feat(roles/php): allow for PHP-FPM pools to be configured individually.

.github/workflows/codeql.yml

@@ -31,22 +31,22 @@ jobs:
 
     steps:
       - name: 'Harden Runner'
-        uses: 'step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450' # v2.19.1
+        uses: 'step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411' # v2.19.4
         with:
           egress-policy: 'audit'
 
       - name: 'Checkout repository'
         uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
 
       - name: 'Initialize CodeQL'
-        uses: 'github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e' # v4.35.4
+        uses: 'github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba' # v4.35.5
         with:
           languages: '${{ matrix.language }}'
 
       - name: 'Autobuild'
-        uses: 'github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e' # v4.35.4
+        uses: 'github/codeql-action/autobuild@9e0d7b8d25671d64c341c19c0152d693099fb5ba' # v4.35.5
 
       - name: 'Perform CodeQL Analysis'
-        uses: 'github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e' # v4.35.4
+        uses: 'github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba' # v4.35.5
         with:
           category: '/language:${{ matrix.language }}'

.github/workflows/dependency-review.yml

@@ -11,12 +11,12 @@ jobs:
     runs-on: 'ubuntu-latest'
     steps:
       - name: 'Harden Runner'
-        uses: 'step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450' # v2.19.1
+        uses: 'step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411' # v2.19.4
         with:
           egress-policy: 'audit'
 
       - name: 'Checkout repository'
         uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
 
       - name: 'Dependency Review'
-        uses: 'actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48' # v4.9.0
+        uses: 'actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294' # v5.0.0

.github/workflows/docs.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: 'ubuntu-latest'
     steps:
       - name: 'Harden the runner (Audit all outbound calls)'
-        uses: 'step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450' # v2.19.1
+        uses: 'step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411' # v2.19.4
         with:
           egress-policy: 'audit'
 
@@ -53,7 +53,7 @@ jobs:
       url: '${{ steps.deployment.outputs.page_url }}'
     steps:
       - name: 'Harden the runner (Audit all outbound calls)'
-        uses: 'step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450' # v2.19.1
+        uses: 'step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411' # v2.19.4
         with:
           egress-policy: 'audit'
 

.github/workflows/lf-build.yml

@@ -28,7 +28,7 @@ jobs:
     steps:
 
       - name: 'Harden the runner (Audit all outbound calls)'
-        uses: 'step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450' # v2.19.1
+        uses: 'step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411' # v2.19.4
         with:
           egress-policy: 'audit'
 

.github/workflows/lf-release.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
 
       - name: 'Harden the runner (Audit all outbound calls)'
-        uses: 'step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450' # v2.19.1
+        uses: 'step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411' # v2.19.4
         with:
           egress-policy: 'audit'
 

.github/workflows/lf-unit-tests.yml

@@ -0,0 +1,48 @@
+name: 'Linuxfabrik: Unit Tests'
+
+on:
+  push:
+    branches:
+      - 'main'
+  pull_request: {}
+
+permissions:
+  contents: 'read'
+
+jobs:
+  controller-plugins:
+    name: 'Controller plugins (Python ${{ matrix.python-version }})'
+    runs-on: 'ubuntu-latest'
+    strategy:
+      fail-fast: false
+      matrix:
+        # Controller-side plugins (filter, lookup). The managed-node tier
+        # (modules on RHEL 8 / Python 3.6) needs a UBI 8 container and is
+        # scaffolded in tox.ini, not run here yet.
+        python-version:
+          - '3.9'
+          - '3.10'
+          - '3.11'
+          - '3.12'
+          - '3.13'
+    steps:
+      - name: 'Harden the runner (Audit all outbound calls)'
+        uses: 'step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411' # v2.19.4
+        with:
+          egress-policy: 'audit'
+
+      - name: 'Checkout repository'
+        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
+
+      - name: 'Set up Python'
+        uses: 'actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405' # v6.2.0
+        with:
+          python-version: '${{ matrix.python-version }}'
+
+      - name: 'Install tox'
+        run: 'pip install tox'
+
+      - name: 'Run tox for this Python (all matching ansible-core envs)'
+        # `-f pyXYZ` selects every tox env carrying this Python's factor,
+        # e.g. py311 -> py311-ansible215/216/217/218.
+        run: 'tox -f py$(echo "${{ matrix.python-version }}" | tr -d ".")'

.github/workflows/pre-commit-autoupdate.yml

@@ -15,7 +15,7 @@ jobs:
       pull-requests: 'write'
     steps:
       - name: 'Harden the runner (Audit all outbound calls)'
-        uses: 'step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450' # v2.19.1
+        uses: 'step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411' # v2.19.4
         with:
           egress-policy: 'audit'
 

.github/workflows/scorecard.yml

@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: 'Harden Runner'
-        uses: 'step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450' # v2.19.1
+        uses: 'step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411' # v2.19.4
         with:
           egress-policy: 'audit'
 
@@ -42,6 +42,6 @@ jobs:
           retention-days: 5
 
       - name: 'Upload to code-scanning'
-        uses: 'github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e' # v4.35.4
+        uses: 'github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba' # v4.35.5
         with:
           sarif_file: 'results.sarif'

.gitignore

@@ -7,7 +7,6 @@ tests/output/*
 playbooks/test.yml
 roles/test
 context/
-particle/.vagrant
 
 # mkdocs documentation
 /docs/CHANGELOG.md

.pre-commit-config.yaml

@@ -42,7 +42,12 @@ repos:
         # false-positives on the project's own code style (`shell=dict(...)`
         # in argument_spec triggers B604, the literal `'on_create'` sentinel
         # triggers B105). Out of scope for in-tree review.
-        exclude: '^plugins/modules/ipa.*\.py$'
+        # `plugins/module_utils/gnupg.py` is vendored python-gnupg kept
+        # byte-identical with upstream; bandit flags its (expected) subprocess
+        # use (B404/B603) and asserts (B101), which we do not patch out.
+        # `tests/` holds unit tests whose fixtures use throwaway passwords
+        # (B105/B106); scanning test fixtures for hardcoded secrets is noise.
+        exclude: '^(plugins/modules/ipa.*|plugins/module_utils/gnupg|tests/.*)\.py$'
         types_or: ['python']
 
   - repo: 'https://github.com/jendrikseipp/vulture'
@@ -51,3 +56,17 @@ repos:
       - id: 'vulture'
         args: ['--min-confidence=80']
         types_or: ['python']
+
+  - repo: 'local'
+    hooks:
+      - id: 'pytest-unit'
+        name: 'pytest (plugin unit tests)'
+        # Fast single-interpreter run of the controller-plugin unit tests on
+        # every commit. The full Python x ansible-core matrix runs in CI via
+        # tox; see tests/README.md.
+        entry: 'pytest tests/unit'
+        language: 'python'
+        additional_dependencies: ['ansible-core', 'pytest', 'pyyaml']
+        pass_filenames: false
+        files: '^(plugins/|tests/unit/)'
+        types_or: ['python']