# Chapter 22: Testing in CI

While Chapter 21 established how container images are constructed, testing in CI validates that those images contain functional, secure, and performant code. Testing in automated pipelines differs fundamentally from local development: tests must execute reproducibly in ephemeral environments, complete within strict time constraints, and provide actionable feedback without human intervention.

This chapter examines the testing pyramid as implemented in CI/CD—from isolated unit tests through integration tests with real dependencies to end-to-end validation of complete systems. We explore strategies for maintaining test reliability, managing test data, and generating coverage reports that gate deployment quality, ensuring that only verified artifacts progress toward production.

## 22.1 Unit Testing

Unit tests validate individual components in isolation, forming the foundation of the testing pyramid. In CI, unit tests must execute rapidly (typically under 10 minutes for the entire suite) and without external dependencies to provide immediate feedback on code changes.

### Containerized Unit Testing

Execute unit tests within the same container environment used for production builds to ensure consistency:

```dockerfile
# Dockerfile.test - Multi-stage for testing
FROM node:20-alpine AS test
WORKDIR /app

# Install dependencies (including devDependencies)
COPY package*.json ./
RUN npm ci

# Copy source
COPY . .

# Default command runs unit tests
CMD ["npm", "run", "test:unit"]
```

**CI Integration:**
```yaml
# GitHub Actions - Unit test stage
jobs:
  unit-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Build test image
        run: docker build -f Dockerfile.test -t myapp:test .
      
      - name: Run unit tests
        run: docker run --rm myapp:test
        
      - name: Copy coverage from container (if needed)
        run: |
          docker create --name test-container myapp:test
          docker cp test-container:/app/coverage ./coverage
          docker rm test-container
          
      - name: Upload coverage
        uses: codecov/codecov-action@v3
        with:
          files: ./coverage/lcov.info
```

### Test Isolation and Determinism

CI environments must ensure tests produce identical results across runs:

**Environment Variable Control:**
```yaml
# Freeze random seeds, timezones, and locales
jobs:
  test:
    runs-on: ubuntu-latest
    env:
      TZ: UTC
      LANG: C.UTF-8
      NODE_ENV: test
      CI: true
      RANDOM_SEED: 12345  # For deterministic randomness in tests
```

**Database Isolation (Unit Tests with In-Memory DBs):**
```javascript
// Jest configuration for isolated tests
module.exports = {
  testEnvironment: 'node',
  setupFilesAfterEnv: ['<rootDir>/jest.setup.js'],
  coverageThreshold: {
    global: {
      branches: 80,
      functions: 80,
      lines: 80,
      statements: 80
    }
  },
  // Parallel execution
  maxWorkers: '50%',
  // Retry flaky tests once in CI
  retry: process.env.CI ? 1 : 0
};
```

### Coverage Reporting

Enforce coverage thresholds to prevent quality regression:

```yaml
# GitLab CI with coverage visualization
unit_tests:
  stage: test
  image: node:20-alpine
  coverage: '/All files[^|]*\|[^|]*\s+([\d\.]+)/'
  script:
    - npm ci
    - npm run test:unit -- --coverage --coverageReporters=text-summary
  artifacts:
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage/cobertura-coverage.xml
      junit: junit.xml
    paths:
      - coverage/
  only:
    - merge_requests
    - main
```

**Coverage Gates:**
```yaml
# Fail pipeline if coverage drops
- name: Check coverage threshold
  run: |
    COVERAGE=$(cat coverage/coverage-summary.json | jq '.total.lines.pct')
    if (( $(echo "$COVERAGE < 80" | bc -l) )); then
      echo "Coverage $COVERAGE% is below threshold of 80%"
      exit 1
    fi
```

## 22.2 Integration Testing

Integration tests verify component interactions with real dependencies (databases, message queues, external APIs). Unlike unit tests, they require infrastructure orchestration within CI pipelines.

