QA测试策略指南：基于风险的现代软件质量工程与测试金字塔实践

qa-testing-strategy by vasilyu1983/ai-agents-public

173 周安装量

47 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/vasilyu1983/ai-agents-public --skill qa-testing-strategy

质量管理开发运维测试

🇨🇳中文介绍

QA 测试策略（2026年1月）

面向现代软件交付的基于风险的质量工程策略。

核心参考资料：精选链接位于 data/sources.json（SLO/错误预算、契约、端到端测试、OpenTelemetry）。请从 references/operational-playbook.md 开始，以获取简洁、可导航的概览。

范围

创建或更新基于风险的测试策略（测试什么、在哪里测试以及为什么测试）
定义质量门禁和发布标准（合并与部署）
选择最有效的测试层级（单元测试 → 集成测试 → 契约测试 → 端到端测试）
使故障可诊断（工件、日志/追踪、所有权）
将可靠性操作化（不稳定测试 SLO、隔离、测试套件预算）

替代方案

需求	技能
调试失败的测试或事件	qa-debugging
测试 LLM 智能体/角色	qa-agent-testing
执行安全审计/威胁建模

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

测试类型	目标	典型用途
单元测试	快速验证逻辑和不变量	纯函数、核心业务规则
组件测试	隔离验证 UI 行为	UI 组件和状态转换
集成测试	验证与真实依赖的边界	API + 数据库、队列、外部适配器
契约测试	防止跨团队破坏性变更	OpenAPI/AsyncAPI/JSON Schema/Protobuf
端到端测试	验证关键用户旅程	每个产品领域 1-2 条“核心路径”
性能测试	强制执行预算和容量	负载、压力、浸泡、回归趋势
视觉测试	捕获 UI 回归	稳定页面上的布局/视觉差异
无障碍测试	自动化 WCAG 检查	axe 冒烟测试 + 针对性手动审计
安全测试	及早发现常见 Web 漏洞	CI 中的 DAST 冒烟测试 + 关键检查

决策树：测试策略

    Need to test: [Feature Type]
        │
        ├─ Pure business logic/invariants? → Unit tests (mock boundaries)
        │
        ├─ UI component/state transitions? → Component tests
        │   └─ Cross-page user journey? → E2E tests
        │
        ├─ API Endpoint?
        │   ├─ Single service boundary? → Integration tests (real DB/deps)
        │   └─ Cross-service compatibility? → Contract tests (schema/versioning)
        │
        ├─ Event-driven/API schema evolution? → Contract + backward-compat tests
        │
        └─ Performance-critical? → k6 load testing

策略基于风险：明确关键旅程和故障模式
测试组合是分层的：快速检查捕获大多数缺陷
CI 是经济的：快速的预合并门禁，繁重的套件按计划执行
故障是可诊断的：可操作的工件（日志/追踪/截图）
使用 SLO 和去不稳定测试运行手册管理不稳定测试

左移门禁（预合并）

契约：OpenAPI/AsyncAPI/JSON Schema 验证
静态检查：代码检查、类型检查、密钥扫描
快速测试：单元测试 + 关键集成测试（避免将完整的端到端测试作为 PR 门禁）

右移（部署后）

关键路径的合成检查（监控即测试）
金丝雀分析：在扩大规模前比较 SLO 信号和关键指标
功能标志用于安全发布和快速回滚
将事件转化为回归测试（优先选择较低层级）

预算	目标
PR 门禁	p50 ≤ 10 分钟，p95 ≤ 20 分钟
主线健康度	≥ 99% 绿色构建/天

不稳定测试管理

定义：测试在产品未变更时失败，重试后通过
每周跟踪：flaky_failures / total_test_executions（其中 flaky_failure = fail_then_pass_on_rerun）
SLO：测试套件不稳定率 ≤ 1% 每周
带所有者和过期时间的隔离策略
使用去不稳定测试运行手册：template-flaky-test-triage-deflake-runbook.md

    it('should apply discount', () => {
      // Arrange
      const order = { total: 150 };
      // Act
      const result = calculateDiscount(order);
      // Assert
      expect(result.discount).toBe(15);
    });

