bugfix: add github.event.pull_request.head.sha as a safe context (#636)

* bugfix: add `github.event.pull_request.head.sha` as a safe context

Signed-off-by: William Woodruff <[email protected]>

* release-notes: record changes

Signed-off-by: William Woodruff <[email protected]>

---------

Signed-off-by: William Woodruff <[email protected]>

Author: woodruffw

docs/release-notes.md

@@ -14,6 +14,11 @@ of `zizmor`.
 * The SARIF output format now marks each rule as a "security" rule,
   which helps GitHub's presentation of the results (#631)
 
+### Bug Fixes 🐛
+
+* The [template-injection] audit no longer considers
+  `github.event.pull_request.head.sha` dangerous (#636)
+
 ## v1.5.2
 
 ### Bug Fixes 🐛

src/audit/template_injection.rs

@@ -39,14 +39,15 @@ const SAFE_CONTEXTS: &[&str] = &[
     // The GitHub event name (i.e. trigger) is itself safe.
     "github.event_name",
     // Safe keys within the otherwise generally unsafe github.event context.
-    "github.event.after",  // hexadecimal SHA ref
-    "github.event.before", // hexadecimal SHA ref
-    "github.event.issue.number",
-    "github.event.merge_group.base_sha",
+    "github.event.after",                // hexadecimal SHA ref
+    "github.event.before",               // hexadecimal SHA ref
+    "github.event.issue.number",         // the issue's own number
+    "github.event.merge_group.base_sha", // hexadecimal SHA ref
     "github.event.number",
-    "github.event.pull_request.base.sha",
-    "github.event.pull_request.commits", // number of commits in PR
-    "github.event.pull_request.number",  // the PR's own number
+    "github.event.pull_request.base.sha", // hexadecimal SHA ref
+    "github.event.pull_request.head.sha", // hexadecimal SHA ref
+    "github.event.pull_request.commits",  // number of commits in PR
+    "github.event.pull_request.number",   // the PR's own number
     "github.event.workflow_run.id",
     // Information about the GitHub repository
     "github.repository",