diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index 10a45830324..421af3be8ab 100644
--- a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -92,9 +92,15 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
 or
 // 3rd party actions returning the PR head sha/ref
 exists(UsesStep step |
- step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
- // TODO: This should be read step of the head_sha or head_ref output vars
- this.getArgument("ref").regexpMatch(".*head_ref.*") and
+ (
+ step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
+ // TODO: This should be read step of the head_sha or head_ref output vars
+ this.getArgument("ref").matches("%.head_ref%")
+ or
+ step.getCallee() = ["github/branch-deploy"] and
+ // TODO: This should be read step of the ref output var
+ this.getArgument("ref").matches("%.ref%")
+ ) and
 DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
 )
 or
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index e68a4c67cc4..acfc1c7e210 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@ library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.22
+version: 0.0.23
 dependencies:
 codeql/util: ^0.2.0
 codeql/yaml: ^0.1.2
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
index 465be503e7c..efafbbb55ba 100644
--- a/ql/src/qlpack.yml
+++ b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.22
+version: 0.0.23
 groups:
 - actions
 - queries
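Review bot: The new `github/branch-deploy` disjunct keys on `this.getArgument("ref").matches("%.ref%")`, which is much looser than the `%.head_ref%` test above it: any `ref:` value containing the substring `.ref` satisfies it, including `github.ref`, `github.ref_name`, or an unrelated `outputs.refs`-style expression, so the callee check on the preceding line is doing most of the work and the string match adds little precision. The `DataFlow::hasLocalFlowExpr(step, ...)` conjunct on the following line narrows this to expressions fed by the step, but it does not appear to constrain which output is read, so a `ref:` that mixes the step's output with a trusted ref would presumably still be flagged as mutable. Until the TODO on both branches (reading the actual `ref`/`head_ref` output of the step) is done, tightening the pattern to the output accessor, `this.getArgument("ref").matches("%.outputs.ref%")`, would at least exclude the `github.ref`/`github.ref_name` false positives while still matching `steps.<id>.outputs.ref`. The enclosing `ActionsMutableRefCheckout` characteristic predicate starts and ends outside the hunk, so other disjuncts may already cover `github.ref`; worth confirming before changing.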