Add tests for untrusted checkouts in workflow_run triggered workflows

Author: Alvaro Muñoz

ql/lib/codeql/actions/dataflow/FlowSources.qll

@@ -106,7 +106,10 @@ private predicate isExternalUserControlledWorkflowRun(string context) {
       [
         "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.head_branch",
         "github\\.event\\.workflow_run\\.display_title",
+        "github\\.event\\.workflow_run\\.head_branch",
         "github\\.event\\.workflow_run\\.head_repository\\.description",
+        "github\\.event\\.workflow_run\\.head_repository\\.full_name",
+        "github\\.event\\.workflow_run\\.head_repository\\.name",
         "github\\.event\\.workflow_run\\.head_commit\\.message",
         "github\\.event\\.workflow_run\\.head_commit\\.author\\.email",
         "github\\.event\\.workflow_run\\.head_commit\\.author\\.name",

ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml

@@ -0,0 +1,19 @@
+on:
+  workflow_run:
+    workflows: ['Test']
+    types: [completed]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.conclusion == "success"
+    env:
+      HEAD: ${{ github.event.workflow_run.head.sha }}
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.workflow_run.head.sha }}
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ env.HEAD }}
+

ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected

@@ -20,3 +20,5 @@
 | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:13:9:15:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |