finos · fabiovincenzi · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026
@@ -52,6 +52,27 @@ jobs:
       - name: Run E2E tests
         run: npm run test:e2e
 
+      - name: Run Cypress E2E tests
+        run: npm run cypress:run:docker
+        timeout-minutes: 10
+        env:
+          CYPRESS_BASE_URL: http://localhost:8081
+          CYPRESS_API_BASE_URL: http://localhost:8081
+          CYPRESS_GIT_PROXY_URL: http://localhost:8000
+          CYPRESS_GIT_SERVER_TARGET: git-server:8443
+
+      - name: Dump git-proxy logs on failure
+        if: failure()
+        run: docker compose logs git-proxy --tail=100
+
+      - name: Upload Cypress screenshots on failure
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        if: failure()
+        with:
+          name: cypress-screenshots
+          path: cypress/screenshots
+          retention-days: 7
+
       - name: Stop services
         if: always()
         run: docker compose down -v
@@ -19,7 +19,13 @@ const { defineConfig } = require('cypress');
 module.exports = defineConfig({
   e2e: {
     baseUrl: process.env.CYPRESS_BASE_URL || 'http://localhost:3000',
+    specPattern: 'cypress/e2e/*.cy.{js,ts}',
     chromeWebSecurity: false, // Required for OIDC testing
+    env: {
+      API_BASE_URL: process.env.CYPRESS_API_BASE_URL || 'http://localhost:8080',
+      GIT_PROXY_URL: process.env.CYPRESS_GIT_PROXY_URL || 'http://localhost:8000',
+      GIT_SERVER_TARGET: process.env.CYPRESS_GIT_SERVER_TARGET || 'git-server:8443',
+    },
     setupNodeEvents(on, config) {
       on('task', {
         log(message) {

