michaelnebel
diff --git a/‎ql/lib/codeql/actions/dataflow/FlowSources.qll
Lines changed: 3 additions & 1 deletion b/‎ql/lib/codeql/actions/dataflow/FlowSources.qll
Lines changed: 3 additions & 1 deletion
diff --git a/‎ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
Lines changed: 16 additions & 7 deletions b/‎ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
Lines changed: 16 additions & 7 deletions
diff --git a/‎ql/src/Security/CWE-829/UnpinnedActionsTag.md
Lines changed: 0 additions & 44 deletions b/‎ql/src/Security/CWE-829/UnpinnedActionsTag.md
Lines changed: 0 additions & 44 deletions
diff --git a/‎ql/src/Security/CWE-829/UntrustedCheckoutError.md b/‎ql/src/Security/CWE-829/UntrustedCheckoutError.md
diff --git a/‎ql/src/Security/CWE-829/UntrustedCheckoutWarning.md b/‎ql/src/Security/CWE-829/UntrustedCheckoutWarning.md
@@ -113,8 +113,8 @@ private predicate branchEvent(string context) {
         "github\\.event\\.pull_request\\.head\\.repo\\.default_branch",
         "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref",
         "github\\.event\\.workflow_run\\.head_branch",
-        "github\\.event\\.workflow_run\\.head_branch",
         "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref",
+        "github\\.event\\.merge_group\\.head_ref",
       ]
   |
     Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
@@ -146,6 +146,7 @@ private predicate emailEvent(string context) {
         "github\\.event\\.head_commit\\.committer\\.email",
         "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email",
         "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email",
+        "github\\.event\\.merge_group\\.committer\\.email",
         "github\\.event\\.workflow_run\\.head_commit\\.author\\.email",
         "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email",
       ]
@@ -165,6 +166,7 @@ private predicate usernameEvent(string context) {
         "github\\.event\\.head_commit\\.committer\\.name",
         "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name",
         "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name",
+        "github\\.event\\.merge_group\\.committer\\.name",
         "github\\.event\\.workflow_run\\.head_commit\\.author\\.name",
         "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name",
       ]
 
@@ -40,6 +40,8 @@ predicate containsHeadSHA(string s) {
             "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
             "\\bgithub\\.event\\.check_run\\.head_sha\\b",
             "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
+            "\\bgithub\\.event\\.merge_group\\.head_sha\\b",
+            "\\bgithub\\.event\\.merge_group\\.head_commit\\.id\\b",
             // heuristics
             "\\bhead\\.sha\\b", "\\bhead_sha\\b", "\\bpr_head_sha\\b"
           ], _, _)
@@ -56,6 +58,7 @@ predicate containsHeadRef(string s) {
             "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
             "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
             "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
+            "\\bgithub\\.event\\.merge_group\\.head_ref\\b",
             // heuristics
             "\\bhead\\.ref\\b", "\\bhead_ref\\b", "\\bpr_head_ref\\b",
             // env vars
@@ -64,11 +67,17 @@ predicate containsHeadRef(string s) {
   )
 }
 
-/** Checkout of a Pull Request HEAD ref */
+/** Checkout of a Pull Request HEAD */
 abstract class PRHeadCheckoutStep extends Step { }
 
+/** Checkout of a Pull Request HEAD ref */
+abstract class MutableRefCheckoutStep extends PRHeadCheckoutStep { }
+
+/** Checkout of a Pull Request HEAD ref */
+abstract class SHACheckoutStep extends PRHeadCheckoutStep { }
+
 /** Checkout of a Pull Request HEAD ref using actions/checkout action */
-class ActionsMutableRefCheckout extends PRHeadCheckoutStep instanceof UsesStep {
+class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesStep {
   ActionsMutableRefCheckout() {
     this.getCallee() = "actions/checkout" and
     (
@@ -102,7 +111,7 @@ class ActionsMutableRefCheckout extends PRHeadCheckoutStep instanceof UsesStep {
 }
 
