Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
version: 2
updates:
- package-ecosystem: "cargo"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 10
labels:
- "dependencies"
commit-message:
prefix: "chore(deps)"

- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
labels:
- "ci"
commit-message:
prefix: "chore(ci)"
5 changes: 5 additions & 0 deletions .github/workflows/rust.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,11 @@ jobs:

steps:
- uses: actions/checkout@v4
- name: Install system dependencies
run: |
sudo apt-get -o Acquire::Retries=3 update
sudo apt-get -o Acquire::Retries=3 install -y --no-install-recommends \
libgtk-3-dev libglib2.0-dev libxdo-dev pkg-config
Comment on lines +19 to +23

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Add a command-level retry loop around apt commands (not just Acquire::Retries).

Acquire::Retries primarily retries package acquisition; it may not cover failures where the entire apt-get update or apt-get install command fails before downloads begin (e.g., DNS resolution, transient network resets, mirror handshake failures). If CI flakes still occur, wrapping apt-get update + apt-get install in a small loop (3 attempts with short backoff) will make the workflow more robust.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/rust.yml around lines 19 - 23, Wrap the apt commands (the
`sudo apt-get -o Acquire::Retries=3 update` and `sudo apt-get -o
Acquire::Retries=3 install -y --no-install-recommends ...`) in a command-level
retry loop that attempts the entire command sequence up to 3 times with a short
backoff (e.g., sleep between attempts) and exits non-zero only if all attempts
fail; update the workflow step where the install runs to run the loop and
preserve the existing `Acquire::Retries` option so both command-level and
package-acquisition retries are active.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Harden the apt install script for CI reliability (non-interactive + strict bash).

Right now you rely on apt’s retry setting, but the step can still behave less deterministically if the runner shell doesn’t enforce strict error handling and/or if any package triggers interactive behavior. Consider:

  • setting DEBIAN_FRONTEND=noninteractive
  • adding set -euo pipefail (or at least set -e) to make failures fail-fast and deterministic
Proposed patch
     - name: Install system dependencies
       run: |
-        sudo apt-get -o Acquire::Retries=3 update
-        sudo apt-get -o Acquire::Retries=3 install -y --no-install-recommends \
+        set -euo pipefail
+        export DEBIAN_FRONTEND=noninteractive
+        sudo apt-get -o Acquire::Retries=3 update
+        sudo apt-get -o Acquire::Retries=3 install -y --no-install-recommends \
           libgtk-3-dev libglib2.0-dev libxdo-dev pkg-config
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/rust.yml around lines 19 - 23, Update the "Install system
dependencies" step so the shell is strict and apt is non-interactive: add a
shell safety header (e.g., set -euo pipefail or at minimum set -e) at the top of
the run block and export DEBIAN_FRONTEND=noninteractive before running apt-get;
keep the existing -y and --no-install-recommends flags and the Acquire::Retries
setting to preserve retries while ensuring failures are fail-fast and no
interactive prompts block the CI.

- name: Build
run: cargo build --verbose
- name: Run tests
Expand Down
53 changes: 53 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
# Security Policy

## Supported Versions

| Version | Supported |
| ------- | ------------------ |
| 0.1.x | :white_check_mark: |

## Reporting a Vulnerability

If you discover a security vulnerability in HonkHonk, please report it responsibly.

**Do NOT open a public GitHub issue for security vulnerabilities.**

Instead, use [GitHub's private vulnerability reporting](https://github.com/thewrz/HonkHonk/security/advisories/new) to submit a report directly through the repository.

Alternatively, email: **djfreaq@gmail.com**

Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

## Response Timeline

- **Acknowledgment**: Within 48 hours
- **Initial assessment**: Within 7 days
- **Fix or mitigation**: Depends on severity, targeting 30 days for critical issues

## Scope

This policy covers:
- The HonkHonk application binary
- Build and packaging scripts in this repository
- GitHub Actions workflows

Out of scope:
- Third-party dependencies (report upstream, but let us know so we can track)
- Issues requiring physical access to the machine

## Security Considerations

HonkHonk interacts with:
- **PipeWire** (audio server) — via pipewire-rs bindings
- **D-Bus** (desktop portals) — via ashpd for shortcuts and file dialogs
- **Filesystem** — reads audio files from user-specified directories

The application:
- Does not make network connections
- Does not process untrusted remote input
- Runs entirely in userspace with no elevated privileges
- Stores configuration in XDG-compliant directories only
Loading