
Add extra source to actions CWE-094/CodeInjectionMedium #21672

Open
knewbury01 wants to merge 1 commit into github:main from knewbury01:knewbury01/adjust-actions-queries-code-injection-medium

Conversation

@knewbury01
Contributor

Since all the context event sources are considered by this query (regardless of trigger event), context sources should also be; otherwise we get a reporting inconsistency as follows:

on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "${{ github.event.pull_request.head.ref }}" # reported

vs

on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "${{ github.head_ref }}" # not reported

Only made this change for the medium-level query, since it also makes some sense to consider the trigger event.
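The inconsistency described above, as an added example that is not part of the PR or of the CodeQL query: a small Python lint that reports both head-ref expressions when they are interpolated into a `run:` script of a `pull_request`-triggered workflow, and stays quiet when the value is passed through `env:`. The single-line `on:` parsing and the sample workflows are simplifying assumptions of this example.

```python
import re

# Both expressions hold the PR author's chosen branch name, so on pull_request they are
# attacker-controlled alike; this PR makes the query treat the second like the first.
HEAD_REF_SOURCES = {"github.event.pull_request.head.ref", "github.head_ref"}
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")

def triggers_of(lines):
    # Assumption: single-line `on:` value, e.g. `on: pull_request` or `on: [push, pull_request]`.
    for line in lines:
        if line.startswith("on:"):
            return {t.strip(" []") for t in line[3:].split(",") if t.strip(" []")}
    return set()

def run_script(lines, idx, indent, value):
    # A block scalar (`run: |`) continues on the more-indented lines that follow.
    if value.strip() not in ("|", ">"):
        return value
    body = []
    for nxt in lines[idx + 1:]:
        if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
            break
        body.append(nxt)
    return "\n".join(body)

def find_head_ref_injections(workflow_text):
    """(line_no, expression) for each head-ref expression interpolated into a
    `run:` script of a pull_request-triggered workflow. A value passed via
    `env:` is not flagged: it reaches the shell as data, not as script text."""
    lines = workflow_text.splitlines()
    if "pull_request" not in triggers_of(lines):
        return []
    findings = []
    for idx, line in enumerate(lines):
        m = RUN_RE.match(line)
        if m:
            script = run_script(lines, idx, len(m.group(1)), m.group(2))
            findings += [(idx + 1, e) for e in EXPR_RE.findall(script)
                         if e in HEAD_REF_SOURCES]
    return findings

# Constructed samples: the two workflows from the PR description, and the
# usual remediation of passing the value through `env:` instead of inline.
REPORTED = ("on: pull_request\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
            "    steps:\n      - run: echo \"${{ github.event.pull_request.head.ref }}\"\n")
NOW_REPORTED = REPORTED.replace("github.event.pull_request.head.ref", "github.head_ref")
SAFE = ("on: pull_request\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n"
        "      - run: echo \"$HEAD_REF\"\n        env:\n          HEAD_REF: ${{ github.head_ref }}\n")
```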

@knewbury01 knewbury01 self-assigned this Apr 8, 2026
@knewbury01 knewbury01 requested a review from a team as a code owner April 8, 2026 16:04
Copilot AI review requested due to automatic review settings April 8, 2026 16:04
@github-actions github-actions bot added documentation Actions Analysis of GitHub Actions labels Apr 8, 2026

Copilot AI left a comment


Pull request overview

This PR aligns the actions/code-injection/medium query’s behavior with existing context-event source handling by also treating github.head_ref as a source on pull_request, reducing reporting inconsistencies between equivalent GitHub context expressions.

Changes:

  • Added a new RemoteFlowSource in the medium code injection query to model github.head_ref for the pull_request event.
  • Added a change note documenting the expected increase in results for actions/code-injection/medium.
Summary per file:

File | Description
--- | ---
actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql | Introduces a new GitHub-context-based source specific to the medium query.
actions/ql/src/change-notes/2026-04-08-codeinjection-medium-sources.md | Documents the new source behavior and the resulting increase in findings.

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 2

Comment on lines +22 to +26
* A data flow source of user input from github context.
* eg: github.head_ref
* Usually only considered for pull_request_target where access to secrets
* and tokens is more available.
* However this query already finds all context events as sources regardless
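Review bot: Line 26 of the quoted doc comment ends mid-sentence at "regardless", so the continuation should complete the thought explicitly: the medium query already treats every `github.event.*` context source as tainted whatever the trigger event, and `github.head_ref` on `pull_request` is added so it is reported the same way as `github.event.pull_request.head.ref`. The comment should also state what the source models rather than only when it is "usually considered": on `pull_request` the head ref is still a branch name chosen by the PR author, so interpolating it into a `run:` script is a code injection even though secrets are unavailable; "access to secrets and tokens is more available" explains severity, not taintedness. Apply Copilot's capitalization and backtick suggestions in the same pass.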

Copilot AI Apr 8, 2026


The new doc comment has a few wording/capitalization issues: "github" should be capitalized as "GitHub", and "eg" should be "e.g.". Consider also backticking event/context identifiers (for example github.head_ref, pull_request_target) to improve readability.

Suggested change
* A data flow source of user input from github context.
* eg: github.head_ref
* Usually only considered for pull_request_target where access to secrets
* and tokens is more available.
* However this query already finds all context events as sources regardless
* A data flow source of user input from GitHub context.
* e.g.: `github.head_ref`
* Usually only considered for `pull_request_target` where access to secrets
* and tokens is more available.
* However this query already finds all context events as sources regardless,

---
category: minorAnalysis
---
* Added source type to `actions/code-injection/medium` such that now `github.head_ref` is found as source even on event `pull_request` (not just `pull_request_target`). This will result in the query finding more results. No newline at end of file
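Review bot: The change note file lacks a trailing newline ("No newline at end of file"); add one so the file diffs cleanly. Beyond Copilot's rephrasing, the note should name the companion expression so release-note readers can see this is a consistency fix: `github.head_ref` is now a source on `pull_request` in the same way `github.event.pull_request.head.ref` already was, and it should say that the non-medium code injection query is intentionally unchanged, since the PR description limits the change to the medium query.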

Copilot AI Apr 8, 2026


The change note sentence is a bit ungrammatical/awkward ("such that now", "found as source", "on event"). Consider rephrasing to something like "...so github.head_ref is now treated as a source on the pull_request event (not just pull_request_target)" for clarity.

Suggested change
* Added source type to `actions/code-injection/medium` such that now `github.head_ref` is found as source even on event `pull_request` (not just `pull_request_target`). This will result in the query finding more results.
* Added a source type to `actions/code-injection/medium` so `github.head_ref` is now treated as a source on the `pull_request` event (not just `pull_request_target`). This will result in the query finding more results.
