workload/schemachange: properly escape role names in policy statements

When ALTER POLICY is executed with unescaped role identifiers that start with
numbers, it can cause SQL syntax errors like "trailing junk after numeric
literal". This change adds proper SQL identifier escaping for role names
in ALTER POLICY statements by using lexbase.EscapeSQLIdent, which ensures
that identifiers are properly quoted with double quotes.
The change also avoids a `InFailedSQLTransaction` error by checking `row.Err()`
in the `findExistingPolicy` function.

Fixes: #145277
Release note: none

Author: Dedej-Bergin

pkg/workload/schemachange/operation_generator.go

@@ -5115,6 +5115,10 @@ func findExistingPolicy(
 		policyExists = true
 	}
 
+	if rows.Err() != nil {
+		return nil, false, rows.Err()
+	}
+
 	return &policyWithInfo, policyExists, nil
 }
 
@@ -5236,7 +5240,7 @@ func (og *operationGenerator) alterPolicy(ctx context.Context, tx pgx.Tx) (*opSt
 			usesDummyRole = true
 		}
 
-		sqlStatement.WriteString(fmt.Sprintf(" TO %s", roles))
+		sqlStatement.WriteString(fmt.Sprintf(" TO %s", lexbase.EscapeSQLIdent(roles)))
 	default: // USING and/or WITH CHECK expressions
 		// For case 2 and 3, we generate USING, WITH CHECK, or both
 		includeUsing = alterType == 2 || og.randIntn(2) == 0
@@ -5278,9 +5282,8 @@ func (og *operationGenerator) alterPolicy(ctx context.Context, tx pgx.Tx) (*opSt
 	opStmt.sql = sqlStatement.String()
 
 	opStmt.expectedExecErrors.addAll(codesWithConditions{
-		{code: pgcode.UndefinedObject, condition: !policyExists},
+		{code: pgcode.UndefinedObject, condition: !policyExists || usesDummyRole},
 		{code: pgcode.UndefinedTable, condition: !tableExists},
-		{code: pgcode.UndefinedObject, condition: usesDummyRole},
 	})
 
 	return opStmt, nil