

Squashed commit of the following:
commit dbf3e9c9817ea625e0868d83c6e56ebd75e8c248
Merge: 6572cf6e 24050684
Author: Justin Lindh <justin.lindh@webfilings.com>
Date:   Wed Jan 12 14:07:56 2022 -0700

    Merge branch 'reachable_paths' of github.com:justinlindh-wf/opa into reachable_paths

    Signed-off-by: Justin Lindh <justin.lindh@webfilings.com>

commit 6572cf6e040dbff50e4518ba646429b9ba0414ce
Author: Justin Lindh <justin.lindh@webfilings.com>
Date:   Wed Jan 12 14:07:47 2022 -0700

    ast: remove unnecessary array nesting and cleanup tests

    Signed-off-by: Justin Lindh <justin.lindh@webfilings.com>

commit 2405068419e9299b12c43cdd09828e0009ba3fbd
Merge: dd39b4bd 38d0df0
Author: Justin Lindh <justin.lindh@workiva.com>
Date:   Wed Jan 12 11:08:10 2022 -0700

    Merge branch 'main' into reachable_paths

commit dd39b4bdf340f46182a34058490f1ed1bd3dacf9
Author: Justin Lindh <justin.lindh@workiva.com>
Date:   Wed Jan 12 11:04:42 2022 -0700

    Update docs/content/policy-reference.md

    Co-authored-by: Stephan Renatus <stephan@styra.com>

commit 38d0df0
Author: Anders Eknert <anders@eknert.com>
Date:   Tue Jan 11 09:24:31 2022 +0100

    cicd: Update release notes mentions (open-policy-agent#4207)

    Since Github will automatically link to user profiles mentioned
    by their username, _and_ create a "Contributors" section for the
    release notes with user avatars, it seems good to follow that
    convention.

    Signed-off-by: Anders Eknert <anders@eknert.com>

commit c676a7e
Author: wasm-updater <wasm-updater@github.com>
Date:   Tue Jan 11 06:49:24 2022 +0000

    wasm: Update generated binaries

commit 3250a2c
Author: Kristian Svalland <54534849+kristiansvalland@users.noreply.github.com>
Date:   Tue Jan 11 07:47:33 2022 +0100

    wasm: Add native support for json.is_valid (open-policy-agent#4204)

    wasm: Add support for WASM and simple tests.
    internal: Add opa_json_is_valid to map of wasm built-ins.
    docs: Indicate that WASM support is now available for json.is_valid.

    Fixes open-policy-agent#4140

    Signed-off-by: Kristian Svalland <kristian.svalland@gmail.com>

commit abc08cd8977cb677cbb28c6c55afe9e17658cf3a
Author: Justin Lindh <justin.lindh@webfilings.com>
Date:   Mon Jan 10 16:44:09 2022 -0700

    ast: rename test cases from yml to yaml

    Signed-off-by: Justin Lindh <justin.lindh@webfilings.com>

commit 3fdce9e23406422a24b82f21a792c2ac92b8f650
Author: Justin Lindh <justin.lindh@webfilings.com>
Date:   Mon Jan 10 14:17:02 2022 -0700

    ast: graph.reachable_paths is SDK-dependant

    Signed-off-by: Justin Lindh <justin.lindh@webfilings.com>

commit 79d86d0a1af1c220eb4da180e85b6ebccab7738e
Merge: 791f1bbc 04425f05
Author: Justin Lindh <justin.lindh@webfilings.com>
Date:   Mon Jan 10 13:13:31 2022 -0700

    Merge branch 'reachable_paths' of github.com:justinlindh-wf/opa into reachable_paths

commit 791f1bbc952919660f024f094b7e2579895c26e0
Merge: fe6fef47 6090608
Author: Justin Lindh <justin.lindh@webfilings.com>
Date:   Mon Jan 10 13:12:13 2022 -0700

    Merge branch 'main' of github.com:open-policy-agent/opa into reachable_paths

commit fe6fef470f4aea8035d7ab175ce20a53deab2052
Author: Justin Lindh <justin.lindh@webfilings.com>
Date:   Mon Jan 10 13:11:54 2022 -0700

    ast: add graph.reachable_paths

    Signed-off-by: Justin Lindh <justin.lindh@webfilings.com>

commit 04425f0543ba149cefde7a6880abac7d8161354b
Merge: 1afc295c 6090608
Author: Justin Lindh <justin.lindh@workiva.com>
Date:   Mon Jan 10 12:56:34 2022 -0700

    Merge branch 'main' into reachable_paths

commit 6090608
Author: Anders Eknert <anders@eknert.com>
Date:   Mon Jan 10 20:51:39 2022 +0100

    opa inspect: unhide command (open-policy-agent#4194)

    People aren't going to find it unless we show it's there.

    Signed-off-by: Anders Eknert <anders@eknert.com>

commit 1afc295c6b246eecd383a02afb6c79a118bd7ffd
Author: Justin Lindh <justin.lindh@webfilings.com>
Date:   Mon Jan 10 12:50:27 2022 -0700

    ast: add graph.reachable_paths

    Signed-off-by: Justin Lindh <justin.lindh@webfilings.com>

commit 8b33bca
Author: Kristian Svalland <54534849+kristiansvalland@users.noreply.github.com>
Date:   Mon Jan 10 20:04:30 2022 +0100

    topdown: Use `json.Valid` instead of `util.UnmarshalJSON` to avoid unnecessary allocations. (open-policy-agent#4203)

    Signed-off-by: Kristian Svalland <kristian.svalland@gmail.com>

commit 4985e4b
Author: Anders Eknert <anders@eknert.com>
Date:   Mon Jan 10 10:39:55 2022 +0100

    docs: Consistent indentation (open-policy-agent#4201)

    Must have missed these last iteration..

    Signed-off-by: Anders Eknert <anders@eknert.com>

commit 75ba6bf
Author: Corey Hinkle <bugg123@gmail.com>
Date:   Fri Jan 7 15:56:13 2022 -0500

    Add detail-tab for collapsable markdown (open-policy-agent#4199)

    Default markdown renderer does not allow for unsafe combinations.
    Shortcode provided to wrap markdown that may contain URLs as opposed to
    allowing unsafe rendering.

    Signed-off-by: Corey Hinkle <bugg123@gmail.com>

commit 3cf8839
Author: Dan Oliver <djoliver89@gmail.com>
Date:   Fri Jan 7 12:52:37 2022 +0000

     docs/management-bundles: add hint that S3 regional endpoint should be used (open-policy-agent#4196)

    Global endpoints lead to 307 responses until they're fully provisioned;
    that in turn causes the Authorization header to not be forwarded, and
    the GET request thus fails.

    Signed-off-by: Dan Oliver <dan.oliver@iress.com>

commit 829086a
Author: Anders Eknert <anders@eknert.com>
Date:   Fri Jan 7 13:18:09 2022 +0100

    Ensure http.send caching works in system.authz (open-policy-agent#4195)

    Fixes open-policy-agent#3946

    Signed-off-by: Anders Eknert <anders@eknert.com>

commit cf37313
Author: Anders Eknert <anders@eknert.com>
Date:   Fri Jan 7 09:50:24 2022 +0100

    opa eval: add description to all formats (open-policy-agent#4191)

    Add description for `--format=source` and
    `--format=raw` to `opa eval -h` output.

    Signed-off-by: Anders Eknert <anders@eknert.com>

commit 61c0c46
Author: Peter ONeill <33669114+peteroneilljr@users.noreply.github.com>
Date:   Fri Jan 7 08:29:58 2022 +0200

    docs/ssh-and-sudo-authorization: Add Missing Filename (open-policy-agent#4192)

    Signed-off-by: Peter ONeill <peteroneilljr@gmail.com>

commit b3ef19e
Author: Matt Mahnke <mattmahn@users.noreply.github.com>
Date:   Thu Jan 6 15:03:31 2022 -0600

    docs: fix typo for tls-cert-refresh-period (open-policy-agent#4190)

    Signed-off-by: Matt Mahnke <mattmahn@users.noreply.github.com>

commit 52ddfd9
Author: Shuhei Kitagawa <shuheiktgw@users.noreply.github.com>
Date:   Thu Jan 6 17:58:27 2022 +0900

    topdown: Support indexof_n built-in function (open-policy-agent#4172)

    Fixes open-policy-agent#4155

    Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

commit 449fdfe
Author: José Carlos Chávez <jcchavezs@gmail.com>
Date:   Thu Jan 6 09:13:57 2022 +0100

    chore: improves auth plugin resolution. (open-policy-agent#4175)

    * chore: improves auth plugin resolution.

    Currently when aiming to use a Plugin in credentials section, if the plugin is known then it will be resolved, if it isn't, it will be passed to the supported credentials and tried to be cast as HTTPAuthPlugin which ends up in a casting issue without further feedback on what was the plugin string.

    Signed-off-by: José Carlos Chávez <jcchavezs@gmail.com>

commit 16f85a4
Author: Stephan Renatus <stephan.renatus@gmail.com>
Date:   Thu Jan 6 08:49:39 2022 +0100

    website: update redirects (open-policy-agent#4103)

    The "Option 5" redirect never worked, the fragment (i.e. behind the #)
    never reaches the server, it's a client-side thing.

    Adds a redirect for the renamed contrib section.

    Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

commit c0a692d
Author: Vlad Iovanov <vlad@aserto.com>
Date:   Thu Jan 6 08:42:22 2022 +0200

    logging: Remove logger GetFields function (open-policy-agent#4116)

    This removes the GetFields function from the logger interface, as mentioned in open-policy-agent#4114.

    GetFields used to be called in one place, creating a new logger using fields from an
    http client afaict. I am not sure if my changes have the desired effect in that case,
    or how this was desired to work - since the fields of the client are always changing
    when making requests.

    Fixes open-policy-agent#4114.

    Signed-off-by: viovanov <vlad@aserto.com>

commit ca6259c
Author: Anders Eknert <anders@eknert.com>
Date:   Wed Jan 5 18:54:55 2022 +0100

    docs: Fix integration policy (open-policy-agent#4185)

    `some id` left after policy cleanup caused the Rego
    compiler to rightfully protest when I tried integrating
    OPA as a library today.

    Signed-off-by: Anders Eknert <anders@eknert.com>

commit 78f0ae2
Author: rvalkenaers <rien.valkenaers@gmail.com>
Date:   Wed Jan 5 16:57:59 2022 +0100

    docs: fix configuration example (open-policy-agent#4184)

    Signed-off-by: rvalkenaers <rien.valkenaers@gmail.com>

commit f22e9cc
Author: Anders Eknert <anders@eknert.com>
Date:   Wed Jan 5 07:51:08 2022 +0100

    Apply credentials masking on opa.runtime().config (open-policy-agent#4165)

    In order to prevent sensitive data to accidentally
    leak out into policies, reuse masking logic previously
    serving the /v1/config endpoint.

    Fixes open-policy-agent#4159

    Signed-off-by: Anders Eknert <anders@eknert.com>

commit 50dc871
Author: Shuhei Kitagawa <shuheiktgw@users.noreply.github.com>
Date:   Wed Jan 5 15:34:16 2022 +0900

    topdown: Improve the builtin indexof function performance (open-policy-agent#4169)

    Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

commit d3fbd53
Author: Anders Eknert <anders@eknert.com>
Date:   Tue Jan 4 19:22:53 2022 +0100

    Build darwin/arm64 in post tag workflow (open-policy-agent#4182)

    Signed-off-by: Anders Eknert <anders@eknert.com>

commit 67def9b
Author: Anders Eknert <anders@eknert.com>
Date:   Tue Jan 4 18:35:32 2022 +0100

    Prepare v0.37.0 development (open-policy-agent#4180)

    Signed-off-by: Anders Eknert <anders@eknert.com>

commit c2b2c62
Author: Anders Eknert <anders@eknert.com>
Date:   Tue Jan 4 16:49:24 2022 +0100

    Prepare v0.36.0 release (open-policy-agent#4178)

    Signed-off-by: Anders Eknert <anders@eknert.com>

commit 0ddf1db
Author: Anders Eknert <anders@eknert.com>
Date:   Thu Dec 30 20:25:32 2021 +0100

    Add Open Service Mesh to ecosystem (open-policy-agent#4171)

    Also:
    * Add some links to Kubernetes authorization item
    * Add SPIFFE/SPIRE blog
    * Extend Rego tests to verify added/modified YAML files as valid

    The last point was intended to be for the integrations.yaml file
    only, but thinking more about it made sense not to limit the check
    to a single file.

    Signed-off-by: Anders Eknert <anders@eknert.com>

commit 06664d0
Author: Shuhei Kitagawa <shuheiktgw@users.noreply.github.com>
Date:   Tue Dec 28 16:43:28 2021 +0900

    ci: Update golangci-lint to v1.43.0 (open-policy-agent#4173)

    Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

commit 31422b4
Author: wasm-updater <wasm-updater@github.com>
Date:   Mon Dec 27 11:49:38 2021 +0000

    wasm: Update generated binaries

commit 6f81c4a
Author: Kristian Svalland <54534849+kristiansvalland@users.noreply.github.com>
Date:   Mon Dec 27 12:47:39 2021 +0100

    Add `array.reverse(array)` and `strings.reverse(string)` built-in functions. (open-policy-agent#4161)

    The function `array.reverse` takes an array as an argument, and returns an array with a reversed order of elements.
    The function `strings.reverse` takes a string as an argument, and returns a string with a reversed order of unicode code points.
    WASM support is included for both built-ins.

    Fixes open-policy-agent#3736

    Signed-off-by: Kristian Svalland <kristian.svalland@gmail.com>

commit 328ffcd
Author: yilinzeng <36651058+yzeng25@users.noreply.github.com>
Date:   Fri Dec 24 23:33:23 2021 +0800

    docs/website add blog links for apisix blog (open-policy-agent#4168)

    Signed-off-by: yilin <yzeng25@wisc.edu>
justinlindh-wf committed Jan 12, 2022
1 parent 48b8be3 commit 15cc9d5
Showing 59 changed files with 5,030 additions and 109 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/post-tag.yaml
@@ -57,7 +57,7 @@ jobs:
go-version: ${{ steps.go_version.outputs.go_version }}

- name: Build Darwin
run: make ci-build-darwin
run: make ci-build-darwin ci-build-darwin-arm64-static
timeout-minutes: 30
env:
TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }}
4 changes: 2 additions & 2 deletions .github/workflows/pull-request.yaml
@@ -287,11 +287,11 @@ jobs:
uses: infracost/setup-opa@v1

- name: Test policies
run: opa test .github/policy
run: opa test build/policy

- name: Run policy checks on changed files
run: |
curl --silent --fail --header 'Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files \
| opa eval --data .github/policy/files.rego --format values --stdin-input --fail-defined 'data.files.deny[message]'
| opa eval --bundle build/policy/ --format values --stdin-input --fail-defined 'data.files.deny[message]'
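Review bot: The `opa eval --bundle build/policy/` step now loads a policy that calls `http.send` (see `get_file_in_pr` in `build/policy/files.rego`), but the invocation puts no limit on which hosts the evaluation may contact. The changelog in this same commit describes the `allow_net` capability for this purpose; consider passing a capabilities file with `--capabilities` whose `allow_net` lists only the host that serves `raw_url`. Separately, the `curl` call on the context lines requests a single page of the files listing, so on a large pull request the policy may see only part of the changed files; adding a `per_page` query parameter and handling further pages is worth confirming.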
97 changes: 97 additions & 0 deletions CHANGELOG.md
@@ -5,6 +5,103 @@ project adheres to [Semantic Versioning](http://semver.org/).

## Unreleased

## 0.36.0

This release contains a number of fixes and enhancements.

### OpenTelemetry and opa exec

This release adds OpenTelemetry support to OPA. This makes it possible to emit spans to an OpenTelemetry collector via
gRPC on both incoming and outgoing (i.e. http.send) calls in the server. See the updated docs on
[monitoring](https://www.openpolicyagent.org/docs/latest/monitoring/) for more information and configuration options
([#1469](https://github.com/open-policy-agent/opa/issues/1469)) authored by @[rvalkenaers](https://github.com/rvalkenaers)

This release also adds a new `opa exec` command for doing one-off evaluations of policy against input similar to
`opa eval`, but using the full capabilities of the server (config file, plugins, etc). This is particularly useful in
contexts such as CI/CD or when enforcing policy for infrastructure as code, where one might want to run OPA with remote
bundles and decision logs but without having a running server. See the updated docs on
[Terraform](https://www.openpolicyagent.org/docs/latest/terraform/) for an example use case.
([#3525](https://github.com/open-policy-agent/opa/issues/3525))

### Built-in Functions

- Four new functions for working with HMAC (`crypto.hmac.md5`, `crypto.hmac.sha1`, `crypto.hmac.sha256`, and `crypto.hmac.sha512`) was added ([#1740](https://github.com/open-policy-agent/opa/issues/1740)) reported by @[jshaw86](https://github.com/jshaw86)
- `array.reverse(array)` and `strings.reverse(string)` was added for reversing arrays and strings ([#3736](https://github.com/open-policy-agent/opa/issues/3736)) authored by @[kristiansvalland](https://github.com/kristiansvalland) and @[olamiko](https://github.com/olamiko)
- The `http.send` built-in function now uses a metric for counting inter-query cache hits ([#4023](https://github.com/open-policy-agent/opa/issues/4023)) authored by @[mirayadav](https://github.com/mirayadav)
- An overflow issue with dates very far in the future has been fixed in the `time.*` built-in functions ([#4098](https://github.com/open-policy-agent/opa/issues/4098)) reported by @[morgante](https://github.com/morgante)

### Tooling

- A problem with future keyword import of `in` was fixed for `opa fmt` ([#4111](https://github.com/open-policy-agent/opa/issues/4111)) reported by @[keshavprasadms](https://github.com/keshavprasadms)
- An issue with `opa fmt` when refs contained operators was fixed (authored by @[jaspervdj-luminal](https://github.com/jaspervdj-luminal))
- Fix file renaming check in optimization using `opa build` (authored by @[davidmarne-wf](https://github.com/davidmarne-wf))
- The `allow_net` capability was added, allowing setting limits on what hosts can be reached in built-ins like `http.send` and `net.lookup_ip_addr` ([#3665](https://github.com/open-policy-agent/opa/issues/3665))

### Server

- A new credential provider for AWS credential files was added ([#2786](https://github.com/open-policy-agent/opa/issues/2786)) reported by @[rgueldem](https://github.com/rgueldem)
- The new `--tls-cert-refresh-period` flag can now be provided to `opa run`. If used with a positive duration, such as "5m" (5 minutes),
"24h", etc, the server will track the certificate and key files' contents. When their content changes, the certificates will be
reloaded ([#2500](https://github.com/open-policy-agent/opa/issues/2500)) reported by @[patoarvizu](https://github.com/patoarvizu)
- A new `v1/status` endpoint was added, providing the same data as the status plugin would send to a remote endpoint ([#4089](https://github.com/open-policy-agent/opa/issues/4089))
- The HTTP router of OPA is now exposed to the plugin manager ([#2777](https://github.com/open-policy-agent/opa/issues/2777)) authored by @[bhoriuchi](https://github.com/bhoriuchi) reported by @[mneil](https://github.com/mneil)
- Calling `print` now works in decision masking policies
- An unintended switch between long/regular polling on 304 HTTP status was fixed ([#3923](https://github.com/open-policy-agent/opa/issues/3923)) authored by @[floriangasc](https://github.com/floriangasc)
- The error message about prohibited config in the discovery plugin has been improved
- The discovery plugin no longer panics in Trigger() if downloader is nil
- The bundle plugin now ignores service errors for file:// resources
- The bundle plugin file loader was updated to support directories
- A timer to HTTP request was added to the downloader
- The requested_by field in the logging plugin is now optional

### Rego

- The error message raised when using `-` with a number and a set is now more specific (as opposed to the correct usage with two sets, or two numbers) ([#1643](https://github.com/open-policy-agent/opa/issues/1643))
- Fixed an edge case when using print and arrays in unification ([#4078](https://github.com/open-policy-agent/opa/issues/4078))
- Improved performance of some array operations by caching an array's groundness bit ([#3679](https://github.com/open-policy-agent/opa/issues/3679))
- ⚠️ Stricter check of arity in undefined function stage ([#4054](https://github.com/open-policy-agent/opa/issues/4054)).
This change will fail evaluation in some unusual cases where it previously would succeed, but these policies should be very uncommon.

An example policy that previously would succeed but no longer will (wrong arity):

```rego
package policy
default p = false
p {
x := is_blue()
input.bar[x]
}
is_blue(fruit) = y { # doesn't use fruit
y := input.foo
}
```

### SDK

- The `opa.runtime()` built-in is now made available to the SDK ([#4050](https://github.com/open-policy-agent/opa/issues/4050) authored by @[oren-zohar](https://github.com/oren-zohar) and @[cmschuetz](https://github.com/cmschuetz)
- Plugins are now exposed on the SDK object
- The SDK now supports graceful shutdown ([#3980](https://github.com/open-policy-agent/opa/issues/3980)) reported by @[brianchhun-chime](https://github.com/brianchhun-chime)
- `print` output is now sent to the configured logger

### Website and Documentation

- All pages in the docs now have a feedback button ([#3664](https://github.com/open-policy-agent/opa/issues/3664)) authored by @[alan-ma](https://github.com/alan-ma)
- The Kafka docs have been updated to use the new Kafka plugin, and to use the OPA management APIs
- The Terraform tutorial was updated to use `opa exec` ([#3965](https://github.com/open-policy-agent/opa/issues/3965))
- The docs on Contributing as well as the Vendor Guidelines have been updated
- The term "whitelist" has been replaced by "allowlist" across the docs
- A simple destructuring assignment example was added to the docs
- The docs have been reviewed on the use of assignment, equality and comparison operators, to make sure they follow best practice

### CI

- SHA256 checksums of CI builds now published to release directory ([#3448](https://github.com/open-policy-agent/opa/issues/3448)) authored by @[johanneslarsson](https://github.com/johanneslarsson) reported by @[raesene](https://github.com/raesene)
- golangci-lint upgraded to v1.43.0 (authored by @[shuheiktgw](https://github.com/shuheiktgw))
- The build now creates an executable for darwin/arm64. This should work as expected, but is currently tested in the CI pipeline like the other binaries
- PRs targeting the [ecosystem](https://www.openpolicyagent.org/docs/latest/ecosystem/) page are now checked for mistakes using Rego policies

## 0.35.0

This release contains a number of fixes and enhancements.
2 changes: 1 addition & 1 deletion Makefile
@@ -23,7 +23,7 @@ GOVERSION ?= $(shell cat ./.go-version)
GOARCH := $(shell go env GOARCH)
GOOS := $(shell go env GOOS)

GOLANGCI_LINT_VERSION := v1.40.1
GOLANGCI_LINT_VERSION := v1.43.0

DOCKER_RUNNING := $(shell docker ps >/dev/null 2>&1 && echo 1 || echo 0)

58 changes: 58 additions & 0 deletions ast/builtins.go
@@ -80,6 +80,7 @@ var DefaultBuiltins = [...]*Builtin{
// Arrays
ArrayConcat,
ArraySlice,
ArrayReverse,

// Conversions
ToNumber,
@@ -111,6 +112,7 @@ var DefaultBuiltins = [...]*Builtin{
Concat,
FormatInt,
IndexOf,
IndexOfN,
Substring,
Lower,
Upper,
@@ -127,6 +129,7 @@ var DefaultBuiltins = [...]*Builtin{
TrimSuffix,
TrimSpace,
Sprintf,
StringReverse,

// Numbers
NumbersRange,
@@ -208,6 +211,7 @@ var DefaultBuiltins = [...]*Builtin{
// Graphs
WalkBuiltin,
ReachableBuiltin,
ReachablePathsBuiltin,

// Sort
Sort,
@@ -717,6 +721,17 @@ var ArraySlice = &Builtin{
),
}

// ArrayReverse returns a given array, reversed
var ArrayReverse = &Builtin{
Name: "array.reverse",
Decl: types.NewFunction(
types.Args(
types.NewArray(nil, types.A),
),
types.NewArray(nil, types.A),
),
}

/**
* Conversions
*/
@@ -882,6 +897,18 @@ var IndexOf = &Builtin{
),
}

// IndexOfN returns a list of all the indexes of a substring contained inside a string
var IndexOfN = &Builtin{
Name: "indexof_n",
Decl: types.NewFunction(
types.Args(
types.S,
types.S,
),
types.NewArray(nil, types.N),
),
}

// Substring returns the portion of a string for a given start index and a length.
// If the length is less than zero, then substring returns the remainder of the string.
var Substring = &Builtin{
@@ -1080,6 +1107,17 @@ var Sprintf = &Builtin{
),
}

// StringReverse returns the given string, reversed.
var StringReverse = &Builtin{
Name: "strings.reverse",
Decl: types.NewFunction(
types.Args(
types.S,
),
types.S,
),
}

/**
* Numbers
*/
@@ -1970,6 +2008,26 @@ var ReachableBuiltin = &Builtin{
),
}

// ReachablePathsBuiltin computes the set of reachable paths in the graph from a set
// of starting nodes.
var ReachablePathsBuiltin = &Builtin{
Name: "graph.reachable_paths",
Decl: types.NewFunction(
types.Args(
types.NewObject(
nil,
types.NewDynamicProperty(
types.A,
types.NewAny(
types.NewSet(types.A),
types.NewArray(nil, types.A)),
)),
types.NewAny(types.NewSet(types.A), types.NewArray(nil, types.A)),
),
types.NewSet(types.NewArray(nil, types.A)),
),
}

/**
* Sorting
*/
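Review bot: The doc comment on `ReachablePathsBuiltin` does not say what a returned path contains or how cycles in the input graph are handled, and the declared result type `types.NewSet(types.NewArray(nil, types.A))` cannot tell a policy author either. Enumerating paths over caller-supplied graph data can presumably grow much faster than the node set `graph.reachable` returns, so the comment should state the termination and output-size behaviour; the implementation is outside this section, so confirm it there. Something like `// ReachablePathsBuiltin computes the set of paths, each an array of nodes, reachable from the starting nodes; <state cycle handling and output bound>.` would do. The `IndexOfN` comment could likewise say whether the returned offsets count bytes or code points.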
4 changes: 2 additions & 2 deletions build/changelog.py
@@ -102,15 +102,15 @@ def get_github_id(commit_message, commit_id, token):
def mention_author(commit_message, commit_id, token):
username = get_github_id(commit_message, commit_id, token)
if username not in org_members_usernames:
return "authored by @[{author}](https://github.com/{author})".format(author=username)
return "authored by @{author}".format(author=username)
return ""

def get_issue_reporter(issue_id, token):
url = "https://api.github.com/repos/open-policy-agent/opa/issues/{issue_id}".format(issue_id=issue_id)
issue_data = fetch(url, token)
username = issue_data.get("user", "").get("login", "")
if username not in org_members_usernames:
return "reported by @[{reporter}](https://github.com/{reporter})".format(reporter=username)
return "reported by @{reporter}".format(reporter=username)
return ""

def fixes_issue_id(commit_message):
29 changes: 19 additions & 10 deletions .github/policy/files.rego → build/policy/files.rego
@@ -9,14 +9,19 @@ package files

import future.keywords.in

filenames := [f | f := input[_].filename]
import data.helpers.endswith_any
import data.helpers.last_indexof

filenames := {f.filename | some f in input}

changes := {filename: attributes |
c := input[_]
filename := c.filename
attributes := object.remove(c, ["filename"])
some change in input
filename := change.filename
attributes := object.remove(change, ["filename"])
}

get_file_in_pr(filename) = http.send({"url": changes[filename].raw_url, "method": "GET"}).raw_body

deny["Logo must be placed in docs/website/static/img/logos/integrations"] {
"docs/website/data/integrations.yaml" in filenames

@@ -37,10 +42,14 @@ deny["Logo must be a .png file"] {
not endswith(filename, ".png")
}

last_indexof(string, search) = i {
all := [i | chars := split(string, ""); chars[i] == search]
count(all) > 0
i := all[count(all) - 1]
} else = -1 {
true
# Helper rule to work around not being able to mock functions yet
yaml_file_contents := {filename: get_file_in_pr(filename) |
some filename in filenames
endswith_any(filename, [".yml", ".yaml"])
}

deny[sprintf("%s is an invalid YAML file", [filename])] {
some filename, content in yaml_file_contents
changes[filename].status in {"added", "modified"}
not yaml.is_valid(content)
}
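Review bot: `get_file_in_pr` returns `raw_body` without checking `status_code`, so a non-200 response body is handed to `yaml.is_valid` as if it were the file, and an error body that happens to parse as YAML would pass the check. The request URL is also taken straight from `changes[filename].raw_url` in the input with no check on its scheme or host. Bind the response, require a 200 status, and add a `deny` for changed YAML files whose content could not be fetched, so the rule fails closed instead of silently dropping them from `yaml_file_contents`. Restricting the reachable host is best done at evaluation time with the `allow_net` capability described in this commit's changelog.

```rego
# … unchanged: imports, filenames, changes …

get_file_in_pr(filename) = resp.raw_body {
	resp := http.send({"url": changes[filename].raw_url, "method": "GET"})
	resp.status_code == 200
}

# … unchanged: logo deny rules, yaml_file_contents, invalid-YAML deny rule …

deny[sprintf("%s could not be fetched for validation", [filename])] {
	some filename in filenames
	endswith_any(filename, [".yml", ".yaml"])
	changes[filename].status in {"added", "modified"}
	not yaml_file_contents[filename]
}
```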
11 changes: 11 additions & 0 deletions .github/policy/files_test.rego → build/policy/files_test.rego
@@ -42,3 +42,14 @@ test_deny_logo_if_not_png_file {
},
]
}

test_deny_invalid_yaml_file {
expected := "invalid.yaml is an invalid YAML file"
deny[expected] with data.files.yaml_file_contents as {"invalid.yaml": "{null{}}"}
with data.files.changes as {"invalid.yaml": {"status": "modified"}}
}

test_allow_valid_yaml_file {
count(deny) == 0 with data.files.yaml_file_contents as {"valid.yaml": "foo: bar"}
with data.files.changes as {"valid.yaml": {"status": "modified"}}
}
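--- a/build/policy/helpers.rego
+++ b/build/policy/helpers.rego
@@ -0,0 +1,16 @@
+package helpers
+
+import future.keywords.in
+
+last_indexof(string, search) = i {
+all := [i | chars := split(string, ""); chars[i] == search]
+count(all) > 0
+i := all[count(all) - 1]
+} else = -1 {
+true
+}
+
+endswith_any(string, suffixes) {
+some suffix in suffixes
+endswith(string, suffix)
+}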
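Review bot: `last_indexof` only ever matches a single-character `search`, because it compares `search` against the elements of `split(string, "")`; a longer `search` falls through to the `else = -1` branch. Neither helper carries a comment, so this limit and the `-1` result are easy to miss at the call sites in `files.rego`. Add `# last_indexof returns the index of the last occurrence of the single character search in string, or -1 when it does not occur.` above it, and `# endswith_any is true when string ends with at least one of suffixes.` above `endswith_any`.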
1 change: 1 addition & 0 deletions bundle/filefs.go
@@ -1,3 +1,4 @@
//go:build go1.16
// +build go1.16

package bundle
1 change: 1 addition & 0 deletions bundle/filefs_test.go
@@ -1,3 +1,4 @@
//go:build go1.16
// +build go1.16

package bundle
