https://github.com/arcsymer/restos-platform
DevSecOps backbone for RestOS: reusable security workflow, cross-repo scanning + Dependabot, and a Postgres/Prometheus/Grafana observability stack
https://github.com/arcsymer/restos-platform
devops devsecops github-actions grafana observability portfolio prometheus security
Last synced: about 4 hours ago
JSON representation
DevSecOps backbone for RestOS: reusable security workflow, cross-repo scanning + Dependabot, and a Postgres/Prometheus/Grafana observability stack
- Host: GitHub
- URL: https://github.com/arcsymer/restos-platform
- Owner: arcsymer
- License: mit
- Created: 2026-07-07T04:09:07.000Z (4 days ago)
- Default Branch: main
- Last Pushed: 2026-07-07T14:50:49.000Z (3 days ago)
- Last Synced: 2026-07-07T16:09:00.169Z (3 days ago)
- Topics: devops, devsecops, github-actions, grafana, observability, portfolio, prometheus, security
- Size: 150 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: SECURITY.md
Awesome Lists containing this project
README
# restos-platform
The DevSecOps backbone for the [RestOS](https://github.com/arcsymer) ecosystem: a **reusable
security workflow** every repo calls, a **security retrofit** (secret + dependency scanning,
Dependabot) across all repos, and an **observability stack** (Postgres + Prometheus + Grafana) that
the services plug into.
[](https://github.com/arcsymer/restos-platform/actions/workflows/ci.yml)

> **Pilot software.** Synthetic data by default; **not a certified production/POS system** — no real
> payments, no fiscal receipts (KSeF), no compliance certification. For a supervised free pilot see
> [`PILOT_BOUNDARIES.md`](PILOT_BOUNDARIES.md), the [`RUNBOOK.md`](RUNBOOK.md) "Pilot operations"
> section, and the operator's human/legal checklist (`PILOT_HUMAN.md`, in the private vault).
## What's here
- **`.github/workflows/reusable-security.yml`** — a `workflow_call` security scan (gitleaks +
Trivy filesystem vuln/config scan). Any RestOS repo runs it with three lines:
```yaml
jobs:
security:
uses: arcsymer/restos-platform/.github/workflows/reusable-security.yml@main
```
- **`SECURITY.md`** — the ecosystem security policy and what's enforced where.
- **`compose/`** — two stacks:
- **`docker-compose.full.yml`** — the whole ecosystem in one command (see below).
- **`docker-compose.yml`** — a lean observability-only stack (public images, no custom builds):
`docker compose -f compose/docker-compose.yml up` → Postgres, Prometheus, Grafana. This is the
file CI validates with `docker compose config`.
## Run the whole stack — `docker compose up`
```sh
docker compose -f compose/docker-compose.full.yml up --build
```
One command stands up the ecosystem locally (all RestOS repos as siblings — see
[`RUNBOOK.md`](RUNBOOK.md)):
- **Postgres** backing **restos-core** (Java 21 / Spring Boot, `:8080`) with real Micrometer
metrics at `/actuator/prometheus`;
- **restos-portal** (NestJS, SQLite, `:3000`);
- **restos-web** (Angular, static nginx, `:8081`);
- **Redpanda** + a POS **producer** and a **streaming bronze consumer** (the D1 slice → Delta Lake);
- the observability spine — **OpenTelemetry Collector → Prometheus → Grafana** (`:3001`, a
provisioned dashboard with live app metrics).
Verified end to end — see **[docs/demo-stack.md](docs/demo-stack.md)** for the real transcript and
screenshots:

## Status — honest scope
The reusable security workflow, the cross-repo Dependabot/gitleaks retrofit, the observability
compose stack, **and now the full `docker compose up` (every app tier containerised, one command,
with a provisioned Grafana dashboard showing live metrics) plus the D1 streaming slice** are all
done and validated. It is a **local developer stack on synthetic data** — no production, no real
users, no live metrics claims beyond what the screenshots show.
## License
MIT — see [LICENSE](LICENSE). Part of the RestOS portfolio. Built end-to-end with an agentic
workflow (Claude Code), orchestrated, reviewed, and directed by me.