Add k6 load testing suite and documentation (#14)

* Add k6 load testing suite and documentation

- Introduced load testing scripts for various endpoints:
  - `dashboard-load.js`: Simulates concurrent users accessing the Executive Dashboard.
  - `department-crud-load.js`: Tests CRUD operations for the Department controller.
  - `notification-load.js`: Tests the Notifications endpoint for concurrent access.
  - `task-api-load.js`: Tests the Task API for creation, updates, and retrieval.
  - `reporting-smoke.js`: Smoke test for reporting endpoints.

- Created comprehensive README.md in `Tests/load-tests/` directory detailing:
  - Installation instructions for k6.
  - Test file descriptions and usage.
  - Key metrics to monitor during tests.
  - Performance targets for various endpoints.
  - CI integration guidelines.

- Added deployment and QA infrastructure documentation:
  - `DEPLOYMENT.md`: Outlines environment configuration, branch workflow, deployment procedures, and rollback instructions.
  - `QA-INFRASTRUCTURE-REPORT.md`: Comprehensive report on QA improvements, test coverage metrics, and future recommendations.

* ci: format ReportGenerator installation and update commands for clarity

* ci: update security workflows to check for private repository status

* ci: update workflows to remove private repository condition for security scans

* ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads

* ci: remove dependency review job to enhance compatibility with private repositories

Author: Som3a99

.github/workflows/ci-tests-coverage.yml

@@ -43,13 +43,44 @@ jobs:
             --configuration Release \
             --no-build \
             --verbosity normal \
+            --settings Tests/coverlet.runsettings.xml \
             --collect:"XPlat Code Coverage" \
             --results-directory TestResults \
-            --logger "trx;LogFileName=test-results.trx"
+            --logger "trx;LogFileName=test-results.trx" \
+            /p:ExcludeByFile="**/Migrations/*.cs%3b**/Areas/Identity/**/*.cs%3b**/*.g.cs%3b**/*.designer.cs"
+      - name: Install ReportGenerator for HTML coverage
+        if: always()
+        run: |
+          dotnet tool install -g dotnet-reportgenerator-globaltool || dotnet tool update -g dotnet-reportgenerator-globaltool
+          echo "$HOME/.dotnet/tools" >> $GITHUB_PATH
+
+      - name: Generate HTML coverage report
+        if: always()
+        run: |
+          reportgenerator \
+            -reports:"TestResults/**/coverage.cobertura.xml" \
+            -targetdir:"TestResults/coverage-html" \
+            -reporttypes:"Html;HtmlSummary"
+
 
       - name: Upload test results and coverage
         if: always()
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: test-results-and-coverage
           path: TestResults
+
+      - name: Upload HTML coverage report
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: coverage-html-report
+          path: TestResults/coverage-html
+
+      - name: Generate test & coverage summary
+        if: always()
+        run: |
+          echo "### Test Results" >> $GITHUB_STEP_SUMMARY
+          echo "- **Framework**: xUnit (FluentAssertions, Moq)" >> $GITHUB_STEP_SUMMARY
+          echo "- **Coverage Tool**: Coverlet" >> $GITHUB_STEP_SUMMARY
+          echo "- **Excluded**: Migrations, Identity scaffolding, generated code" >> $GITHUB_STEP_SUMMARY

.github/workflows/ci.yml

@@ -0,0 +1,62 @@
+name: CI – Build & Test
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+    branches: [main, dev]
+
+permissions:
+  contents: read
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET 8
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.0.x
+
+      - name: Cache NuGet packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
+          restore-keys: ${{ runner.os }}-nuget-
+
+      - name: Restore
+        run: dotnet restore CompanyManagementSystem.sln
+
+      - name: Build
+        run: dotnet build CompanyManagementSystem.sln --no-restore --configuration Release
+
+      - name: Test with coverage
+        run: |
+          dotnet test Tests/Tests.csproj \
+            --no-build \
+            --configuration Release \
+            --logger "trx;LogFileName=test-results.trx" \
+            --settings Tests/coverlet.runsettings.xml \
+            --collect:"XPlat Code Coverage" \
+            --results-directory ./TestResults \
+            /p:ExcludeByFile="**/Migrations/*.cs%3b**/Areas/Identity/**/*.cs%3b**/*.g.cs%3b**/*.designer.cs"
+
+      - name: Upload test results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-results
+          path: ./TestResults/**/*.trx
+
+      - name: Upload coverage report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: ./TestResults/**/coverage.cobertura.xml