@@ -0,0 +1,270 @@
+/**
+ * Copyright 2026 GitProxy Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+describe('Push Actions (Approve, Reject, Cancel)', () => {
+  const testUser = {
+    username: 'testuser',
+    password: 'user123',
+    email: 'testuser@example.com',
+    gitAccount: 'testuser',
+  };
+
+  const approverUser = {
+    username: 'approver',
+    password: 'approver123',
+    email: 'approver@example.com',
+    gitAccount: 'approver',
+  };
+
+  before(() => {
+    // Setup: login as admin, create test users, assign permissions
+    cy.login('admin', 'admin');
+
+    cy.createUser(testUser.username, testUser.password, testUser.email, testUser.gitAccount);
+    cy.createUser(
+      approverUser.username,
+      approverUser.password,
+      approverUser.email,
+      approverUser.gitAccount,
+    );
+
+    cy.getTestRepoId().then((repoId) => {
+      cy.addUserPushPermission(repoId, testUser.username);
+      cy.addUserAuthorisePermission(repoId, approverUser.username);
+    });
+
+    cy.logout();
+  });
+
+  afterEach(() => {
+    cy.logout();
+  });
+
+  describe('Approve flow', () => {
+    beforeEach(() => {
+      const suffix = `approve-${Date.now()}`;
+      cy.createPush(testUser.username, testUser.password, testUser.email, suffix).as('pushId');
+    });
+
+    it('should approve a pending push via attestation dialog', function () {
+      cy.login(approverUser.username, approverUser.password);
+      cy.visit(`/dashboard/push/${this.pushId}`);
+
+      // Verify push is Pending
+      cy.get('[data-testid="push-status"]').should('contain', 'Pending');
+
+      // Action buttons should be visible
+      cy.get('[data-testid="push-cancel-btn"]').should('be.visible');
+      cy.get('[data-testid="push-reject-btn"]').should('be.visible');
+      cy.get('[data-testid="attestation-open-btn"]').should('be.visible');
+
+      // Open attestation dialog
+      cy.get('[data-testid="attestation-open-btn"]').click();
+      cy.get('[data-testid="attestation-dialog"]').should('be.visible');
+
+      // Confirm button should be disabled until all checkboxes are checked
+      cy.get('[data-testid="attestation-confirm-btn"]').should('be.disabled');
+
+      // Check all attestation checkboxes
+      cy.get('[data-testid="attestation-dialog"]')
+        .find('input[type="checkbox"]')
+        .each(($checkbox) => {
+          cy.wrap($checkbox).check({ force: true });
+        });
+
+      // Confirm button should now be enabled
+      cy.get('[data-testid="attestation-confirm-btn"]').should('not.be.disabled');
+
+      // Click confirm to approve
+      cy.get('[data-testid="attestation-confirm-btn"]').click();
+
+      // Should navigate back to push list
+      cy.url().should('include', '/dashboard/push');
+      cy.url().should('not.include', this.pushId);
+
+      // Verify push is now Approved by revisiting its detail page
+      cy.visit(`/dashboard/push/${this.pushId}`);
+      cy.get('[data-testid="push-status"]').should('contain', 'Approved');
+
+      // Action buttons should no longer be visible for an approved push
+      cy.get('[data-testid="push-cancel-btn"]').should('not.exist');
+      cy.get('[data-testid="push-reject-btn"]').should('not.exist');
+      cy.get('[data-testid="attestation-open-btn"]').should('not.exist');
+    });
+  });
+
+  describe('Reject flow', () => {
+    beforeEach(() => {
+      const suffix = `reject-${Date.now()}`;
+      cy.createPush(testUser.username, testUser.password, testUser.email, suffix).as('pushId');
+    });
+
+    it('should reject a pending push', function () {
+      cy.login(approverUser.username, approverUser.password);
+      cy.visit(`/dashboard/push/${this.pushId}`);
+
+      // Verify push is Pending
+      cy.get('[data-testid="push-status"]').should('contain', 'Pending');
+
+      // Open reject dialog
+      cy.get('[data-testid="push-reject-btn"]').click();
+
+      // Confirm button should be disabled until reason is provided
+      cy.get('[data-testid="push-reject-confirm-btn"]').should('be.disabled');
+
+      // Fill in rejection reason
+      cy.get('#reason').type('Rejecting for test purposes');
+
+      // Confirm button should now be enabled
+      cy.get('[data-testid="push-reject-confirm-btn"]').should('not.be.disabled');
+
+      // Confirm rejection
+      cy.get('[data-testid="push-reject-confirm-btn"]').click();
+
+      // Should navigate back to push list
+      cy.url().should('include', '/dashboard/push');
+      cy.url().should('not.include', this.pushId);
+
+      // Verify push is now Rejected
+      cy.visit(`/dashboard/push/${this.pushId}`);
+      cy.get('[data-testid="push-status"]').should('contain', 'Rejected');
+
+      // Action buttons should no longer be visible
+      cy.get('[data-testid="push-cancel-btn"]').should('not.exist');
+      cy.get('[data-testid="push-reject-btn"]').should('not.exist');
+      cy.get('[data-testid="attestation-open-btn"]').should('not.exist');
+    });
+  });
+
+  describe('Cancel flow', () => {
+    beforeEach(() => {
+      const suffix = `cancel-${Date.now()}`;
+      cy.createPush(testUser.username, testUser.password, testUser.email, suffix).as('pushId');
+    });
+
+    it('should cancel a pending push', function () {
+      // Cancel can be done by the push author
+      cy.login(testUser.username, testUser.password);
+      cy.visit(`/dashboard/push/${this.pushId}`);
+
+      // Verify push is Pending
+      cy.get('[data-testid="push-status"]').should('contain', 'Pending');
+
+      // Click Cancel
+      cy.get('[data-testid="push-cancel-btn"]').click();
+
+      // Should navigate back to push list
+      cy.url().should('include', '/dashboard/push');
+
+      // Verify push is now Canceled
+      cy.visit(`/dashboard/push/${this.pushId}`);
+      cy.get('[data-testid="push-status"]').should('contain', 'Canceled');
+
+      // Action buttons should no longer be visible
+      cy.get('[data-testid="push-cancel-btn"]').should('not.exist');
+      cy.get('[data-testid="push-reject-btn"]').should('not.exist');
+      cy.get('[data-testid="attestation-open-btn"]').should('not.exist');
+    });
+  });
+
+  describe('Negative: unauthorized approve', () => {
+    beforeEach(() => {
+      const suffix = `neg-approve-${Date.now()}`;
+      cy.createPush(testUser.username, testUser.password, testUser.email, suffix).as('pushId');
+    });
+
+    it('should not change push state when user lacks canAuthorise permission', function () {
+      // Login as testuser (has canPush but NOT canAuthorise)
+      cy.login(testUser.username, testUser.password);
+      cy.visit(`/dashboard/push/${this.pushId}`);
+
+      cy.get('[data-testid="push-status"]').should('contain', 'Pending');
+
+      // Open attestation dialog and attempt to approve
+      cy.get('[data-testid="attestation-open-btn"]').click();
+      cy.get('[data-testid="attestation-dialog"]').should('be.visible');
+
+      // Check all checkboxes
+      cy.get('[data-testid="attestation-dialog"]')
+        .find('input[type="checkbox"]')
+        .each(($checkbox) => {
+          cy.wrap($checkbox).check({ force: true });
+        });
+
+      cy.get('[data-testid="attestation-confirm-btn"]').click();
+
+      // TODO: The server correctly returns 403 but the UI (src/ui/services/git-push.ts)
+      // only handles 401 errors in authorisePush/rejectPush. The 403 is silently
+      // ignored and the user is navigated away without feedback. Once the UI properly
+      // handles 403, this test should assert a snackbar error message is shown.
+      cy.visit(`/dashboard/push/${this.pushId}`);
+      cy.get('[data-testid="push-status"]').should('contain', 'Pending');
+    });
+  });
+
+  describe('Negative: unauthorized reject', () => {
+    beforeEach(() => {
+      const suffix = `neg-reject-${Date.now()}`;
+      cy.createPush(testUser.username, testUser.password, testUser.email, suffix).as('pushId');
+    });
+
+    it('should not change push state when user lacks canAuthorise permission', function () {
+      // Login as testuser
+      cy.login(testUser.username, testUser.password);
+      cy.visit(`/dashboard/push/${this.pushId}`);
+
+      cy.get('[data-testid="push-status"]').should('contain', 'Pending');
+
+      // Click Reject
+      cy.get('[data-testid="push-reject-btn"]').click();
+
+      // TODO: Same issue as unauthorized approve — UI ignores 403 from server.
+      // Once fixed, assert snackbar error message is shown.
+      cy.visit(`/dashboard/push/${this.pushId}`);
+      cy.get('[data-testid="push-status"]').should('contain', 'Pending');
+    });
+  });
+
+  describe('Attestation dialog cancel does not cancel the push', () => {
+    beforeEach(() => {
+      const suffix = `dialog-cancel-${Date.now()}`;
+      cy.createPush(testUser.username, testUser.password, testUser.email, suffix).as('pushId');
+    });
+
+    it('should close attestation dialog without affecting push status', function () {
+      cy.login(approverUser.username, approverUser.password);
+      cy.visit(`/dashboard/push/${this.pushId}`);
+
+      cy.get('[data-testid="push-status"]').should('contain', 'Pending');
+
+      // Open attestation dialog
+      cy.get('[data-testid="attestation-open-btn"]').click();
+      cy.get('[data-testid="attestation-dialog"]').should('be.visible');
+
+      // Click the dialog's Cancel button (NOT the push cancel button)
+      cy.get('[data-testid="attestation-cancel-btn"]').click();
+
+      // Dialog should close, push should still be pending
+      cy.get('[data-testid="attestation-dialog"]').should('not.exist');
+      cy.get('[data-testid="push-status"]').should('contain', 'Pending');
+
+      // Action buttons should still be visible (push is still pending)
+      cy.get('[data-testid="push-cancel-btn"]').should('be.visible');
+      cy.get('[data-testid="push-reject-btn"]').should('be.visible');
+      cy.get('[data-testid="attestation-open-btn"]').should('be.visible');
+    });
+  });
+});
@@ -18,6 +18,12 @@ describe('Repo', () => {
   let cookies;
   let repoName;
 
