build(deps): bump github.com/open-policy-agent/opa from 1.15.2 to 1.17.0

[dependabot]

Bumps github.com/open-policy-agent/opa from 1.15.2 to 1.17.0.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels array. Each element is the merged label map for one successfully evaluated rule, with

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels

... (truncated)

Commits

• 64a3625 Release v1.17.0 (#8710)
• 68c9de5 benchmarks: tweak per-PR benchmark regression check based on pr-check
• 7fe3066 server: remove dead code (s.partials) (#8708)
• 37830be ast,storage/inmem: Add inmem.NewFromASTObject and add missing string case t...
• 1661f22 ast: add some schema $ref tests
• 3e22f56 benchmarks: only run for go changes
• 13aaeab benchmarks: move env vars, remove zizmor-ignore comment
• 93e1708 benchmarks: fix PR message, skip tests
• 4ce3991 benchmarks: use go tool machinery, add benchstat
• 41df8df benchmarks: use benchlab for per-PR feedback
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

🟢 Coverage ∅ diff coverage · -0.02% coverage variation

Metric	Results
Coverage variation	✅ -0.02% coverage variation (-1.00%)
Diff coverage	✅ ∅ diff coverage

View coverage diff in Codacy

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (31340e3)	81367	18680	22.96%
Head commit (dc0d9fc)	81367 (+0)	18664 (-16)	22.94% (-0.02%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#2858)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}