### Service Containers

CI platforms provide "service containers"—sidecar containers that run alongside the test job:

```yaml
# GitHub Actions with service containers
jobs:
  integration-tests:
    runs-on: ubuntu-latest
    
    services:
      postgres:
        image: postgres:15-alpine
        env:
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: testdb
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 5432:5432
          
      redis:
        image: redis:7-alpine
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 6379:6379

    steps:
      - uses: actions/checkout@v4
      
      - name: Run integration tests
        env:
          DATABASE_URL: postgres://postgres:postgres@localhost:5432/testdb
          REDIS_URL: redis://localhost:6379
        run: |
          npm ci
          npm run test:integration
```

**GitLab CI Services:**
```yaml
integration_tests:
  stage: test
  image: node:20
  services:
    - name: postgres:15-alpine
      alias: postgres
    - name: redis:7-alpine
      alias: redis
  variables:
    POSTGRES_DB: testdb
    POSTGRES_USER: postgres
    POSTGRES_PASSWORD: postgres
    DATABASE_URL: postgres://postgres:postgres@postgres/testdb
  script:
    - npm run test:integration
```

### Testcontainers

Testcontainers provides programmatic container management for integration tests, ensuring consistent test environments across local development and CI:

```java
// Java/JUnit 5 example with Testcontainers
@SpringBootTest
@Testcontainers
public class DatabaseIntegrationTest {
    
    @Container
    static PostgreSQLContainer<?> postgres = new PostgreSQLContainer<>("postgres:15-alpine")
        .withDatabaseName("testdb")
        .withUsername("test")
        .withPassword("test");
    
    @DynamicPropertySource
    static void configureProperties(DynamicPropertyRegistry registry) {
        registry.add("spring.datasource.url", postgres::getJdbcUrl);
        registry.add("spring.datasource.username", postgres::getUsername);
        registry.add("spring.datasource.password", postgres::getPassword);
    }
    
    @Test
    void shouldSaveAndRetrieveUser() {
        // Test uses real PostgreSQL instance
    }
}
```

**Node.js with Testcontainers:**
```javascript
// JavaScript example
const { PostgreSqlContainer } = require("@testcontainers/postgresql");
const { Client } = require("pg");

describe("Database Integration", () => {
  let container;
  let client;

  beforeAll(async () => {
    container = await new PostgreSqlContainer("postgres:15-alpine")
      .withDatabase("testdb")
      .withUsername("test")
      .withPassword("test")
      .start();
    
    client = new Client({
      connectionString: container.getConnectionUri(),
    });
    await client.connect();
  });

  afterAll(async () => {
    await client.end();
    await container.stop();
  });

  test("should insert and query data", async () => {
    await client.query("CREATE TABLE users (id SERIAL, name VARCHAR(255))");
    await client.query("INSERT INTO users (name) VALUES ('John')");
    const result = await client.query("SELECT * FROM users");
    expect(result.rows).toHaveLength(1);
  });
});
```

**CI Considerations for Testcontainers:**
- Requires Docker socket access (privileged mode or Docker-in-Docker)
- Cleanup is automatic (containers stopped after test suite)
- Supports Ryuk resource reaper for cleanup after crashes

### Database Migration Testing

Validate schema changes don't break existing data:

```yaml
# Test migration path from previous version
migration_test:
  stage: test
  image: node:20
  services:
    - postgres:15-alpine
  script:
    # 1. Setup database at previous version
    - git checkout HEAD~1
    - npm ci
    - npm run db:migrate
    
    # 2. Insert test data representing production state
    - npm run db:seed:test-data
    
    # 3. Apply new migrations
    - git checkout $CI_COMMIT_SHA
    - npm ci
    - npm run db:migrate
    
    # 4. Verify application still works
    - npm run test:integration
```

## 22.3 End-to-End Testing

End-to-end (E2E) tests validate complete user workflows through the application stack. While valuable, they are slower and more brittle than unit or integration tests, requiring careful management in CI.

