A dead-simple version manager for Open Policy Agent (OPA).
opavm lets you install, pin, and switch OPA versions locally and per-project so your policies run against the same OPA version in dev, CI, and production.
No Docker. No magic. Just predictable binaries.
OPA is "just a single binary" until it isn't. Teams regularly run into:
- different OPA versions in CI vs local
- silent upgrades via package managers
- subtle behavior changes across releases
- ad-hoc scripts and manual downloads
opavm solves this by making OPA versioning explicit, reproducible, and boring.
- Install specific OPA versions (or latest)
- Install Regal (Rego linter/LSP) versions
- Set a global default version per tool (opa/regal)
- Pin per project with .opa-version or .regal-version
- Automatically switch versions by directory
- CI-safe execution without PATH hacks
- Rich progress bar UI for installs
- Show recent OPA/Regal releases in a Rich table (opavm releases)
- Zero runtime services, zero configuration files
v0.1 supports:
- macOS (amd64, arm64)
- Linux (amd64, arm64)
- Windows (amd64)
Install as a Python package (recommended with pipx):
pipx install opavm
Or with pip:
pip install opavm
Then add the shim directory to your shell.
macOS/Linux:
export PATH="$HOME/.opavm/shims:$PATH"
Windows PowerShell:
$env:Path = "$HOME\.opavm\shims;$env:Path"
opavm uses fixed upstream repos:
- open-policy-agent/opa for OPA release lookup
- StyraInc/regal for Regal release lookup
If you hit GitHub API rate limits, set OPAVM_GITHUB_TOKEN.
Install OPA:
opavm install 0.62.1
Set a global default:
opavm use 0.62.1
opavm use 0.38.1 --tool regal
Now:
opa version
uses OPA 0.62.1.
Inside a repo that requires a specific version:
opavm pin 0.61.0
opavm pin 0.38.1 --tool regal
If that version is not installed, opavm prompts to install it.
This creates tool-specific version files:
.opa-version # OPA
.regal-version # Regal
Anywhere inside that repo:
opa version
automatically resolves to 0.61.0.
Outside the repo, your global version is used again.
Install versions:
opavm install 0.62.1
opavm install latest
opavm install regal 0.38.1
opavm install regal latest
List installed versions:
opavm list
opavm list --tool regal
Switch global version:
opavm use 0.63.0
opavm use 0.38.1 --tool regal
See what's active (and why):
opavm current
opavm current --tool regal
Get the actual binary path:
opavm which
opavm which --tool regal
opavm which prints the resolved binary as an absolute path.
Show recent OPA releases:
opavm releases --limit 10
opavm releases --tool regal --limit 10
Run OPA without relying on PATH (CI-safe):
opavm exec -- test -v ./policy
opavm exec --tool regal -- lint policy/
Remove a version:
opavm uninstall 0.59.0
opavm uninstall 0.38.1 --tool regal
When you resolve a tool with current, which, or exec:
- Look for the tool pin file in the current directory or parents
- Use .opa-version for OPA, .regal-version for Regal
- If found, use that version
- Otherwise, use the global default for that tool
- If neither exists, error with guidance
This behavior is deterministic and transparent.
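The resolution order above as a small Python sketch; this is an added example, not opavm's own code. The function names and the strict version pattern are assumptions made here: the pattern rejects pin contents containing path separators before a version string could be used to build a path under ~/.opavm.

```python
import re
import tempfile
from pathlib import Path

PIN_FILES = {"opa": ".opa-version", "regal": ".regal-version"}  # names from the README
# Assumption: versions look like 0.62.1 (optional leading "v"). Anything else is
# rejected so a pin file cannot put path separators into the install path.
VERSION_RE = re.compile(r"v?(\d+\.\d+\.\d+)")

class ResolutionError(Exception):
    """Raised when no usable version can be determined."""

def parse_version(raw, origin):
    match = VERSION_RE.fullmatch(raw.strip())
    if not match:
        raise ResolutionError(f"invalid version {raw!r} from {origin}")
    return match.group(1)

def resolve(tool, start, global_default=None):
    """Return (version, source): nearest pin file first, then the global default."""
    start = Path(start).resolve()
    for directory in (start, *start.parents):
        pin = directory / PIN_FILES[tool]
        if pin.is_file():
            return parse_version(pin.read_text(), pin), f"pin file {pin}"
    if global_default is not None:
        return parse_version(global_default, "global default"), "global default"
    raise ResolutionError(f"no {PIN_FILES[tool]} found and no global default for {tool}; "
                          "run 'opavm pin' or 'opavm use' with a version")

def demo():
    """Constructed tree: repo/ is pinned to 0.61.0, other/ has no pin."""
    with tempfile.TemporaryDirectory() as tmp:
        nested = Path(tmp, "repo", "policy", "authz")
        nested.mkdir(parents=True)
        Path(tmp, "repo", ".opa-version").write_text("0.61.0\n")
        other = Path(tmp, "other")
        other.mkdir()
        pinned = resolve("opa", nested, "0.62.1")
        fallback = resolve("opa", other, "0.62.1")
        Path(other, ".opa-version").write_text("../0.61.0\n")  # constructed malformed pin
        try:
            resolve("opa", other, "0.62.1")
            rejected = False
        except ResolutionError:
            rejected = True
        return pinned[0], fallback[0], rejected

if __name__ == "__main__":
    print(demo())
```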
~/.opavm/
|- versions/
|  |- 0.62.1/opa
|  `- 0.63.0/opa
|- tools/
|  `- regal/
|     `- versions/
|        `- 0.38.1/regal
|- shims/
|  `- opa (or opa.cmd on Windows)
`- state.json
.opa-version and .regal-version files live in your project repos and should usually be committed.
You don't need shell shims in CI:
opavm install 0.62.1
opavm exec -- test ./policy
This guarantees the correct OPA version regardless of environment.
- opavm verifies downloaded binaries by executing <tool> version after install.
- For releases that provide *.sha256 assets (for example OPA), opavm validates SHA256 before completing install.
- GitHub error handling includes actionable messages for:
  - proxy misconfiguration (HTTP_PROXY/HTTPS_PROXY)
  - rate limit exhaustion
  - network connectivity failures
  - auth/permission failures
Contributor workflow, testing gates, and CircleCI release details are in contribution.md.
- Not a container runtime
- Not a policy runner
- Not a plugin manager
It does one thing: manage OPA binaries predictably.
Apache 2.0.
See LICENSE and license.md.