build: add angle patch dir

* chore: bump chromium in DEPS to 145.0.7562.0

* fix(patch-conflict): update code cache patch for PersistentCache refactor

Upstream refactored code cache to use PersistentCache with new class-based
implementation (NoopCodeCacheHost, LocalCodeCacheHost, CodeCacheWithPersistentCacheHost).
Updated patch to integrate custom scheme support into the new structure while
preserving ProcessLockURLIsCodeCacheScheme checks for embedder-registered schemes.

Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7044986

Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>

* fix(patch-conflict): update dialog patch for RequestXdgDesktopPortal API

Upstream changed from SetSystemdScopeUnitNameForXdgPortal to RequestXdgDesktopPortal
API pattern. Updated OnServiceStarted signature and kept OnSystemdUnitStarted callback
that calls Electron's file_dialog::StartPortalAvailabilityTestInBackground().

Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7204285

Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>

* fix(patch-conflict): remove reference to deleted AbortByPlaceholderLayout flag

Upstream removed the AbortByPlaceholderLayout runtime flag from
runtime_enabled_features.json5. Updated patch to only add ElectronCSSCornerSmoothing
without the removed flag reference.

Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7226494

Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>

* chore: update patch hunk headers

Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>

* fix(build): guard media_file_system_registry for ChromeOS only

Upstream CL https://chromium-review.googlesource.com/c/chromium/src/+/7100719
moved media_file_system_registry to be ChromeOS-only since Media
Galleries is a Chrome Apps API and Chrome Apps are only available
on Chrome OS now.

Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>

* fix(build): update VideoPixelFormat API for SharedImageFormat

Upstream CL https://chromium-review.googlesource.com/c/chromium/src/+/7207153
removed VideoPixelFormatToGfxBufferFormat as part of migration to
SharedImageFormat. Update to use VideoPixelFormatToSharedImageFormat
which directly returns the SharedImageFormat.

Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>

* fix(build): extend profile methods patch for ShouldEnableXfaForms

The ShouldEnableXfaForms function uses Profile::FromBrowserContext()
which is not available in Electron. Wrap the profile-dependent code
in #if 0 to fall through to the feature flag default.

Co-Authored-By: Claude <noreply@anthropic.com>

* chore: bump chromium in DEPS to 145.0.7563.0

* chore: bump chromium in DEPS to 145.0.7565.0

* chore: bump chromium in DEPS to 145.0.7567.0

* chore: bump chromium in DEPS to 145.0.7568.0

* fix(patch-conflict): update content_main_delegate.h context for IsInitFeatureListEarly

Upstream added a new IsInitFeatureListEarly() virtual method to ContentMainDelegate
just before where our GetBrowserV8SnapshotFilename() method is added. Updated patch
context to account for this new method.

Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7092856

Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>

* chore: update patch hunk headers

Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>

* fix(patch-update): include v8-cppgc.h for CppHeap complete type

The std::unique_ptr<v8::CppHeap> default argument in node.h requires
the complete CppHeap type definition for the destructor. Added the
v8-cppgc.h include to provide the full type definition.

Ref: Unable to locate CL - libc++ unique_ptr requires complete type for destructor

Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>

* chore: update patch hunk headers

Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>

* fix(build): move NativeAppWindowFrameViewMacClient before constructor

The std::unique_ptr<NativeAppWindowFrameViewMacClient> member requires
the complete type definition to be visible at the point of the constructor
because the unique_ptr destructor may be instantiated during exception
handling. Moved the class definition before the NativeWindowMac constructor.

Ref: Unable to locate CL - libc++ unique_ptr requires complete type for destructor

Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>

* fix(patch-conflict): update create_browser_v8_snapshot_file_name_fuse context for IsInitFeatureListEarly

The upstream added IsInitFeatureListEarly() virtual method declaration to
ContentMainDelegate class. Updated the patch context to account for this
new function being present before the GetBrowserV8SnapshotFilename()
declaration we add.

Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7092856

Co-Authored-By: Claude <noreply@anthropic.com>

* chore: update patch hunk headers

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(patch-update): remove reverted IsInitFeatureListEarly from v8 snapshot patch

The upstream added IsInitFeatureListEarly() was reverted, so the patch should
not include this declaration. Only GetBrowserV8SnapshotFilename() should be
added by the create_browser_v8_snapshot_file_name_fuse patch.

Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7230430

Co-Authored-By: Claude <noreply@anthropic.com>

* 6171655: include single_thread_task_runner.h for complete type

Added include for base/task/single_thread_task_runner.h in osr_converter.cc
to resolve incomplete type error when using
base::SingleThreadTaskRunner::GetCurrentDefault().

Ref: https://chromium-review.googlesource.com/c/chromium/src/+/6171655

Co-Authored-By: Claude <noreply@anthropic.com>

* 7224136: use CHROMIUM_GIT_REVISION directly instead of removed function

Upstream removed GetChromiumGitRevision() function from embedder_support.
Updated to use CHROMIUM_GIT_REVISION macro directly via
build/util/chromium_git_revision.h as recommended in the Chromium CL.

Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7224136

Co-Authored-By: Claude <noreply@anthropic.com>

* fixup! 7224136: use CHROMIUM_GIT_REVISION directly instead of removed function

* fix(build): add missing include

`components/dbus/xdg/systemd.h` for `void OnSystemdUnitStarted(dbus_xdg::SystemdUnitStatus)` in the same patch.

* fix(build): adapt to string-view-ification change in windows jump_list.cc

7186922: Fix unsafe buffer usage in base/win/win_util.cc
https://chromium-review.googlesource.com/c/chromium/src/+/7186922

* chore: update libc++ filenames

* fixup! fix(build): add missing include

* fixup! fix(build): extend profile methods patch for ShouldEnableXfaForms

* fixup! fix(build): guard media_file_system_registry for ChromeOS only

* fixup! fixup! fix(build): extend profile methods patch for ShouldEnableXfaForms

---------

Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: Keeley Hammond <khammond@slack-corp.com>
Co-authored-by: Claude <svc-devxp-claude@slack-corp.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: clavin <clavin@electronjs.org>

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,3 +1,6 @@
+> [!IMPORTANT]
+> Please note that code reviews and merges will be delayed during our [quiet period in December](https://www.electronjs.org/blog/dec-quiet-period-25) and might not happen until January.
+
 #### Description of Change
 
 <!--

.github/actions/build-electron/action.yml

@@ -17,9 +17,6 @@ inputs:
   is-release:
     description: 'Is release build'
     required: true
-  strip-binaries:
-    description: 'Strip binaries (Linux only)'
-    required: false
   generate-symbols:
     description: 'Generate symbols'
     required: true
@@ -48,6 +45,7 @@ runs:
       shell: bash
       run: echo "::add-matcher::src/electron/.github/problem-matchers/clang.json"
     - name: Build Electron ${{ inputs.step-suffix }}
+      if: ${{ inputs.target-platform != 'win' }}
       shell: bash
       run: |
         rm -rf "src/out/Default/Electron Framework.framework"
@@ -63,22 +61,51 @@ runs:
           sudo launchctl limit maxfiles 65536 200000
         fi
 
