Actions: improve improper access control query

Closes: https://github.com/github/codeql/issues/20706

actions/ql/src/Security/CWE-285/ImproperAccessControl.ql

@@ -14,7 +14,7 @@
 import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.ControlChecks
 
-from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event event
+from LocalJob job, LabelCheck check, PRHeadCheckoutStep checkout, Event event
 where
   job.isPrivileged() and
   job.getAStep() = checkout and
@@ -25,6 +25,8 @@ where
     event.getAnActivityType() = "synchronize"
     or
     not exists(job.getATriggerEvent())
+    or
+    checkout instanceof MutableRefCheckoutStep
   )
 select checkout, "The checked-out code can be modified after the authorization check $@.", check,
   check.toString()

actions/ql/src/change-notes/2025-11-25-improve-improper-access-control.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* The `actions/improper-access-control` query has been improved to correctly detect cases where either the check
+  triggers or the checkout reference are unsafe, rather than only when both applied as was done previously.

actions/ql/test/query-tests/Security/CWE-285/.github/workflows/bad_checkout.yml

@@ -16,5 +16,5 @@ jobs:
       uses: actions/checkout@v3
       if: contains(github.event.pull_request.labels.*.name, 'safe to test')
       with:
-        ref: ${{ github.event.pull_request.head.ref }}
+        ref: ${{ github.event.pull_request.head.ref }}  # BAD (mutable ref)
     - run: ./cmd

actions/ql/test/query-tests/Security/CWE-285/.github/workflows/bad_triggers.yml

@@ -16,5 +16,5 @@ jobs:
       uses: actions/checkout@v3
       if: contains(github.event.pull_request.labels.*.name, 'safe to test')
       with:
-        ref: ${{ github.event.pull_request.head.ref }}
+        ref: ${{ github.event.pull_request.head.sha }}  # BAD (bad trigger)
     - run: ./cmd

actions/ql/test/query-tests/Security/CWE-285/.github/workflows/good.yml

@@ -0,0 +1,20 @@
+name: Pull request feedback
+
+on:
+  pull_request_target:
+    types: [ labeled ]
+
+permissions: {}
+jobs:
+  test:
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repo for OWNER TEST
+      uses: actions/checkout@v3
+      if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}  # GOOD (labeled event + immutable ref)
+    - run: ./cmd

actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected

@@ -1 +1,2 @@
-| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be modified after the authorization check $@. | .github/workflows/test1.yml:17:11:17:75 | contain ...  test') | contain ...  test') |
+| .github/workflows/bad_checkout.yml:15:7:20:4 | Uses Step | The checked-out code can be modified after the authorization check $@. | .github/workflows/bad_checkout.yml:17:11:17:75 | contain ...  test') | contain ...  test') |
+| .github/workflows/bad_triggers.yml:15:7:20:4 | Uses Step | The checked-out code can be modified after the authorization check $@. | .github/workflows/bad_triggers.yml:17:11:17:75 | contain ...  test') | contain ...  test') |