Adjust alert messages CWE-829/ArtifactPoisoning[Critical|Medium]

Author: knewbury01

actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql

@@ -21,5 +21,5 @@ where
   ArtifactPoisoningFlow::flowPath(source, sink) and
   event = getRelevantEventInPrivilegedContext(sink.getNode())
 select sink.getNode(), source, sink,
-  "Potential artifact poisoning in $@, which may be controlled by an external user ($@).", sink,
-  sink.getNode().toString(), event, event.getName()
+  "Potential artifact poisoning, which may be controlled by an external user ($@).", event,
+  event.getName()

actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql

@@ -21,5 +21,4 @@ where
   ArtifactPoisoningFlow::flowPath(source, sink) and
   inNonPrivilegedContext(sink.getNode().asExpr())
 select sink.getNode(), source, sink,
-  "Potential artifact poisoning in $@, which may be controlled by an external user.", sink,
-  sink.getNode().toString()
+  "Potential artifact poisoning, which may be controlled by an external user."

actions/ql/src/change-notes/2026-04-02-alert-msg-poisoning.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand.