DefGuard · t-aleksander · Apr 23, 2026 · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -113,17 +113,211 @@ jobs:
             ./e2e/playwright-report
           retention-days: 7
 
+  test-migration-wizard:
+    runs-on:
+      - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }}
+        instance-size:medium
+
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Login to GitHub container registry
+        uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Export image tag
+        run: |
+          BRANCH=${GITHUB_REF#refs/heads/}
+          if [[ "$BRANCH" == release/* ]]; then
+            IMAGE_TAG=${BRANCH//\//-}
+          else
+            IMAGE_TAG=$BRANCH
+          fi
+          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
+
+      - name: Set up Node
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: "./e2e/.nvmrc"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          # FIXME: temporarily pinned because of https://github.com/pnpm/pnpm/pull/9959
+          version: 10.17
+          run_install: false
+
+      - name: Get pnpm store directory
+        id: pnpm-cache
+        shell: bash
+        run: |
+          echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
+
+      - uses: actions/cache@v5
+        name: Setup pnpm cache
+        with:
+          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Pull images
+        run: docker compose --file './docker-compose.e2e.yaml' pull
+
+      - name: Install E2E dependencies
+        working-directory: ./e2e
+        run: pnpm install --frozen-lockfile
+
+      - name: Cache Playwright browsers
+        id: playwright-cache
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('e2e/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+
+      - name: Install playwright chromium
+        working-directory: ./e2e
+        run: |
+          if [[ "${{ steps.playwright-cache.outputs.cache-hit }}" == "true" ]]; then
+            npx playwright install-deps chromium
+          else
+            npx playwright install --with-deps chromium
+          fi
+
+      - name: Run migration wizard tests
+        working-directory: ./e2e
+        env:
+          DEFGUARD_LICENSE_KEY: ${{ secrets.DEFGUARD_LICENSE_KEY }}
+        run: pnpm playwright test --config playwright.config.migration.ts
+
+      - name: Stop compose
+        if: always()
+        run: docker compose --file './docker-compose.e2e.yaml' down
+
+      - uses: actions/upload-artifact@v7
+        if: failure()
+        with:
+          name: playwright-report-migration-wizard
+          path: |
+            ./e2e/playwright-report
+          retention-days: 7
+
+  test-auto-adoption-wizard:
+    runs-on:
+      - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }}
+        instance-size:medium
+
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Login to GitHub container registry
+        uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Export image tag
+        run: |
+          BRANCH=${GITHUB_REF#refs/heads/}
+          if [[ "$BRANCH" == release/* ]]; then
+            IMAGE_TAG=${BRANCH//\//-}
+          else
+            IMAGE_TAG=$BRANCH
+          fi
+          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
+
+      - name: Set up Node
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: "./e2e/.nvmrc"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          # FIXME: temporarily pinned because of https://github.com/pnpm/pnpm/pull/9959
+          version: 10.17
+          run_install: false
+
+      - name: Get pnpm store directory
+        id: pnpm-cache
+        shell: bash
+        run: |
+          echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
+
+      - uses: actions/cache@v5
+        name: Setup pnpm cache
+        with:
+          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Pull images
+        run: docker compose --file './docker-compose.e2e-auto-adoption.yaml' pull
+
+      - name: Install E2E dependencies
+        working-directory: ./e2e
+        run: pnpm install --frozen-lockfile
+
+      - name: Cache Playwright browsers
+        id: playwright-cache
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('e2e/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+
+      - name: Install playwright chromium
+        working-directory: ./e2e
+        run: |
+          if [[ "${{ steps.playwright-cache.outputs.cache-hit }}" == "true" ]]; then
+            npx playwright install-deps chromium
+          else
+            npx playwright install --with-deps chromium
+          fi
+
+      - name: Run auto-adoption wizard tests
+        working-directory: ./e2e
+        env:
+          DEFGUARD_LICENSE_KEY: ${{ secrets.DEFGUARD_LICENSE_KEY }}
+        run: pnpm playwright test --config playwright.config.auto-adoption.ts
+
+      - name: Stop compose
+        if: always()
+        run: docker compose --file './docker-compose.e2e-auto-adoption.yaml' down
+
+      - uses: actions/upload-artifact@v7
+        if: failure()
+        with:
+          name: playwright-report-auto-adoption-wizard
+          path: |
+            ./e2e/playwright-report
+          retention-days: 7
+
   trigger-dev-deploy:
-    needs: test
-    if: ${{ github.event_name != 'pull_request' && github.ref_name == 'dev' && needs.test.result == 'success' }}
+    needs: [test, test-migration-wizard, test-auto-adoption-wizard]
+    if: ${{ github.event_name != 'pull_request' && github.ref_name == 'dev' && needs.test.result == 'success' && needs.test-migration-wizard.result == 'success' && needs.test-auto-adoption-wizard.result == 'success' }}
     uses: ./.github/workflows/dev-deployment.yml
     secrets: inherit
 
