diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
index dd409bdbae2..541498ae574 100644
--- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -254,6 +254,8 @@ class ArtifactPoisoningSink extends DataFlow::Node {
         poisonable.(UsesStep) = this.asExpr()
       ) and
       (
+        // Check if the poisonable step is a local script execution step
+        // and the path of the command or script matches the path of the downloaded artifact
         not poisonable instanceof LocalScriptExecutionRunStep or
         poisonable
             .(LocalScriptExecutionRunStep)
diff --git a/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml b/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
new file mode 100644
index 00000000000..a437dc2c4f2
--- /dev/null
+++ b/ql/lib/ext/manual/lots0logs_gh-action-get-changed-files.model.yml
@@ -0,0 +1,10 @@
+extensions:
+  - addsTo:
+      pack: github/actions-all
+      extensible: actionsSourceModel
+    data:
+      - ["lots0logs/gh-action-get-changed-files", "*", "output.all", "PR changed files", "manual"]
+      - ["lots0logs/gh-action-get-changed-files", "*", "output.added", "PR changed files", "manual"]
+      - ["lots0logs/gh-action-get-changed-files", "*", "output.modified", "PR changed files", "manual"]
+      - ["lots0logs/gh-action-get-changed-files", "*", "output.renamed", "PR changed files", "manual"]
+
diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected
index 55105c39bdf..96dca7f0308 100644
--- a/ql/test/library-tests/poisonable_steps.expected
+++ b/ql/test/library-tests/poisonable_steps.expected
@@ -27,4 +27,5 @@
 | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step |
+| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step |
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
index 08f9136f2e5..62b04344f39 100644
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
@@ -6,20 +6,20 @@ files
 workflows
 | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
 | .github/workflows/multiline.yml:1:1:89:29 | on:  |
-| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
+| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
 | .github/workflows/test.yml:1:1:40:53 | on: push |
 reusableWorkflows
 compositeActions
 jobs
 | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test |
-| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
 | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
 localJobs
 | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
 | .github/workflows/multiline.yml:9:5:89:29 | Job: Test |
-| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
 | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
 extJobs
@@ -74,7 +74,8 @@ steps
 | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step |
+| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step |
 | .github/workflows/test.yml:11:9:15:6 | Uses Step |
 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
@@ -131,7 +132,8 @@ runSteps
 | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | sed -f ./config.sed file.txt > foo.txt |
 | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | sed -f config file.txt > foo.txt |
 | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | echo "foo" \| awk -f ./config.awk > foo.txt |
-| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo |
+| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo |
+| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | ./foo/cmd |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} |
 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} |
 | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} |
@@ -224,7 +226,8 @@ runStepChildren
 | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt |
 | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt |
 | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt |
-| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo |
+| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo |
+| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} |
 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 |
@@ -377,138 +380,142 @@ parentNodes
 | .github/workflows/multiline.yml:86:14:89:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n} >> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:89:29 | on:  |
 | .github/workflows/multiline.yml:86:14:89:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n} >> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:89:29 | Job: Test |
 | .github/workflows/multiline.yml:86:14:89:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n} >> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:85:9:89:29 | Run Step |
-| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
+| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
 | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push |
 | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push |
 | .github/workflows/poisonable_steps.yml:1:5:1:8 | push | .github/workflows/poisonable_steps.yml:1:5:1:8 | push |
-| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:5:14:5:26 | ubuntu-latest | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:8:15:8:38 | actions/github-script@v7 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step |
-| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step |
 | .github/workflows/poisonable_steps.yml:11:53:11:75 | github.workspace | .github/workflows/poisonable_steps.yml:10:19:12:72 | const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')\nreturn foo({ github, context, core }, body, number, sender)\n |
-| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:13:14:13:32 | . venv/bin/activate | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:14:14:14:42 | echo foo; . venv/bin/activate | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:15:14:15:41 | echo foo;. venv/bin/activate | .github/workflows/poisonable_steps.yml:15:9:16:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:16:14:16:42 | echo foo \|. venv/bin/activate | .github/workflows/poisonable_steps.yml:16:9:17:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:17:14:17:32 | ./venv/bin/activate | .github/workflows/poisonable_steps.yml:17:9:18:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:18:14:18:36 | sh venv/bin/activate.sh | .github/workflows/poisonable_steps.yml:18:9:19:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:19:14:19:44 | echo $(sh venv/bin/activate.sh) | .github/workflows/poisonable_steps.yml:19:9:20:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:20:14:20:56 | echo foo; sh venv/bin/activate.sh; echo bar | .github/workflows/poisonable_steps.yml:20:9:21:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:21:14:21:56 | echo foo \| sh venv/bin/activate.sh > output | .github/workflows/poisonable_steps.yml:21:9:22:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:22:14:22:40 | python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:22:9:23:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:23:14:23:50 | echo foo; python venv/bin/activate.py | .github/workflows/poisonable_steps.yml:23:9:24:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:24:14:24:29 | pnpm run test:ct | .github/workflows/poisonable_steps.yml:24:9:25:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:25:14:25:73 | pip install nbformat && python scripts/generate_notebooks.py | .github/workflows/poisonable_steps.yml:25:9:26:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:26:14:26:78 | python scripts/generate_theme.py --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:27:14:27:76 | ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:28:14:28:92 | bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:29:14:29:42 | xvfb-run ./mvnw clean package | .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:30:14:30:46 | echo "foo" && npm i && echo "bar" | .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:31:14:31:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:32:14:32:44 | echo "foo" \| npm i \| echo "bar" | .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:33:14:33:35 | echo "foo `npm i` bar" | .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:34:14:34:52 | dotnet test foo/Tests.csproj -c Release | .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:35:14:35:26 | go run foo.go | .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:36:14:36:86 | sed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json | .github/workflows/poisonable_steps.yml:36:9:37:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:37:14:37:51 | sed -f ./config.sed file.txt > foo.txt | .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
-| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step |
+| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step |
 | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push |
 | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push |
 | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:5:1:8 | push |
@@ -665,11 +672,11 @@ cfgNodes
 | .github/workflows/multiline.yml:79:14:84:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo '$ISSUE'\n  echo 'EOF'\n} >> "$GITHUB_ENV"\n |
 | .github/workflows/multiline.yml:85:9:89:29 | Run Step |
 | .github/workflows/multiline.yml:86:14:89:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n} >> "$GITHUB_ENV"\n |
-| .github/workflows/poisonable_steps.yml:1:1:40:74 | enter on: push |
-| .github/workflows/poisonable_steps.yml:1:1:40:74 | exit on: push |
-| .github/workflows/poisonable_steps.yml:1:1:40:74 | exit on: push (normal) |
-| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
-| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:1:1:41:23 | enter on: push |
+| .github/workflows/poisonable_steps.yml:1:1:41:23 | exit on: push |
+| .github/workflows/poisonable_steps.yml:1:1:41:23 | exit on: push (normal) |
+| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
+| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate |
 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step |
@@ -728,8 +735,10 @@ cfgNodes
 | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt |
 | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt |
-| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step |
+| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo |
+| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step |
+| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd |
 | .github/workflows/test.yml:1:1:40:53 | enter on: push |
 | .github/workflows/test.yml:1:1:40:53 | exit on: push |
 | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) |
@@ -808,7 +817,7 @@ dfNodes
 | .github/workflows/multiline.yml:79:14:84:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo '$ISSUE'\n  echo 'EOF'\n} >> "$GITHUB_ENV"\n |
 | .github/workflows/multiline.yml:85:9:89:29 | Run Step |
 | .github/workflows/multiline.yml:86:14:89:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n} >> "$GITHUB_ENV"\n |
-| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands |
+| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands |
 | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate |
 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step |
@@ -867,8 +876,10 @@ dfNodes
 | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt |
 | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt |
-| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step |
+| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo |
+| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step |
+| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd |
 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node |
 | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value |
@@ -949,7 +960,7 @@ nodeLocations