页面对象模型（端到端测试）

    class LoginPage {
      async login(email: string, password: string) {
        await this.page.fill('[data-testid="email"]', email);
        await this.page.fill('[data-testid="password"]', password);
        await this.page.click('[data-testid="submit"]');
      }
    }

反模式	问题	解决方案
测试实现	重构时中断	测试行为
共享可变状态	不稳定测试	隔离测试数据
测试中使用 sleep()	缓慢、不可靠	使用适当的等待
一切皆端到端测试	缓慢、昂贵	使用测试金字塔
忽略不稳定测试	虚假信心	修复或隔离

应该做 / 避免做

针对稳定的契约和用户可见的行为编写测试
将不稳定测试视为 P1 级可靠性工作
将“如何调试此故障”作为每个测试套件的一部分

默认“一切皆端到端测试”
使用 Sleep/基于时间的等待（使用基于事件的等待）
将覆盖率百分比作为主要质量 KPI

功能矩阵 vs 测试矩阵门禁（发布阻塞）

在发布前，运行一次覆盖率审计，将产品功能/待办事项 ID 映射到直接的测试证据。

每个发布范围内的功能必须至少映射到一个直接的自动化测试，或者有明确的所有者/日期的豁免。
证据必须包含文件路径和测试标识符（套件/规范/用例）。
“间接覆盖”在没有书面理由和风险确认的情况下不被接受。
如果关键功能没有直接证据，则发布被阻塞。

功能/待办事项 ID
覆盖状态（direct、indirect、none）
证据引用
风险等级
差距的所有者和截止日期

资源	用途
comprehensive-testing-guide.md	跨层级的端到端操作手册
operational-playbook.md	测试金字塔、BDD、CI 门禁
shift-left-testing.md	契约优先、BDD、持续测试
test-automation-patterns.md	可靠模式和反模式
playwright-webapp-testing.md	Playwright 模式
chaos-resilience-testing.md	混沌工程
observability-driven-testing.md	OpenTelemetry、基于追踪的测试
contract-testing-2026.md	Pact、Specmatic
synthetic-test-data.md	隐私安全、临时的测试数据
test-environment-management.md	环境配置和生命周期管理
quality-metrics-dashboard.md	质量指标和仪表板
compliance-testing.md	SOC2、HIPAA、GDPR、PCI-DSS 测试
feature-matrix-vs-test-matrix-gate.md	发布阻塞的功能到测试覆盖率审计

模板	用途
template-test-case-design.md	Given/When/Then 和测试预言
test-strategy-template.md	基于风险的策略
template-flaky-test-triage.md	不稳定测试分类运行手册
template-jest-vitest.md	单元测试模式
template-api-integration.md	API + 数据库集成测试
template-playwright.md	Playwright 端到端测试
template-visual-testing.md	视觉回归测试
template-k6-load-testing.md	k6 性能测试
automation-pipeline-template.md	CI 阶段、预算、门禁
template-cucumber-gherkin.md	BDD 特性文件和步骤
template-release-coverage-audit.md	功能矩阵 vs 测试矩阵发布审计

文件	用途
sources.json	外部参考资料

qa-debugging — 调试失败的测试
qa-agent-testing — 测试 AI 智能体
software-backend — 待测试的 API 模式
ops-devops-platform — CI/CD 流水线

运维门禁：发布安全验证序列

将此序列用于涉及用户流程、定价、本地化或分析的功能分支。

    # 1) Static checks
    npm run lint
    npm run typecheck
    
    # 2) Fast correctness
    npm run test:unit
    
    # 3) Critical path checks
    npm run test:e2e -- --grep "@critical"
    
    # 4) Instrumentation gate (if configured)
    npm run test:analytics-gate
    
    # 5) Production build
    npm run build

捕获确切的失败命令和第一行错误。
分类：环境问题、基线已知故障或回归。
修复后仅重新运行失败的门禁一次。
在早期必需的门禁为红色时，不要继续执行后续门禁。

用于 QA 交接的智能体输出契约

运行的命令，
每个门禁的通过/失败状态，
故障是预先存在的还是新引入的，
下一个阻塞性操作。

在最终答案前，使用网络搜索/网页抓取来验证当前的外部事实、版本、定价、截止日期、法规或平台行为。
优先使用一手来源；对于易变信息，报告来源链接和日期。
如果无法访问网络，请说明限制并将指导标记为未经验证。

🇺🇸English

QA Testing Strategy (Jan 2026)

Risk-based quality engineering strategy for modern software delivery.

