Update HA validation and configuration

.github/workflows/codeql.yml

@@ -43,17 +43,17 @@ jobs:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@07bb2b932c90fc1ec97637495e4072a0966fa74c # v3.28.20
+        uses: github/codeql-action/init@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@07bb2b932c90fc1ec97637495e4072a0966fa74c # v3.28.20
+        uses: github/codeql-action/autobuild@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@07bb2b932c90fc1ec97637495e4072a0966fa74c # v3.28.20
+        uses: github/codeql-action/analyze@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -22,6 +22,6 @@ jobs:
           egress-policy: audit
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0

.github/workflows/github-actions-ansible-lint.yml

@@ -14,7 +14,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout the code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Setup Python
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 #v5.4.0

.github/workflows/github-actions-code-coverage.yml

@@ -14,7 +14,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout the code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 
       - name: Setup Python
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 #v5.4.0

.github/workflows/ossf-scoreboard.yml

@@ -31,7 +31,7 @@ jobs:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -52,6 +52,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+        uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
         with:
           sarif_file: results.sarif

.github/workflows/trivy.yml

@@ -23,7 +23,7 @@ jobs:
         egress-policy: audit
 
     - name: Checkout code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
     - name: Run Trivy vulnerability scanner (file system)
       uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
@@ -36,7 +36,7 @@ jobs:
         output: report-fs.sarif
 
     - name: Upload Trivy report (fs) GitHub Security
-      uses: github/codeql-action/upload-sarif@07bb2b932c90fc1ec97637495e4072a0966fa74c # v3.28.20
+      uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
       with:
         sarif_file: report-fs.sarif
         category: 'fs'

requirements.txt

@@ -4,18 +4,18 @@
 #
 #    pip-compile requirements.in
 #
-ansible-compat==25.8.2
+ansible-compat==25.11.0
     # via ansible-lint
 ansible-core==2.17.14
     # via
     #   -r requirements.in
     #   ansible-compat
     #   ansible-lint
-ansible-lint==25.9.2
+ansible-lint==25.11.1
     # via -r requirements.in
 ansible-runner==2.4.2
     # via -r requirements.in
-astroid==4.0.1
+astroid==4.0.2
     # via pylint
 attrs==25.4.0
     # via
@@ -33,35 +33,35 @@ azure-identity==1.25.1
     # via
     #   -r requirements.in
     #   azure-kusto-data
-azure-kusto-data==5.0.5
+azure-kusto-data==6.0.0
     # via
     #   -r requirements.in
     #   azure-kusto-ingest
-azure-kusto-ingest==5.0.5
+azure-kusto-ingest==6.0.0
     # via -r requirements.in
-azure-mgmt-compute==37.0.1
+azure-mgmt-compute==37.1.0
     # via -r requirements.in
 azure-mgmt-core==1.6.0
     # via
     #   azure-mgmt-compute
     #   azure-mgmt-network
-azure-mgmt-network==30.0.0
+azure-mgmt-network==30.1.0
     # via -r requirements.in
-azure-storage-blob==12.23.0
+azure-storage-blob==12.26.0
     # via
     #   -r requirements.in
     #   azure-kusto-ingest
-azure-storage-queue==12.12.0
+azure-storage-queue==12.13.0
     # via
     #   -r requirements.in
     #   azure-kusto-ingest
-black==25.9.0
+black==25.11.0
     # via
     #   -r requirements.in
     #   ansible-lint
 bracex==2.6
     # via wcmatch
-certifi==2025.10.5
+certifi==2025.11.12
     # via
     #   msrest
     #   requests
@@ -71,11 +71,11 @@ cffi==2.0.0
     #   cryptography
 charset-normalizer==3.4.4
     # via requests
-click==8.3.0
+click==8.3.1
     # via
     #   -r requirements.in
     #   black
-coverage[toml]==7.11.0
+coverage[toml]==7.12.0
     # via
     #   -r requirements.in
     #   pytest-cov
@@ -92,7 +92,7 @@ dill==0.4.0
     # via pylint
 distro==1.9.0
     # via ansible-lint
-exceptiongroup==1.3.0
+exceptiongroup==1.3.1
     # via pytest
 filelock==3.20.0
     # via ansible-lint
@@ -189,9 +189,9 @@ pyjwt[crypto]==2.10.1
     # via
     #   msal
     #   pyjwt
-pylint==4.0.2
+pylint==4.0.4
     # via -r requirements.in
-pytest==8.4.2
+pytest==9.0.1
     # via
     #   -r requirements.in
     #   pytest-cov
@@ -206,7 +206,7 @@ python-dateutil==2.9.0.post0
     # via
     #   azure-kusto-data
     #   pandas
-pytokens==0.2.0
+pytokens==0.3.0
     # via black
 pytz==2025.2
     # via pandas
@@ -237,13 +237,13 @@ resolvelib==1.0.1
     # via ansible-core
 rich==14.2.0
     # via -r requirements.in
-rpds-py==0.28.0
+rpds-py==0.30.0
     # via
     #   jsonschema
     #   referencing
 ruamel-yaml==0.18.16
     # via ansible-lint
-ruamel-yaml-clib==0.2.14
+ruamel-yaml-clib==0.2.15
     # via
     #   ansible-lint
     #   ruamel-yaml