 /** Checkout of a Pull Request HEAD ref using actions/checkout action */
-class ActionsSHACheckout extends PRHeadCheckoutStep instanceof UsesStep {
+class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
   ActionsSHACheckout() {
     this.getCallee() = "actions/checkout" and
     (
@@ -132,7 +141,7 @@ class ActionsSHACheckout extends PRHeadCheckoutStep instanceof UsesStep {
 }
 
 /** Checkout of a Pull Request HEAD ref using git within a Run step */
-class GitMutableRefCheckout extends PRHeadCheckoutStep instanceof Run {
+class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
   GitMutableRefCheckout() {
     exists(string line |
       this.getScript().splitAt("\n") = line and
@@ -154,7 +163,7 @@ class GitMutableRefCheckout extends PRHeadCheckoutStep instanceof Run {
 }
 
 /** Checkout of a Pull Request HEAD ref using git within a Run step */
-class GitSHACheckout extends PRHeadCheckoutStep instanceof Run {
+class GitSHACheckout extends SHACheckoutStep instanceof Run {
   GitSHACheckout() {
     exists(string line |
       this.getScript().splitAt("\n") = line and
@@ -173,7 +182,7 @@ class GitSHACheckout extends PRHeadCheckoutStep instanceof Run {
 }
 
 /** Checkout of a Pull Request HEAD ref using gh within a Run step */
-class GhMutableRefCheckout extends PRHeadCheckoutStep instanceof Run {
+class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
   GhMutableRefCheckout() {
     exists(string line |
       this.getScript().splitAt("\n") = line and
@@ -194,7 +203,7 @@ class GhMutableRefCheckout extends PRHeadCheckoutStep instanceof Run {
 }
 
 /** Checkout of a Pull Request HEAD ref using gh within a Run step */
-class GhSHACheckout extends PRHeadCheckoutStep instanceof Run {
+class GhSHACheckout extends SHACheckoutStep instanceof Run {
   GhSHACheckout() {
     exists(string line |
       this.getScript().splitAt("\n") = line and
Original file line number	Diff line number	Diff line change
`@@ -113,8 +113,8 @@ private predicate branchEvent(string context) {`
`113`	`113`	`"github\\.event\\.pull_request\\.head\\.repo\\.default_branch",`
`114`	`114`	`"github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref",`
`115`	`115`	`"github\\.event\\.workflow_run\\.head_branch",`
`116`		`- "github\\.event\\.workflow_run\\.head_branch",`
`117`	`116`	`"github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref",`
	`117`	`+ "github\\.event\\.merge_group\\.head_ref",`
`118`	`118`	`]`
`119`	`119`	`\|`
`120`	`120`	`Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))`
`@@ -146,6 +146,7 @@ private predicate emailEvent(string context) {`
`146`	`146`	`"github\\.event\\.head_commit\\.committer\\.email",`
`147`	`147`	`"github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email",`
`148`	`148`	`"github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email",`
	`149`	`+ "github\\.event\\.merge_group\\.committer\\.email",`
`149`	`150`	`"github\\.event\\.workflow_run\\.head_commit\\.author\\.email",`
`150`	`151`	`"github\\.event\\.workflow_run\\.head_commit\\.committer\\.email",`
`151`	`152`	`]`
`@@ -165,6 +166,7 @@ private predicate usernameEvent(string context) {`
`165`	`166`	`"github\\.event\\.head_commit\\.committer\\.name",`
`166`	`167`	`"github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name",`
`167`	`168`	`"github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name",`
	`169`	`+ "github\\.event\\.merge_group\\.committer\\.name",`
`168`	`170`	`"github\\.event\\.workflow_run\\.head_commit\\.author\\.name",`
`169`	`171`	`"github\\.event\\.workflow_run\\.head_commit\\.committer\\.name",`
`170`	`172`	`]`