### Browser Testing with Playwright

Playwright provides cross-browser testing with automatic waiting and tracing:

```yaml
# GitHub Actions with Playwright
e2e_tests:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    
    - name: Setup Node
      uses: actions/setup-node@v4
      with:
        node-version: '20'
    
    - name: Install dependencies
      run: npm ci
    
    - name: Install Playwright browsers
      run: npx playwright install --with-deps
    
    - name: Start application
      run: |
        docker-compose -f docker-compose.test.yml up -d
        npx wait-on http://localhost:3000 --timeout 60000
    
    - name: Run E2E tests
      run: npx playwright test
      
    - name: Upload test results
      if: always()
      uses: actions/upload-artifact@v3
      with:
        name: playwright-report
        path: |
          playwright-report/
          test-results/
    
    - name: Cleanup
      if: always()
      run: docker-compose -f docker-compose.test.yml down -v
```

**Playwright Configuration for CI:**
```javascript
// playwright.config.js
module.exports = {
  testDir: './e2e',
  fullyParallel: true,
  forbidOnly: !!process.env.CI,  // Fail if .only left in code
  retries: process.env.CI ? 2 : 0,  // Retry flaky tests in CI
  workers: process.env.CI ? 1 : undefined,  // Single worker in CI for stability
  reporter: [
    ['html'],
    ['junit', { outputFile: 'junit-results.xml' }]
  ],
  use: {
    baseURL: 'http://localhost:3000',
    trace: 'on-first-retry',  // Capture trace on first retry
    screenshot: 'only-on-failure',
    video: 'retain-on-failure',
  },
  projects: [
    {
      name: 'chromium',
      use: { ...devices['Desktop Chrome'] },
    },
    // Only test one browser in CI for speed, all browsers locally
    process.env.CI ? null : {
      name: 'firefox',
      use: { ...devices['Desktop Firefox'] },
    },
  ].filter(Boolean),
};
```

### Cypress in CI

Cypress provides real-time reloading and debugging capabilities:

```yaml
# Cypress in Docker
cypress_tests:
  stage: test
  image: cypress/included:cypress-13.0.0-node-20.5.0-chrome-114.1.2.1-1-ff-114.0.2-edge-114.0.1823.51-1
  services:
    - name: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
      alias: app
  variables:
    CYPRESS_baseUrl: http://app:3000
  script:
    - cypress run --browser chrome --headless
  artifacts:
    when: always
    paths:
      - cypress/videos/
      - cypress/screenshots/
    reports:
      junit: cypress/results/junit.xml
```

**Parallelization with Cypress Dashboard:**
```yaml
# Split tests across multiple machines
cypress:
  parallel: 4  # Run 4 parallel instances
  script:
    - cypress run --record --parallel --key $CYPRESS_RECORD_KEY
```

### API Testing

Test REST/GraphQL endpoints in isolation:

```yaml
# Postman/Newman integration
api_tests:
  stage: test
  image: postman/newman:alpine
  services:
    - $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  script:
    - newman run collection.json 
        --environment ci-environment.json
        --reporters cli,junit
        --reporter-junit-export newman-results.xml
  artifacts:
    reports:
      junit: newman-results.xml
```

## 22.4 Test Containers Pattern

Testcontainers (mentioned in 22.2) deserves deeper examination as the modern standard for integration testing with real dependencies.

### Architecture and Benefits

**Consistency:** Tests use the same container images as production databases, eliminating "works on my machine" issues.

**Isolation:** Each test suite receives fresh, isolated database instances, preventing test pollution.

**Cleanup:** Automatic resource cleanup via Ryuk sidecar container, even if tests crash.

### Advanced Patterns

**Custom Wait Strategies:**
```java
// Wait for specific log message or HTTP endpoint
@Container
static GenericContainer<?> myService = new GenericContainer<>("myapp:latest")
    .withExposedPorts(8080)
    .waitingFor(
        Wait.forHttp("/health")
            .forStatusCode(200)
            .withStartupTimeout(Duration.ofSeconds(60))
    );
```