scripts/sap_automation_qa.sh

@@ -178,6 +178,15 @@ validate_params() {
         log "ERROR" "Error: The following parameters cannot be empty: ${missing_params[*]}"
         exit 1
     fi
+
+    WORKSPACES_DIR=$(grep "^WORKSPACES_DIR:" "$VARS_FILE" | awk '{split($0,a,": "); print a[2]}' | xargs)
+    if [[ -z "$WORKSPACES_DIR" ]]; then
+        WORKSPACES_DIR="WORKSPACES"
+        log "INFO" "WORKSPACES_DIR not set in vars.yaml, using default: $WORKSPACES_DIR"
+    else
+        log "INFO" "WORKSPACES_DIR: $WORKSPACES_DIR"
+    fi
+    export WORKSPACES_DIR
 }
 
 # Extract the error message from a command's output.
@@ -403,7 +412,7 @@ run_ansible_playbook() {
                 command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts --private-key $temp_file \
                     -e @$VARS_FILE -e @$system_params -e '_workspace_directory=$system_config_folder' $extra_vars"
             else
-                local ssh_key_dir="${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME"
+                local ssh_key_dir="${cmd_dir}/../$WORKSPACES_DIR/SYSTEM/$SYSTEM_CONFIG_NAME"
                 local ssh_key=""
                 local extensions=("ppk" "pem" "key" "private" "rsa" "ed25519" "ecdsa" "dsa" "")
 
@@ -429,7 +438,7 @@ run_ansible_playbook() {
                 fi
 
                 check_file_exists "$ssh_key" \
-                    "SSH key file not found in WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME directory. Looked for files with patterns: ssh_key.*, *ssh_key*"
+                    "SSH key file not found in $WORKSPACES_DIR/SYSTEM/$SYSTEM_CONFIG_NAME directory. Looked for files with patterns: ssh_key.*, *ssh_key*"
 
                 chmod 600 "$ssh_key"
                 command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts --private-key $ssh_key \
@@ -449,9 +458,9 @@ run_ansible_playbook() {
                     --extra-vars 'ansible_ssh_pass=$(cat $temp_file)' --extra-vars @$VARS_FILE -e @$system_params \
                     -e '_workspace_directory=$system_config_folder' $extra_vars"
             else
-                local password_file="${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/password"
+                local password_file="${cmd_dir}/../$WORKSPACES_DIR/SYSTEM/$SYSTEM_CONFIG_NAME/password"
                 check_file_exists "$password_file" \
-                    "password file not found in WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME directory."
+                    "password file not found in $WORKSPACES_DIR/SYSTEM/$SYSTEM_CONFIG_NAME directory."
                 command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts \
                     --extra-vars 'ansible_ssh_pass=$(cat $password_file)' --extra-vars @$VARS_FILE -e @$system_params \
                     -e '_workspace_directory=$system_config_folder' $extra_vars"
@@ -509,7 +518,7 @@ main() {
     validate_params
 
     # Check if the SYSTEM_HOSTS and SYSTEM_PARAMS directory exists inside WORKSPACES/SYSTEM folder
-    SYSTEM_CONFIG_FOLDER="${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME"
+    SYSTEM_CONFIG_FOLDER="${cmd_dir}/../$WORKSPACES_DIR/SYSTEM/$SYSTEM_CONFIG_NAME"
     SYSTEM_HOSTS="$SYSTEM_CONFIG_FOLDER/hosts.yaml"
     SYSTEM_PARAMS="$SYSTEM_CONFIG_FOLDER/sap-parameters.yaml"
     TEST_TIER=$(echo "$TEST_TIER" | tr '[:upper:]' '[:lower:]')
@@ -519,9 +528,9 @@ main() {
     log "INFO" "Using Authentication Type: $AUTHENTICATION_TYPE."
 
