FRE-4807: Remediate security review Medium findings

- Add SHA256 verification for k6 binary download (supply chain integrity)
- Remove literal 'test-token' fallback for API_TOKEN in CI workflow;
  add validation step that fails if LOAD_TEST_API_TOKEN secret is missing
- Replace 'test-token' fallback with empty string + warning in run-all.sh
- Replace 'test-token' fallback with empty string in all 4 service scripts

.github/workflows/load-test.yml

@@ -36,17 +36,29 @@ jobs:
 
       - name: Install k6
         run: |
-          curl -s https://github.com/grafana/k6/releases/download/v0.50.0/k6-linux-amd64.tar.gz -L | tar xz
+          K6_VERSION="v0.50.0"
+          K6_URL="https://github.com/grafana/k6/releases/download/${K6_VERSION}/k6-linux-amd64.tar.gz"
+          K6_SHA256="d950a2408d0be2dc81aef397a7c984a1d84271d7ae94ff7a47d08371904f0800"
+          curl -sSL "${K6_URL}" -o k6.tar.gz
+          echo "${K6_SHA256}  k6.tar.gz" | sha256sum --check --strict -
+          tar xzf k6.tar.gz
           sudo mv k6 /usr/local/bin/
           k6 version
 
+      - name: Validate required secrets
+        run: |
+          if [ -z "$API_TOKEN" ]; then
+            echo "❌ LOAD_TEST_API_TOKEN secret is not set"
+            exit 1
+          fi
+
       - name: Run load tests
         run: |
           chmod +x scripts/load-test/run-all.sh
           ./scripts/load-test/run-all.sh ${{ github.event.inputs.service || 'all' }}
         env:
           LOAD_TEST_BASE_URL: ${{ secrets.LOAD_TEST_BASE_URL || 'http://localhost:3000' }}
-          API_TOKEN: ${{ secrets.LOAD_TEST_API_TOKEN || 'test-token' }}
+          API_TOKEN: ${{ secrets.LOAD_TEST_API_TOKEN }}
           TARGET_RPS: ${{ github.event.inputs.target_rps || '500' }}
           DURATION: ${{ github.event.inputs.duration || '300s' }}
           K6_CLOUD_TOKEN: ${{ secrets.K6_CLOUD_TOKEN || '' }}