**Docker Compose Integration:**
```java
// Test full stack with docker-compose
@Container
static DockerComposeContainer<?> environment = 
    new DockerComposeContainer<>(new File("docker-compose.test.yml"))
        .withExposedService("web", 8080)
        .withExposedService("database", 5432)
        .waitingFor("web", Wait.forListeningPort());
```

**Volume Mounts for Test Data:**
```java
// Mount SQL fixtures into database container
@Container
static PostgreSQLContainer<?> postgres = new PostgreSQLContainer<>("postgres:15")
    .withClasspathResourceMapping("fixtures/", "/docker-entrypoint-initdb.d/", 
        BindMode.READ_ONLY);
```

### CI Optimization

**Pre-pull Images:**
```yaml
# Speed up Testcontainers by pre-pulling images
pre_pull:
  stage: prepare
  script:
    - docker pull postgres:15-alpine
    - docker pull redis:7-alpine
    - docker pull localstack/localstack:latest
  cache:
    key: docker-images
    paths:
      - /var/lib/docker
```

**Reuse Containers (Experimental):**
```java
// Reuse containers between test classes (faster but less isolated)
@Testcontainers
@TestInstance(TestInstance.Lifecycle.PER_CLASS)  // Reuse instance
public class IntegrationTests {
    @Container
    static PostgreSQLContainer<?> postgres = new PostgreSQLContainer<>("postgres:15")
        .withReuse(true);  // Enable reuse
}
```

## 22.5 Parallel Test Execution

Parallel execution reduces feedback time but requires careful resource management to prevent test interference.

### Test Splitting Strategies

**File-based Splitting:**
```yaml
# Split test files across parallel jobs
test:
  parallel: 4
  script:
    - |
      # Get all test files
      TEST_FILES=$(find tests -name "*.test.js" | sort)
      TOTAL=$(echo "$TEST_FILES" | wc -l)
      CHUNK=$((TOTAL / 4))
      
      # Get this job's slice
      case $CI_NODE_INDEX in
        1) SLICE=$(echo "$TEST_FILES" | head -n $CHUNK) ;;
        2) SLICE=$(echo "$TEST_FILES" | head -n $((CHUNK*2)) | tail -n $CHUNK) ;;
        3) SLICE=$(echo "$TEST_FILES" | head -n $((CHUNK*3)) | tail -n $CHUNK) ;;
        4) SLICE=$(echo "$TEST_FILES" | tail -n $((TOTAL-CHUNK*3))) ;;
      esac
      
      npm test -- $SLICE
```

**Timing-based Splitting (CircleCI):**
```yaml
# Automatically balance based on historical timing data
test:
  parallelism: 4
  steps:
    - run:
        command: |
          circleci tests glob "tests/**/*.test.js" | \
          circleci tests split --split-by=timings | \
          xargs npm test
```

**Jest Parallelization:**
```javascript
// jest.config.js
module.exports = {
  // Use 50% of available CPUs (leave headroom for other processes)
  maxWorkers: '50%',
  
  // Shard for CI parallelization
  ...(process.env.CI && {
    shard: `${process.env.SHARD_INDEX}/${process.env.SHARD_TOTAL}`,
  }),
};
```

```yaml
# Run sharded tests
test:
  parallel: 4
  script:
    - npm test -- --shard=$CI_NODE_INDEX/$CI_NODE_TOTAL
```

### Resource Isolation

Prevent parallel tests from interfering:

**Database per Test Worker:**
```javascript
// Dynamic database naming
const workerId = process.env.JEST_WORKER_ID || '1';
const dbName = `test_db_worker_${workerId}`;

beforeAll(async () => {
  await createDatabase(dbName);
  process.env.DATABASE_URL = `postgres://localhost/${dbName}`;
});
```

**Port Allocation:**
```javascript
// Find available ports dynamically
const getPort = require('get-port');

beforeAll(async () => {
  const port = await getPort();
  server.listen(port);
});
```

## 22.6 Test Reports and Coverage

Comprehensive reporting transforms test results into actionable insights and quality gates.

