[Kong’s](https://konghq.com/kong)Kong’s fast, lightweight and scalable API management solution helps improve developer productivity by automating the delivery of API management. One way Kong automates API management is through a continuous integration and continuous delivery (CI/CD) process by leveraging Kong's [decK](https://docs.konghq.com/hub/kong-inc/deck)decK (declarative configuration for Kong) and GitHub Actions.
Kong's decK provides a command line interface (CLI) to manage Kong in a declarative way. This allows organizations to manage their configuration in Git repositories, manage version control and leverage [GitOps](https://www.gitops.tech)GitOps to automate the application of the configuration.
From a business perspective, establishing a CI/CD process accelerates innovation, increases quality and provides better customer satisfaction.
In this blog post, I will navigate through how to set up GitHub Action with decK to start GitOps for Kong. By the end of this post, we will be able to open a pull request (PR) in GitHub that will:
To accomplish these, we will set up two workflows - one on a pull request and the other on merge to master. The PR action will do `deck diff` and the merge to master will do `deck sync`, respectively.
$ mkdir -p my-first-deck-in-action/kong
$ cd my-first-deck-in-action/kong
In my case, I have an existing Kong environment; therefore, I will first export my existing configuration with deck dump.
$ deck dump --kong-addr http://example.com:8001 --headers Kong-Admin-Token:*** --all-workspaces
Please make sure the `–kong-addr` option points to your Kong Admin API base url, and add the `–headers` option to embed your admin token if your Kong is configured with `[rbac](https://konghq.com/blog/learning-center/what-is-rbac)rbac: on`. For Kong Enterprise users, the `–all-workspaces` will export all configurations from each workspace.
This command will return no output when successfully executed:
In my case, Kong has three workspaces, which are IT, LOB and default, as you can see below.
You have now successfully stored the files into a local gGit repository. Let's push them to GitHub by first creating a repo in GitHub, Choose either public or private for this post.
When you are creating a repo in GitHub, please make sure not to initialize README for the following step work.
After the repo is created, you will see the instructions below:
With the Github repository created, we can now add and push to it:
git remote add origin git@github.com:ikeike443/my-first-deck-in-action.git branch -M main
$ git push -u origin main
Enumerating objects: 6, done.
Counting objects: 100% (6/6), done.
Delta compression using up to 8 threads
Compressing objects: 100% (4/4), done.
Writing objects: 100% (6/6), 1010 bytes | 1010.00 KiB/s, done.
Total 6 (delta 1), reused 0 (delta 0)
remote: Resolving deltas: 100% (1/1), done.
To github.com:ikeike443/my-first-deck-in-action.git
* [new branch] main -> main
Branch 'main' set up to track remote branch 'main' from 'origin'.
Now, you have successfully set up your Git repository for Kong configuration. You can see the yaml file(s) in GitHub like below:
$ cat <<'EOF' | tee entrypoint.sh
#!/bin/sh -l
set -e -o pipefail
main (){
cmd=$1
dir=$2
ops=$3
if [ ! -e ${dir} ]; then
echo "${dir}: No such file or directory exists";
exit 1;
fi
for file in $(ls ${dir}); do
echo "Executing: deck $cmd $ops -s $dir/$file"
deck $cmd $ops -s $dir/$file
done
}
case $1 in
"ping") deck $1 $3;;
"validate"|"diff"|"sync") main $1 $2 "$3" ;;
* ) echo "deck $1 is not supported." && exit 1 ;;
esac
EOF
Make sure to give this file permission to execute:
$ chmod +x entrypoint.shNow, we have successfully set up the action. Let's create a workflow file that runs the action.
Workflow files should be located under `.github/workflow/` directory.
Let's create the `.github/workflow/` directory as shown below:
$ pwd # make sure you're at the root of the repository
/Users/ikedatakafumi/Documents/workspace/my-first-deck-in-action
$ mkdir -p .github/workflows
First, we will set up the workflow on a pull request event that validates the configuration. Let's create `.github/workflows/CI.yaml` with your favorite editor, as shown below.
