chore: Add spam checking for workflow bodies

[joeauyeung]

What does this PR do?

Adds a background task to scan workflow bodies for spam and auto locking the user is detected

• Fixes #XXXX (GitHub issue number)
• Fixes CAL-XXXX (Linear issue number - should be visible at the bottom of the GitHub issue description)

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

• Create an Akismet API key and add it to AKISMET_API_KEY .env variable
• Create a workflow with a normal body
  • User shouldn't lock
• Create a workflow with a spam body
  • The user should auto lock

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

2 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
cal	⬜️ Ignored (Inspect)	Visit Preview		Jan 24, 2025 10:32pm
calcom-web-canary	⬜️ Ignored (Inspect)	Visit Preview		Jan 24, 2025 10:32pm

[joeauyeung]

Need the userId to know which user to lock. This comes from the context of the workflow update tRPC endpoint.

[joeauyeung]

Comment needs an IP. From Akismet support we can just use this.

IP is used for scanning against know abuse IPs and adding a reputation score.

[graphite-app]

Graphite Automations

"Add consumer team as reviewer" took an action on this PR • (01/23/25)

1 reviewer was added to this PR based on Keith Williams's automation.

"Add foundation team as reviewer" took an action on this PR • (01/23/25)

1 reviewer was added to this PR based on Keith Williams's automation.

[joeauyeung]

Good call on not deleting the step in the case of a false positive @Udit-takkar

[joeauyeung]

@emrysal does this look correct?

[joeauyeung]

Add the safe property when fetching workflow steps

[joeauyeung]

Before processing the step, see if it is marked as safe

[joeauyeung]

Since scheduleWorkflowNotifications expects multiple steps we now accept multiple steps in the task

[joeauyeung]

scheduleWorkflowNotifications is refactored to accept an object for better readability.

[joeauyeung]

Type fix, expects the safe property

[CarinaWolli]

Should this be safe: oldStep.safe? 🤔 Because otherwise if the oldStep is safe, isStepEdited would always be true because of the different value in the safe field

[joeauyeung]

Only send to scan the body if it's been updated

[joeauyeung]

Default to safe = true if a self-hoster isn't planning on scanning workflows

[github-actions]

E2E results are ready!

• Workflow #45247.1 latest results

[CarinaWolli]

Should this be safe: oldStep.safe? 🤔 Because otherwise if the oldStep is safe, isStepEdited would always be true because of the different value in the safe field

[CarinaWolli]

Suggested change

	trigger: WorkflowTriggerEvents.AFTER_EVENT,
	trigger: workflow.trigger,

Should be like that I think

[joeauyeung]

@CarinaWolli thoughts here? Only if the body has changed we should remark the step as unsafe.

[CarinaWolli]

looks good

[CarinaWolli]

oh wait, why true here and not false?

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@formkit/[email protected]	None	0	35.4 kB	justin-schroeder
npm/[email protected]	None	0	221 kB	dcode

🚮 Removed packages: npm/[email protected], npm/[email protected]

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	CI
Possible typosquat attack	npm/[email protected]	Did you mean: ~~css-~~gradient-parser	⚠︎

View full report↗︎

Next steps

What is a typosquat?

Package name is similar to other popular packages and may not be the package you want.

Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/[email protected]

[zomars]

reviewing