### JUnit XML Integration

Standard format supported by all CI platforms:

```yaml
# Generate and upload JUnit reports
test:
  script:
    - npm test -- --reporter=junit --outputFile=junit.xml
  artifacts:
    reports:
      junit: junit-results.xml
    paths:
      - junit-results.xml
    expire_in: 1 week
```

**GitLab Test Visualization:**
- Displays test suites, cases, and failure details in MR interface
- Tracks test execution time trends
- Identifies slow tests for optimization

### Coverage Reporting

**Line-by-Line Coverage:**
```yaml
# Upload to Codecov
- name: Upload coverage to Codecov
  uses: codecov/codecov-action@v3
  with:
    files: ./coverage/lcov.info
    flags: unittests
    name: codecov-umbrella
    fail_ci_if_error: true
    verbose: true
```

**Coverage Diff (Changed Lines Only):**
```bash
# Only require coverage on modified lines
git diff origin/main...HEAD --name-only | grep '\.js$' | xargs npx jest --coverage --collectCoverageFrom
```

### Quality Gates

**SonarQube Integration:**
```yaml
sonarqube-check:
  stage: test
  image: sonarsource/sonar-scanner-cli:latest
  script:
    - sonar-scanner 
      -Dsonar.projectKey=myapp 
      -Dsonar.sources=. 
      -Dsonar.coverage.exclusions=**/*.test.js 
      -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
  only:
    - merge_requests
    - main
```

**Quality Gate Conditions:**
- Coverage on new code ≥ 80%
- Duplicated lines on new code ≤ 3%
- No blocker/critical issues
- Test success rate = 100%

## 22.7 Test Data Management

Reliable tests require consistent, isolated test data that resets between runs.

### Database Seeding Strategies

**SQL Fixtures:**
```yaml
# Load schema and seed data before tests
test:
  before_script:
    - psql -h postgres -U postgres -d testdb -f tests/fixtures/schema.sql
    - psql -h postgres -U postgres -d testdb -f tests/fixtures/seed-data.sql
  script:
    - npm test
```

**Factory Pattern (Programmatic):**
```javascript
// factories/user.js
const factory = require('factory-girl').factory;
const User = require('../../src/models/User');

factory.define('user', User, {
  email: factory.seq('User.email', n => `user${n}@test.com`),
  name: factory.chance('name'),
  createdAt: new Date(),
  updatedAt: new Date()
});

// In tests
const user = await factory.create('user', { role: 'admin' });
```

**Docker Init Scripts:**
```dockerfile
# Dockerfile.test
COPY tests/fixtures/ /docker-entrypoint-initdb.d/
```

### Data Isolation Levels

**Transaction Rollback (Fastest):**
```java
@SpringBootTest
@Transactional  // Roll back after each test
public class UserTest {
    // Tests run in transactions that rollback automatically
}
```

**Database per Test (Most Isolated):**
```javascript
beforeEach(async () => {
  const testDb = `test_${Date.now()}_${randomBytes(4).toString('hex')}`;
  await createDatabase(testDb);
  process.env.DATABASE_URL = `postgres://localhost/${testDb}`;
});

afterEach(async () => {
  await dropDatabase(testDb);
});
```

### Production Data Anonymization

For realistic load testing:

```yaml
# Nightly job to refresh staging with anonymized production
refresh_staging:
  stage: prepare
  only:
    - schedules
  script:
    - pg_dump production_db | psql staging_db
    - npm run db:anonymize  # Scramble PII
    - npm run test:e2e
```

## 22.8 Flaky Test Handling

Flaky tests—tests that pass and fail intermittently without code changes—destroy trust in CI and must be eliminated aggressively.

