Why Run API Tests in CI/CD?
Running Postman collections automatically inside a CI/CD pipeline turns manual, occasional API checks into a continuous safety net that runs on every commit or pull request. Instead of discovering a broken endpoint after a customer complains, the pipeline fails fast with a specific assertion failure, pointing directly at the change that broke the contract.
Cricket analogy: Running API checks on every commit is like a team having a fitness test before every single match instead of once a season, catching a niggling injury before it costs a game.
Adding a Newman Stage to a Pipeline
A typical pipeline stage installs Node.js, installs Newman (plus any needed reporters), then invokes newman run against the target collection and a non-production environment, immediately after the build step and before deployment. Placing it there means an API contract regression is caught the moment code lands, not after a slower end-to-end suite finishes hours later.
Cricket analogy: Adding a Newman step right after the build stage is like slotting a nets session immediately after training drills, so form is checked while it's still fresh rather than days later.
name: API Tests
on: [pull_request]
jobs:
newman:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- run: npm install -g newman newman-reporter-htmlextra
- run: >
newman run postman/collection.json
-e postman/staging.postman_environment.json
--env-var apiKey=$API_KEY
--reporters cli,htmlextra
--reporter-htmlextra-export newman-report.html
env:
API_KEY: ${{ secrets.STAGING_API_KEY }}
- uses: actions/upload-artifact@v4
if: always()
with:
name: newman-report
path: newman-report.htmlManaging Environments and Secrets Securely
API keys, auth tokens, and other secrets should never live inside an exported Postman environment JSON that gets committed to the repo. Instead, the CI system's secret manager injects them at run time, typically passed to Newman via --env-var name=value, so the actual credential value only ever exists in memory during the pipeline run, not in version control.
Cricket analogy: Keeping API keys out of the collection file is like a captain never writing the team's signal codes on a public whiteboard, instead passing them verbally to trusted players only.
Failing the Build on Test Failures
Because Newman exits non-zero when any assertion fails, the CI job step itself fails naturally with no extra glue code — most CI systems already treat a non-zero exit code from a shell step as a failed step. Wiring that failing step into branch-protection rules means a pull request literally cannot merge, and a pipeline literally cannot deploy, while the API contract is broken.
Cricket analogy: Gating the merge on a passing Newman run is like a selection committee refusing to name a player to the squad until they pass the mandatory fitness test, no exceptions.
Most CI systems (GitHub Actions, GitLab CI, Jenkins, CircleCI) can run Newman inside a plain Node.js container — no special Postman plugin is required, since Newman is just an npm package.
Never commit a Postman environment file containing real API keys or tokens to version control. Use --env-var to inject secrets from your CI system's secret store at run time instead of baking them into the exported JSON.
- Running Newman as a CI pipeline stage catches API regressions on every commit or pull request, before code merges.
- A typical CI job installs Node.js, installs Newman (and any reporters), then runs newman run with the collection and environment files.
- Secrets like API keys should be injected via --env-var or CI secret variables, never committed inside an environment JSON file.
- Newman's non-zero exit code on test failure naturally fails the CI job step, blocking the merge or deploy.
- Reports (htmlextra, junit) should be uploaded as build artifacts so failures can be diagnosed without re-running locally.
- Running the same Newman command locally and in CI keeps behavior consistent and debuggable.
Practice what you learned
1. Where should a real API key be stored for use in a CI-run Newman command?
2. What typically triggers a Newman-based API test stage in a CI/CD pipeline?
3. What should happen to the CI pipeline if the Newman run's exit code is non-zero?
4. Why upload the htmlextra or junit report as a CI artifact?
Was this page helpful?
You May Also Like
Newman: Running Collections from the CLI
Newman is Postman's command-line collection runner, letting teams execute collections, generate reports, and fail builds without opening the Postman app.
Collection Runner
Learn how Postman's Collection Runner executes an entire collection of requests in sequence, complete with data-driven iterations, delays, and detailed pass/fail reporting.
Monitors and Scheduled Runs
Postman Monitors run your collections automatically on a schedule from multiple regions, alerting you the moment an API starts failing or slowing down in production.