Manually upgrade github.com/open-policy-agent/opa -> v1.4.0

[jkylekelly]

OPA v1.1.0 is pulled in as an indirect dependency through cosign v2.5.0, which actually supports up to v1.4.2. The version downgrade occurs because this fork also includes sigstore/policy-controller as a module, and policy-controller has not upgraded its OPA dependency from v1.1.0. Go's module resolution selects v1.1.0 as the minimum version that satisfies both cosign's and policy-controller's requirements.

Manually bumping this due to GHSA-6m8w-jc87-6cr7 even though it does not affect this repository. The advisory is only relevant when OPA is deployed as a standalone server.

[Copilot]

Pull Request Overview

This PR bumps the github.com/open-policy-agent/opa indirect dependency from v1.1.0 to v1.4.0 (manually overriding the minimum version selected by Go modules) and updates several other indirect module versions to their latest patch releases.

• Manually override OPA to v1.4.0 to address advisory GHSA-6m8w-jc87-6cr7
• Update grpc, grpc-gateway, otelhttp, opencontainers/image-spec, and other indirect dependencies
• Added newer indirect modules pulled in by transitive dependencies

Comments suppressed due to low confidence (2)

go.mod:224

• [nitpick] Add a brief comment above the OPA require line linking to the advisory (GHSA-6m8w-jc87-6cr7) or PR description to clarify why this indirect dependency is being overridden.

-	github.com/open-policy-agent/opa v1.1.0 // indirect

go.mod:1

• Run go mod tidy after these changes to prune any unused indirect dependencies and ensure the module file is clean.

module github.com/your/repo

[Copilot]

Consider upgrading OPA to the latest supported patch release (v1.4.2) instead of v1.4.0 to include all bug fixes and stay aligned with cosign's supported range.

Suggested change

	github.com/open-policy-agent/opa v1.4.0 // indirect
	github.com/open-policy-agent/opa v1.4.2 // indirect