### Detection and Tracking

**Identify Flakiness:**
```yaml
# Run tests multiple times to detect flakiness
flaky_check:
  script:
    - for i in {1..5}; do npm test; done
  allow_failure: true  # Don't block, just report
```

**Test Analytics:**
```javascript
// Track flaky tests with Jest
// jest.config.js
module.exports = {
  testRunner: 'jest-runner',
  reporters: [
    'default',
    ['jest-junit', { outputDirectory: './reports' }],
    ['jest-flake-tracker', { 
      outputFile: './reports/flaky.json',
      threshold: 0.1  // Flag tests failing >10% of time
    }]
  ]
};
```

### Mitigation Strategies

**Retry with Exponential Backoff:**
```yaml
test:
  retry: 2  # GitLab CI native retry
  script:
    - npm test
```

**Quarantine Flaky Tests:**
```javascript
// Move flaky tests to separate suite
describe.skip('FLAKY: Payment Gateway Integration', () => {
  // Tests under investigation
});

// Or mark with custom tag
it('processes payments [flaky]', () => {
  // Test logic
});
```

```yaml
# Run quarantined tests separately
test:stable:
  script:
    - npm test -- --testNamePattern='^(?!.*\\[flaky\\])'

test:flaky:
  allow_failure: true
  script:
    - npm test -- --testNamePattern='\\[flaky\\]'
```

**Root Cause Fixes:**
Common causes and solutions:
- **Timing issues:** Replace `setTimeout` with explicit wait conditions
- **Resource leaks:** Ensure connections closed, files deleted
- **Shared state:** Reset singletons between tests
- **Random data:** Use seeded random generators
- **External dependencies:** Mock or use testcontainers

### CI Configuration for Flaky Tests

```yaml
# Strict mode for main branch (no flakes allowed)
test:strict:
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  retry: 0  # No retries on main
  allow_failure: false

# Lenient mode for feature branches
test:lenient:
  rules:
    - if: $CI_COMMIT_BRANCH != "main"
  retry: 2
  allow_failure: false
```

---

## Chapter Summary and Preview

In this chapter, we examined testing strategies essential for validating containerized applications in CI pipelines. Unit testing in containers ensures consistent execution environments between CI and production, with coverage thresholds enforcing quality standards at the base of the testing pyramid. Integration testing leverages service containers and Testcontainers to validate real database interactions and service dependencies without mocking, ensuring compatibility with actual infrastructure. End-to-end testing with tools like Playwright and Cypress validates complete user workflows, though requiring careful parallelization and artifact management to maintain pipeline efficiency. We explored parallel test execution strategies including file-based splitting and timing-aware distribution to minimize feedback time, alongside resource isolation techniques to prevent test interference. Test reporting via JUnit XML and coverage tools like Codecov and SonarQube provides visibility into quality metrics, while test data management strategies—from transaction rollback to database-per-worker patterns—ensure test isolation and reproducibility. Finally, we addressed flaky test detection and mitigation, emphasizing that flaky tests must be quarantined or fixed immediately to maintain CI reliability.

**Key Takeaways:**
- Structure tests as a pyramid: 70% unit (fast, isolated), 20% integration (real dependencies), 10% E2E (slow, comprehensive) to balance coverage with execution speed
- Use Testcontainers for integration tests to ensure database versions and configurations match production exactly, eliminating environment-specific failures
- Implement parallel test execution with dynamic database naming (worker ID-based) to prevent cross-test contamination while minimizing total execution time
- Never allow flaky tests to persist in the main branch; quarantine them immediately and prioritize root cause fixes over retry mechanisms
- Require coverage on new/modified code only (diff coverage) rather than overall project coverage to avoid penalizing legacy code while ensuring new work meets standards

**Next Chapter Preview:**
Chapter 23: Code Quality and Security Scanning extends testing beyond functional correctness to structural quality and vulnerability detection. We will explore static application security testing (SAST), software composition analysis (SCA) for dependency vulnerabilities, container image scanning, and dynamic application security testing (DAST). This chapter examines how to integrate linting, secret detection, and compliance checking into CI pipelines as automated gates that prevent security debt from accumulating. Understanding these security scanning patterns ensures that the tested code from this chapter meets organizational security and compliance standards before deployment to Kubernetes clusters.