user_role: Add roles list input for user_role

.github/workflows/ansible-test-windows.yml

@@ -44,6 +44,7 @@ jobs:
   integration:
     runs-on: ${{ matrix.os }}
     name: I (Ⓐ${{ matrix.ansible }}+win-2022|grp${{ matrix.group }})
+    continue-on-error: ${{ matrix.ansible == 'devel' }}
     strategy:
       fail-fast: false
       matrix:
@@ -73,9 +74,7 @@ jobs:
     env:
       NAMESPACE: lowlydba  # zizmor: ignore[template-injection] -- Static value
       COLLECTION_NAME: sqlserver  # zizmor: ignore[template-injection] -- Static value
-      GHWS: ${{ env.GHWS }}  # zizmor: ignore[template-injection] -- Dynamically computed in earlier step
       GROUP: ${{ matrix.group }}  # zizmor: ignore[template-injection] -- Matrix value from controlled environment
-      ANSIBLE: ${{ matrix.ansible }}  # zizmor: ignore[template-injection] -- Matrix value from controlled environment
       PYTHON: python3
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}  # zizmor: ignore[secrets-outside-env] -- Codecov token needed for coverage uploads; environment protection would block PR-triggered runs
       WORKSPACE: ${{ github.workspace }}
@@ -152,13 +151,11 @@ jobs:
           Add-Content -LiteralPath $env:GITHUB_ENV -Value "GHWS=$ws"
 
       # Override break-sys-pkg defaults, because we don't need to bother with python venv for CI
-      - name: Install ansible-base
-        env:
-          ANSIBLE: ${{ matrix.ansible }}
+      - name: Install ansible-base (${{ matrix.ansible }})  # zizmor: ignore[template-injection] -- matrix.ansible is a controlled enum value (stable-2.19, stable-2.20, devel)
         run: |
           python3 -m pip config set global.break-system-packages true
           python3 -m pip install --upgrade setuptools pypsrp --disable-pip-version-check --retries 10
-          python3 -m pip install "https://github.com/ansible/ansible/archive/$ANSIBLE.tar.gz" --disable-pip-version-check --retries 10
+          python3 -m pip install "https://github.com/ansible/ansible/archive/${{ matrix.ansible }}.tar.gz" --disable-pip-version-check --retries 10
 
       - name: Install collection dependencies
         id: collection-dependency
@@ -195,26 +192,27 @@ jobs:
           sa-password: L0wlydb4
           version: 2022
 
-      - name: Run integration test
-        env:
-          GHWS: ${{ env.GHWS }}
-          NAMESPACE: ${{ env.NAMESPACE }}
-          COLLECTION_NAME: ${{ env.COLLECTION_NAME }}
-          GROUP: ${{ env.GROUP }}
+      - name: Run integration test  # zizmor: ignore[template-injection] -- env.GHWS is a computed path; matrix values are controlled enums
         run: |
-          pushd "$GHWS/ansible_collections/$NAMESPACE/$COLLECTION_NAME"
-          ansible-test windows-integration -v --color --retry-on-error --continue-on-error --diff --coverage --requirements windows/group/$GROUP/
-
-      - name: Generate coverage report
-        env:
-          GHWS: ${{ env.GHWS }}
-          NAMESPACE: ${{ env.NAMESPACE }}
-          COLLECTION_NAME: ${{ env.COLLECTION_NAME }}
+          pushd "${{ env.GHWS }}/ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}"
+          ansible-test windows-integration -v --color --retry-on-error --continue-on-error --diff --coverage --requirements windows/group/${{ matrix.group }}/
+
+      - name: Generate coverage report  # zizmor: ignore[template-injection] -- env.GHWS is a computed path
         run: |
-          pushd "$GHWS/ansible_collections/$NAMESPACE/$COLLECTION_NAME"
+          pushd "${{ env.GHWS }}/ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}"
           ansible-test coverage xml -v --requirements
 
       # See the reports at https://codecov.io/gh/lowlydba/lowlydba.sqlserver
       - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           fail_ci_if_error: false
+
+  win-ci-test-rollup:
+    name: Are we good?
+    runs-on: ubuntu-slim
+    needs: [integration]
+    if: always()
+    steps:
+      - uses: lowlydba/are-we-good@7efad05442f92a1203940ca8b79dd4fb930e75d4 # v1.0.2
+        with:
+          jobs: ${{ toJSON(needs) }}

