FRE-4807: Fix ci.yml Medium findings — SHA256 verification and API_TOKEN validation

2026-05-13 15:06:56 -04:00
parent 81173d7ab5
commit 65c7da4852
1 changed files with 14 additions and 2 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -194,17 +194,29 @@ jobs:

      - name: Install k6
        run: |
-          curl -s https://github.com/grafana/k6/releases/download/v0.50.0/k6-linux-amd64.tar.gz -L | tar xz
+          K6_VERSION="v0.50.0"
+          K6_URL="https://github.com/grafana/k6/releases/download/${K6_VERSION}/k6-linux-amd64.tar.gz"
+          K6_SHA256="d950a2408d0be2dc81aef397a7c984a1d84271d7ae94ff7a47d08371904f0800"
+          curl -sSL "${K6_URL}" -o k6.tar.gz
+          echo "${K6_SHA256}  k6.tar.gz" | sha256sum --check --strict -
+          tar xzf k6.tar.gz
          sudo mv k6 /usr/local/bin/
          k6 version

+      - name: Validate required secrets
+        run: |
+          if [ -z "$API_TOKEN" ]; then
+            echo "❌ LOAD_TEST_API_TOKEN secret is not set"
+            exit 1
+          fi
+
      - name: Run combined load tests
        run: |
          chmod +x scripts/load-test/run-all.sh
          ./scripts/load-test/run-all.sh
        env:
          LOAD_TEST_BASE_URL: ${{ secrets.LOAD_TEST_BASE_URL || 'http://localhost:3000' }}
-          API_TOKEN: ${{ secrets.LOAD_TEST_API_TOKEN || 'test-token' }}
+          API_TOKEN: ${{ secrets.LOAD_TEST_API_TOKEN }}
          TARGET_RPS: ${{ vars.LOAD_TEST_TARGET_RPS || '500' }}
          DURATION: ${{ vars.LOAD_TEST_DURATION || '300s' }}
          K6_CLOUD_TOKEN: ${{ secrets.K6_CLOUD_TOKEN || '' }}