ShieldAI/.github/workflows/load-test.yml
Michael Freno 81173d7ab5 FRE-4807: Remediate security review Medium findings
- Add SHA256 verification for k6 binary download (supply chain integrity)
- Remove literal 'test-token' fallback for API_TOKEN in CI workflow;
  add validation step that fails if LOAD_TEST_API_TOKEN secret is missing
- Replace 'test-token' fallback with empty string + warning in run-all.sh
- Replace 'test-token' fallback with empty string in all 4 service scripts
2026-05-13 13:39:57 -04:00


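# Load-test workflow: installs a pinned, checksum-verified k6 binary and runs
# scripts/load-test/run-all.sh in the `staging` environment, then checks the
# generated reports.
name: Load Test

on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      target_rps:
        description: 'Target requests per second'
        required: false
        default: '500'
      duration:
        description: 'Test duration'
        required: false
        default: '300s'
      service:
        description: 'Service to test (all, api, darkwatch, spamshield, voiceprint)'
        required: false
        default: 'all'

# Least privilege for GITHUB_TOKEN: the job only needs to read the repository.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  NODE_VERSION: "20"

jobs:
  load-test:
    name: Load Test (${{ github.event.inputs.service || 'all' }})
    runs-on: ubuntu-latest
    timeout-minutes: 30
    environment: staging
    steps:
      # NOTE(review): both actions below are referenced by a mutable major tag.
      # Pinning them to a full commit SHA would give them the same integrity
      # guarantee the k6 download gets from its SHA256 check.
      - uses: actions/checkout@v4
        with:
          # Later steps run repository scripts; do not leave the checkout
          # token in .git/config for them to read.
          persist-credentials: false

      - name: Install k6
        run: |
          set -euo pipefail
          K6_VERSION="v0.50.0"
          K6_URL="https://github.com/grafana/k6/releases/download/${K6_VERSION}/k6-linux-amd64.tar.gz"
          K6_SHA256="d950a2408d0be2dc81aef397a7c984a1d84271d7ae94ff7a47d08371904f0800"
          # NOTE(review): confirm the asset name and digest against the
          # checksums published with the upstream release; the archive layout
          # also decides whether `mv k6` below finds the binary.
          # --fail turns an HTTP error into a non-zero exit instead of saving
          # the error page as k6.tar.gz.
          curl --fail -sSL "${K6_URL}" -o k6.tar.gz
          # Canonical checklist line: digest, two spaces, file name.
          echo "${K6_SHA256}  k6.tar.gz" | sha256sum --check --strict -
          tar xzf k6.tar.gz
          sudo mv k6 /usr/local/bin/
          k6 version

      - name: Validate required secrets
        # Step-level env is not shared between steps: without this mapping
        # API_TOKEN is always empty here and the check fails even when the
        # secret is configured.
        env:
          API_TOKEN: ${{ secrets.LOAD_TEST_API_TOKEN }}
        run: |
          if [ -z "${API_TOKEN:-}" ]; then
            echo "❌ LOAD_TEST_API_TOKEN secret is not set"
            exit 1
          fi

      - name: Run load tests
        env:
          # The dispatch input is passed through the environment rather than
          # expanded into the script text, so shell metacharacters in it are
          # data, not code.
          SERVICE: ${{ github.event.inputs.service || 'all' }}
          LOAD_TEST_BASE_URL: ${{ secrets.LOAD_TEST_BASE_URL || 'http://localhost:3000' }}
          API_TOKEN: ${{ secrets.LOAD_TEST_API_TOKEN }}
          TARGET_RPS: ${{ github.event.inputs.target_rps || '500' }}
          DURATION: ${{ github.event.inputs.duration || '300s' }}
          K6_CLOUD_TOKEN: ${{ secrets.K6_CLOUD_TOKEN || '' }}
          K6_CLOUD_PROJECT_ID: ${{ vars.K6_CLOUD_PROJECT_ID || '' }}
        run: |
          # Accept only the values listed in the input description.
          case "$SERVICE" in
            all|api|darkwatch|spamshield|voiceprint) ;;
            *)
              echo "❌ Unknown service: $SERVICE"
              exit 1
              ;;
          esac
          chmod +x scripts/load-test/run-all.sh
          ./scripts/load-test/run-all.sh "$SERVICE"

      # NOTE(review): confirm the reports never contain API_TOKEN or response
      # bodies; the artifact is kept for 30 days.
      - name: Upload load test report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: load-test-report-${{ github.sha }}
          path: scripts/load-test/reports/
          retention-days: 30

      - name: Check P99 thresholds
        if: always()
        run: |
          RESULTS=scripts/load-test/reports/threshold-results.json
          if [ ! -f "$RESULTS" ]; then
            echo "⚠️ No threshold results file found"
            exit 1
          fi
          # Fail closed: a results file jq cannot parse must not be reported
          # as "all passed".
          if ! FAILURES=$(jq -r '[.services | to_entries[] | select(.value.exitCode != 0) | .key] | join(", ")' "$RESULTS"); then
            echo "❌ Could not parse $RESULTS"
            exit 1
          fi
          if [ -n "$FAILURES" ]; then
            echo "❌ Load test failures: $FAILURES"
            exit 1
          fi
          echo "✅ All load tests passed"

      # Advisory only: this step prints a warning but never fails the job.
      - name: Validate auto-scaling
        if: always()
        run: |
          SUMMARY_FILE=$(ls scripts/load-test/reports/*-summary-*.json 2>/dev/null | head -1)
          if [ -n "$SUMMARY_FILE" ]; then
            MAX_VUS=$(jq -r '.metrics.vus.max // 0' "$SUMMARY_FILE")
            TARGET_VUS=20
            if [ "$(echo "$MAX_VUS >= $TARGET_VUS" | bc -l)" -eq 1 ]; then
              echo "✅ Auto-scaling validated: max VUs ($MAX_VUS) >= target ($TARGET_VUS)"
            else
              echo "⚠️ Auto-scaling below target: max VUs ($MAX_VUS) < target ($TARGET_VUS)"
            fi
          else
            echo "⚠️ No summary file for auto-scaling validation"
          fi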