How to Handle Auth and Secrets in CI Load Tests
Inject the auth token as a masked secret env var so the load tool sends it in headers without the token appearing in the repo or logs.
Store the token as a repo secret, expose it as an env var to the load step, and read it from __ENV to build an Authorization header. Never commit the token into the script.
Steps
- Add the token as a repository secret.
- Expose it to the load step as an env var.
- Read it in the script and set the auth header.
Script uses the token
k6-script.js
import http from 'k6/http';
const TOKEN = __ENV.API_TOKEN;
export default function () {
http.get(`${__ENV.BASE_URL}/api/orders`, {
headers: { Authorization: `Bearer ${TOKEN}` },
});
}Workflow
.github/workflows/ci.yml
steps:
- uses: grafana/setup-k6-action@v1
- name: Run load test
env:
API_TOKEN: ${{ secrets.LOAD_TEST_TOKEN }}
BASE_URL: https://staging.example.com
run: k6 run k6-script.jsGotchas
- Secrets are masked in logs; do not echo the token or write it to an artifact.
- For OAuth flows, mint a short-lived token in a setup step rather than storing a long-lived one.
Related guides
How to Load Test a Staging or Preview URL in CIPoint a CI load test at a staging or preview deployment by passing the URL as an environment variable to k6,…
How to Parameterize Load Levels in CIParameterize virtual users and duration in CI by reading them from environment variables, so one script runs…