Skip to content
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
version: 2
updates:
- package-ecosystem: "cargo"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 10
labels:
- "dependencies"
commit-message:
prefix: "chore(deps)"

- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
labels:
- "ci"
commit-message:
prefix: "chore(ci)"
4 changes: 4 additions & 0 deletions .github/workflows/rust.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,10 @@ jobs:

steps:
- uses: actions/checkout@v4
- name: Install system dependencies
run: |
sudo apt-get update
sudo apt-get install -y libgtk-3-dev libglib2.0-dev libxdo-dev pkg-config
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Outdated
- name: Build
run: cargo build --verbose
- name: Run tests
Expand Down
53 changes: 53 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
# Security Policy

## Supported Versions

| Version | Supported |
| ------- | ------------------ |
| 0.1.x | :white_check_mark: |

## Reporting a Vulnerability

If you discover a security vulnerability in HonkHonk, please report it responsibly.

**Do NOT open a public GitHub issue for security vulnerabilities.**

Instead, use [GitHub's private vulnerability reporting](https://github.com/thewrz/HonkHonk/security/advisories/new) to submit a report directly through the repository.

Alternatively, email: **djfreaq@gmail.com**

Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

## Response Timeline

- **Acknowledgment**: Within 48 hours
- **Initial assessment**: Within 7 days
- **Fix or mitigation**: Depends on severity, targeting 30 days for critical issues

## Scope

This policy covers:
- The HonkHonk application binary
- Build and packaging scripts in this repository
- GitHub Actions workflows

Out of scope:
- Third-party dependencies (report upstream, but let us know so we can track)
- Issues requiring physical access to the machine

## Security Considerations

HonkHonk interacts with:
- **PipeWire** (audio server) — via pipewire-rs bindings
- **D-Bus** (desktop portals) — via ashpd for shortcuts and file dialogs
- **Filesystem** — reads audio files from user-specified directories

The application:
- Does not make network connections
- Does not process untrusted remote input
- Runs entirely in userspace with no elevated privileges
- Stores configuration in XDG-compliant directories only
Loading