Skip to content
Latchkey

How to Handle Auth and Secrets in CI Load Tests

Inject the auth token as a masked secret env var so the load tool sends it in headers without the token appearing in the repo or logs.

Store the token as a repo secret, expose it as an env var to the load step, and read it from __ENV to build an Authorization header. Never commit the token into the script.

Steps

  • Add the token as a repository secret.
  • Expose it to the load step as an env var.
  • Read it in the script and set the auth header.

Script uses the token

k6-script.js
import http from 'k6/http';
const TOKEN = __ENV.API_TOKEN;

export default function () {
  http.get(`${__ENV.BASE_URL}/api/orders`, {
    headers: { Authorization: `Bearer ${TOKEN}` },
  });
}

Workflow

.github/workflows/ci.yml
steps:
  - uses: grafana/setup-k6-action@v1
  - name: Run load test
    env:
      API_TOKEN: ${{ secrets.LOAD_TEST_TOKEN }}
      BASE_URL: https://staging.example.com
    run: k6 run k6-script.js

Gotchas

  • Secrets are masked in logs; do not echo the token or write it to an artifact.
  • For OAuth flows, mint a short-lived token in a setup step rather than storing a long-lived one.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →