
Missing injection sources

Open fproulx-boostsecurity opened this issue 1 year ago • 0 comments

The current injection sources regex https://github.com/boostsecurityio/poutine/blob/fc3705554da4ac76409248629d6aadb24c7a2302/opa/rego/rules/injection.rego#L19

is missing various sources, some of which are in messypoutine https://github.com/messypoutine/gravy-overflow/blob/main/.github/workflows/level1.yml#L46

Such as github.event.workflow_run.head_commit.message

In fact, looking at the semgrep rule, there are a few more we can just get there https://github.com/semgrep/semgrep-rules/blob/develop/yaml/github-actions/security/github-script-injection.yaml#L52-L69

Semgrep's list is missing this one for instance github.event.pull_request.head.repo.description https://github.com/messypoutine/gravy-overflow/blob/4bdd38801e7e37238c1c4282d29dbd8aa0ba520c/.github/workflows/level0.yml#L138

fproulx-boostsecurity, May 09 '24 19:05
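To make the gap concrete, here is an added example (not poutine's Rego rule, nor the semgrep rule linked above) of the kind of detection this issue is asking for: a small scanner that extracts `${{ ... }}` expressions from the `run:` steps of a workflow and flags those that read from a context path an outside contributor can control. The list of untrusted sources is my own illustrative one and is assumed, not taken from either project; it includes the two paths named in the issue, `github.event.workflow_run.head_commit.message` and `github.event.pull_request.head.repo.description`, alongside the well-known issue/PR/comment fields. The workflow YAML is constructed for the example, the YAML handling is a deliberately minimal line-based reading of `run:` keys (inline and `|` block scalars), and only `run:` is treated as a sink; the step that passes the same value through an `env:` variable is the mitigation and is correctly not flagged.

```python
import re

# Illustrative list of attacker-controllable context paths (assumed, not poutine's or semgrep's list).
UNTRUSTED_SOURCES = [re.compile(p) for p in (
    r"github\.event\.issue\.(title|body)",
    r"github\.event\.pull_request\.(title|body)",
    r"github\.event\.pull_request\.head\.(ref|label)",
    r"github\.event\.pull_request\.head\.repo\.(description|default_branch)",
    r"github\.event\.(comment|review|review_comment)\.body",
    r"github\.event\.head_commit\.(message|author\.(name|email))",
    r"github\.event\.commits\[[^\]]*\]\.(message|author\.(name|email))",
    r"github\.event\.workflow_run\.head_branch",
    r"github\.event\.workflow_run\.head_commit\.(message|author\.(name|email))",
    r"github\.head_ref",
)]

# `${{ expr }}` expressions; the inner expression is captured.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# A `run:` key, optionally as the first key of a list item (`- run:`).
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def extract_run_scripts(workflow_text):
    """Return (line_no, script) for every `run:` step.

    Minimal YAML handling: an inline value is taken as-is; a block scalar
    (`|`, `>`, with optional chomping indicator) collects the lines that are
    indented deeper than the `run` key itself.
    """
    lines = workflow_text.splitlines()
    scripts, i = [], 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3).strip()
        if value in ("|", ">", "|-", ">-", "|+", ">+"):
            body, j = [], i + 1
            while j < len(lines) and (
                lines[j].strip() == ""
                or len(lines[j]) - len(lines[j].lstrip()) > key_indent
            ):
                body.append(lines[j].strip())
                j += 1
            scripts.append((i + 1, "\n".join(body)))
            i = j
        else:
            scripts.append((i + 1, value))
            i += 1
    return scripts


def find_injections(workflow_text):
    """Return (line_no, expression) for each `run:` step that interpolates an untrusted source."""
    findings = []
    for line_no, script in extract_run_scripts(workflow_text):
        for expr in EXPR_RE.findall(script):
            if any(src.search(expr) for src in UNTRUSTED_SOURCES):
                findings.append((line_no, expr))
    return findings


# Constructed sample workflow: two unsafe steps, one mitigated step, one trusted step.
SAMPLE_WORKFLOW = """\
name: demo
on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]
  pull_request_target:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Unsafe, expression interpolated straight into the shell
        run: |
          echo "Last commit: ${{ github.event.workflow_run.head_commit.message }}"
      - name: Unsafe, source missed by some scanner rule lists
        run: echo "Fork says ${{ github.event.pull_request.head.repo.description }}"
      - name: Safe, value passed through an environment variable
        env:
          MSG: ${{ github.event.workflow_run.head_commit.message }}
        run: echo "Last commit $MSG"
      - name: Fine, trusted context only
        run: echo "Run ${{ github.run_id }} in ${{ github.repository }}"
"""

if __name__ == "__main__":
    for line_no, expr in find_injections(SAMPLE_WORKFLOW):
        print(f"line {line_no}: untrusted input in run step: {expr}")
```

Running it reports lines 12 and 15 of the sample and nothing else. The `env:` step shows the usual fix: binding the value to an environment variable keeps it out of the script text, so the shell sees `$MSG` rather than the interpolated content. A fuller rule would use a real YAML parser, treat `actions/github-script`'s `script:` input as a sink as well, and keep its source list in one place so additions like the ones this issue lists only need to land once.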