   trigger-staging-deploy:
-    needs: test
+    needs: [test, test-migration-wizard, test-auto-adoption-wizard]
     if: |
       github.event_name != 'pull_request' &&
       startsWith(github.ref_name, 'release/') &&
-      needs.test.result == 'success'
+      needs.test.result == 'success' &&
+      needs.test-migration-wizard.result == 'success' &&
+      needs.test-auto-adoption-wizard.result == 'success'
     uses: ./.github/workflows/staging-deployment.yml
     secrets: inherit
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/docker-compose.e2e-auto-adoption.yaml b/docker-compose.e2e-auto-adoption.yaml
@@ -0,0 +1,55 @@
+services:
+  core:
+    image: ghcr.io/defguard/defguard:${IMAGE_TAG}
+    environment:
+      DEFGUARD_COOKIE_INSECURE: true
+      DEFGUARD_COOKIE_DOMAIN: localhost
+      DEFGUARD_LOG_LEVEL: debug
+      DEFGUARD_DB_HOST: db
+      DEFGUARD_DB_PORT: 5432
+      DEFGUARD_DB_USER: defguard
+      DEFGUARD_DB_PASSWORD: defguard
+      DEFGUARD_DB_NAME: defguard
+      DEFGUARD_GRPC_PORT: 50055
+      DEFGUARD_ADOPT_EDGE: "edge:50051"
+      DEFGUARD_ADOPT_GATEWAY: "gateway:50066"
+      RUST_BACKTRACE: 1
+    ports:
+      - "8000:8000"
+      - "50055:50055"
+    depends_on:
+      - db
+
+  db:
+    image: public.ecr.aws/docker/library/postgres:17-alpine
+    environment:
+      POSTGRES_DB: defguard
+      POSTGRES_USER: defguard
+      POSTGRES_PASSWORD: defguard
+    ports:
+      - "5432:5432"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U defguard -d defguard"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+      start_period: 5s
+
+  edge:
+    image: ghcr.io/defguard/defguard-proxy:${IMAGE_TAG}
+    ports:
+      - "8080:8080"
+      - "50051:50051"
+    environment:
+      DEFGUARD_PROXY_GRPC_PORT: 50051
+      RUST_BACKTRACE: 1
+
+  gateway:
+    image: ghcr.io/defguard/gateway:${IMAGE_TAG}
+    ports:
+      - "50066:50066"
+    environment:
+      DEFGUARD_GATEWAY_GRPC_PORT: 50066
+      RUST_BACKTRACE: 1
+    cap_add:
+      - NET_ADMIN
diff --git a/e2e/playwright.config.auto-adoption.ts b/e2e/playwright.config.auto-adoption.ts
@@ -0,0 +1,35 @@
+import { defineConfig, devices } from '@playwright/test';
+
+import { testsConfig } from './config';
+import { loadEnv } from './utils/loadEnv';
+
+loadEnv();
+
+export default defineConfig({
+  globalSetup: './utils/globalSetupAutoAdoption',
+  timeout: testsConfig.TEST_TIMEOUT * 1000,
+  testDir: './tests',
+  testMatch: '**/autoAdoptionWizard.spec.ts',
+  fullyParallel: false,
+  forbidOnly: !!process.env.CI,
+  retries: process.env.CI ? 2 : 0,
+  workers: 1,
+  reporter: [['html', { open: 'never' }]],
+  use: {
+    baseURL: testsConfig.BASE_URL,
+    trace: 'retain-on-failure',
+    viewport: { height: 993, width: 1920 },
+    video: { mode: 'retain-on-failure' },
+    screenshot: 'only-on-failure',
+    contextOptions: { permissions: ['clipboard-read', 'clipboard-write'] },
+  },
+  projects: [
+    {
+      name: 'auto-adoption-wizard',
+      use: {
+        ...devices['Desktop Chrome'],
+        viewport: { height: 993, width: 1920 },
+      },
+    },
+  ],
+});
diff --git a/e2e/playwright.config.migration.ts b/e2e/playwright.config.migration.ts
@@ -0,0 +1,35 @@
+import { defineConfig, devices } from '@playwright/test';
+
+import { testsConfig } from './config';
+import { loadEnv } from './utils/loadEnv';
+
+loadEnv();
+
+export default defineConfig({
+  globalSetup: './utils/globalSetupMigration',
+  timeout: testsConfig.TEST_TIMEOUT * 1000,
+  testDir: './tests',
+  testMatch: '**/migrationWizard.spec.ts',
+  fullyParallel: false,
+  forbidOnly: !!process.env.CI,
+  retries: process.env.CI ? 2 : 0,
+  workers: 1,
+  reporter: [['html', { open: 'never' }]],
+  use: {
+    baseURL: testsConfig.BASE_URL,
+    trace: 'retain-on-failure',
+    viewport: { height: 993, width: 1920 },
+    video: { mode: 'retain-on-failure' },
+    screenshot: 'only-on-failure',
+    contextOptions: { permissions: ['clipboard-read', 'clipboard-write'] },
+  },
+  projects: [
+    {
+      name: 'migration-wizard',
+      use: {
+        ...devices['Desktop Chrome'],
+        viewport: { height: 993, width: 1920 },
+      },
+    },
+  ],
+});
diff --git a/e2e/playwright.config.ts b/e2e/playwright.config.ts
@@ -35,6 +35,9 @@ export default defineConfig({
     '**/externalopenid.spec.ts',
     '**/externalopenidmfa.spec.ts',
     '**/openid.spec.ts',
+    // These wizards use dedicated config files with their own globalSetup.
+    '**/autoAdoptionWizard.spec.ts',
+    '**/migrationWizard.spec.ts',
   ],
   /* Run tests in files in parallel */
   fullyParallel: false,

diff --git a/e2e/tests/autoAdoptionWizard.spec.ts b/e2e/tests/autoAdoptionWizard.spec.ts
@@ -0,0 +1,16 @@
+import { expect, test } from '@playwright/test';
+
+import { runAutoAdoptionWizard } from '../utils/controllers/wizards/runAutoAdoptionWizard';
+import { dockerRestartAutoAdoption } from '../utils/docker';
+
+test.describe('Auto Adoption Wizard', () => {
+  test.beforeEach(() => {
+    // Restore DB to the pre-wizard snapshot before each test.
+    dockerRestartAutoAdoption();
+  });
+
+  test('completes the happy path and lands on vpn-overview', async ({ page }) => {
+    await runAutoAdoptionWizard(page);
+    await expect(page).toHaveURL(/\/vpn-overview/);
+  });
+});