Bump OPA version from v0.68.0 to v0.69.0 and Set new accepted minimum to v0.69.0 #1348

Merged: 6 commits, Oct 3, 2024

github-actions[bot]
Contributor

@github-actions github-actions bot commented Oct 1, 2024

🗣 Description

  • This pull request was created by a GitHub Action to bump ScubaGear's Open Policy Agent (OPA) executable version dependency.
  • Updated to also set the new minimum version to v0.69.0 for the UTF8 strip BOM if found fix.
  • Updated the OPA workflow to handle update case when only a single version is found.

💭 Motivation and context

🧪 Testing

  • Currently a human should still check if bumping the OPA version affects ScubaGear.
  • After importing ScubaGear (Import-Module .\PowerShell\ScubaGear), run Install-OPAforSCuBA to download the latest version.
  • Ran Invoke-SCuBA against a few of the tenants no issues.
  • Ran OPA unit tests no issues.
  • See this forked PR for how the workflow updates were tested.

📷 Screenshots

Passing unit tests.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • PR targets the correct parent branch (e.g., main or release-name) for merge.
  • Changes are limited to a single goal - eschew scope creep!
  • Changes are sized such that they do not touch excessive number of files.
  • These code changes follow the ScubaGear content style guide.
  • Related issues these changes resolve are linked preferably via closing keywords.
  • All relevant type-of-change labels added.
  • All relevant project fields are set.
  • All relevant functional tests passed.
  • All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Pre-merge checklist

  • PR passed smoke test check.

  • Feature branch has been rebased against changes from parent branch, as needed

    Use Rebase branch button below or use this reference to rebase from the command line.

  • Resolved all merge conflicts on branch

  • Notified merge coordinator that PR is ready for merge via comment mention

✅ Post-merge checklist

  • Feature branch deleted after merge to clean up repository.
  • Verified that all checks pass on parent branch (e.g., main or release-name) after merge.

@github-actions github-actions bot added the version bump This issue or pull request increments the version number label Oct 1, 2024
@buidav buidav self-assigned this Oct 1, 2024
@buidav buidav changed the title Bump OPA version from v0.68.0 to v0.69.0 Bump OPA version from v0.68.0 to v0.69.0 and Set new minimum to v0.69.0 Oct 1, 2024
@buidav buidav changed the title Bump OPA version from v0.68.0 to v0.69.0 and Set new minimum to v0.69.0 Bump OPA version from v0.68.0 to v0.69.0 and Set new accepted minimum to v0.69.0 Oct 1, 2024
@buidav buidav added this to the Jellyfish milestone Oct 1, 2024
@buidav buidav requested review from adhilto and schrolla October 2, 2024 00:14
@schrolla
Collaborator

schrolla commented Oct 2, 2024

@buidav Do we want to prevent use of previous versions of OPA and start anew with 0.69? Our NoBOM fixes means ScubaGear is still compatible with previous versions, and 0.69 wasn't a security fix release.

@buidav
Collaborator

buidav commented Oct 2, 2024

> @buidav Do we want to prevent use of previous versions of OPA and start anew with 0.69? Our NoBOM fixes means ScubaGear is still compatible with previous versions, and 0.69 wasn't a security fix release.

Yes. From a previous discussion, the thought there was to start anew with the new version as an extra layer of assurance that the BOM issue will never appear again.

@schrolla
Collaborator

schrolla commented Oct 2, 2024

@buidav During testing/review I also noticed a small error (not directly from this update) that caused the error message from Install-OPAforSCuBA to not correctly list acceptable versions if asked to install a specific version outside the list due to a variable name typo. Added that fix to this PR as it is straightforward and related. Hope you don't mind.

@buidav
Collaborator

buidav commented Oct 2, 2024

> @buidav During testing/review I also noticed a small error (not directly from this update) that caused the error message from Install-OPAforSCuBA to not correctly list acceptable versions if asked to install a specific version outside the list due to a variable name typo. Added that fix to this PR as it is straightforward and related. Hope you don't mind.

huh that's probably been there for a while. Good find!

Collaborator

@schrolla schrolla left a comment

Ran Install-OPAforSCuBA with default options and -ExpectedVersion outside the acceptable list. Worked as expected (after fixing error message with commit).
Also ran Initialize-SCuBA which calls same function to confirm it would update older OPA versions as expected as well. Worked as expected.
Invoke-SCuBA and unit tests all ran and passed as expected with 0.69 version of OPA Rego engine as well.
Seems reasonable to cut the acceptable list to the latest at this time to prevent further issues with the BOM and to trim support for older releases at this time.

Collaborator

@adhilto adhilto left a comment

I ran Invoke-Scuba before upgrading my OPA, then ran Initialize-SCuBA to upgrade, then ran Invoke-Scuba again. Results of the two runs matched.

I also ran Invoke-ScubaCached with an old provider output JSON I had that had the BOM. Our favorite unable to parse input: yaml error happened when run with the old OPA executable but ran successfully with the latest version!
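
The BOM condition discussed in this thread, as an added example that is not part of the PR or of ScubaGear's code: a PowerShell check for a UTF-8 byte order mark (bytes EF BB BF) at the start of a JSON file, with an in-place strip. The function names and the sample file are hypothetical, and the sample content is constructed.

```powershell
# Added example; Test-Utf8Bom and Remove-Utf8Bom are hypothetical names,
# not ScubaGear functions.

function Test-Utf8Bom {
    param([Parameter(Mandatory)][string]$Path)
    # A UTF-8 BOM is the three bytes EF BB BF at offset 0 of the file.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and
            $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF)
}

function Remove-Utf8Bom {
    param([Parameter(Mandatory)][string]$Path)
    # Leave files without a BOM untouched and report that nothing changed.
    if (-not (Test-Utf8Bom -Path $Path)) { return $false }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Copy everything after the first three bytes; a file that is only a BOM
    # yields an empty array.
    $rest = [byte[]]::new($bytes.Length - 3)
    [System.Array]::Copy($bytes, 3, $rest, 0, $rest.Length)
    [System.IO.File]::WriteAllBytes($Path, $rest)
    return $true
}

# Constructed sample: a small JSON document written with a leading BOM.
# A full path is used because .NET file APIs resolve relative paths against
# the process working directory, not the PowerShell location.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'bom-sample.json'
[byte[]]$body = [System.Text.Encoding]::ASCII.GetBytes('{"sample": "constructed"}')
[byte[]]$withBom = [byte[]](0xEF, 0xBB, 0xBF) + $body
[System.IO.File]::WriteAllBytes($sample, $withBom)

Test-Utf8Bom -Path $sample      # check the file as written
Remove-Utf8Bom -Path $sample    # strip the BOM in place
Test-Utf8Bom -Path $sample      # check again after the strip
Remove-Item -Path $sample
```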

@buidav
Collaborator

buidav commented Oct 2, 2024

@nanda-katikaneni ready to merge

@schrolla schrolla force-pushed the opa-version-bump-0.69.0 branch from 92f06d4 to 9ee9bfc Compare October 3, 2024 13:55
@nanda-katikaneni nanda-katikaneni merged commit 9d9b1d2 into main Oct 3, 2024
26 checks passed
@nanda-katikaneni nanda-katikaneni deleted the opa-version-bump-0.69.0 branch October 3, 2024 16:02