Kong · amankong · Jul 2, 2025
diff --git a/.github/workflows/add-release-pongo.yml b/.github/workflows/add-release-pongo.yml
@@ -13,6 +13,10 @@ jobs:
       code_base: ${{ steps.define_vars.outputs.CODE_BASE }}
       tag_version: ${{ steps.define_vars.outputs.TAG_VERSION }}
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     - name: Define Vars
       id: define_vars
       shell: bash
@@ -38,6 +42,10 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.PAT }}
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     - name: Checkout Pongo
       id: checkout_pongo
       uses: actions/checkout@v4

diff --git a/.github/workflows/ast-grep.yml b/.github/workflows/ast-grep.yml
@@ -25,6 +25,10 @@ jobs:
         shell: bash
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
       - name: git checkout
         uses: actions/checkout@v4
 

diff --git a/.github/workflows/auto-assignee.yml b/.github/workflows/auto-assignee.yml
@@ -8,6 +8,10 @@ jobs:
   assign-author:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
       - name: assign-author
         # ignore the pull requests opened from PR because token is not correct
         if: github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'

diff --git a/.github/workflows/autodocs.yml b/.github/workflows/autodocs.yml
@@ -25,6 +25,10 @@ jobs:
       DOWNLOAD_ROOT: $HOME/download-root
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
       - name: Set environment variables
         run: |
           echo "INSTALL_ROOT=$HOME/install-root" >> $GITHUB_ENV
@@ -73,6 +77,10 @@ jobs:
     runs-on: ubuntu-22.04
     needs: [build]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
       - name: Set environment variables
         run: |
           echo "INSTALL_ROOT=$HOME/install-root" >> $GITHUB_ENV

diff --git a/.github/workflows/backport-fail-bot.yml b/.github/workflows/backport-fail-bot.yml
@@ -10,6 +10,10 @@ jobs:
     if: github.event.issue.pull_request != null && contains(github.event.comment.body, 'cherry-pick the changes locally and resolve any conflicts')
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     - name: Fetch mapping file
       id: fetch_mapping
       uses: actions/github-script@v7

diff --git a/.github/workflows/backport-v2.yml b/.github/workflows/backport-v2.yml
@@ -12,6 +12,10 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.pull_request.merged
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - name: Create backport pull requests
         uses: korthout/backport-action@924c8170740fa1e3685f69014971f7f251633f53 # v2.4.1

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -22,6 +22,10 @@ jobs:
       cache-key: ${{ steps.cache-key.outputs.cache-key }}
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     - name: Checkout Kong source code
       uses: actions/checkout@v4
 

diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
@@ -43,6 +43,10 @@ jobs:
       old-kong-version: ${{ steps.old-kong-version.outputs.ref }}
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0  # `git merge-base` requires the history
@@ -80,6 +84,10 @@ jobs:
     needs: build
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     - name: Bump max open files
       run: |
           sudo echo 'kong soft nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf
@@ -135,6 +143,10 @@ jobs:
       runners: ${{ steps.generate-runner-array.outputs.RUNNERS }}
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     - name: Checkout source code
       uses: actions/checkout@v4
 
@@ -221,6 +233,10 @@ jobs:
           REDIS_ARGS: "--requirepass passdefault"
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     - name: Bump max open files
       run: |
           sudo echo 'kong soft nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf
@@ -398,6 +414,10 @@ jobs:
     needs: build
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     - name: Bump max open files
       run: |
           sudo echo 'kong soft nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf
@@ -470,6 +490,10 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     - name: Checkout source code
       uses: actions/checkout@v4
 

diff --git a/.github/workflows/buildifier.yml b/.github/workflows/buildifier.yml
@@ -24,6 +24,10 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
       - name: Check out code
         uses: actions/checkout@v4
 

diff --git a/.github/workflows/changelog-requirement.yml b/.github/workflows/changelog-requirement.yml
@@ -15,6 +15,10 @@ jobs:
     name: Requires changelog
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
         with:
           fetch-depth: 2

diff --git a/.github/workflows/changelog-validation.yml b/.github/workflows/changelog-validation.yml
@@ -9,6 +9,10 @@ jobs:
     name: Validate changelog
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
 
       - name: Validate changelogs

diff --git a/.github/workflows/cherry-picks-v2.yml b/.github/workflows/cherry-picks-v2.yml
@@ -26,6 +26,10 @@ jobs:
         startsWith(github.event.comment.body, '/cherry-pick')
       )
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
         with:
           token: ${{ secrets.CHERRY_PICK_TOKEN }}

diff --git a/.github/workflows/community-stale.yml b/.github/workflows/community-stale.yml
@@ -10,6 +10,10 @@ jobs:
       issues: write
       pull-requests: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
       - uses: actions/stale@v9
         with:
           days-before-stale: 14

diff --git a/.github/workflows/copyright-check.yml b/.github/workflows/copyright-check.yml
@@ -11,6 +11,10 @@ jobs:
   check-copyright-and-ee-files:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
       - name: Checkout
         uses: actions/checkout@v4
 

diff --git a/.github/workflows/deck-integration.yml b/.github/workflows/deck-integration.yml
@@ -47,6 +47,10 @@ jobs:
         options: --health-cmd pg_isready --health-interval 5s --health-timeout 5s --health-retries 8
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
       - name: Install packages
         run: sudo apt update && sudo apt install -y libyaml-dev valgrind libprotobuf-dev libpam-dev postgresql-client jq
 

diff --git a/.github/workflows/label-check.yml b/.github/workflows/label-check.yml
@@ -8,6 +8,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     - name: backport master label found
       run: echo "Please do not backport into master, instead, create a PR targeting master and backport from it instead."; exit 1
       if: ${{ contains(github.event.*.labels.*.name, 'backport master') }}
diff --git a/.github/workflows/label-community-pr.yml b/.github/workflows/label-community-pr.yml
@@ -14,6 +14,10 @@ jobs:
       run:
         shell: bash
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - name: Label Community PR
         env:

diff --git a/.github/workflows/label-schema.yml b/.github/workflows/label-schema.yml
@@ -7,6 +7,10 @@ jobs:
     if: "${{ contains(github.event.*.labels.*.name, 'schema-change-noteworthy') }}"
     runs-on: ubuntu-latest
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     - name: Schema change label found
       uses: Kong/action-slack-notify@bd750854aaf93c5c6f69799bf813c40e7786368a # v2_node20
       continue-on-error: true

diff --git a/.github/workflows/labeler-v2.yml b/.github/workflows/labeler-v2.yml
@@ -10,4 +10,8 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     - uses: actions/labeler@v5
diff --git a/.github/workflows/openresty-patches-companion.yml b/.github/workflows/openresty-patches-companion.yml
@@ -8,6 +8,10 @@ jobs:
   create-pr:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
       - name: Dispatch the workflow
         if: ${{ github.repository_owner == 'Kong' }}
         uses: benc-uk/workflow-dispatch@25b02cc069be46d637e8fe2f1e8484008e9e9609 # v1

diff --git a/.github/workflows/perf.yml b/.github/workflows/perf.yml
@@ -31,6 +31,10 @@ jobs:
       cache-key: ${{ steps.cache-key.outputs.cache-key }}
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     - name: Checkout Kong source code
       uses: actions/checkout@v4
 
@@ -101,6 +105,10 @@ jobs:
       group: perf-ce
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
     # set up mutex across CE and EE to avoid resource race
     - name: Set up mutex
       uses: ben-z/gh-action-mutex@9709ba4d8596ad4f9f8bbe8e0f626ae249b1b3ac # v1.0-alpha-6