fix: triggering events for artifact poisoning

Author: Alvaro Muñoz

ql/src/Security/CWE-829/ArtifactPoisoning.ql

@@ -14,9 +14,27 @@
 import actions
 import codeql.actions.security.ArtifactPoisoningQuery
 
-from LocalJob job, ArtifactDownloadStep download, Step run
+predicate isSingleTriggerWorkflow(Workflow w, string trigger) {
+  w.getATriggerEvent() = trigger and
+  count(string t | w.getATriggerEvent() = t | t) = 1
+}
+
+from Workflow w, LocalJob job, ArtifactDownloadStep download, Step run
 where
-  job.getWorkflow().getATriggerEvent() = ["workflow_run", "workflow_dispatch"] and
+  w = job.getWorkflow() and
+  (
+    // The Workflow is triggered by an event other than `pull_request`
+    not isSingleTriggerWorkflow(w, "pull_request")
+    or
+    // The Workflow is only triggered by `workflow_call` and there is
+    // a caller workflow triggered by an event other than `pull_request`
+    isSingleTriggerWorkflow(w, "workflow_call") and
+    exists(ExternalJob call, Workflow caller |
+      call.getCallee() = w.getLocation().getFile().getRelativePath() and
+      caller = call.getWorkflow() and
+      not isSingleTriggerWorkflow(caller, "pull_request")
+    )
+  ) and
   (run instanceof Run or run instanceof UsesStep) and
   exists(int i, int j |
     job.getStep(i) = download and