Commit 70ca14c

Authors: janmooij, dependabot[bot], thevilledev, anderseknert, xNok
chore(conftest): merge upstream v0.60.0 (#3)
* build(deps): bump github.com/moby/buildkit from 0.18.0 to 0.18.1 (open-policy-agent#1024)

* build(deps): bump golang from 1.23.3-alpine to 1.23.4-alpine (open-policy-agent#1025)

* build(deps): bump alpine from 3.20.3 to 3.21.0 (open-policy-agent#1026)

* build(deps): bump github.com/magiconair/properties from 1.8.7 to 1.8.9 (open-policy-agent#1027)

  Bumps [github.com/magiconair/properties](https://github.com/magiconair/properties) from 1.8.7 to 1.8.9.
  - [Release notes](https://github.com/magiconair/properties/releases)
  - [Commits](magiconair/properties@v1.8.7...v1.8.9)

  ---
  updated-dependencies:
  - dependency-name: github.com/magiconair/properties
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/CycloneDX/cyclonedx-go from 0.9.1 to 0.9.2 (open-policy-agent#1028)

  Bumps [github.com/CycloneDX/cyclonedx-go](https://github.com/CycloneDX/cyclonedx-go) from 0.9.1 to 0.9.2.
  - [Release notes](https://github.com/CycloneDX/cyclonedx-go/releases)
  - [Changelog](https://github.com/CycloneDX/cyclonedx-go/blob/master/.goreleaser.yml)
  - [Commits](CycloneDX/cyclonedx-go@v0.9.1...v0.9.2)

  ---
  updated-dependencies:
  - dependency-name: github.com/CycloneDX/cyclonedx-go
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: set jsonnet VM stack limits and add test coverage

  - Set MaxStack to 500 frames to prevent deep recursion
  - Set MaxStackTraceSize to 20 for cleaner errors
  - Add test for stack overflow prevention
  - Improve test structure with table-driven pattern

  Signed-off-by: Ville Vesilehto <[email protected]>

* fix: improve handling for YAML version directives

  The YAML parser was incorrectly splitting documents with version directives (e.g. '%YAML 1.1') by treating the first '---' marker as a document separator. This caused the version directive to be separated from its document, resulting in parsing errors.

  Fixed document separation logic to keep version directive with its document. Added test cases for various YAML scenarios and improved test coverage.

  Signed-off-by: Ville Vesilehto <[email protected]>

* fix: add output and tests for GitHub and Azure DevOps

  Added missing test cases for GitHub and AzureDevOps output formats in output_test.go. Also added OutputAzureDevOps to the list of available output formats in Outputs().

  Signed-off-by: Ville Vesilehto <[email protected]>

* fix: remove redundant error check in push command

  Remove an unnecessary error check for configDesc creation in the push command. The NewDescriptorFromBytes function does not return an error, so checking for one was redundant and could never be triggered.

  Signed-off-by: Ville Vesilehto <[email protected]>

* build(deps): bump golang from 1.23.4-alpine to 1.23.5-alpine

  Bumps golang from 1.23.4-alpine to 1.23.5-alpine.

  ---
  updated-dependencies:
  - dependency-name: golang
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>

* fix: prevent policy file overwrite on downloads (open-policy-agent#1039)

  File existence check before downloading policies. Errors out and no overwrites. Maintains data integrity by preventing accidental policy overwrites. Added a test which verified the behaviour.

  Signed-off-by: Ville Vesilehto <[email protected]>

* fix: max stack size already set by jsonnet.MakeVM()

  Signed-off-by: Ville Vesilehto <[email protected]>

* build(deps): bump cuelang.org/go from 0.11.0 to 0.12.0

  Bumps cuelang.org/go from 0.11.0 to 0.12.0.

  ---
  updated-dependencies:
  - dependency-name: cuelang.org/go
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump github.com/moby/buildkit from 0.18.1 to 0.19.0

  Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.18.1 to 0.19.0.
  - [Release notes](https://github.com/moby/buildkit/releases)
  - [Commits](moby/buildkit@v0.18.1...v0.19.0)

  ---
  updated-dependencies:
  - dependency-name: github.com/moby/buildkit
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump alpine from 3.21.0 to 3.21.2

  Bumps alpine from 3.21.0 to 3.21.2.

  ---
  updated-dependencies:
  - dependency-name: alpine
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump github.com/hashicorp/go-getter from 1.7.6 to 1.7.8

  Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.7.6 to 1.7.8.
  - [Release notes](https://github.com/hashicorp/go-getter/releases)
  - [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml)
  - [Commits](hashicorp/go-getter@v1.7.6...v1.7.8)

  ---
  updated-dependencies:
  - dependency-name: github.com/hashicorp/go-getter
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>

* chore: optimize yaml document separator handling

  Based on PR feedback:
  - use byte slices instead of string concat
  - set common byte sequences as vars

  Signed-off-by: Ville Vesilehto <[email protected]>

* feat: enable relative jsonnet imports by setting a path-aware importer

  - Introduce a new `PathAwareParser` interface that extends `Parser` with `SetPath(path string)`.
  - Update `parseConfigurations` to detect if a parser implements `PathAwareParser`, and call `SetPath(path)`.
  - Implement `SetPath` in the Jsonnet parser, setting the JPath to the file's directory.
  - Add tests to ensure that relative imports in Jsonnet now work as expected.

  Signed-off-by: Ville Vesilehto <[email protected]>

* fix: correct linters-settings in .golangci.yaml to enable misspell

  * Fix typo in `.golangci.yaml` to enable linter settings
  * Fix marshal/unmarshal spelling across codebase

  Signed-off-by: Ville Vesilehto <[email protected]>

* chore: add nilness check to govet linter

  * Add nilness check to govet linter configuration

  See open-policy-agent#1041 for an example

  Signed-off-by: Ville Vesilehto <[email protected]>

* test(registry): add test for credentials store init failure

  Add a test case that verifies SetupClient returns an error when the Docker config file is not readable due to permissions. This ensures the credentials store initialization failure is properly handled.

  Signed-off-by: Ville Vesilehto <[email protected]>

* feature: Documentation command (open-policy-agent#1009)

  * feat: parse the annotations

    Signed-off-by: Alexandre Couedelo <[email protected]>

    refactor: change the way we access annotations

    I am testing different ways to generate the doc. Having the compiler object is much easier than the annotation set only

    Signed-off-by: Alexandre Couedelo <[email protected]>

  * feat: generate section that can be used to generate documentations

    Signed-off-by: Alexandre Couedelo <[email protected]>

  * feat: generate the documentation file

    Signed-off-by: Alexandre Couedelo <[email protected]>

  * feat: add the command doc to conftest

    Signed-off-by: Alexandre Couedelo <[email protected]>

    fix: make title coherent in submodules documentation

    Signed-off-by: Alexandre Couedelo <[email protected]>

  * chore: improve test case

    Signed-off-by: Alexandre Couedelo <[email protected]>

    chore: ignore golden files in git

    Signed-off-by: Alexandre Couedelo <[email protected]>

    chore: document and test the custom template feature

    Signed-off-by: Alexandre Couedelo <[email protected]>

    chore: linting

    Signed-off-by: Alexandre Couedelo <[email protected]>

  * build(deps): bump github.com/open-policy-agent/opa from 0.68.0 to 0.69.0 (open-policy-agent#1010)

    Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.68.0 to 0.69.0.
    - [Release notes](https://github.com/open-policy-agent/opa/releases)
    - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
    - [Commits](open-policy-agent/opa@v0.68.0...v0.69.0)

    ---
    updated-dependencies:
    - dependency-name: github.com/open-policy-agent/opa
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Alexandre Couedelo <[email protected]>

  * chore: Fixed changes requested by @boranx

    build(deps): bump github.com/open-policy-agent/opa from 0.68.0 to 0.69.0 (open-policy-agent#1010)

    Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.68.0 to 0.69.0.
    - [Release notes](https://github.com/open-policy-agent/opa/releases)
    - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
    - [Commits](open-policy-agent/opa@v0.68.0...v0.69.0)

    ---
    updated-dependencies:
    - dependency-name: github.com/open-policy-agent/opa
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Alexandre Couedelo <[email protected]>

    chore: go mod tidy

  * test: refactor to use Document instead of []Section

    Signed-off-by: Alexandre Couedelo <[email protected]>

  * chore: improve doc string in code

    Signed-off-by: Alexandre Couedelo <[email protected]>

  * chore: address changes requested by @jalseth

    Signed-off-by: Alexandre Couedelo <[email protected]>

  * chore: remove error handling on file close

    Signed-off-by: Alexandre Couedelo <[email protected]>

  * fix: revert bad renaming

    Signed-off-by: Alexandre Couedelo <[email protected]>

  * fix: go mod tidy

    Signed-off-by: Alexandre Couedelo <[email protected]>

  * fix: update template in acceptance test

    the name of the variable has changed to be more meaningful

    Signed-off-by: Alexandre Couedelo <[email protected]>

  ---------

  Signed-off-by: Alexandre Couedelo <[email protected]>
  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* test(policy): improve engine test coverage (open-policy-agent#1055)

  * test(policy): improve engine test coverage

    Add TestLoadWithData and TestNamespaces to increase test coverage for the policy engine. Tests a few edge cases such as duplicate namespaces.

    Signed-off-by: Ville Vesilehto <[email protected]>

  * refactor(policy): replace memfs with testing/fstest

    Migrate tests to use Go's standard library fstest.MapFS instead of custom memfs implementation.
    - Update TestProblematicIf and TestNamespaces to use fstest.MapFS
    - Remove memfs import and dependency
    - Convert test file content handling to use MapFile structs
    - Maintain existing test functionality while using official FS impl

    Signed-off-by: Ville Vesilehto <[email protected]>

  * docs: explain fstest.MapFS conversion in tests

    The type conversion from map[string]*fstest.MapFile to fstest.MapFS triggers an 'unnecessary conversion' linter warning. Add explanatory comment to document why this conversion is required - it ensures proper fs.FS interface implementation needed by loader.WithFS.

    Signed-off-by: Ville Vesilehto <[email protected]>

  ---------

  Signed-off-by: Ville Vesilehto <[email protected]>

* build(deps): bump github.com/open-policy-agent/opa from 0.70.0 to 1.1.0 (open-policy-agent#1050)

  * build(deps): bump github.com/open-policy-agent/opa from 0.70.0 to 1.1.0

    Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.70.0 to 1.1.0.
    - [Release notes](https://github.com/open-policy-agent/opa/releases)
    - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
    - [Commits](open-policy-agent/opa@v0.70.0...v1.1.0)

    ---
    updated-dependencies:
    - dependency-name: github.com/open-policy-agent/opa
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

  * ci: Disable deprecated code check for golangci-lint

    This is currently blocking the upgrade to the OPA v1 package, and as a general rule I don't think hard blocking updates and releases on use of deprecated but still working code is good.

    Signed-off-by: James Alseth <[email protected]>

  * document: Use V1 AST

    The V0 path is currently missing the BuildAnnotationSet function which breaks the build. This will be fixed, but the V0 path is an alias to the V1 path, so this is effectively the same. This does not have an impact on the required Rego for conftest users.

    Signed-off-by: James Alseth <[email protected]>

  ---------

  Signed-off-by: dependabot[bot] <[email protected]>
  Signed-off-by: James Alseth <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: James Alseth <[email protected]>

* build(deps): bump golang from 1.23.5-alpine to 1.23.6-alpine (open-policy-agent#1062)

  Bumps golang from 1.23.5-alpine to 1.23.6-alpine.

  ---
  updated-dependencies:
  - dependency-name: golang
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(engine): add query metadata to evaluation results (open-policy-agent#1061)

  * feat(engine): add query metadata to evaluation results

    Add query information to result metadata to enable output formatters to utilize the originating query in their output. This helps track which policy rule triggered each result.

    The change:
    - Adds query metadata to both string and map return types
    - Ensures metadata map is properly initialized
    - Adds comprehensive tests covering single and multiple results

    Signed-off-by: Ville Vesilehto <[email protected]>

  * test: split checks in TestQueryMetadata

    Check msg and meta in separate blocks, with separate err

    Signed-off-by: Ville Vesilehto <[email protected]>

  ---------

  Signed-off-by: Ville Vesilehto <[email protected]>

* engine: Refactor to allow for Rego version to be specified (open-policy-agent#1059)

  Signed-off-by: James Alseth <[email protected]>

* feat(parser): handle UTF-8 BOM in JSON input (open-policy-agent#1065)

  Strip UTF-8 BOM (byte order mark) from JSON input before parsing, allowing users to directly use files containing BOM with conftest. Matches OPA's implementation.

  Signed-off-by: Ville Vesilehto <[email protected]>

* test(plugin): add comprehensive plugin package tests (open-policy-agent#1056)

  * test(plugin): add comprehensive plugin package tests

    Add tests for Load, FindAll and plugin Exec functionality. Includes test coverage for plugin loading, discovery and command execution.

    Signed-off-by: Ville Vesilehto <[email protected]>

  * fix: proper file paths for plugin tests

    CacheDirectory() will resolve to current working directory if pre-defined directory structure is missing.

    Signed-off-by: Ville Vesilehto <[email protected]>

  ---------

  Signed-off-by: Ville Vesilehto <[email protected]>

* feat: Implement SARIF output (open-policy-agent#1042)

  * feat: add SARIF output format support

    Add Static Analysis Results Interchange Format (SARIF) v2.1.0 output support to conftest. SARIF is a standard JSON format for static analysis tools.
    - SARIF v2.1.0 schema compliance
    - Includes file locations and rule metadata
    - Tracks execution timing and status
    - Test coverage
    - Documentation

    Signed-off-by: Ville Vesilehto <[email protected]>

  * feat(output): implement SARIF output using go-sarif library

    Add Static Analysis Results Interchange Format (SARIF) v2.1.0 output support using the go-sarif library. This provides a standard JSON format for static analysis results with proper schema compliance.

    Key changes:
    - Use go-sarif/v2 library instead of custom implementation
    - Support all result types (failures, warnings, exceptions, successes)
    - Add comprehensive test coverage with JSON comparison
    - Document new output format in options.md

    The SARIF output includes:
    - File locations and rule metadata
    - Proper result levels (error/warning/note/none)
    - Execution status and exit codes
    - Rule properties from result metadata

    Signed-off-by: Ville Vesilehto <[email protected]>

  * refactor: address pr comments

    - refactor: remove getRuleIndex
      Use direct map lookups instead
    - refactor: succinct map lookups
      Map lookup with a fallback
    - refactor: move result type logic to addResult func
      Cleaner code, while not really idiomatic due to go-sarif library design.
    - fix: treat exceptions as success
      A file with only exceptions will be treated as a success. Exceptions will still be logged (with level "note") for visibility. The exit code will be 0 (success) when there are only exceptions.
    - refactor: simplify hasFailures and hasWarnings
      Risk of typo is too high
    - refactor: treat exceptions as successes in SARIF output
      Exceptions are now treated as successes in the SARIF output, removing the separate exception handling.
    - test: type safe test input for SARIF
      Probably helps writing further test cases, instead of bare JSON
    - refactor: use google/go-cmp for json diff
      Based on PR comment

    Signed-off-by: Ville Vesilehto <[email protected]>

  ---------

  Signed-off-by: Ville Vesilehto <[email protected]>

* chore: Change empty interface{} to any throughout the codebase (open-policy-agent#1057)

  The any type is a clearer intent than an empty interface.

  Signed-off-by: James Alseth <[email protected]>

* chore: Update all examples to OPA V1 syntax (open-policy-agent#1058)

  Signed-off-by: James Alseth <[email protected]>

* refactor(output): Add CheckResults type and helpers (open-policy-agent#1063)

  Adding a new type for a slice of CheckResult to add helper methods for checking if there were failures, warnings, or exceptions.

  Signed-off-by: James Alseth <[email protected]>

* feat(test): Enable inter-query cache (open-policy-agent#1073)

  This improves performance for some Rego policies, such as those that use the http.send builtin. This is only enabled for the "conftest test" command to avoid introducing flaky unit tests with "conftest verify" due to the caching.

  Signed-off-by: James Alseth <[email protected]>

* build(deps): bump github.com/open-policy-agent/opa from 1.1.0 to 1.2.0 (open-policy-agent#1080)

  * build(deps): bump github.com/open-policy-agent/opa from 1.1.0 to 1.2.0

    Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.1.0 to 1.2.0.
    - [Release notes](https://github.com/open-policy-agent/opa/releases)
    - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
    - [Commits](open-policy-agent/opa@v1.1.0...v1.2.0)

    ---
    updated-dependencies:
    - dependency-name: github.com/open-policy-agent/opa
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

  * build: Run `go mod tidy`.

    Signed-off-by: James Alseth <[email protected]>

  ---------

  Signed-off-by: dependabot[bot] <[email protected]>
  Signed-off-by: James Alseth <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: James Alseth <[email protected]>

* build(deps): bump alpine from 3.21.2 to 3.21.3 (open-policy-agent#1072)

  Bumps alpine from 3.21.2 to 3.21.3.

  ---
  updated-dependencies:
  - dependency-name: alpine
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/moby/buildkit from 0.19.0 to 0.20.0 (open-policy-agent#1076)

  Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.19.0 to 0.20.0.
  - [Release notes](https://github.com/moby/buildkit/releases)
  - [Commits](moby/buildkit@v0.19.0...v0.20.0)

  ---
  updated-dependencies:
  - dependency-name: github.com/moby/buildkit
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* refactor(ci): replace Makefile-based Docker builds with GitHub Action… (open-policy-agent#1075)

  * refactor(ci): replace Makefile-based Docker builds with GitHub Actions for easier maintenance

    Signed-off-by: Jesse Amamgbu <[email protected]>

* build(deps): bump golang from 1.23.6-alpine to 1.24.0-alpine (open-policy-agent#1071)

  * build(deps): bump golang from 1.23.6-alpine to 1.24.0-alpine

    Bumps golang from 1.23.6-alpine to 1.24.0-alpine.

    ---
    updated-dependencies:
    - dependency-name: golang
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

  * build: Bump Go to 1.24.

    Signed-off-by: James Alseth <[email protected]>

  ---------

  Signed-off-by: dependabot[bot] <[email protected]>
  Signed-off-by: James Alseth <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: James Alseth <[email protected]>

* feat: add --absolute-paths flag to pull command (open-policy-agent#1078)

  Add a new flag to the pull command that allows preserving absolute paths when downloading policies. By default, absolute paths in the --policy flag are treated as relative paths from the current directory. With the new --absolute-paths flag, users can specify absolute paths to download policies to.

  Signed-off-by: Ville Vesilehto <[email protected]>

* docs: clarify --trace flag behavior with --output flag (open-policy-agent#1060)

  Improve documentation to make it clear that when both --trace and --output flags are specified, the output format takes priority over tracing. This helps users understand that they cannot combine tracing with custom output formats like JSON or table.

  Signed-off-by: Ville Vesilehto <[email protected]>

* fix: Conftest can now successfully load files using a file URL (e.g., `file:///C:/path/to/data.yaml`) on windows (open-policy-agent#999)

  * fix: Conftest encounters errors on Windows when loading file paths that include drive letters (e.g., `C:/path/to/data.yaml`). Even when using a file URL (e.g., `file:///C:/path/to/data.yaml`), we still face issues.

    With these code changes, Conftest can now successfully load files using a file URL (e.g., `file:///C:/path/to/data.yaml`). We opted for file URLs instead of paths with drive letters (e.g., `C:/path/to/data.yaml`) because OPA does not support file paths with drive letters. For more details, see [this issue comment](open-policy-agent/opa#6922 (comment)).

    Resolves: open-policy-agent#979

    Signed-off-by: Punith C K <[email protected]>

  * fix: Removing WithProcessAnnotation(true) which is not needed for loading data files

    Signed-off-by: Punith C K <[email protected]>

  * fix: Conftest can now successfully load files using a file URL (e.g., file:///C:/path/to/data.yaml) on windows

    Removing duplicate code

    Signed-off-by: Punith C K <[email protected]>

  ---------

  Signed-off-by: Punith C K <[email protected]>
  Signed-off-by: Punith C K <[email protected]>
  Co-authored-by: Punith C K <[email protected]>

* ci: Revert "replace Makefile-based Docker builds with GitHub Action… (open-policy-agent#1075)" (open-policy-agent#1081)

  This reverts commit 854183b.

  Signed-off-by: James Alseth <[email protected]>

* build(deps): bump github.com/moby/buildkit from 0.20.0 to 0.20.1 (open-policy-agent#1083)

  Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.20.0 to 0.20.1.
  - [Release notes](https://github.com/moby/buildkit/releases)
  - [Commits](moby/buildkit@v0.20.0...v0.20.1)

  ---
  updated-dependencies:
  - dependency-name: github.com/moby/buildkit
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs: add documentation feature to the navigation bar (open-policy-agent#1087)

  Signed-off-by: boranx <[email protected]>

* feat: add pre-commit hook support (open-policy-agent#1077)

  * feat: add pre-commit hook support

    Add pre-commit integration to validate configurations against OPA policies:
    - Create .pre-commit-hooks.yaml with conftest test/verify hook configs
    - Add pre-commit hook tests using bats
    - Install pre-commit in CI workflow

    Signed-off-by: Ville Vesilehto <[email protected]>

  * chore: add teardown to pre-commit test

    Add teardown function so we clean up the test config.

    Signed-off-by: Ville Vesilehto <[email protected]>

  * chore: remove verbose from pre-commit test

    Test checks the return code only

    Signed-off-by: Ville Vesilehto <[email protected]>

  * chore: suggestions from the pr

    Co-authored-by: Boran Seref <[email protected]>
    Signed-off-by: Ville Vesilehto <[email protected]>

  * chore: add Makefile step for installing deps

    Since acceptance tests require pre-commit let's make sure it's available - if not, install with pip. This is bundled with the 'make test-acceptance' step so that local and CI environments behave the same way.

    Signed-off-by: Ville Vesilehto <[email protected]>

  * chore: use isolated temp repo for testing pre-commit

    - Create a temporary Git repository for each test run
    - Configure Git with test-specific user info and disabled signing
    - Use absolute paths for pre-commit hook configuration
    - Clean up test artifacts properly after each run
    - Remove dependency on main repository state

    Signed-off-by: Ville Vesilehto <[email protected]>

  ---------

  Signed-off-by: Ville Vesilehto <[email protected]>

* build(deps): bump golang from 1.24.0-alpine to 1.24.1-alpine (open-policy-agent#1086)

  Bumps golang from 1.24.0-alpine to 1.24.1-alpine.

  ---
  updated-dependencies:
  - dependency-name: golang
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/BurntSushi/toml from 1.4.0 to 1.5.0 (open-policy-agent#1089)

  Bumps [github.com/BurntSushi/toml](https://github.com/BurntSushi/toml) from 1.4.0 to 1.5.0.
  - [Release notes](https://github.com/BurntSushi/toml/releases)
  - [Commits](BurntSushi/toml@v1.4.0...v1.5.0)

  ---
  updated-dependencies:
  - dependency-name: github.com/BurntSushi/toml
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: Remove PR workflow access to all permissions from GITHUB_TOKEN (open-policy-agent#1088)

  Signed-off-by: James Alseth <[email protected]>

* build(deps): bump github.com/moby/buildkit from 0.20.1 to 0.20.2 (open-policy-agent#1091)

  Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.20.1 to 0.20.2.
  - [Release notes](https://github.com/moby/buildkit/releases)
  - [Commits](moby/buildkit@v0.20.1...v0.20.2)

  ---
  updated-dependencies:
  - dependency-name: github.com/moby/buildkit
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/open-policy-agent/opa from 1.2.0 to 1.3.0 (open-policy-agent#1092)

  Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.2.0 to 1.3.0.
  - [Release notes](https://github.com/open-policy-agent/opa/releases)
  - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
  - [Commits](open-policy-agent/opa@v1.2.0...v1.3.0)

  ---
  updated-dependencies:
  - dependency-name: github.com/open-policy-agent/opa
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump golang from 1.24.1-alpine to 1.24.2-alpine (open-policy-agent#1096)

  Bumps golang from 1.24.1-alpine to 1.24.2-alpine.

  ---
  updated-dependencies:
  - dependency-name: golang
    dependency-version: 1.24.2-alpine
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump cuelang.org/go from 0.12.0 to 0.12.1 (open-policy-agent#1094)

  Bumps cuelang.org/go from 0.12.0 to 0.12.1.

  ---
  updated-dependencies:
  - dependency-name: cuelang.org/go
    dependency-version: 0.12.1
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/magiconair/properties from 1.8.9 to 1.8.10 (open-policy-agent#1097)

  Bumps [github.com/magiconair/properties](https://github.com/magiconair/properties) from 1.8.9 to 1.8.10.
  - [Release notes](https://github.com/magiconair/properties/releases)
  - [Commits](magiconair/properties@v1.8.9...v1.8.10)

  ---
  updated-dependencies:
  - dependency-name: github.com/magiconair/properties
    dependency-version: 1.8.10
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* deps: Bump hcl2json to v0.6.7 (open-policy-agent#1074)

  Signed-off-by: James Alseth <[email protected]>

* refactor(ci): replace Makefile-based Docker builds with GitHub Action (open-policy-agent#1082)

  Signed-off-by: Jesse Amamgbu <[email protected]>

* docs: update default template link to use absolute URL (open-policy-agent#1099)

  Change the relative link to the default template to use an absolute URL pointing to the raw GitHub content for better accessibility. Currently the link is broken since the file from the relative path is not deployed to the docs site.

  Signed-off-by: Ville Vesilehto <[email protected]>

* chore: Update Github Actions via Dependabot (open-policy-agent#1100)

  Signed-off-by: Manuel Rüger <[email protected]>

* build(deps): bump golangci/golangci-lint-action from 6 to 7 (open-policy-agent#1103)

  * build(deps): bump golangci/golangci-lint-action from 6 to 7

    Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6 to 7.
    - [Release notes](https://github.com/golangci/golangci-lint-action/releases)
    - [Commits](golangci/golangci-lint-action@v6...v7)

    ---
    updated-dependencies:
    - dependency-name: golangci/golangci-lint-action
      dependency-version: '7'
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

  * ci: Run "golangci-lint migrate"

    Signed-off-by: James Alseth <[email protected]>

  ---------

  Signed-off-by: dependabot[bot] <[email protected]>
  Signed-off-by: James Alseth <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: James Alseth <[email protected]>

* build(deps): bump actions/setup-go from 4 to 5 (open-policy-agent#1102)

  Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
  - [Release notes](https://github.com/actions/setup-go/releases)
  - [Commits](actions/setup-go@v4...v5)

  ---
  updated-dependencies:
  - dependency-name: actions/setup-go
    dependency-version: '5'
    dependency-type: direct:production
    update-type: version-update:semver-major
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump bats-core/bats-action from 1.5.4 to 3.0.1 (open-policy-agent#1104)

  Bumps [bats-core/bats-action](https://github.com/bats-core/bats-action) from 1.5.4 to 3.0.1.
  - [Release notes](https://github.com/bats-core/bats-action/releases)
  - [Commits](bats-core/bats-action@1.5.4...3.0.1)

  ---
  updated-dependencies:
  - dependency-name: bats-core/bats-action
    dependency-version: 3.0.1
    dependency-type: direct:production
    update-type: version-update:semver-major
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: Move docker build to separate job in the PR workflow (open-policy-agent#1105)

  This step is slow to run and only needs to be tested after everything else.

  Signed-off-by: James Alseth <[email protected]>

* feat(runner): add support for symlinks (open-policy-agent#1098)

  Signed-off-by: Dieter Bocklandt <[email protected]>

* feat(output): redirect trace output to stderr (open-policy-agent#1084)

  Signed-off-by: Ville Vesilehto <[email protected]>

* build(deps): bump github.com/moby/buildkit from 0.20.2 to 0.21.0 (open-policy-agent#1101)

  Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.20.2 to 0.21.0.
  - [Release notes](https://github.com/moby/buildkit/releases)
  - [Commits](moby/buildkit@v0.20.2...v0.21.0)

  ---
  updated-dependencies:
  - dependency-name: github.com/moby/buildkit
    dependency-version: 0.21.0
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/moby/buildkit from 0.21.0 to 0.21.1 (open-policy-agent#1111)

  Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.21.0 to 0.21.1.
  - [Release notes](https://github.com/moby/buildkit/releases)
  - [Commits](moby/buildkit@v0.21.0...v0.21.1)

  ---
  updated-dependencies:
  - dependency-name: github.com/moby/buildkit
    dependency-version: 0.21.1
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/open-policy-agent/opa from 1.3.0 to 1.4.1 (open-policy-agent#1113)

  * build(deps): bump github.com/open-policy-agent/opa from 1.3.0 to 1.4.1

    Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.3.0 to 1.4.1.
    - [Release notes](https://github.com/open-policy-agent/opa/releases)
    - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
    - [Commits](open-policy-agent/opa@v1.3.0...v1.4.1)

    ---
    updated-dependencies:
    - dependency-name: github.com/open-policy-agent/opa
      dependency-version: 1.4.1
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

  * chore: go mod tidy

    Signed-off-by: James Alseth <[email protected]>

  ---------

  Signed-off-by: dependabot[bot] <[email protected]>
  Signed-off-by: James Alseth <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: James Alseth <[email protected]>

* docs: Make examples in the docs compatible with v1 syntax (open-policy-agent#1115)

  Signed-off-by: James Alseth <[email protected]>

* cli: Make Rego v1 syntax the default (open-policy-agent#1114)

  Signed-off-by: James Alseth <[email protected]>

* build(deps): bump golangci/golangci-lint-action from 7 to 8 (open-policy-agent#1119)

  Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 7 to 8.
  - [Release notes](https://github.com/golangci/golangci-lint-action/releases)
  - [Commits](golangci/golangci-lint-action@v7...v8)

  ---
  updated-dependencies:
  - dependency-name: golangci/golangci-lint-action
    dependency-version: '8'
    dependency-type: direct:production
    update-type: version-update:semver-major
  ...
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github.com/google/go-jsonnet from 0.20.0 to 0.21.0 (open-policy-agent#1120) Bumps [github.com/google/go-jsonnet](https://github.com/google/go-jsonnet) from 0.20.0 to 0.21.0. - [Release notes](https://github.com/google/go-jsonnet/releases) - [Changelog](https://github.com/google/go-jsonnet/blob/master/.goreleaser.yml) - [Commits](google/go-jsonnet@v0.20.0...v0.21.0) --- updated-dependencies: - dependency-name: github.com/google/go-jsonnet dependency-version: 0.21.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * docs: Update README.md to make it compatible with v1 syntax (open-policy-agent#1122) Signed-off-by: William Burton <[email protected]> * fix: revert makefile changes --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Ville Vesilehto <[email protected]> Signed-off-by: Alexandre Couedelo <[email protected]> Signed-off-by: James Alseth <[email protected]> Signed-off-by: Jesse Amamgbu <[email protected]> Signed-off-by: Punith C K <[email protected]> Signed-off-by: Punith C K <[email protected]> Signed-off-by: boranx <[email protected]> Signed-off-by: Manuel Rüger <[email protected]> Signed-off-by: Dieter Bocklandt <[email protected]> Signed-off-by: William Burton <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Ville Vesilehto <[email protected]> Co-authored-by: Anders Eknert <[email protected]> Co-authored-by: Alexandre Couedelo <[email protected]> Co-authored-by: James Alseth <[email protected]> Co-authored-by: Jesse Amamgbu <[email protected]> Co-authored-by: pckvcode <[email protected]> Co-authored-by: Punith C K <[email protected]> 
Co-authored-by: Boran Seref <[email protected]> Co-authored-by: Manuel Rüger <[email protected]> Co-authored-by: Dieter Bocklandt <[email protected]> Co-authored-by: William Burton <[email protected]>
1 parent c8fa83f commit 70ca14c


49 files changed: +1169 / -536 lines changed

.github/dependabot.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -30,3 +30,8 @@ updates:
3030
directory: "/"
3131
schedule:
3232
interval: "weekly"
33+
34+
- package-ecosystem: "github-actions"
35+
directory: "/"
36+
schedule:
37+
interval: "weekly"
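Review bot: the new `github-actions` block only lets Dependabot bump major version tags such as `actions/setup-go@v5`; it does not pin the actions to commit SHAs, so the workflows keep trusting mutable tags. If SHA pinning is wanted, pin the `uses:` lines by hash (Dependabot keeps a hash-pinned action updated and annotates it with the version comment). A `groups:` entry would also stop one weekly run from opening a separate PR per action.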

.github/workflows/release.yaml

Lines changed: 6 additions & 3 deletions
@@ -4,6 +4,9 @@ on:
44
push:
55
tags:
66
- 'v*'
7+
env:
8+
IMAGE: openpolicyagent/conftest
9+
PLATFORMS: linux/amd64,linux/arm64
710

811
jobs:
912
release:
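Review bot: `IMAGE` and `PLATFORMS` are added as workflow-level env in the release workflow, but nothing in the visible changes to this file reads them; the job that consumes `${{ env.IMAGE }}` and `${{ env.PLATFORMS }}` is the docker job added to the PR workflow. Either wire them into the release job's image build or drop them here so the two workflows do not drift.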
@@ -42,14 +45,14 @@ jobs:
4245
# run: make push TAG=$VERSION
4346

4447
- name: setup go
45-
uses: actions/setup-go@v4
48+
uses: actions/setup-go@v5
4649
with:
47-
go-version: "1.23.x"
50+
go-version: "1.24.x"
4851

4952
- name: release
5053
uses: goreleaser/goreleaser-action@v6
5154
with:
5255
args: release --clean
5356
version: "~> v1"
5457
env:
55-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
58+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
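Review bot: the Go version is now hardcoded in three places (`go-version: "1.24.x"` here and in the PR workflow, `golang:1.24.2-alpine` in the Dockerfile); `go-version-file: go.mod` on `actions/setup-go@v5` would keep the workflows in sync with the module automatically. The final `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` line is a whitespace-only change and could be left out of the hunk.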

.github/workflows_bak/pr.yaml

Lines changed: 37 additions & 14 deletions
@@ -2,17 +2,12 @@ name: pr
22

33
on: [pull_request]
44

5-
permissions:
6-
actions: read
7-
checks: none
8-
contents: none
9-
deployments: none
10-
issues: none
11-
packages: none
12-
pull-requests: none
13-
repository-projects: none
14-
security-events: none
15-
statuses: none
5+
6+
permissions: {}
7+
8+
env:
9+
IMAGE: openpolicyagent/conftest
10+
PLATFORMS: linux/amd64,linux/arm64
1611

1712
jobs:
1813
style:
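Review bot: this file lives under `.github/workflows_bak/`, and GitHub Actions only executes workflows from `.github/workflows/`, so none of the PR checks edited here (lint, tests, the new docker job) run on pull requests in this fork; confirm that is intended. On the permissions change itself, `permissions: {}` is the least-privilege form and matches the removed block except that `actions: read` is no longer granted, which is fine as long as no step queries the Actions API (artifacts, run metadata).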
@@ -59,11 +54,11 @@ jobs:
5954
- name: setup go
6055
uses: actions/setup-go@v5
6156
with:
62-
go-version: "1.23.x"
57+
go-version: "1.24.x"
6358
cache: false
6459

6560
- name: golangci-lint
66-
uses: golangci/golangci-lint-action@v6
61+
uses: golangci/golangci-lint-action@v8
6762
with:
6863
args: --timeout=5m --color=always --max-same-issues=0 --max-issues-per-linter=0
6964

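Review bot: `golangci/golangci-lint-action@v8` runs golangci-lint v2, which rejects the v1 configuration format, so this bump only works together with the `.golangci.yaml` migration to `version: "2"` in this same commit; keep the two changes in one release and do not cherry-pick one without the other. Like the other actions here it is referenced by a mutable major tag rather than a commit SHA.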
@@ -73,8 +68,16 @@ jobs:
7368
- name: unit test
7469
run: make test
7570

71+
# Ensure Actions runner has Python installed
72+
# This is required for pre-commit tests to work
73+
- name: setup python
74+
uses: actions/setup-python@v5
75+
with:
76+
python-version: '3.13'
77+
cache: 'pip'
78+
7679
- name: setup bats
77-
uses: bats-core/bats-action@1.5.4
80+
uses: bats-core/bats-action@3.0.1
7881
with:
7982
# Pin bats version to fix CI issue: https://github.com/bats-core/bats-action/pull/4
8083
bats-version: "1.10.0"
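Review bot: `cache: 'pip'` on `actions/setup-python@v5` hashes a dependency file to build the cache key; the list this repo installs is `requirements-dev.txt` (see the Makefile), so set `cache-dependency-path: requirements-dev.txt` if the default lookup does not pick that file up, otherwise the cache key never changes when the requirements do. With `bats-core/bats-action` jumping from 1.5.4 to 3.0.1, the comment `# Pin bats version to fix CI issue: .../pull/4` may describe a workaround that no longer applies; re-check whether `bats-version: "1.10.0"` is still needed.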
@@ -91,3 +94,23 @@ jobs:
9194

9295
- name: test oci push/pull
9396
run: ./scripts/push-pull-e2e.sh
97+
98+
docker:
99+
runs-on: ubuntu-latest
100+
needs:
101+
- validate
102+
steps:
103+
- name: checkout source
104+
uses: actions/checkout@v4
105+
106+
- name: setup docker buildx
107+
run: docker buildx create --name conftestbuild --use
108+
109+
- name: Build Docker image
110+
uses: docker/build-push-action@v6
111+
with:
112+
context: .
113+
push: false
114+
tags: |
115+
${{ env.IMAGE }}:latest
116+
platforms: ${{ env.PLATFORMS }}
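Review bot: the new `docker` job builds for `linux/amd64,linux/arm64` on `ubuntu-latest`, but no step sets up QEMU (`docker/setup-qemu-action`), so the arm64 target only succeeds if the Dockerfile cross-compiles from `$BUILDPLATFORM`; confirm that, or add the QEMU step. `docker/setup-buildx-action` is the conventional pairing with `docker/build-push-action@v6` and would replace the ad hoc `docker buildx create --name conftestbuild --use` step. `push: false` without `load:` means nothing is exported, which is fine for a build-only check.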

.golangci.yaml

Lines changed: 35 additions & 16 deletions
@@ -1,23 +1,10 @@
1-
linters-settings:
2-
misspell:
3-
locale: US
4-
govet:
5-
enable:
6-
- nilness
7-
staticcheck:
8-
checks:
9-
- "all" # Include all checks except the ones below.
10-
- "-SA1019" # Do not block the build if deprecated functions or packages are used.
11-
1+
version: "2"
122
linters:
13-
disable-all: true
3+
default: none
144
enable:
155
- errcheck
166
- goconst
17-
- gofmt
18-
- goimports
197
- gosec
20-
- gosimple
218
- govet
229
- ineffassign
2310
- makezero
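Review bot: dropping `gosimple` (merged into `staticcheck`) and, in the next hunk, `typecheck` (no longer a linter) is correct for the v2 config, and `gofmt`/`goimports` move to the new `formatters` section. Note that `default: none` keeps the explicit allow-list, so any linter golangci-lint v2 enables by default stays off unless listed here.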
@@ -26,8 +13,40 @@ linters:
2613
- predeclared
2714
- revive
2815
- staticcheck
29-
- typecheck
3016
- unconvert
3117
- unparam
3218
- unused
3319
- wastedassign
20+
settings:
21+
govet:
22+
enable:
23+
- nilness
24+
misspell:
25+
locale: US
26+
staticcheck:
27+
checks:
28+
# These are processed in order. It is important that the inclusion
29+
# comes before the exclusion.
30+
- all
31+
- -SA1019
32+
exclusions:
33+
generated: lax
34+
presets:
35+
- comments
36+
- common-false-positives
37+
- legacy
38+
- std-error-handling
39+
paths:
40+
- third_party$
41+
- builtin$
42+
- examples$
43+
formatters:
44+
enable:
45+
- gofmt
46+
- goimports
47+
exclusions:
48+
generated: lax
49+
paths:
50+
- third_party$
51+
- builtin$
52+
- examples$
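Review bot: the new `exclusions.presets` block (`comments`, `common-false-positives`, `legacy`, `std-error-handling`) and `generated: lax` suppress findings that the old configuration, which had no exclusions, reported; in particular `std-error-handling` silences errcheck on common unchecked calls such as `Close()`. Since `gosec` and `errcheck` are enabled here, run the linter once against the pre-migration baseline and diff the findings to confirm the migration did not hide real ones.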

.pre-commit-hooks.yaml

Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
- id: conftest-test
2+
name: Conftest Test Policy Check
3+
description: Validate configuration files against Open Policy Agent policies using Conftest
4+
entry: conftest test
5+
language: golang
6+
pass_filenames: true
7+
require_serial: true
8+
minimum_pre_commit_version: "2.9.0"
9+
stages: [pre-commit, pre-merge-commit, pre-push, manual]
10+
11+
- id: conftest-verify
12+
name: Conftest Verify Policy Tests
13+
description: Run Rego unit tests for Conftest policies
14+
entry: conftest verify
15+
language: golang
16+
pass_filenames: false
17+
require_serial: true
18+
minimum_pre_commit_version: "2.9.0"
19+
stages: [pre-commit, pre-merge-commit, pre-push, manual]
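Review bot: the `conftest-test` hook has `pass_filenames: true` but declares no `files:` or `types:` filter, so every staged file (Go sources, Markdown, the Makefile) is handed to `conftest test`, which will either fail on unparsable inputs or report files no policy covers. Either add a default filter for the structured formats conftest parses (for example `types_or: [yaml, json, toml]`) or document that users must set `files:` in their own config. Both hooks also assume a `policy/` directory in the repository root, since no `-p` is passed.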

Dockerfile

Lines changed: 2 additions & 2 deletions
@@ -1,4 +1,4 @@
1-
FROM golang:1.23.6-alpine as base
1+
FROM golang:1.24.2-alpine as base
22
ARG TARGETARCH
33
ARG VERSION
44
ARG COMMIT
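Review bot: `FROM golang:1.24.2-alpine as base` keeps a lowercase `as` next to the uppercase `FROM`; BuildKit warns about mismatched keyword casing, so write `AS base` while touching the line. The base image is pinned by tag only; a digest (`golang:1.24.2-alpine@sha256:<digest>`) gives a reproducible build stage and Dependabot keeps digest pins updated too.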
@@ -52,7 +52,7 @@ RUN go install cuelang.org/go/cmd/cue@latest
5252
WORKDIR /examples
5353

5454
## RELEASE ##
55-
FROM alpine:3.21.2
55+
FROM alpine:3.21.3
5656

5757
# Install git for protocols that depend on it when using conftest pull
5858
RUN apk add --no-cache git
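Review bot: same point for the release stage: `alpine:3.21.3` is a mutable tag, so the shipped runtime image can change without a commit in this repository; pin by digest if reproducible, attestable releases matter, and the following `apk add --no-cache git` then becomes the only non-pinned input to the final image.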

Makefile

Lines changed: 6 additions & 2 deletions
@@ -39,11 +39,15 @@ test-examples: build ## Runs the tests for the examples.
3939
@bats acceptance.bats
4040

4141
.PHONY: test-acceptance
42-
test-acceptance: build ## Runs the tests in the test folder.
42+
test-acceptance: build install-test-deps ## Runs the tests in the test folder.
4343
@for testdir in $(TEST_DIRS) ; do \
4444
cd $(CURDIR)/$$testdir && CONFTEST=$(ROOT_DIR)/$(BIN) bats test.bats || exit 1; \
4545
done
4646

47+
.PHONY: install-test-deps
48+
install-test-deps: ## Installs dependencies required for testing.
49+
@command -v pre-commit >/dev/null 2>&1 || python -m pip install -r requirements-dev.txt
50+
4751
.PHONY: test-oci
4852
test-oci: ## Runs the OCI integration test for push and pull.
4953
@./scripts/push-pull-e2e.sh
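Review bot: `install-test-deps` installs into whatever `python` resolves to, with no virtual environment, so `make test-acceptance` can modify the developer's system or user site-packages; many distributions ship only `python3`, in which case the fallback after `command -v pre-commit` fails with `python: not found`. Prefer `python3 -m pip install --user` (or a venv) and, since this fetches packages from PyPI during a test run, pin `requirements-dev.txt` with hashes and pass `--require-hashes` so the install is reproducible.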
@@ -75,4 +79,4 @@ help:
7579
# @test -n "$(TAG)" || (echo "TAG parameter not set." && exit 1)
7680
# @$(DOCKER) buildx build . --push --build-arg VERSION="$(TAG)" -t $(IMAGE):$(TAG) --platform $(DOCKER_PLATFORMS)
7781
# @$(DOCKER) buildx build . --push --build-arg VERSION="$(TAG)" -t $(IMAGE):latest --platform $(DOCKER_PLATFORMS)
78-
# @$(DOCKER) buildx build . --push --target examples -t $(IMAGE):examples --platform $(DOCKER_PLATFORMS)
82+
# @$(DOCKER) buildx build . --push --target examples -t $(IMAGE):examples --platform $(DOCKER_PLATFORMS)
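Review bot: this hunk changes only trailing whitespace on a commented-out line; it adds noise to the diff and could be dropped.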

README.md

Lines changed: 2 additions & 2 deletions
@@ -15,14 +15,14 @@ Here's a quick example. Save the following as `policy/deployment.rego`:
1515
```rego
1616
package main
1717
18-
deny[msg] {
18+
deny contains msg if {
1919
input.kind == "Deployment"
2020
not input.spec.template.spec.securityContext.runAsNonRoot
2121
2222
msg := "Containers must not run as root"
2323
}
2424
25-
deny[msg] {
25+
deny contains msg if {
2626
input.kind == "Deployment"
2727
not input.spec.selector.matchLabels.app
2828
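Review bot: the example now uses Rego v1 syntax (`deny contains msg if`), matching the CLI change in this commit that makes v1 the default; users on older conftest releases will get a parse error on this snippet, so a one-line note on the minimum conftest version (or an `import rego.v1` line for compatibility with OPA 0.x parsers) next to the example would help.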

acceptance.bats

Lines changed: 9 additions & 0 deletions
@@ -521,3 +521,12 @@ EOF"
521521
[ "$status" -eq 1 ]
522522
[[ "$output" =~ "look up message type" ]]
523523
}
524+
525+
@test "Can parse files from a symlinked directory" {
526+
TMPDIR="$(mktemp -d -u)"
527+
ln -s $(pwd)/examples/hcl2 ${TMPDIR}
528+
run ./conftest test -p examples/hcl2/policy ${TMPDIR}
529+
rm -rf ${TMPDIR}
530+
[ "$status" -eq 1 ]
531+
[[ "$output" =~ "10 tests, 3 passed, 0 warnings, 7 failures, 0 exceptions" ]]
532+
}
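Review bot: `TMPDIR="$(mktemp -d -u)"` reassigns the `TMPDIR` environment variable that `mktemp` and other tools consult, so every later command in this test (and anything it spawns) sees a temp directory that does not exist; use a test-local name such as `link_dir`. `mktemp -u` only prints an unused name, which is acceptable here because the path becomes a symlink, but quote `$(pwd)` and `${TMPDIR}` so paths with spaces do not split. The expected string `10 tests, 3 passed, 0 warnings, 7 failures, 0 exceptions` couples the test to the current contents of `examples/hcl2`; asserting that a file from the linked directory appears in the output would be less brittle.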

docs/debug.md

Lines changed: 14 additions & 0 deletions
@@ -108,3 +108,17 @@ TRAC | Exit data.main.deny = _
108108
TRAC Redo data.main.deny = _
109109
TRAC | Redo data.main.deny = _
110110
```
111+
112+
## Using trace with other output formats
113+
114+
You can use the `--trace` flag together with any output format. When using `--trace` with formats like `--output=table` or `--output=json`, the trace information will be written to stderr while the formatted output will be written to stdout. This allows you to capture trace information for debugging while still using your preferred output format.
115+
116+
For example:
117+
118+
```console
119+
# Output trace to stderr and table format to stdout
120+
$ conftest test --trace --output=table deployment.yaml
121+
122+
# Capture trace output to a file while viewing table output
123+
$ conftest test --trace --output=table deployment.yaml 2>trace.log
124+
```
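Review bot: the new section should state from which conftest version `--trace` writes to stderr, since earlier releases wrote trace lines to stdout and the `2>trace.log` recipe silently captures nothing there. A short sentence that `--output=json` consumers can now parse stdout without first stripping `TRAC` lines would make the motivation for the change clear.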