+  before(() => {
+    cy.login('admin', 'admin');
+    cy.cleanupTestRepos();
+    cy.logout();
+  });
+
   describe('Anonymous users', () => {
     beforeEach(() => {
       cy.visit('/dashboard/repo');
@@ -70,8 +76,6 @@ describe('Repo', () => {
       });
 
       cy.contains('a', `cypress-test/${repoName}`, { timeout: 10000 }).click();
-
-      // cy.get('[data-testid="delete-repo-button"]').click();
     });
 
     it('Displays an error when adding an existing repo', () => {
@@ -100,11 +104,13 @@ describe('Repo', () => {
       // Create a new repo
       cy.getCSRFToken().then((csrfToken) => {
         repoName = `${Date.now()}`;
-        cloneURL = `http://localhost:8000/github.com/cypress-test/${repoName}.git`;
+        const gitProxyUrl = Cypress.env('GIT_PROXY_URL') || 'http://localhost:8000';
+        cloneURL = `${gitProxyUrl}/github.com/cypress-test/${repoName}.git`;
 
+        const apiBaseUrl = Cypress.env('API_BASE_URL') || Cypress.config('baseUrl');
         cy.request({
           method: 'POST',
-          url: 'http://localhost:8080/api/v1/repo',
+          url: `${apiBaseUrl}/api/v1/repo`,
           body: {
             project: 'cypress-test',
             name: repoName,
@@ -161,7 +167,7 @@ describe('Repo', () => {
       cy.getCSRFToken().then((csrfToken) => {
         cy.request({
           method: 'DELETE',
-          url: `http://localhost:8080/api/v1/repo/${repoName}/delete`,
+          url: `${Cypress.env('API_BASE_URL') || Cypress.config('baseUrl')}/api/v1/repo/${repoId}/delete`,
           headers: {
             cookie: cookies?.join('; ') || '',
             'X-CSRF-TOKEN': csrfToken,