.github/workflows/ansible-test.yml

@@ -50,6 +50,7 @@ jobs:
 
   sanity:
     name: Sanity (Ⓐ${{ matrix.ansible }})
+    continue-on-error: ${{ matrix.ansible == 'devel' }}
     permissions:
       contents: write  # Required for uploading coverage reports
     strategy:
@@ -102,6 +103,7 @@ jobs:
   integration:
     runs-on: ubuntu-latest
     name: I (Ⓐ${{ matrix.ansible }}+py${{ matrix.python }})
+    continue-on-error: ${{ matrix.ansible == 'devel' }}
     permissions:
       contents: write  # Required for uploading coverage reports
     services:
@@ -152,3 +154,13 @@ jobs:
           fail_ci_if_error: false
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env] -- Codecov token needed for uploading coverage; workflow_dispatch only
+
+  ci-test-rollup:
+    name: Are we good?
+    runs-on: ubuntu-slim
+    needs: [sanity, integration]
+    if: always()
+    steps:
+      - uses: lowlydba/are-we-good@7efad05442f92a1203940ca8b79dd4fb930e75d4 # v1.0.2
+        with:
+          jobs: ${{ toJSON(needs) }}

.github/workflows/release.yml

@@ -24,7 +24,7 @@ jobs:
       contents: write  # Required for creating releases and tags
     env:
       VERSION: ${{ github.event.inputs.version }}  # zizmor: ignore[template-injection] -- User input is required for this workflow
-      GHP_BASE_URL: ${{ env.GHP_BASE_URL }}  # zizmor: ignore[template-injection] -- Set at workflow level
+      GHP_BASE_URL: https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}
       GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }}  # zizmor: ignore[secrets-outside-env] -- Galaxy API key needed for publishing; workflow_dispatch only
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # zizmor: ignore[secrets-outside-env] -- GitHub token needed for release creation; workflow_dispatch only
     steps:

CHANGELOG.rst

@@ -4,6 +4,22 @@ lowlydba.sqlserver Release Notes
 
 .. contents:: Topics
 
+v2.8.0
+======
+
+Release Summary
+---------------
+
+Hardened GitHub Actions workflows against supply chain attacks using pinned
+SHA hashes, scoped permissions, and zizmor security analysis. Added a ``roles``
+input to the ``user_role`` module for managing multiple database role memberships
+simultaneously using the ``add``/``remove``/``set`` pattern.
+
+Minor Changes
+-------------
+
+- user_role - Added ``roles`` parameter with ``add``/``remove``/``set`` pattern to manage multiple roles. The existing ``role`` parameter is deprecated and will be removed in 3.0.0. (#352)
+
 v2.7.0
 ======
 

README.md

@@ -4,6 +4,7 @@
 [![CI](https://github.com/lowlydba/lowlydba.sqlserver/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/lowlydba/lowlydba.sqlserver/actions/workflows/ansible-test.yml)
 [![CI (Windows)](https://github.com/lowlydba/lowlydba.sqlserver/actions/workflows/ansible-test-windows.yml/badge.svg)](https://github.com/lowlydba/lowlydba.sqlserver/actions/workflows/ansible-test-windows.yml)
 [![codecov](https://codecov.io/gh/lowlydba/lowlydba.sqlserver/branch/main/graph/badge.svg?token=3TW3VBCn9N)](https://codecov.io/gh/lowlydba/lowlydba.sqlserver)
+[![immutable release ruleset](https://img.shields.io/badge/immutable%20tags-active-green?logo=github)](https://github.com/lowlydba/lowlydba.sqlserver/rules/14953198)
 
 [![GPL v3](https://img.shields.io/github/license/lowlydba/lowlydba.sqlserver)](https://github.com/lowlydba/lowlydba.sqlserver/blob/main/LICENSE)
 [![Ansible Collection Downloads](https://img.shields.io/ansible/collection/d/lowlydba/sqlserver)](https://galaxy.ansible.com/ui/repo/published/lowlydba/sqlserver)

changelogs/changelog.yaml

@@ -583,3 +583,24 @@ releases:
     fragments:
     - 329-add-agent-outputfile.yml
     release_date: '2025-08-16'
+  2.8.0:
+    changes:
+      minor_changes:
+      - user_role - Added ``roles`` parameter with ``add``/``remove``/``set`` pattern
+        to manage multiple roles. The existing ``role`` parameter is deprecated and
+        will be removed in 3.0.0. (#352)
+      release_summary: 'Hardened GitHub Actions workflows against supply chain attacks
+        using pinned
+
+        SHA hashes, scoped permissions, and zizmor security analysis. Added a ``roles``
+
+        input to the ``user_role`` module for managing multiple database role memberships
+
+        simultaneously using the ``add``/``remove``/``set`` pattern.
+
+        '
+    fragments:
+    - 2.8.0.yml
+    - remove-six-usage.yml
+    - user-role-roles-list.yml
+    release_date: '2026-04-11'