Blog: CI/CD sharp edges — integrating rivet, spar, sigil with mainstream tooling #27

@avrabe

Description

Follow-up to "Spec-driven development is half the loop"

A reviewer raised this question:

What are the sharp edges you've hit integrating your stack (rivet, spar, sigil) with mainstream CI/CD and existing security tooling? A lot of SDD "complete guides" end up recommending heavy static analysis, dependency scanning, and secrets detection on top of AI workflows. Where do your tools play nicely, and where did you have to build glue or compromise?

Practical ops post. The main post argues for the pattern; this one shows what it took to actually run the pattern on CI.

Scope

  • Where rivet plays well: GitHub Actions, Bazel hermetic builds, pre-commit hooks (21-hook template)
  • Where friction exists: tool-qualification for DO-178C, MCP server behind corporate IdP, OIDC setup for sigil keyless signing
  • Semgrep / CodeQL interplay — when their findings become rivet issues automatically, what glue that requires
  • Dependency scanning (OSV, GHSA) — how the feeds integrate with the cybersecurity schema
  • Secrets detection — what a rivet schema for secrets-handling should look like
  • GitHub Actions specifics: marketplace actions we ended up replacing, how sigil attestation bundles ride in release workflow
  • Known limits: what we had to build glue for, what we compromised on
  • The attestation-in-CI problem: running agent code in untrusted CI without breaking the trust boundary

Target

1500–2000 words, practical ops post with concrete workflow YAML snippets and lessons.

Source

Part of the review on content/blog/2026-04-23-spec-driven-development-is-half-the-loop.md (currently draft). Deferred from that post as "specific enough for a 'lessons learned' post."