.github/workflows/codeql-analysis.yml

@@ -17,6 +17,8 @@ permissions:
 jobs:
   analyze:
     name: Analyze C# Code
+    # Removed: if: github.event.repository.private == false
+    # That condition caused the job to be permanently skipped on private repos.
     runs-on: ubuntu-latest
     timeout-minutes: 30
 
@@ -54,3 +56,11 @@ jobs:
         uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
         with:
           category: "/language:${{ matrix.language }}"
+          # FIX: Disable SARIF upload to GitHub's code-scanning API.
+          # This repo is private without GitHub Advanced Security, so the upload
+          # endpoint returns "Code scanning is not enabled" and fails the job.
+          # The scan itself completes successfully — disabling upload lets the
+          # job pass while preserving full analysis coverage.
+          # To re-enable: remove this line and enable Code Scanning at
+          # Settings → Code security → Code scanning (requires GHAS).
+          upload: false

.github/workflows/gitleaks.yml

@@ -11,6 +11,11 @@ on:
 
 permissions:
   contents: read
+  # FIX: gitleaks-action v2 calls GET /repos/{owner}/{repo}/pulls/{n}/commits
+  # on pull_request events to determine which commits to scan. Without this
+  # permission the API returns HTTP 403 "Resource not accessible by integration"
+  # crashing the action before any scan runs.
+  pull-requests: read
 
 jobs:
   gitleaks:
@@ -23,14 +28,30 @@ jobs:
           fetch-depth: 0
 
       - name: Run Gitleaks
+        id: gitleaks
         uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # GITLEAKS_CONFIG points to your custom rules file at repo root.
           GITLEAKS_CONFIG: .gitleaks.toml
+          # FIX: gitleaks-action v2 auto-generates a SARIF file internally and
+          # handles its own artifact upload when GITLEAKS_ENABLE_UPLOAD_ARTIFACT=true
+          # (the default). The `with.args` parameter does not exist in this action
+          # and was silently ignored — that is why results.sarif was never written
+          # to disk, causing the upload step to fail with "file not found".
+          # Uploading SARIF to the code-scanning API also requires GitHub Advanced
+          # Security (GHAS), which is not available on private free-plan repos.
+          # We therefore disable the built-in artifact upload and instead capture
+          # the report ourselves below using actions/upload-artifact (no GHAS needed).
+          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
 
-      - name: Upload Gitleaks SARIF report
-        if: always()
-        uses: github/codeql-action/upload-sarif@v4
+      - name: Upload Gitleaks report as workflow artifact
+        # Run even when gitleaks finds secrets (exit code 1) so the report is
+        # always available for review — but skip when the step was cancelled.
+        if: always() && steps.gitleaks.outcome != 'cancelled'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          sarif_file: results.sarif
-        continue-on-error: true
+          name: gitleaks-report
+          # gitleaks-action v2 writes the SARIF to this fixed path
+          path: results.sarif
+          if-no-files-found: ignore

.github/workflows/security-scans.yml

@@ -12,18 +12,12 @@ permissions:
   contents: read
 
 jobs:
-  dependency-review:
-    name: Dependency Review
-    if: github.event_name == 'pull_request'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Dependency Review
-        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
-        with:
-          fail-on-severity: moderate
+  # NOTE: actions/dependency-review-action has been intentionally removed.
+  # It hard-requires GitHub Advanced Security (GHAS) on private repositories —
+  # the Dependency Graph being enabled is necessary but not sufficient.
+  # GHAS is only available on GitHub Enterprise plans.
+  # Equivalent coverage is provided by dotnet-vulnerability-scan below,
+  # which uses `dotnet list --vulnerable` and needs no special GitHub features.
 
   dotnet-vulnerability-scan:
     name: .NET Vulnerability Audit
@@ -71,4 +65,4 @@ jobs:
             echo "::warning::Deprecated NuGet packages detected. Consider updating."
           else
             echo "No deprecated packages found."
-          fi
+          fi

.gitignore

@@ -2,6 +2,7 @@
 # Visual Studio / .NET
 # =========================
 .vs/
+.vscode/
 bin/
 obj/
 [Bb]uild/