 | .github/workflows/multiline.yml:79:14:84:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo '$ISSUE'\n  echo 'EOF'\n} >> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:79:14:84:29 | .github/workflows/multiline.yml@79:14:84:29 |
 | .github/workflows/multiline.yml:85:9:89:29 | Run Step | .github/workflows/multiline.yml:85:9:89:29 | .github/workflows/multiline.yml@85:9:89:29 |
 | .github/workflows/multiline.yml:86:14:89:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n} >> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:86:14:89:29 | .github/workflows/multiline.yml@86:14:89:29 |
-| .github/workflows/poisonable_steps.yml:5:5:40:74 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:40:74 | .github/workflows/poisonable_steps.yml@5:5:40:74 |
+| .github/workflows/poisonable_steps.yml:5:5:41:23 | Job: local_commands | .github/workflows/poisonable_steps.yml:5:5:41:23 | .github/workflows/poisonable_steps.yml@5:5:41:23 |
 | .github/workflows/poisonable_steps.yml:7:9:8:6 | Run Step | .github/workflows/poisonable_steps.yml:7:9:8:6 | .github/workflows/poisonable_steps.yml@7:9:8:6 |
 | .github/workflows/poisonable_steps.yml:7:14:7:30 | venv/bin/activate | .github/workflows/poisonable_steps.yml:7:14:7:30 | .github/workflows/poisonable_steps.yml@7:14:7:30 |
 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step | .github/workflows/poisonable_steps.yml:8:9:13:6 | .github/workflows/poisonable_steps.yml@8:9:13:6 |
@@ -1008,8 +1019,10 @@ nodeLocations
 | .github/workflows/poisonable_steps.yml:38:14:38:45 | sed -f config file.txt > foo.txt | .github/workflows/poisonable_steps.yml:38:14:38:45 | .github/workflows/poisonable_steps.yml@38:14:38:45 |
 | .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step | .github/workflows/poisonable_steps.yml:39:9:40:6 | .github/workflows/poisonable_steps.yml@39:9:40:6 |
 | .github/workflows/poisonable_steps.yml:39:14:39:55 | echo "foo" \| awk -f ./config.awk > foo.txt | .github/workflows/poisonable_steps.yml:39:14:39:55 | .github/workflows/poisonable_steps.yml@39:14:39:55 |
-| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step | .github/workflows/poisonable_steps.yml:40:9:40:74 | .github/workflows/poisonable_steps.yml@40:9:40:74 |
+| .github/workflows/poisonable_steps.yml:40:9:41:6 | Run Step | .github/workflows/poisonable_steps.yml:40:9:41:6 | .github/workflows/poisonable_steps.yml@40:9:41:6 |
 | .github/workflows/poisonable_steps.yml:40:14:40:73 | gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo | .github/workflows/poisonable_steps.yml:40:14:40:73 | .github/workflows/poisonable_steps.yml@40:14:40:73 |
+| .github/workflows/poisonable_steps.yml:41:9:41:23 | Run Step | .github/workflows/poisonable_steps.yml:41:9:41:23 | .github/workflows/poisonable_steps.yml@41:9:41:23 |
+| .github/workflows/poisonable_steps.yml:41:14:41:22 | ./foo/cmd | .github/workflows/poisonable_steps.yml:41:14:41:22 | .github/workflows/poisonable_steps.yml@41:14:41:22 |
 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 |
 | .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 |
@@ -1030,7 +1043,7 @@ nodeLocations
 scopes
 | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
 | .github/workflows/multiline.yml:1:1:89:29 | on:  |
-| .github/workflows/poisonable_steps.yml:1:1:40:74 | on: push |
+| .github/workflows/poisonable_steps.yml:1:1:41:23 | on: push |
 | .github/workflows/test.yml:1:1:40:53 | on: push |
 sources
 | ahmadnassri/action-changed-files | * | output.files | filename | manual |
@@ -1052,6 +1065,10 @@ sources
 | jitterbit/get-changed-files | * | output.removed | filename | manual |
 | jitterbit/get-changed-files | * | output.renamed | filename | manual |
 | khan/pull-request-comment-trigger | * | output.comment_body | text | manual |
+| lots0logs/gh-action-get-changed-files | * | output.added | PR changed files | manual |
+| lots0logs/gh-action-get-changed-files | * | output.all | PR changed files | manual |
+| lots0logs/gh-action-get-changed-files | * | output.modified | PR changed files | manual |
+| lots0logs/gh-action-get-changed-files | * | output.renamed | PR changed files | manual |
 | marocchino/on_artifact | * | output.* | artifact | manual |
 | peter-murray/issue-body-parser-action | * | output.* | text | manual |
 | potiuk/get-workflow-origin | * | output.sourceHeadBranch | branch | manual |
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml
index 8475711949f..5cf7bbd4e6b 100644
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml
@@ -21,69 +21,8 @@ jobs:
         id: pr
         run: echo "::set-output name=id::$(<pr-id.txt)"
 
-      - name: download dist artifact
-        uses: dawidd6/action-download-artifact@v2
-        with:
-          workflow: ${{ github.event.workflow_run.workflow_id }}
-          workflow_conclusion: success
-          name: dist
-
       - name: upload surge service
         id: deploy
         run: |
           export DEPLOY_DOMAIN=https://ant-design-pro-preview-pr-${{ steps.pr.outputs.id }}.surge.sh
           npx surge --project ./ --domain $DEPLOY_DOMAIN --token ${{ secrets.SURGE_TOKEN }}
-
-      - name: update status comment
-        uses: actions-cool/maintain-one-comment@v1.2.1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          body: |
-            🎊 PR Preview has been successfully built and deployed to https://ant-design-pro-preview-pr-${{ steps.pr.outputs.id }}.surge.sh
-
-            <img width="300" src="https://user-images.githubusercontent.com/507615/90250366-88233900-de6e-11ea-95a5-84f0762ffd39.png">
-
-            <!-- Sticky Pull Request Comment -->
-          body-include: '<!-- Sticky Pull Request Comment -->'
-          number: ${{ steps.pr.outputs.id }}
-
-      - name: The job failed
-        if: ${{ failure() }}
-        uses: actions-cool/maintain-one-comment@v1.2.1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          body: |
-            😭 Deploy PR Preview failed.
-
-            <img width="300" src="https://user-images.githubusercontent.com/507615/90250824-4e066700-de6f-11ea-8230-600ecc3d6a6b.png">
-
-            <!-- Sticky Pull Request Comment -->
-          body-include: '<!-- Sticky Pull Request Comment -->'
-          number: ${{ steps.pr.outputs.id }}
-
-  failed:
-    runs-on: ubuntu-latest
-    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'failure'
-    steps:
-      - name: download pr artifact
-        uses: dawidd6/action-download-artifact@v2
-        with:
-          workflow: ${{ github.event.workflow_run.workflow_id }}
-          name: pr
-
-      - name: save PR id
-        id: pr
-        run: echo "::set-output name=id::$(<pr-id.txt)"
-
-      - name: The job failed
-        uses: actions-cool/maintain-one-comment@v1.2.1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          body: |
-            😭 Deploy PR Preview failed.
-
-            <img width="300" src="https://user-images.githubusercontent.com/507615/90250824-4e066700-de6f-11ea-8230-600ecc3d6a6b.png">
-
-            <!-- Sticky Pull Request Comment -->
-          body-include: '<!-- Sticky Pull Request Comment -->'
-          number: ${{ steps.pr.outputs.id }}
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning61.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning61.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml
rename to ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml
new file mode 100644
index 00000000000..633c45661e5
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml
@@ -0,0 +1,23 @@
+# It consumes an artifact produced by the First Workflow
+
+on: workflow_run
+jobs:
+  my-second-job:
+    runs-on: ubuntu-latest
+    steps:
+      - name: download pr artifact
+        uses: dawidd6/action-download-artifact@v2
+        with:
+            workflow: ${{github.event.workflow_run.workflow_id}}
+            run_id: ${{github.event.workflow_run.id}}
+            name: artifact
+
+      # Save PR id to output
+      - name: Save artifact data
+        id: artifact
+        uses: juliangruber/read-file-action@v1
+        with:
+          path: ./artifact.txt
+      - name: Use artifact
+        run: echo ${{ steps.artifact.outputs.contents }} 
+
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml
new file mode 100644
index 00000000000..92c4be4a9e8
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml
@@ -0,0 +1,30 @@
+# It consumes an artifact produced by the First Workflow
+
+on: workflow_run
+jobs:
+  my-second-job:
+    runs-on: ubuntu-latest
+    steps:
+      - name: download pr artifact
+        uses: dawidd6/action-download-artifact@v2
+        with:
+            workflow: ${{github.event.workflow_run.workflow_id}}
+            run_id: ${{github.event.workflow_run.id}}
+            name: artifact
+
+      - id: artifact
+        run: |
+          echo "::set-output name=pr_number::$(<artifact.txt)"
+          mkdir firebase-android
+          unzip firebase-android.zip -d firebase-android
+      - name: Use artifact
+        run: echo ${{ steps.artifact.outputs.pr_number }} 
+
+      - id: artifact2
+        run: |
+          echo "::set-output name=pr_number::$(cat -e artifact.txt)"
+          mkdir firebase-android
+          unzip firebase-android.zip -d firebase-android
+      - name: Use artifact
+        run: echo ${{ steps.artifact2.outputs.pr_number }} 
+
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml
index e815c3dd129..9b4410023e5 100644
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml
@@ -1,9 +1,9 @@
-# Second Workflow
 # It consumes an artifact produced by the First Workflow
 
 on: workflow_run
 jobs:
   my-second-job:
+    runs-on: ubuntu-latest
     steps:
       - name: download pr artifact
         uses: dawidd6/action-download-artifact@v2
@@ -12,10 +12,20 @@ jobs:
             run_id: ${{github.event.workflow_run.id}}
             name: artifact
 
-      # Save PR id to output
-      - name: Save artifact data
-        id: artifact
-        run: echo "::set-output name=id::$(<artifact.txt)"
-
+      - id: artifact
+        run: |
+          set -eou pipefail
+          pr_number=$(cat -e artifact.txt)
+          pr_number=${pr_number%?}
+          pr_length=${#pr_number}
+          only_numbers_re="^[0-9]+$"
+          if ! [[ $pr_length <= 10 && $pr_number =~ $only_numbers_re ]] ; then
+            echo "invalid PR number"
+            exit 1
+          fi
+          echo "::set-output name=pr_number::$pr_number"
+          mkdir firebase-android
+          unzip firebase-android.zip -d firebase-android
       - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.id }} 
+        run: echo ${{ steps.artifact.outputs.pr_number }} 
+
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml
new file mode 100644
index 00000000000..63acdc612b0
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml
@@ -0,0 +1,22 @@
+# Second Workflow
+# It consumes an artifact produced by the First Workflow
+
+on: workflow_run
+jobs:
+  my-second-job:
+    runs-on: ubuntu-latest
+    steps:
+      - name: download pr artifact
+        uses: dawidd6/action-download-artifact@v2
+        with:
+            workflow: ${{github.event.workflow_run.workflow_id}}
+            run_id: ${{github.event.workflow_run.id}}
+            name: artifact
+
+      # Save PR id to output
+      - name: Save artifact data
+        id: artifact
+        run: echo "::set-output name=id::$(<artifact.txt)"
+
+      - name: Use artifact
+        run: echo ${{ steps.artifact.outputs.id }} 
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 3f2d9ebc2c9..370241c7ac0 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -3,12 +3,21 @@ edges
 | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance |  |
 | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance |  |
 | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | provenance |  |
-| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | provenance |  |
 | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | provenance |  |
 | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | provenance |  |
-| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | provenance |  |
-| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id | provenance |  |
-| .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | provenance |  |
+| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | provenance |  |
+| .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:16:14:19:57 | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:24:14:27:57 | echo "::set-output name=pr_number::$(cat -e artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:15:9:20:6 | Run Step: artifact [pr_number] | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:16:14:19:57 | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | .github/workflows/artifactpoisoning6.yml:15:9:20:6 | Run Step: artifact [pr_number] | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:23:9:28:6 | Run Step: artifact2 [pr_number] | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:24:14:27:57 | echo "::set-output name=pr_number::$(cat -e artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | .github/workflows/artifactpoisoning6.yml:23:9:28:6 | Run Step: artifact2 [pr_number] | provenance |  |
+| .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | provenance |  |
+| .github/workflows/artifactpoisoning8.yml:17:9:21:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning8.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning8.yml:17:9:21:6 | Run Step: artifact [id] | provenance |  |
 | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | provenance |  |
 | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | provenance |  |
 | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | provenance |  |
@@ -101,13 +110,24 @@ nodes
 | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | semmle.label | Run Step: pr [id] |
 | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | semmle.label | echo "::set-output name=id::$(<pr-id.txt)" |
-| .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
+| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
 | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr |
 | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
-| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | semmle.label | Uses Step |
-| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] |
-| .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | semmle.label | echo "::set-output name=id::$(<artifact.txt)" |
-| .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id | semmle.label | steps.artifact.outputs.id |
+| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] |
+| .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | semmle.label | echo "::set-output name=id::$(<artifact.txt)" |
+| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | semmle.label | steps.artifact.outputs.id |
+| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning6.yml:15:9:20:6 | Run Step: artifact [pr_number] | semmle.label | Run Step: artifact [pr_number] |
+| .github/workflows/artifactpoisoning6.yml:16:14:19:57 | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | semmle.label | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n |
+| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | semmle.label | steps.artifact.outputs.pr_number |
+| .github/workflows/artifactpoisoning6.yml:23:9:28:6 | Run Step: artifact2 [pr_number] | semmle.label | Run Step: artifact2 [pr_number] |
+| .github/workflows/artifactpoisoning6.yml:24:14:27:57 | echo "::set-output name=pr_number::$(cat -e artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | semmle.label | echo "::set-output name=pr_number::$(cat -e artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n |
+| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | semmle.label | steps.artifact2.outputs.pr_number |
+| .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning8.yml:17:9:21:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] |
+| .github/workflows/artifactpoisoning8.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | semmle.label | echo "::set-output name=id::$(<artifact.txt)" |
+| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | semmle.label | steps.artifact.outputs.id |
 | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | semmle.label | Uses Step: changed-files1 |
 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | semmle.label | steps.changed-files1.outputs.all_changed_files |
 | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | semmle.label | Uses Step: changed-files3 |
@@ -310,9 +330,12 @@ subpaths
 | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
 | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action5/action.yml:16:19:16:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
 | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} |
-| .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} |
+| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} |
 | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} |
-| .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} |
+| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} |
+| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} |
+| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | ${{ steps.artifact2.outputs.pr_number }} |
+| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} |
 | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} |
 | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} |
 | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} |
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
index 4de44d83635..6a0f11410f4 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -3,12 +3,21 @@ edges
 | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance |  |
 | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance |  |
 | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | provenance |  |
-| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | provenance |  |
 | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | provenance |  |
 | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | provenance |  |
-| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | provenance |  |
-| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id | provenance |  |
-| .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | provenance |  |
+| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | provenance |  |
