutes: 60
 
       - name: Download release binaries
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           pattern: binaries-*
           merge-multiple: true
diff --git a/.github/workflows/post-tag.yaml b/.github/workflows/post-tag.yaml
@@ -108,7 +108,7 @@ jobs:
         run: echo "TAG_NAME=${GITHUB_REF##*/}" >> $GITHUB_ENV
 
       - name: Download release binaries
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           pattern: binaries-*
           merge-multiple: true
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -173,7 +173,7 @@ jobs:
       if: matrix.os == 'darwin'
 
     - name: Download generated artifacts
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         name: generated
 
@@ -224,7 +224,7 @@ jobs:
         go-version: ${{ steps.go_version.outputs.go_version }}
 
     - name: Download generated artifacts
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         name: generated
 
@@ -270,7 +270,7 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Download generated artifacts
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         name: generated
 
@@ -294,7 +294,7 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Download generated artifacts
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         name: generated
 
@@ -314,7 +314,7 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Download generated artifacts
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         name: generated
 
@@ -338,7 +338,7 @@ jobs:
         platforms: arm64
 
     - name: Download release binaries
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         pattern: binaries-*
         merge-multiple: true
@@ -388,7 +388,7 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Download release binaries
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         name: binaries-${{ matrix.os }}-${{ matrix.arch }}
         path: _release
@@ -413,7 +413,7 @@ jobs:
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Download generated artifacts
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         name: generated
     - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -64,6 +64,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
         with:
           sarif_file: results.sarif
diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.24.4
+1.24.6
diff --git a/cmd/exec_test.go b/cmd/exec_test.go
@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"maps"
+	"net/http"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -1460,13 +1461,14 @@ func TestExecWithInvalidInputOptions(t *testing.T) {
 
 func TestExecTimeoutWithMalformedRemoteBundle(t *testing.T) {
 	test.WithTempFS(map[string]string{}, func(dir string) {
+		bundlePath := "/bundles/bundle.tar.gz"
 		// Note(philipc): We add the "raw bundles" flag so that we can stuff a
 		// malformed bundle into the mock bundle server. Otherwise, the server
 		// will just return 503 errors forever, because it won't be able to
 		// build the bundle on its end.
 		s := sdk_test.MustNewServer(
 			sdk_test.RawBundles(true),
-			sdk_test.MockBundle("/bundles/bundle.tar.gz", map[string]string{
+			sdk_test.MockBundle(bundlePath, map[string]string{
 				"example.rego": `
 				package example
 
@@ -1476,12 +1478,22 @@ func TestExecTimeoutWithMalformedRemoteBundle(t *testing.T) {
 
 		defer s.Stop()
 
+		// Wait for the bundle server to be ready before running exec
+		bundleURL := s.URL() + bundlePath
+		test.EventuallyOrFatal(t, 1*time.Second, func() bool {
+			resp, err := http.Get(bundleURL)
+			if resp != nil {
+				defer resp.Body.Close()
+			}
+			return err == nil && resp.StatusCode == 200
+		})
+
 		var buf bytes.Buffer
 		params := exec.NewParams(&buf)
 		_ = params.OutputFormat.Set("json")
 		params.ConfigOverrides = []string{
 			"services.test.url=" + s.URL(),
-			"bundles.test.resource=/bundles/bundle.tar.gz",
+			"bundles.test.resource=" + bundlePath,
 		}
 
 		// Note(philipc): We can set this timeout almost arbitrarily high or
diff --git a/docs/docs/policy-language.md b/docs/docs/policy-language.md
@@ -1322,6 +1322,12 @@ apps_not_in_prod contains name if {
 
 <RunSnippet files="#example_data.rego" command="data.negation.apps_not_in_prod"/>
 
+:::info
+Logical OR/AND in Rego is structured differently from other languages you might
+be familiar with. See the notes here on [Logical OR](../docs/#logical-or) or
+here for [Logical AND](../docs/#basic-syntax) for more details.
+:::
+
 ## Universal Quantification (FOR ALL)
 
 Rego allows for several ways to express universal quantification.
@@ -2454,19 +2460,19 @@ comment block containing the YAML document is finished
 
 ### Annotations
 
-| Name              | Type                                                        | Description                                                                                               |
-| ----------------- | ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
-| scope             | string; one of `package`, `rule`, `document`, `subpackages` | The scope for which the metadata applies. Read more [here](./#scope).                                     |
-| title             | string                                                      | A human-readable name for the annotation target. Read more [here](#title).                                |
-| description       | string                                                      | A description of the annotation target. Read more [here](#description).                                   |
-| related_resources | list of URLs                                                | A list of URLs pointing to related resources/documentation. Read more [here](#related-resources).         |
-| authors           | list of strings                                             | A list of authors for the annotation target. Read more [here](#authors).                                  |
-| organizations     | list of strings                                             | A list of organizations related to the annotation target. Read more [here](#organizations).               |
-| schemas           | list of object                                              | A list of associations between value paths and schema definitions. Read more [here](#schemas).            |
-| entrypoint        | boolean                                                     | Whether or not the annotation target is to be used as a policy entrypoint. Read more [here](#entrypoint). |
-| custom            | mapping of arbitrary data                                   | A custom mapping of named parameters holding arbitrary data. Read more [here](#custom).                   |
-
-### Scope
+| Name              | Type                                                        | Description                                                                                                        |
+| ----------------- | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
+| scope             | string; one of `package`, `rule`, `document`, `subpackages` | The scope for which the metadata applies. Read more [here](#metadata-scope).                                       |
+| title             | string                                                      | A human-readable name for the annotation target. Read more [here](#metadata-title).                                |
+| description       | string                                                      | A description of the annotation target. Read more [here](#metadata-description).                                   |
+| related_resources | list of URLs                                                | A list of URLs pointing to related resources/documentation. Read more [here](#metadata-related_resources).         |
+| authors           | list of strings                                             | A list of authors for the annotation target. Read more [here](#metadata-authors).                                  |
+| organizations     | list of strings                                             | A list of organizations related to the annotation target. Read more [here](#metadata-organizations).               |
+| schemas           | list of object                                              | A list of associations between value paths and schema definitions. Read more [here](#metadata-schemas).            |
+| entrypoint        | boolean                                                     | Whether or not the annotation target is to be used as a policy entrypoint. Read more [here](#metadata-entrypoint). |
+| custom            | mapping of arbitrary data                                   | A custom mapping of named parameters holding arbitrary data. Read more [here](#metadata-custom).                   |
+
+### Metadata `Scope`
 
 Annotations can be defined at the rule or package level. The `scope` annotation in
 a metadata block determines how that metadata block will be applied. If the
diff --git a/go.mod b/go.mod
@@ -1,8 +1,8 @@
 module github.com/open-policy-agent/opa
 
-go 1.23.8
+go 1.23.12
 
-toolchain go1.24.3
+toolchain go1.24.6
 
 require (
 	github.com/bytecodealliance/wasmtime-go/v3 v3.0.2
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -138,7 +138,8 @@ func subEnvVars(s string) string {
 		// Lookup the variable in the environment. We do not
 		// play by bash rules: if its undefined we'll keep it
 		// as-is, it could be replaced somewhere down the line.
-		if lu := os.Getenv(varName); lu != "" {
+		// If it's set to "", we'll return that.
+		if lu, ok := os.LookupEnv(varName); ok {
 			return lu
 		}
 		return s
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
@@ -96,7 +96,7 @@ func TestSubEnvVarsVarsSubMissingEnvVar(t *testing.T) {
 	envKey := setTestEnvVar(t, "var1", "foo")
 	configYaml := fmt.Sprintf("field1: '${%s}'", envKey)
 
-	// Remove the env var and expect the system to sub in ""
+	// Remove the env var and expect the system to keep the key as-is
 	os.Unsetenv(envKey)
 	expected := configYaml // untouched
 
@@ -118,6 +118,20 @@ func TestSubEnvVarsVarsSubEmptyVarName(t *testing.T) {
 	}
 }
 
+func TestSubEnvVarsVarsSubEmptyEnvVar(t *testing.T) {
+	envKey := setTestEnvVar(t, "var1", "foo")
+	configYaml := fmt.Sprintf("field1: '${%s}'", envKey)
+
+	t.Setenv(envKey, "")
+	expected := "field1: ''"
+
+	actual := subEnvVars(configYaml)
+
+	if actual != expected {
+		t.Errorf("Expected: '%s'\nActual: '%s'", expected, actual)
+	}
+}
+
 func TestMergeValuesNoOverride(t *testing.T) {
 	dest := map[string]any{}
 	src := map[string]any{
diff --git a/internal/prometheus/prometheus_test.go b/internal/prometheus/prometheus_test.go
@@ -155,6 +155,7 @@ func TestJSONSerialization(t *testing.T) {
 			"go_godebug_non_default_behavior_x509rsacrt_events_total",
 			"go_godebug_non_default_behavior_gotestjsonbuildtext_events_total",
 			"go_godebug_non_default_behavior_rsa1024min_events_total",
+			"go_godebug_non_default_behavior_allowmultiplevcs_events_total", // added in 1.24.6
 		},
 		"SUMMARY": {
 			"go_gc_duration_seconds",
diff --git a/v1/download/download.go b/v1/download/download.go
@@ -61,8 +61,8 @@ type Downloader struct {
 	respHdrTimeoutSec  int64
 	wg                 sync.WaitGroup
 	logger             logging.Logger
-	mtx                sync.Mutex
 	stopped            bool
+	stopOnce           sync.Once
 	persist            bool
 	longPollingEnabled bool
 	lazyLoadingMode    bool
@@ -204,16 +204,11 @@ func (d *Downloader) Stop(context.Context) {
 		return
 	}
 
-	d.mtx.Lock()
-	defer d.mtx.Unlock()
-
-	if d.stopped {
-		return
-	}
-
-	done := make(chan struct{})
-	d.stop <- done
-	<-done
+	d.stopOnce.Do(func() {
+		done := make(chan struct{})
+		d.stop <- done
+		<-done
+	})
 }
 
 func (d *Downloader) loop(ctx context.Context) {
@@ -231,13 +226,18 @@ func (d *Downloader) loop(ctx context.Context) {
 			return
 		}
 
+		// Note: MaxDelaySeconds, MinDelaySeconds and LongPollingTimeoutSeconds
+		// are scaled from int seconds to ns in ValidateAndInjectDefaults.
 		if err != nil {
+			// when there was an error, use a delay that's based on the retry count
 			delay = util.DefaultBackoff(float64(minRetryDelay), float64(*d.config.Polling.MaxDelaySeconds), retry)
 		} else if !d.longPollingEnabled || d.config.Polling.LongPollingTimeoutSeconds == nil {
 			// revert the response header timeout value on the http client's transport
 			if *d.client.Config().ResponseHeaderTimeoutSeconds == 0 {
 				d.client = d.client.SetResponseHeaderTimeout(&d.respHdrTimeoutSec)
 			}
+
+			// when polling, use a jittered delay based on min and max delay config
 			min := float64(*d.config.Polling.MinDelaySeconds)
 			max := float64(*d.config.Polling.MaxDelaySeconds)
 			delay = time.Duration(((max - min) * rand.Float64()) + min)
@@ -263,7 +263,6 @@ func (d *Downloader) loop(ctx context.Context) {
 func (d *Downloader) oneShot(ctx context.Context) error {
 	m := metrics.New()
 	resp, err := d.download(ctx, m)
-
 	if err != nil {
 		d.etag = ""
 
diff --git a/v1/plugins/bundle/plugin_test.go b/v1/plugins/bundle/plugin_test.go
diff --git a/v1/runtime/runtime_test.go b/v1/runtime/runtime_test.go
diff --git a/v1/test/e2e/print/print_test.go b/v1/test/e2e/print/print_test.go
diff --git a/v1/util/backoff.go b/v1/util/backoff.go
