github
diff --git a/‎.github/workflows/codegen.yml renamed to ‎.github/workflows/python-tooling.yml
Lines changed: 6 additions & 5 deletions b/‎.github/workflows/codegen.yml renamed to ‎.github/workflows/python-tooling.yml
Lines changed: 6 additions & 5 deletions
diff --git a/‎.pre-commit-config.yaml
Lines changed: 6 additions & 4 deletions b/‎.pre-commit-config.yaml
Lines changed: 6 additions & 4 deletions
diff --git a/‎Cargo.lock
Lines changed: 1 addition & 0 deletions b/‎Cargo.lock
Lines changed: 1 addition & 0 deletions
diff --git a/‎actions/ql/integration-tests/query-suite/actions-code-quality-extended.qls.expected
Lines changed: 1 addition & 0 deletions b/‎actions/ql/integration-tests/query-suite/actions-code-quality-extended.qls.expected
Lines changed: 1 addition & 0 deletions
diff --git a/‎actions/ql/integration-tests/query-suite/test.py
Lines changed: 1 addition & 1 deletion b/‎actions/ql/integration-tests/query-suite/test.py
Lines changed: 1 addition & 1 deletion
diff --git a/‎actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
Lines changed: 2 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
Lines changed: 2 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
Lines changed: 2 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/src/Models/CompositeActionsSinks.ql
Lines changed: 2 additions & 0 deletions b/‎actions/ql/src/Models/CompositeActionsSinks.ql
Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/src/Models/CompositeActionsSources.ql
Lines changed: 2 additions & 0 deletions b/‎actions/ql/src/Models/CompositeActionsSources.ql
Lines changed: 2 additions & 0 deletions
@@ -1,10 +1,11 @@
-name: Codegen
+name: Python tooling
 
 on:
   pull_request:
     paths:
       - "misc/bazel/**"
       - "misc/codegen/**"
+      - "misc/scripts/models-as-data/bulk_generate_mad.py"
       - "*.bazel*"
       - .github/workflows/codegen.yml
       - .pre-commit-config.yaml
@@ -17,17 +18,17 @@ permissions:
   contents: read
 
 jobs:
-  codegen:
+  check-python-tooling:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
-          python-version-file: 'misc/codegen/.python-version'
+          python-version: '3.12'
       - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         name: Check that python code is properly formatted
         with:
-          extra_args: autopep8 --all-files
+          extra_args: black --all-files
       - name: Run codegen tests
         shell: bash
         run: |
 
@@ -1,5 +1,7 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
+default_language_version:
+  python: python3.12
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v3.2.0
@@ -14,11 +16,11 @@ repos:
     hooks:
       - id: clang-format
 
-  - repo: https://github.com/pre-commit/mirrors-autopep8
-    rev: v2.0.4
+  - repo: https://github.com/psf/black
+    rev: 25.1.0
     hooks:
-      - id: autopep8
-        files: ^misc/codegen/.*\.py
+      - id: black
+        files: ^(misc/codegen/.*|misc/scripts/models-as-data/bulk_generate_mad)\.py$
 
   - repo: local
     hooks:
 
@@ -0,0 +1 @@
+
@@ -2,7 +2,7 @@
 import pytest
 from query_suites import *
 
-well_known_query_suites = ['actions-code-quality.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
+well_known_query_suites = ['actions-code-quality.qls', 'actions-code-quality-extended.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
 
 @runs_on.posix
 @pytest.mark.parametrize("query_suite", well_known_query_suites)
 
@@ -214,6 +214,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
 
@@ -16,6 +16,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
 
@@ -15,6 +15,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */
 
@@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
 
@@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
Original file line number	Diff line number	Diff line change
`@@ -214,6 +214,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {`
`214`	`214`	`)`
`215`	`215`	`)`
`216`	`216`	`}`
	`217`	`+`
	`218`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`217`	`219`	`}`
`218`	`220`
`219`	`221`	`/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {`
`16`	`16`	`predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`17`	`17`
`18`	`18`	`predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }`
	`19`	`+`
	`20`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`19`	`21`	`}`
`20`	`22`
`21`	`23`	`/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {`
`15`	`15`	`predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`16`	`16`
`17`	`17`	`predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }`
	`18`	`+`
	`19`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`18`	`20`	`}`
`19`	`21`
`20`	`22`	`/** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {`
`24`	`24`	`predicate isSink(DataFlow::Node sink) {`
`25`	`25`	`sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")`
`26`	`26`	`}`
	`27`	`+`
	`28`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`27`	`29`	`}`
`28`	`30`
`29`	`31`	`module MyFlow = TaintTracking::Global<MyConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {`
`34`	`34`	`isSink(node) and`
`35`	`35`	`set instanceof DataFlow::FieldContent`
`36`	`36`	`}`
	`37`	`+`
	`38`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`37`	`39`	`}`
`38`	`40`
`39`	`41`	`module MyFlow = TaintTracking::Global<MyConfig>;`