Open Source Summit North America 2025

The CDEvents specification has been around for some time but what are "we" doing with it? This talk peels back the layers of our journey from CDEvents to the engineering design of a "Workflow Conductor". We will examine how specific events can be translated into actionable steps, enabling the Workflow Conductor to manage and coordinate diverse CI/CD tools. The focus will be on how the declaration of intent is tracked across tools, maintaining a consistent and auditable process. Join us to discover the technical underpinnings of this system and learn how it can transform your software delivery pipeline.

What if you got a second chance to build an Event Driven Provenance service? In this talk I will cover the decision to start over, rewrite, and Open Source the Event Driven system we built in house. In the process of covering the things we changed and the things we kept I tell a few war stories. Add in what needed to be improved and what we left behind. I will talk about our involvement in the CD Foundation and how the new system can leverage CDEvents and help with SBOM storage and retrieval. Demo and Discussion included dependent on time allotment.

When driving on a highway, you have to follow the rules of the road—some apply to everyone, while others only apply to commercial drivers. Open source maintainers and software publishers face a similar divide regarding regulatory compliance.

While software manufacturers must meet extensive legal and security obligations, open source maintainers often assume these regulations do not apply directly to them—but do they? In this talk, we’ll separate fact from fiction by breaking down what rules like the EU Cyber Resilience Act require from maintainers versus software vendors.

We’ll explore the limited enforceable obligations for open source projects, including secure development policies and vulnerability reporting, and discuss when (if ever) these rules impact maintainers. By understanding these distinctions, open source contributors can make informed decisions about risk, responsibility, and collaboration with commercial software teams—without unnecessary compliance burdens.

When you buy something, you might want to know where it was assembled and where its parts came from. Depending on how thorough you are, you might want to know more details about the process. Did it meet some organic criteria? Which quality inspector assessed it? Depending on where you live in the world, you get some human readable version of that information stamped on your packaging or included on the box today.

When you consume a software artifact in production, you might want to know its *provenance*.

In this talk, we’ll explore the activity of checking provenance as a gate to production and look at questions you might want to ask. Where is this artifact from, how was it produced, what checks ran against it, who claims these facts anyways, and more. We’ll look at pre-requisites necessary to answer those kinds of questions by comparing the provenance details exposed by systems like Github Actions, Tekton Chains, and Witness.

Join us for this dive into provenance details and tools. You’ll come away with ideas on both why you should generate provenance attestations and how you can use them to do actually valuable things in the real world - not just tick a compliance checkbox.

Do you have a closet that’s overflowing? In order to accommodate your favorite latest wardrobe styles (and to avoid a closet clutter disaster), you might need to let go of those jeans two sizes too small or… gasp! … prune your conference t-shirt collection to a reasonable number.

In the CI/CD world, cleaning out your closet translates in part to activities like pruning artifact repos and limiting bandwidth usage appropriately. Businesses are incessantly looking for ways to trim the fat for leaner, healthier bottom lines, and DevOps operational infrastructure can be a clutter hotspot when it comes to resource expense.

Learn how the Jenkins project has reduced costs with more effective management of its operational resources. We’ll share techniques that we’ve used to identify costs, reallocate resources to reduce those costs, and adapt to changing environments. The Jenkins closet is looking better than ever!

For years, the supply chain security community has been working hard to generate security metadata about repositories, software builds, vulnerability reports, releases, and SBOMs that describe how software is composed.

Transparent build processes with visible supply chains are great, but all that information has been remarkably difficult to use. Until now!

Meet AMPEL, the Amazing Multi-Purpose Policy Engine. Ampel (https://github.com/carabiner-dev/ampel) is the missing piece in the supply chain ecosystem: an open source policy engine that natively understands in-toto attestations, verifies keyless Sigstore signatures and understands any attestation predicate type. 

Ampel is embeddable: it can look into SBOMs and warn about bad dependencies, understand security scans and gate builds when vulnerabilities are present, or stop artifacts from publishing when they don't meet security frameworks. 

Ampel is slowly building an ecosystem: Starting with the bnd attester, the Ampel universe has tools that can work across the SLDC to secure CI/CD systems.

In this talk, we'll explore with practical examples how Ampel can ensure compliance of a hardened pipeline through verifiable evidence.

Closing words from the cdCon Program Chair, Jeremy Meiss, CDF Community Award announcement, and the giveaway of five "CI/CD Design Patterns" books. Afterwards, you'll get the chance to network with members of the CI/CD community.

Use this time to chat and connect with anyone from the CI/CD community you might have missed during the conference.