     check_file_exists "$SYSTEM_HOSTS" \
-        "hosts.yaml not found in WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME directory."
+        "hosts.yaml not found in $WORKSPACES_DIR/SYSTEM/$SYSTEM_CONFIG_NAME directory."
     check_file_exists "$SYSTEM_PARAMS" \
-        "sap-parameters.yaml not found in WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME directory."
+        "sap-parameters.yaml not found in $WORKSPACES_DIR/SYSTEM/$SYSTEM_CONFIG_NAME directory."
 
 		if [[ "$OFFLINE_MODE" == "true" ]]; then
         local crm_report_dir="$SYSTEM_CONFIG_FOLDER/offline_validation"

src/module_utils/get_pcmk_properties.py

@@ -561,20 +561,40 @@ def validate_from_constants(self):
 
         if failed_parameters:
             overall_status = TestStatus.ERROR.value
+            failed_param_names = []
+            for param in failed_parameters:
+                param_name = param.get("name", "")
+                category = param.get("category", "")
+                if param_name and category:
+                    failed_param_names.append(f"'{param_name}' ({category})")
+                elif param_name:
+                    failed_param_names.append(f"'{param_name}'")
+
+            if failed_param_names:
+                self.result["message"] += (
+                    f"HA parameter validation failed for {len(failed_parameters)} parameter(s): "
+                    f"{', '.join(failed_param_names)}. "
+                )
+            else:
+                self.result[
+                    "message"
+                ] += f"HA parameter validation failed for {len(failed_parameters)} parameter(s). "
         elif warning_parameters:
             overall_status = TestStatus.WARNING.value
+            self.result["message"] += "HA parameter validation completed with warnings. "
         elif self.result.get("status") == TestStatus.WARNING.value:
             overall_status = TestStatus.WARNING.value
+            self.result["message"] += "HA parameter validation completed with warnings. "
         else:
             overall_status = TestStatus.SUCCESS.value
+            self.result["message"] += "HA parameter validation completed successfully. "
 
         self.result.update(
             {
                 "details": {"parameters": parameters},
                 "status": overall_status,
             }
         )
-        self.result["message"] += "HA parameter validation completed successfully. "
         recommendation_message = self._generate_recommendation_message()
         if recommendation_message:
             self.result["message"] += recommendation_message

src/modules/get_pcmk_properties_scs.py

@@ -166,6 +166,7 @@ class HAClusterValidator(BaseHAClusterValidator):
         "ipaddr": ".//primitive[@type='IPaddr2']",
         "azurelb": ".//primitive[@type='azure-lb']",
         "azureevents": ".//primitive[@type='azure-events-az']",
+        "filesystem": ".//primitive[@type='Filesystem']",
     }
 
     def __init__(

src/roles/configuration_checks/tasks/files/hana.yml

@@ -159,7 +159,7 @@ checks:
       user:                             *root
     validator_type:                     *list
     validator_args:
-      valid_list:                       ["reboot", "stonith-action=reboot"]
+      valid_list:                       ["reboot", "stonith-action=reboot", "stonith-action=reboot (default)"]
     report:                             *check
 
   - id:                                 "DB-HANA-0004"

src/roles/ha_db_hana/tasks/files/constants.yaml

@@ -34,6 +34,9 @@ CRM_CONFIG_DEFAULTS:
   azure-events-az_globalPullState:
     value:                          "IDLE"
     required:                       false
+  have-watchdog:
+    value:                          "true"
+    required:                       false
 
 # === Operation Defaults ===
 # cibadmin --query --scope op_defaults
@@ -50,7 +53,7 @@ OP_DEFAULTS:
 RSC_DEFAULTS:
   migration-threshold:
     value:                          "5000"
-    required:                       false
+    required:                       true
   priority:
     value:                          "1"
     required:                       false
@@ -868,18 +871,18 @@ GLOBAL_INI:
         execution_order:
           value:                      "1"
           required:                   true
-      ha_dr_provider_suschksrv:
+      ha_dr_provider_chksrv:
         provider:
-          value:                      "susChkSrv"
+          value:                      "ChkSrv"
           required:                   true
         path:
           value:                      ["/usr/share/SAPHanaSR", "/hana/shared/myHooks"]
           required:                   true
         execution_order:
-          value:                      "3"
+          value:                      "2"
           required:                   true
         action_on_host:
-          value:                      "fence"
+          value:                      "kill"
           required:                   true
       trace:
         ha_dr_saphanasr: