From 81c8a6f6195e06d106baf8ec850e624f04e8a6c1 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Sun, 8 Dec 2024 18:08:25 -0500
Subject: [PATCH] fix: template-injection: ignore another safe context
---
 src/audit/template_injection.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/audit/template_injection.rs b/src/audit/template_injection.rs
index 608973e8c..c2cc19f9e 100644
--- a/src/audit/template_injection.rs
+++ b/src/audit/template_injection.rs
@@ -41,7 +41,8 @@ const SAFE_CONTEXTS: &[&str] = &[
 "github.event.issue.number",
 "github.event.merge_group.base_sha",
 "github.event.number",
- "github.event.pull_request.number",
+ "github.event.pull_request.commits", // number of commits in PR
+ "github.event.pull_request.number", // the PR's own number
 "github.event.workflow_run.id",
 // Information about the GitHub repository
 "github.repository",
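Review bot: The trailing comments on the new `github.event.pull_request.commits` and `github.event.pull_request.number` lines say what each value is but not why it is exempt from the template-injection audit; something like `// integer commit count populated by GitHub, never free-form user text` would record the reasoning for whoever extends the list next. How SAFE_CONTEXTS is compared against an expression is not visible in this hunk (the array and its consumer continue outside it); if the comparison is by prefix rather than exact match, the new entry would also silence `github.event.pull_request.commits_url`, so that is worth confirming. The diffstat shows only this file changed, so a small test case asserting that `${{ github.event.pull_request.commits }}` produces no finding would pin the new behaviour.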