NOTE: I'm using a Kong Enterprise instance with [RBAC ](https://docs.konghq.com/getting-started-guide/latest/manage-teams/#turn-on-rbac)RBAC enabled. If your instance has RBAC disabled, remove the `–headers ${{ secrets.KONG_HEADERS }}”` from the options section of each step in the workflow.
name: CI
on:
pull_request:
branches: [ main ]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
name: "checkout"
- name: decK ping
id: decK_ping
uses: ./
with:
command: "ping"
options: "--kong-addr ${{ secrets.KONG_ADDR }} --headers ${{ secrets.KONG_HEADERS }}"
- name: decK validate
id: decK_validate
uses: ./
with:
command: "validate"
options: "--kong-addr ${{ secrets.KONG_ADDR }} --headers ${{ secrets.KONG_HEADERS }}"
kong_workspaces: "kong"
- name: decK diff
id: decK_diff
uses: ./
with:
command: "diff"
options: "--kong-addr ${{ secrets.KONG_ADDR }} --headers ${{ secrets.KONG_HEADERS }}"
kong_workspaces: "kong"
The workflow will execute four steps sequentially:
Next, let's push all the files we created to GitHub now.
After successfully pushing the latest changes to GitHub, the repository should look like this:
Let's now set the secrets that the action will use by going to the GitHub UI, Settings and Secrets section on the side panel.
Add a new secret for KONG_ADDR, and if RBAC is turned on in your Kong installation, add another secret for KONG_HEADERS, which contains "Kong-Admin-Token:***".
We're all set! Let's confirm the action on a pull request works.
Next, I'll create a new branch, commit this change to the branch and push it to GitHub. Then I'll open a new pull request in the GitHub UI. If you are not familiar with how to open a pull request, please see: [https://guides.github.com/activities/hello-world/](https://guides.github.com/activities/hello-world)https://guides.github.com/activities/hello-world/.
After successfully opening a pull request, the GitHub Action should start running.
We can see the result of the action in the "Checks" tab in the pull request as shown below.
Reviewing the results of the Action, we should see the results of the decK commands. In particular, deck diff shows how the Kong configuration will change when the changes are merged.
To do this, please create another yaml file under `.github/workflows` directory. Let's call it "sync.yaml" like below:
With this action, when changes are pushed to the master branch or a pull request is merged to master, the `deck sync` command will run to apply the configuration to Kong.
After the workflow has successfully finished, we can verify the new configuration was successfully applied. Let's validate using Kong Manager.
Congratulations! We have successfully set up a CI/CD pipeline to manage the Kong configuration declaratively using GitHub Actions!
For your convenience, I've created a reusable GitHub Action for decK, which you can fork and modify for your environment: [https://github.com/ikeike443/decK-action](https://github.com/ikeike443/decK-action)https://github.com/ikeike443/decK-action.
In this post, we configured how to set up GitHub Actions to configure Kong declaratively with GitOps using decK. If you have any questions, please feel free to contact me on [GitHub](https://github.com/ikeike443/decK-action)GitHub.
Happy hacking!
As organizations build more APIs, manual processes and frequent handoffs in the API development workflow can lead to a slower time to market, higher development costs, and poor-quality APIs. They can also result in APIs being poorly documented, caus
[](https://konghq.com/blog/engineering/automating-api-delivery-with-apiops-and-kong)
In the latest Kong Gateway 3.12 release , announced October 2025, specific MCP capabilities have been released: AI MCP Proxy plugin: it works as a protocol bridge, translating between MCP and HTTP so that MCP-compatible clients can either call exi
[](https://konghq.com/blog/engineering/ai-gateway-mcp-gateway-mcp-server-breakdown)
It’s been almost a year since we released our Konnect Terraform provider . In that time we’ve seen over 300,000 installs, have 1.7 times as many resources available, and have expanded the provider to include data sources to enable federated managem
[](https://konghq.com/blog/product-releases/terraform-provider-konnect-v3)
One of the superpowers of Kong Gateway that its users most appreciate is its declarative configuration management capabilities, facilitated by the decK command line tool. Declarative configuration enables you to manage your Kong Gateway configurat
[](https://konghq.com/blog/product-releases/managing-kong-with-terraform)
Automate Everything: Kong Gateway + API Management with Terraform Across Any Cloud Too many organizations manually manage their API gateways and policy enforcement today. As humans, we make mistakes. You’ve got one team manually configuring Kong or
[](https://konghq.com/blog/engineering/terraform-your-way-to-the-cloud)
The Kong Konnect team recently launched the Portal Management API , which allows users to manage their Developer Portals with one API. That means you can easily manage your portal settings, appearance, application registrations, and registration se
[](https://konghq.com/blog/engineering/seamlessly-manage-api-access)
Imagine this: You're documenting an unreleased feature, and your documentation requires screenshots. However, you're working in an internal environment that includes features you don't want to reveal to the public. What do you do? We faced this exac
[](https://konghq.com/blog/engineering/docs-as-code-screenshot-automation)