+| .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:16:14:19:57 | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:24:14:27:57 | echo "::set-output name=pr_number::$(cat -e artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:15:9:20:6 | Run Step: artifact [pr_number] | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:16:14:19:57 | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | .github/workflows/artifactpoisoning6.yml:15:9:20:6 | Run Step: artifact [pr_number] | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:23:9:28:6 | Run Step: artifact2 [pr_number] | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:24:14:27:57 | echo "::set-output name=pr_number::$(cat -e artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | .github/workflows/artifactpoisoning6.yml:23:9:28:6 | Run Step: artifact2 [pr_number] | provenance |  |
+| .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | provenance |  |
+| .github/workflows/artifactpoisoning8.yml:17:9:21:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning8.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning8.yml:17:9:21:6 | Run Step: artifact [id] | provenance |  |
 | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | provenance |  |
 | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | provenance |  |
 | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | provenance |  |
@@ -101,13 +110,24 @@ nodes
 | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | semmle.label | Run Step: pr [id] |
 | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | semmle.label | echo "::set-output name=id::$(<pr-id.txt)" |
-| .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
+| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
 | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr |
 | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
-| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | semmle.label | Uses Step |
-| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] |
-| .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | semmle.label | echo "::set-output name=id::$(<artifact.txt)" |
-| .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id | semmle.label | steps.artifact.outputs.id |
+| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] |
+| .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | semmle.label | echo "::set-output name=id::$(<artifact.txt)" |
+| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | semmle.label | steps.artifact.outputs.id |
+| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning6.yml:15:9:20:6 | Run Step: artifact [pr_number] | semmle.label | Run Step: artifact [pr_number] |
+| .github/workflows/artifactpoisoning6.yml:16:14:19:57 | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | semmle.label | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n |
+| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | semmle.label | steps.artifact.outputs.pr_number |
+| .github/workflows/artifactpoisoning6.yml:23:9:28:6 | Run Step: artifact2 [pr_number] | semmle.label | Run Step: artifact2 [pr_number] |
+| .github/workflows/artifactpoisoning6.yml:24:14:27:57 | echo "::set-output name=pr_number::$(cat -e artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | semmle.label | echo "::set-output name=pr_number::$(cat -e artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n |
+| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | semmle.label | steps.artifact2.outputs.pr_number |
+| .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning8.yml:17:9:21:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] |
+| .github/workflows/artifactpoisoning8.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | semmle.label | echo "::set-output name=id::$(<artifact.txt)" |
+| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | semmle.label | steps.artifact.outputs.id |
 | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | semmle.label | Uses Step: changed-files1 |
 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | semmle.label | steps.changed-files1.outputs.all_changed_files |
 | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | semmle.label | Uses Step: changed-files3 |
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml
index edcdc3b2064..aa884b7eca7 100644
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml
@@ -35,6 +35,6 @@ jobs:
           ls -a sonarcloud-data
       - name: Run command
         run: 
-          ./x.py build -j$(nproc) --compiler gcc --skip-build
+          python foo/x.py
 
 
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning8.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning8.yml
rename to ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
index 6b9b0f670f3..c987f63115a 100644
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
@@ -1,7 +1,6 @@
 edges
-| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance |  |
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance |  |
-| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance |  |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance |  |
 | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance |  |
 | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance |  |
 | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance |  |
@@ -13,13 +12,12 @@ edges
 | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance |  |
 | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance |  |
 | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
+| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance |  |
 nodes
-| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step |
-| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n |
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
 | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
-| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./x.py build -j$(nproc) --compiler gcc --skip-build |
+| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | semmle.label | python foo/x.py |
 | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | semmle.label | sh foo/cmd\n |
 | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step |
@@ -42,11 +40,12 @@ nodes
 | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
 | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
 | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n |
 subpaths
 #select
-| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n |
 | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
-| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | ./x.py build -j$(nproc) --compiler gcc --skip-build |
+| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | python foo/x.py |
 | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n |
 | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd |
 | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd |
@@ -58,3 +57,4 @@ subpaths
 | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n |
 | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
 | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n |
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
index 18ad272f803..57d7ff9d64b 100644
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
@@ -1,7 +1,6 @@
 edges
-| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance |  |
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance |  |
-| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance |  |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance |  |
 | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance |  |
 | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance |  |
 | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance |  |
@@ -13,13 +12,12 @@ edges
 | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance |  |
 | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance |  |
 | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
+| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance |  |
 nodes
-| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step |
-| .github/workflows/artifactpoisoning8.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n |
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
 | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
-| .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./x.py build -j$(nproc) --compiler gcc --skip-build |
+| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | semmle.label | python foo/x.py |
 | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | semmle.label | sh foo/cmd\n |
 | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step |
@@ -42,5 +40,7 @@ nodes
 | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
 | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
 | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n |
 subpaths
 #select
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
index 41c465dcc27..70eb169860e 100644
--- a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
+++ b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
@@ -1,9 +1,8 @@
 | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step |
-| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning7.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | Uses Step |
-| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning8.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | Uses Step |
 | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step |
 | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step |
+| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning71.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | Uses Step |
 | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref '3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step |
 | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Unpinned 3rd party Action 'Python CI' step $@ uses 'peter-evans/create-pull-request' with ref '5', not a pinned commit hash | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | Uses Step: create_pr |
 | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'thollander/actions-comment-pull-request' with ref '2', not a pinned commit hash | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | Uses Step |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index b4a099672a4..4431d865417 100644
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -9,16 +9,12 @@ edges
 | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step |
-| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:17:9:21:6 | Run Step: artifact |
-| .github/workflows/artifactpoisoning7.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:21:9:22:52 | Run Step |
-| .github/workflows/artifactpoisoning7.yml:17:9:21:6 | Run Step: artifact | .github/workflows/artifactpoisoning7.yml:21:9:22:52 | Run Step |
-| .github/workflows/artifactpoisoning8.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:16:9:18:40 | Run Step |
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step |
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step |
 | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step |
 | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step |
-| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step |
-| .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:26 | Run Step |
+| .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning12.yml:36:9:38:26 | Run Step |
 | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:21 | Run Step |
 | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:20 | Run Step |
 | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step |
@@ -40,9 +36,7 @@ edges
 | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step |
 | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step |
 | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step |
-| .github/workflows/artifactpoisoning61.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning61.yml:41:9:53:6 | Run Step: prepare |
-| .github/workflows/artifactpoisoning61.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning61.yml:53:9:53:50 | Run Step |
-| .github/workflows/artifactpoisoning61.yml:41:9:53:6 | Run Step: prepare | .github/workflows/artifactpoisoning61.yml:53:9:53:50 | Run Step |
+| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:16:9:18:40 | Run Step |
 | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step |
 | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step |
 | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step |