go module fixes

.gitleaks.toml

@@ -1,3 +1,19 @@
+# Copyright The Conforma Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
 [allowlist]
   description = "Project allowlist"
 

.tool-versions

@@ -1 +1 @@
-golang 1.24.4
+golang 1.24.6

Dockerfile

@@ -16,7 +16,7 @@
 
 ## Build
 
-FROM docker.io/library/golang:1.24.4 AS build
+FROM docker.io/library/golang:1.24.6 AS build
 
 ARG TARGETOS
 ARG TARGETARCH

Dockerfile.dist

@@ -16,7 +16,7 @@
 
 ## Build
 
-FROM registry.access.redhat.com/ubi9/go-toolset:1.24.4@sha256:3ce6311380d5180599a3016031a9112542d43715244816d1d0eabc937952667b AS build
+FROM registry.access.redhat.com/ubi9/go-toolset:1.24.6 AS build
 
 ARG TARGETOS
 ARG TARGETARCH

acceptance/acceptance_test.go

@@ -148,7 +148,7 @@ func TestMain(t *testing.M) {
 	v := t.Run()
 
 	// After all tests have run `go-snaps` can check for not used snapshots
-	snaps.Clean(t)
+	_, _ = snaps.Clean(t)
 
 	os.Exit(v)
 }

acceptance/crypto/keys.go

@@ -101,7 +101,7 @@ func SignerWithKey(ctx context.Context, keyName string) (signature.SignerVerifie
 		return nil, err
 	}
 
-	return cosign.LoadPrivateKey(key.PrivateBytes, key.Password())
+	return cosign.LoadPrivateKey(key.PrivateBytes, key.Password(), nil)
 }
 
 // PublicKeysFrom returns a map of all public keys encoded in PEM format

docs/modules/ROOT/pages/ec_opa_bench.adoc

@@ -14,6 +14,7 @@ Example with bundle and input data:
 	opa bench -b ./policy-bundle -i input.json 'data.authz.allow'
 
 To run benchmarks against a running OPA server to evaluate server overhead use the --e2e flag.
+To enable more detailed analysis use the --metrics and --benchmem flags.
 
 The optional "gobench" output format conforms to the Go Benchmark Data Format.
 

docs/modules/ROOT/pages/ec_opa_build.adoc

@@ -64,14 +64,14 @@ The 'build' command supports targets (specified by -t):
             original policy or data files.
 
     plan    The plan target emits a bundle containing a plan, i.e., an intermediate
-            representation compiled from the input files for each specified entrypoint.
-            This is for further processing, OPA cannot evaluate a "plan bundle" like it
-            can evaluate a wasm or rego bundle.
+			representation compiled from the input files for each specified entrypoint.
+			This is for further processing, OPA cannot evaluate a "plan bundle" like it
+			can evaluate a wasm or rego bundle.
 
-The -e flag tells the 'build' command which documents (entrypoints) will be queried by 
-the software asking for policy decisions, so that it can focus optimization efforts and 
+The -e flag tells the 'build' command which documents (entrypoints) will be queried by
+the software asking for policy decisions, so that it can focus optimization efforts and
 ensure that document is not eliminated by the optimizer.
-Note: Unless the --prune-unused flag is used, any rule transitively referring to a 
+Note: Unless the --prune-unused flag is used, any rule transitively referring to a
 package or rule declared as an entrypoint will also be enumerated as an entrypoint.
 
 Signing

docs/modules/ROOT/pages/ec_opa_exec.adoc

@@ -21,6 +21,7 @@ After: Decision Logs
 By default, the 'exec' command executes the "default decision" (specified in
 the OPA configuration) against each input file. This can be overridden by
 specifying the --decision argument and pointing at a specific policy decision,
+
 e.g., opa exec --decision /foo/bar/baz ...
 
 [source,shell]
@@ -30,15 +31,15 @@ ec opa exec <path> [<path> [...]] [flags]
 
 == Examples
   Loading input from stdin:
-    documentation exec [<path> [...]] --stdin-input [flags]
+    opa exec [<path> [...]] --stdin-input [flags]
 
 == Options
 
 -b, --bundle:: set bundle file(s) or directory path(s). This flag can be repeated.
 -c, --config-file:: set path of configuration file
 --decision:: set decision to evaluate
---fail:: exits with non-zero exit code on undefined result and errors (Default: false)
---fail-defined:: exits with non-zero exit code on defined result and errors (Default: false)
+--fail:: exits with non-zero exit code on undefined/empty result and errors (Default: false)
+--fail-defined:: exits with non-zero exit code on defined/non-empty result and errors (Default: false)
 --fail-non-empty:: exits with non-zero exit code on non-empty result and errors (Default: false)
 -f, --format:: set output format (Default: json)
 -h, --help:: help for exec (Default: false)

docs/modules/ROOT/pages/ec_opa_inspect.adoc

@@ -1,13 +1,13 @@
 = ec opa inspect
 
-Inspect OPA bundle(s) or Rego files.
+Inspect OPA bundle(s)
 
 == Synopsis
 
-Inspect OPA bundle(s) or Rego files.
+Inspect OPA bundle(s).
 
-The 'inspect' command provides a summary of the contents in OPA bundle(s) or a single Rego file. Bundles are
-gzipped tarballs containing policies and data. The 'inspect' command reads bundle(s) and lists
+The 'inspect' command provides a summary of the contents in OPA bundle(s) or a single Rego file.
+Bundles are gzipped tarballs containing policies and data. The 'inspect' command reads bundle(s) and lists
 the following:
 
 * packages that are contributed by .rego files
@@ -23,10 +23,10 @@ Example:
     bundle.tar.gz
     $ opa inspect bundle.tar.gz
 
-You can provide exactly one OPA bundle, path to a bundle directory, or direct path to a Rego file to the 'inspect' command
-on the command-line. If you provide a path referring to a directory, the 'inspect' command will load that path as a bundle
-and summarize its structure and contents. If you provide a path referring to a Rego file, the 'inspect' command will load
-that file and summarize its structure and contents.
+You can provide exactly one OPA bundle, to a bundle directory, or direct path to a Rego file to the 'inspect'
+command on the command-line. If you provide a path referring to a directory, the 'inspect' command will load that path as
+a bundle and summarize its structure and contents.  If you provide a path referring to a Rego file, the 'inspect' command
+will load that file and summarize its structure and contents.
 
 [source,shell]
 ----

docs/modules/ROOT/pages/ec_opa_run.adoc

@@ -4,7 +4,7 @@ Start OPA in interactive or server mode
 
 == Synopsis
 
-Start an instance of the Open Policy Agent (OPA).
+Start an instance of OPA.
 
 To run the interactive shell:
 

docs/modules/ROOT/pages/ec_opa_test.adoc

@@ -65,7 +65,7 @@ If used with the '--bench' option then tests will be benchmarked.
 
 Example benchmark run:
 
-	$ opa test --bench ./example/
+	$  opa test --bench ./example/
 
 The optional "gobench" output format conforms to the Go Benchmark Data Format.
 

docs/modules/ROOT/pages/ec_sigstore_initialize.adoc

@@ -42,6 +42,7 @@ ec initialize -mirror <url> -root <url>
 -h, --help:: help for initialize (Default: false)
 --mirror:: GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap) (Default: https://tuf-repo-cdn.sigstore.dev)
 --root:: path to trusted initial root. defaults to embedded root
+--root-checksum:: checksum of the initial root, required if root is downloaded via http(s). expects sha256 by default, can be changed to sha512 by providing sha512:<checksum>
 
 == Options inherited from parent commands
 

features/__snapshots__/opa.snap

@@ -14,7 +14,7 @@ Available Commands:
   eval         Evaluate a Rego query
   exec         Execute against input files
   fmt          Format Rego source files
-  inspect      Inspect OPA bundle(s) or Rego files.
+  inspect      Inspect OPA bundle(s)
   parse        Parse Rego source file
   run          Start OPA in interactive or server mode
   sign         Generate an OPA bundle signature