Core references : curated links in data/sources.json (SLOs/error budgets, contracts, E2E, OpenTelemetry). Start with references/operational-playbook.md for a compact, navigable overview.

Scope

Create or update a risk-based test strategy (what to test, where, and why)
Define quality gates and release criteria (merge vs deploy)
Select the smallest effective layer (unit → integration → contract → E2E)
Make failures diagnosable (artifacts, logs/traces, ownership)
Operationalize reliability (flake SLO, quarantines, suite budgets)

Use Instead

Need	Skill
Debug failing tests or incidents	qa-debugging
Test LLM agents/personas	qa-agent-testing
Perform security audit/threat model	software-security-appsec
Design CI/CD pipelines and infra	ops-devops-platform

Quick Reference

Test Type	Goal	Typical Use
Unit	Prove logic and invariants fast	Pure functions, core business rules
Component	Validate UI behavior in isolation	UI components and state transitions
Integration	Validate boundaries with real deps	API + DB, queues, external adapters
Contract	Prevent breaking changes cross-team	OpenAPI/AsyncAPI/JSON Schema/Protobuf
E2E	Validate critical user journeys	1–2 “money paths” per product area
Performance	Enforce budgets and capacity	Load, stress, soak, regression trends
Visual	Catch UI regressions	Layout/visual diffs on stable pages
Accessibility	Automate WCAG checks	axe smoke + targeted manual audits
Security	Catch common web vulns early

Default Workflow

Clarify scope and risk: critical journeys, failure modes, and non-functional risks (latency, data loss, auth).
Define quality signals: SLOs/error budgets, contract/schema checks, and what blocks merge vs blocks deploy.
Choose the smallest effective layer (unit → integration → contract → E2E).
Make failures diagnosable: artifacts + correlation IDs (logs/traces/screenshots), clear ownership, deflake runbook.
Operationalize: flake SLO, quarantine with expiry, suite budgets (PR gate vs scheduled), dashboards.

Test Pyramid

           /\
          /E2E\          5-10% - Critical journeys
         /------\
        /Integr. \       15-25% - API, DB, queues
       /----------\
      /Component \       20-30% - UI modules
     /------------\
    /   Unit      \      40-60% - Logic and invariants
   /--------------\

Decision Tree: Test Strategy

Need to test: [Feature Type]
    │
    ├─ Pure business logic/invariants? → Unit tests (mock boundaries)
    │
    ├─ UI component/state transitions? → Component tests
    │   └─ Cross-page user journey? → E2E tests
    │
    ├─ API Endpoint?
    │   ├─ Single service boundary? → Integration tests (real DB/deps)
    │   └─ Cross-service compatibility? → Contract tests (schema/versioning)
    │
    ├─ Event-driven/API schema evolution? → Contract + backward-compat tests
    │
    └─ Performance-critical? → k6 load testing

Core QA Principles

Definition of Done

Strategy is risk-based: critical journeys + failure modes explicit
Test portfolio is layered: fast checks catch most defects
CI is economical: fast pre-merge gates, heavy suites scheduled
Failures are diagnosable: actionable artifacts (logs/trace/screenshots)
Flakes managed with SLO and deflake runbook

Shift-Left Gates (Pre-Merge)

Contracts: OpenAPI/AsyncAPI/JSON Schema validation
Static checks: lint, typecheck, secret scanning
Fast tests: unit + key integration (avoid full E2E as PR gate)

Shift-Right (Post-Deploy)

Synthetic checks for critical paths (monitoring-as-tests)
Canary analysis: compare SLO signals and key metrics before ramping
Feature flags for safe rollouts and fast rollback
Convert incidents into regression tests (prefer lower layers first)

CI Economics

Budget	Target
PR gate	p50 ≤ 10 min, p95 ≤ 20 min
Mainline health	≥ 99% green builds/day

Flake Management

Define: test fails without product change, passes on rerun
Track weekly: flaky_failures / total_test_executions (where flaky_failure = fail_then_pass_on_rerun)
SLO: Suite flake rate ≤ 1% weekly
Quarantine policy with owner and expiry
Use the deflake runbook: template-flaky-test-triage-deflake-runbook.md

Common Patterns

AAA Pattern

it('should apply discount', () => {
  // Arrange
  const order = { total: 150 };
  // Act
  const result = calculateDiscount(order);
  // Assert
  expect(result.discount).toBe(15);
});

Page Object Model (E2E)

class LoginPage {
  async login(email: string, password: string) {
    await this.page.fill('[data-testid="email"]', email);
    await this.page.fill('[data-testid="password"]', password);
    await this.page.click('[data-testid="submit"]');
  }
}

Anti-Patterns

Anti-Pattern	Problem	Solution
Testing implementation	Breaks on refactor	Test behavior
Shared mutable state	Flaky tests	Isolate test data
sleep() in tests	Slow, unreliable	Use proper waits
Everything E2E	Slow, expensive	Use test pyramid
Ignoring flaky tests	False confidence	Fix or quarantine

Do / Avoid

Do

Write tests against stable contracts and user-visible behavior
Treat flaky tests as P1 reliability work
Make "how to debug this failure" part of every suite

Avoid

"Everything E2E" as default
Sleeps/time-based waits (use event-based)
Coverage % as primary quality KPI

Feature Matrix vs Test Matrix Gate (Release Blocking)

Before release, run a coverage audit that maps product features/backlog IDs to direct test evidence.

Gate Rules

Every release-scoped feature must map to at least one direct automated test, or an explicit waiver with owner/date.
Evidence must include file path and test identifier (suite/spec/case).
"Covered indirectly" is not accepted without written rationale and risk acknowledgment.
If critical features have no direct evidence, release is blocked.

Minimal Audit Output

feature/backlog id
coverage status (direct, indirect, none)
evidence reference
risk level
owner and due date for gaps

Resources

Resource	Purpose
comprehensive-testing-guide.md	End-to-end playbook across layers
operational-playbook.md	Testing pyramid, BDD, CI gates
shift-left-testing.md	Contract-first, BDD, continuous testing
test-automation-patterns.md	Reliable patterns and anti-patterns
playwright-webapp-testing.md	Playwright patterns
chaos-resilience-testing.md	Chaos engineering

Templates

Template	Purpose
template-test-case-design.md	Given/When/Then and test oracles
test-strategy-template.md	Risk-based strategy
template-flaky-test-triage.md	Flake triage runbook
template-jest-vitest.md	Unit test patterns
template-api-integration.md	API + DB integration tests
template-playwright.md	Playwright E2E

Data

File	Purpose
sources.json	External references

Related Skills

qa-debugging — Debugging failing tests
qa-agent-testing — Testing AI agents
software-backend — API patterns to test
ops-devops-platform — CI/CD pipelines

Ops Gate: Release-Safe Verification Sequence

Use this sequence for feature branches that touch user flows, pricing, localization, or analytics.

# 1) Static checks
npm run lint
npm run typecheck

# 2) Fast correctness
npm run test:unit

# 3) Critical path checks
npm run test:e2e -- --grep "@critical"

# 4) Instrumentation gate (if configured)
npm run test:analytics-gate

# 5) Production build
npm run build

If a Gate Fails

Capture exact failing command and first error line.
Classify: environment issue, baseline known failure, or regression.
Re-run only the failed gate once after fix.
Do not continue to later gates while earlier required gates are red.

Agent Output Contract for QA Handoff

Always report:

commands run,
pass/fail per gate,
whether failures are pre-existing or introduced,
next blocking action.

Fact-Checking

Use web search/web fetch to verify current external facts, versions, pricing, deadlines, regulations, or platform behavior before final answers.
Prefer primary sources; report source links and dates for volatile information.
If web access is unavailable, state the limitation and mark guidance as unverified.

Weekly Installs

173

Repository

vasilyu1983/ai-…s-public

GitHub Stars

First Seen

Jan 23, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

opencode152

codex149

gemini-cli147

cursor144

github-copilot140

kimi-cli127

Azure 升级评估与自动化工具 - 轻松迁移 Functions 计划、托管层级和 SKU

85,700 周安装