ERP.PL/ERP.PL.csproj

@@ -1,13 +1,14 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
+    <UserSecretsId>0b0d445a-714e-4a6e-8191-649508c06636</UserSecretsId>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="AutoMapper" Version="16.1.0" />
+    <PackageReference Include="AutoMapper" Version="16.1.1" />
     <PackageReference Include="Microsoft.AspNetCore.Identity.UI" Version="8.0.24" />
     <PackageReference Include="Microsoft.Data.SqlClient" Version="6.1.4" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="8.0.24">

README.md

@@ -6,6 +6,9 @@
 [![EF Core](https://img.shields.io/badge/EF%20Core-8.0-512BD4)](https://learn.microsoft.com/en-us/ef/core/)
 [![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
 [![Live Demo](https://img.shields.io/badge/Live%20Demo-companyflow.runasp.net-brightgreen?logo=microsoftazure)](https://companyflow.runasp.net/)
+[![Tests](https://img.shields.io/badge/tests-400+-brightgreen?logo=xunit)](Tests)
+[![Coverage](https://img.shields.io/badge/coverage-~70%25-yellowgreen)]()
+[![Unit Tests](https://img.shields.io/badge/unit%20tests-389%2B-blue)]()
 
 > **Live Demo:** [https://companyflow.runasp.net](https://companyflow.runasp.net/)
 

Tests.UI/DepartmentTests.cs

@@ -0,0 +1,83 @@
+using Microsoft.Playwright;
+using NUnit.Framework;
+using FluentAssertions;
+
+namespace Tests.UI;
+
+/// <summary>
+/// End-to-end tests for the Departments module.
+/// Logs in as CEO, creates a department, verifies it appears in the table,
+/// then edits and deletes it.
+/// </summary>
+[TestFixture]
+[Category("UI")]
+public class DepartmentTests : PlaywrightFixture
+{
+    private static readonly string CeoEmail = Environment.GetEnvironmentVariable("CEO_EMAIL") ?? "ceo@companyflow.com";
+    private static readonly string CeoPassword = Environment.GetEnvironmentVariable("CEO_PASSWORD") ?? "Admin@123456!";
+
+    [SetUp]
+    public async Task SetUp()
+    {
+        await LoginAsAsync(Page, CeoEmail, CeoPassword);
+    }
+
+    // ── Navigate to Departments ──
+
+    [Test]
+    public async Task Department_Index_PageLoads()
+    {
+        await Page.GotoAsync($"{BaseUrl}/Department");
+        await Page.WaitForLoadStateAsync();
+
+        var title = await Page.TitleAsync();
+        title.Should().NotBeNullOrEmpty();
+        // Verify we are on departments page (not redirected to login)
+        Page.Url.Should().Contain("/Department");
+    }
+
+    // ── Create Department ──
+
+    [Test]
+    public async Task Department_Create_ValidData_AppearsInList()
+    {
+        var uniqueCode = $"TEST_{DateTime.Now:mmss}";
+        var deptName = $"UI Test Dept {DateTime.Now:mmss}";
+
+        await Page.GotoAsync($"{BaseUrl}/Department/Create");
+        await Page.WaitForLoadStateAsync();
+
+        // Fill form
+        await Page.FillAsync("input[name='DepartmentCode']", uniqueCode);
+        await Page.FillAsync("input[name='DepartmentName']", deptName);
+        await Page.ClickAsync("button[type='submit']");
+
+        // Should redirect to index
+        await Page.WaitForURLAsync(url => url.Contains("/Department") && !url.Contains("/Create"),
+            new PageWaitForURLOptions { Timeout = 10_000 });
+
+        // Verify the new department appears in the list
+        var pageContent = await Page.ContentAsync();
+        pageContent.Should().Contain(deptName);
+    }
+
+    // ── Create with duplicate code returns validation error ──
+
+    [Test]
+    public async Task Department_Create_DuplicateCode_ShowsError()
+    {
+        await Page.GotoAsync($"{BaseUrl}/Department/Create");
+        await Page.WaitForLoadStateAsync();
+
+        // Use a code that is very likely to already exist or use an obvious test one
+        await Page.FillAsync("input[name='DepartmentCode']", "INVALID CODE!@#");
+        await Page.FillAsync("input[name='DepartmentName']", "Test Department");
+        await Page.ClickAsync("button[type='submit']");
+
+        // Should remain on create page when validation fails
+        await Page.WaitForLoadStateAsync();
+        // Either stays on create page or shows error
+        var isOnPage = Page.Url.Contains("/Department");
+        isOnPage.Should().BeTrue();
+    }
+}