Merge pull request #987 from newrelic/dev

Release 11.4

.github/workflows/security-scan.yml

@@ -0,0 +1,48 @@
+name: Security scan
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+  schedule:
+    - cron: '0 0 * * 0' # Every Sunday at 12:00 AM
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout newrelic-php-agent code
+        uses: actions/checkout@v4
+        with:
+          path: php-agent
+      - name: Run Trivy in table mode
+        # Table output is only useful when running on a pull request or push.
+        if: contains(fromJSON('["push", "pull_request"]'), github.event_name)
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: ./php-agent
+          trivy-config: ./php-agent/trivy.yaml
+          trivyignores: ./php-agent/.trivyignore
+          format: table
+          exit-code: 1
+
+      - name: Run Trivy in report mode
+        # Only generate sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: ./php-agent
+          trivy-config: ./php-agent/trivy.yaml
+          trivyignores: ./php-agent/.trivyignore
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        # Only upload sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif

.trivyignore

@@ -0,0 +1,2 @@
+# Ignore missing HEALTHCHECK in Dockerfile - devenv service from files/Dockerfile doesn't need it:
+AVD-DS-0026

Makefile

@@ -475,25 +475,28 @@ test-services-stop:
 # Docker Development Environment
 #
 
-dev-shell:
-	docker compose --profile dev up --build --remove-orphans -d
-	docker exec -it agent-devenv bash -c "sh files/set_path.sh ; bash"
+devenv-image:
+	@docker compose --profile dev build devenv
 
-dev-build:
-	docker compose --profile dev up --build --remove-orphans -d
-	docker exec -it agent-devenv bash -c "sh files/set_path.sh ; make -j4 all"
+dev-shell: devenv-image
+	docker compose --profile dev up --pull missing --remove-orphans -d
+	docker compose exec -it devenv bash -c "sh files/set_path.sh ; bash"
 
-dev-unit-tests:
-	docker compose --profile dev up --build --remove-orphans -d
-	docker exec -it agent-devenv bash -c "sh files/set_path.sh ; make -j4 valgrind"
+dev-build: devenv-image
+	docker compose --profile dev up --pull missing --remove-orphans -d
+	docker compose exec -it devenv bash -c "sh files/set_path.sh ; make -j4 all"
 
-dev-integration-tests:
-	docker compose --profile dev up --build --remove-orphans -d
-	docker exec -it agent-devenv bash -c "sh files/set_path.sh ; ./bin/integration_runner -agent ./agent/.libs/newrelic.so"
+dev-unit-tests: devenv-image
+	docker compose --profile dev up --pull missing --remove-orphans -d
+	docker compose exec -it devenv bash -c "sh files/set_path.sh ; make -j4 valgrind"
 
-dev-all:
-	docker compose --profile dev up --build --remove-orphans -d
-	docker exec -it agent-devenv bash -c "sh files/set_path.sh ; make -j4 all valgrind; ./bin/integration_runner -agent ./agent/.libs/newrelic.so"
+dev-integration-tests: devenv-image
+	docker compose --profile dev up --pull missing --remove-orphans -d
+	docker compose exec -it devenv bash -c "sh files/set_path.sh ; ./bin/integration_runner -agent ./agent/.libs/newrelic.so"
+
+dev-all: devenv-image
+	docker compose --profile dev up --pull missing --remove-orphans -d
+	docker compose exec -it devenv bash -c "sh files/set_path.sh ; make -j4 all valgrind; ./bin/integration_runner -agent ./agent/.libs/newrelic.so"
 
 dev-stop:
 	docker compose --profile dev stop

VERSION

@@ -1 +1 @@
-11.3.0
+11.4.0