OpenSSF, Open Source Summit, KubeCon: A Conference Trifecta

An impactful week in Hyderabad, sharing insights from conferences, networking, and personal growth experiences.

It wasn't just the constant rain, the delicious food or the traffic chaos: I was in Hyderabad for 3 reasons, all happening in the same week.

  1. OpenSSF Community Days – Where I gave my first Security talk
  2. Open Source Summit India – Catching up with old friends in the community
  3. KubeCon + CloudNativeCon India – Diving deeper into the CNCF ecosystem

After doing virtual meetups for so long, being back at in-person conferences felt like coming home. The week taught me more than I bargained for. All thanks to the Linux Foundation for their continued support in my journey.

The scary part? I was about to share a story of failure, frustration, and hard-won lessons. I was about to tell a room full of security experts about one of our biggest incidents ever.

OpenSSF Community Day

Ram Iyengar organized this event and delivered a solid kickoff, and honestly, I was nervous as hell. My flight was way too early in the morning, which meant late-night packing, no sleep at all, and arriving in Hyderabad right before the conference started. I went straight to the venue, met Leon, and seeing a familiar face helped calm my nerves.

The OpenSSF initiative is trying to get Indian developers thinking about security from day one. India has one of the fastest-growing developer populations, but security awareness? Not so much. People are shipping code fast, but not always thinking about what could go wrong.

That’s where my story came in. Sometimes the best way to teach security is to show what happens when you mess up.

Where’s Waldo Situation Over Here?

The Talk That Made a Room Go Silent

I began to tell the story. A story about how an insecure default in an official GitHub Action led to a secret leak that went completely undetected for two years.

It started with a simple question from our CISO: “Vipul, did we just leak our secrets?”

That question kicked off a frantic, multi-day debugging session.

  1. We knew what secret had been found.
  2. It was a GitHub PAT token, discovered by the scanning tool TruffleHog.
  3. But we had no idea how or where it had leaked from.

The technical root of the nightmare was deceptively simple. The popular actions/checkout GitHub Action, used in countless CI/CD pipelines, persists credentials by default in the local .git/config file. In our workflow, this .git folder was being mistakenly packaged into our build artifacts. When those artifacts were published, the secrets went with them.

The story resonated. Hard.

A hush fell over the room. A simple misconfiguration, a dangerous default, and a vulnerability that had been a known issue since 2021.

The silence broke the moment I finished, followed by applause. The response was intense. People came up to me all day sharing their own horror stories. Over 50 people filled out feedback forms. The message was clear: we’ve all been there.

Talk Feedback & Slides

Check out the slides, talk feedback and recording.

Key Takeaways from My Talk

If you missed the talk, here’s what matters:

  1. CI/CD defaults prioritize convenience over security. Always check what they’re actually doing.
  2. The GitHub checkout action persists credentials by default. Turn it off explicitly with persist-credentials: false.
  3. Your .git folder might be in your artifacts. Check your build process.
  4. Scan everything that leaves your pipeline. Your secrets might already be out there.
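A small check for takeaways 3 and 4, covering the misconfiguration described above: it scans a tar.gz build artifact for any packaged .git/ entries and for a .git/config carrying the Authorization extraheader that actions/checkout writes when persist-credentials is left on. This is an added example, not the author's tooling; the artifact and config contents are constructed inline, and the workflow-side fix remains persist-credentials: false.

```python
"""Scan a build artifact for a packaged .git directory and for persisted
checkout credentials (constructed example, not the author's tooling)."""
import io
import re
import tarfile

# actions/checkout stores the repository token in .git/config as an http
# extraheader; this matches the line without decoding or printing its value.
EXTRAHEADER_RE = re.compile(r"^\s*extraheader\s*=\s*AUTHORIZATION:",
                            re.IGNORECASE | re.MULTILINE)


def scan_artifact(data: bytes) -> dict:
    """Return findings for a tar.gz artifact given as bytes: every member
    under a .git/ directory, and every .git/config with an auth header."""
    findings = {"git_entries": [], "credential_configs": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if ".git" not in parts:
                continue
            findings["git_entries"].append(member.name)
            if member.isfile() and parts[-1] == "config" and parts[-2] == ".git":
                fh = tar.extractfile(member)
                text = fh.read().decode("utf-8", errors="replace") if fh else ""
                if EXTRAHEADER_RE.search(text):
                    findings["credential_configs"].append(member.name)
    return findings


def build_sample_artifact(persist_credentials: bool) -> bytes:
    """Constructed artifact: one app file plus a .git/config that either does
    or does not contain the extraheader line a default checkout leaves behind."""
    config = "[core]\n\trepositoryformatversion = 0\n"
    if persist_credentials:
        # PLACEHOLDER stands in for the base64 token a real checkout writes.
        config += "[http \"https://github.com/\"]\n\textraheader = AUTHORIZATION: basic PLACEHOLDER\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in (("app/main.py", "print('hi')\n"), ("app/.git/config", config)):
            raw = body.encode()
            info = tarfile.TarInfo(name)
            info.size = len(raw)
            tar.addfile(info, io.BytesIO(raw))
    return buf.getvalue()


if __name__ == "__main__":
    # Any non-empty list here means the .git folder shipped with the build.
    print(scan_artifact(build_sample_artifact(persist_credentials=True)))
```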

Huge thanks to Harald for helping me get this story right, and to Ram for creating space for these uncomfortable but necessary conversations.

And the speaker gifts? Absolute perfection. Instead of the usual branded swag, Ram went above and beyond to give us a curated selection of Hyderabad’s best local treats: Manam chocolates (which are seriously addictive), Karachi Bakery’s famous fruit biscuits and buttery Osmania biscuits, and Pothupalli from Almond House – these amazing rice paper sweets filled with jaggery. Way better than another conference t-shirt. I am using this idea next time.

The Hallway Track

The best conversations always happen between sessions. This week was no different.

Teja K. showed me vet, an open-source tool from Harness that catches malicious packages using behavioral analysis instead of just checking CVEs. Perfect timing given what I’d just talked about.

Anitha Priya Natarajan from Red Hat blew my mind talking about Cryptographic Bills of Materials (CBOMs) and preparing for post-quantum threats. The future is coming whether we’re ready or not.

Open Source Summit India & KubeCon India 2025

August 5th-7th broadened the scope. Open Source Summit covered everything from kernel development to community building. The diversity was impressive – licensing discussions next to emerging tech demos.

KubeCon brought the cloud-native crowd. The scale was massive. The Solutions Showcase was packed with Microsoft, GitHub, Akamai, and tons of startups showing off their latest stuff. Maybe too packed – it got overwhelming with all the pitches and people.

Two big takeaways:

AI is everywhere in Kubernetes now. This isn’t experimental anymore. People are running GenAI and ML workloads in production on Kubernetes. It’s becoming the OS for AI infrastructure.

Platform engineering won. Everyone agrees raw Kubernetes is too hard for most developers. The focus now is building Internal Developer Platforms that hide the complexity and make dev experience smooth.

Hyderabad Nights: Biryani, Rains, and Brainstorms

The learning and networking didn’t stop when the sessions ended. The nights in Hyderabad were special: meeting up with mentors and friends, and even speaker dinners. It rained constantly, with a storm warning in the city. I was genuinely impressed by the accuracy of the government rain alert messages I kept receiving.

The journey through Hyderabad’s bustling traffic was an adventure in itself, but the reward was worth it. I got to spend time with people, eating mandi and enjoying Hyderabadi biryani, sweets and Manam chocolates. This was my second time in the city, so I had already done the touristy places.

It’s chaotic, loud, and utterly authentic.
These moments reminded me why I missed in-person conferences during the pandemic years.

Being on the other side: Peer Mentoring

One of the things I got to do at KubeCon was peer mentoring for the community track.

This was one of the most rewarding parts of these events. You get paired with folks who are newer to the community or trying to figure out their next steps. Sometimes it’s a student wondering how to contribute to open source. Sometimes it’s a seasoned engineer looking to switch focus areas. Or, founders looking to build communities around their products.

The conversations were all over the place – from “how do I get my first PR merged” to “should I start my own project or contribute to existing ones.”

I ended up working with people from the Ansible team at Red Hat and some contributors from SUSE. The conversations ranged from “how do I get my first meaningful contribution merged” to “should I focus on upstream work or internal tooling.”

My role as a mentor was mostly just to listen and share what I’ve learned about finding your niche, whether that’s documentation, testing, or diving deep into a specific component. These one-on-one chats reminded me that behind all the technical complexity, it’s still just people helping people figure things out.

4% Social Battery and a Full Mind: What I take home

Packing up to leave, I was exhausted but satisfied. My social battery was at maybe 4% as I sat in the cab to the airport at midnight, rain pounding the windows.

This week reminded me of some basic truths:

Everyone’s fighting the same battles. Whether you’re doing cloud-native or maintaining legacy systems, the core problems are the same. How do you balance security with productivity? How do you manage technical debt? How do you scale teams without losing culture?

Community beats technology. The most successful projects work because of strong communities, not just smart code.

Being vulnerable makes you stronger. My talk about our security incident connected because it was about failure and learning, not because it showed how smart we are. People related to the struggle more than they would have to a perfect success story.

Sharing failures helps everyone. People learn more from honest post-mortems than success stories. When we talk openly about our mistakes, others can avoid the same traps.

Volunteering at the GitHub Booth, Meeting the Stars!

Extremely proud to have had a hand in organizing a big group photo at KubeCon, with GitHub employees, the Education team, GitHub Campus Experts and the GitTogether community all in one frame!

What’s Next?

I’m committing to doing talks on new focus areas. The learnings, the structure and the different kinds of presentation have me hooked. I loved the challenge of presenting something real in 15 minutes. I am all for it! Too many talks focus on perfect implementations instead of learning from failures.

Second, I want to keep pushing for better defaults in our tooling. That checkout action isn’t going to fix itself. I am already in discussions with the GitHub Actions team and we may have an official resolution going forward.

I’m going to work with the CNCF to expand the mentoring program and maybe organize some workshops focused on practical security for developers. Contributor Experience SIG might be the place to work towards that.

For anyone considering attending events like this, I say: Just go.

Yes, it’s overwhelming. Yes, you’ll feel out of your depth sometimes. But that’s exactly why you should be there. The conversations that happen in hallways and over biryani are where the real learning happens. You’ll discover that everyone is figuring it out as they go.

The Kubernetes and cloud-native space moves fast, but the community is what makes it sustainable. Show up, ask questions, and share your failures. That’s how we all get better.

The People who make it all matter

Massive thanks to The Linux Foundation & CNCF for putting together this incredible week. To the OpenSSF community for engaging so deeply with an uncomfortable story. To Bhavani and Atul for their hospitality as conference chairs. And to everyone – attendees, speakers, sponsors, venue staff – who made it happen.

Thanks to Hyderabad for being so welcoming, even with all that rain.

Stay alert, or the insecure defaults will come and get you. 👻
That’s that, stay in the mix. Always.

Special: What to do for my first KubeCon?
