Missing injection sources

[fproulx-boostsecurity]

The current injection sources regex

poutine/opa/rego/rules/injection.rego

Line 19 in fc37055

patterns.github contains "\\$\\{\\{\\s*(github\\.head_ref|github\\.event\\.workflow_run\\.(head_branch|head_repository\\.description|head_repository\\.owner\\.email|pull_requests[^}]+?(head\\.ref|head\\.repo\\.name))|github\\.event\\.(issue\\.title|issue\\.body|pull_request\\.title|pull_request\\.body|comment\\.body|review\\.body|review_comment\\.body|pages\\.[^}]+?\\.page_name|head_commit\\.message|head_commit\\.author\\.email|head_commit\\.author\\.name|commits[^}]+?\\.author\\.email|commits[^}]+?\\.author\\.name|pull_request\\.head\\.ref|pull_request\\.head\\.label|pull_request\\.head\\.repo\\.default_branch|(inputs|client_payload)[^}]+?))\\s*\\}\\}"

Is missing various sources, some of which are in messypoutine
https://github.com/messypoutine/gravy-overflow/blob/main/.github/workflows/level1.yml#L46

Such as github.event.workflow_run.head_commit.message

In fact looking at semgrep rule there are a few more we can just get there https://github.com/semgrep/semgrep-rules/blob/develop/yaml/github-actions/security/github-script-injection.yaml#L52-L69

Semgrep's list is missing this one for instance github.event.pull_request.head.repo.description https://github.com/messypoutine/gravy-overflow/blob/4bdd38801e7e37238c1c4282d29dbd8aa0ba520c/.github/workflows/level0.yml#L138