-        NINJA_SUMMARIZE_BUILD=1 e build -j $NUMBER_OF_NINJA_PROCESSES
+        if [ "${{ inputs.is-release }}" = "true" ]; then
+          NINJA_SUMMARIZE_BUILD=1 e build --target electron:release_build
+        else
+          NINJA_SUMMARIZE_BUILD=1 e build --target electron:testing_build
+        fi
         cp out/Default/.ninja_log out/electron_ninja_log
         node electron/script/check-symlinks.js
-    - name: Strip Electron Binaries ${{ inputs.step-suffix }}
-      shell: bash
-      if: ${{ inputs.strip-binaries == 'true' }}
+
+        # Upload build stats to Datadog
+        if ! [ -z $DD_API_KEY ]; then
+          npx node electron/script/build-stats.mjs out/Default/siso.INFO --upload-stats || true          
+        else
+          echo "Skipping build-stats.mjs upload because DD_API_KEY is not set"
+        fi
+    - name: Build Electron (Windows) ${{ inputs.step-suffix }}
+      if: ${{ inputs.target-platform == 'win' }}
+      shell: powershell
       run: |
-        cd src
-        electron/script/copy-debug-symbols.py --target-cpu="${{ inputs.target-arch }}" --out-dir=out/Default/debug --compress
-        electron/script/strip-binaries.py --target-cpu="${{ inputs.target-arch }}" --verbose
-        electron/script/add-debug-link.py --target-cpu="${{ inputs.target-arch }}" --debug-dir=out/Default/debug
-    - name: Build Electron dist.zip ${{ inputs.step-suffix }}
+        cd src\electron
+        git pack-refs
+        cd ..
+
+        $env:NINJA_SUMMARIZE_BUILD = 1
+        if ("${{ inputs.is-release }}" -eq "true") {          
+          e build --target electron:release_build
+        } else {
+          e build --target electron:testing_build
+        }
+        Copy-Item out\Default\.ninja_log out\electron_ninja_log
+        node electron\script\check-symlinks.js
+
+        # Upload build stats to Datadog
+        if ($env:DD_API_KEY) {
+          try {
+            npx node electron\script\build-stats.mjs out\Default\siso.exe.INFO --upload-stats
+          } catch {
+            Write-Host "Build stats upload failed, continuing..."
+          }
+        } else {
+          Write-Host "Skipping build-stats.mjs upload because DD_API_KEY is not set"
+        }
+    - name: Verify dist.zip ${{ inputs.step-suffix }}
       shell: bash
       run: |
-        cd src
-        e build --target electron:electron_dist_zip -j $NUMBER_OF_NINJA_PROCESSES -d explain
+        cd src        
         if [ "${{ inputs.is-asan }}" != "true" ]; then
           target_os=${{ inputs.target-platform == 'macos' && 'mac' || inputs.target-platform }}
           if [ "${{ inputs.artifact-platform }}" = "mas" ]; then
@@ -86,11 +113,10 @@ runs:
           fi
           electron/script/zip_manifests/check-zip-manifest.py out/Default/dist.zip electron/script/zip_manifests/dist_zip.$target_os.${{ inputs.target-arch }}.manifest
         fi
-    - name: Build Mksnapshot ${{ inputs.step-suffix }}
+    - name: Fixup Mksnapshot ${{ inputs.step-suffix }}
       shell: bash
       run: |
         cd src
-        e build --target electron:electron_mksnapshot -j $NUMBER_OF_NINJA_PROCESSES
         ELECTRON_DEPOT_TOOLS_DISABLE_LOG=1 e d gn desc out/Default v8:run_mksnapshot_default args > out/Default/mksnapshot_args
         # Remove unused args from mksnapshot_args
         SEDOPTION="-i"
@@ -100,20 +126,6 @@ runs:
         sed $SEDOPTION '/.*builtins-pgo/d' out/Default/mksnapshot_args
         sed $SEDOPTION '/--turbo-profiling-input/d' out/Default/mksnapshot_args
 
-        if [ "${{ inputs.target-platform }}" = "linux" ]; then
-          if [ "${{ inputs.target-arch }}" = "arm" ]; then
-            electron/script/strip-binaries.py --file $PWD/out/Default/clang_x86_v8_arm/mksnapshot
-            electron/script/strip-binaries.py --file $PWD/out/Default/clang_x86_v8_arm/v8_context_snapshot_generator
-          elif [ "${{ inputs.target-arch }}" = "arm64" ]; then
-            electron/script/strip-binaries.py --file $PWD/out/Default/clang_x64_v8_arm64/mksnapshot
-            electron/script/strip-binaries.py --file $PWD/out/Default/clang_x64_v8_arm64/v8_context_snapshot_generator
-          else
-            electron/script/strip-binaries.py --file $PWD/out/Default/mksnapshot
-            electron/script/strip-binaries.py --file $PWD/out/Default/v8_context_snapshot_generator
-          fi
-        fi
-
-        e build --target electron:electron_mksnapshot_zip -j $NUMBER_OF_NINJA_PROCESSES
         if [ "${{ inputs.target-platform }}" = "win" ]; then
           cd out/Default
           powershell Compress-Archive -update mksnapshot_args mksnapshot.zip
@@ -147,7 +159,6 @@ runs:
       shell: bash
       run: |
         cd src
-        e build --target electron:electron_chromedriver -j $NUMBER_OF_NINJA_PROCESSES
         e build --target electron:electron_chromedriver_zip
 
         if [ "${{ inputs.is-asan }}" != "true" ]; then
@@ -157,11 +168,6 @@ runs:
           fi
           electron/script/zip_manifests/check-zip-manifest.py out/Default/chromedriver.zip electron/script/zip_manifests/chromedriver_zip.$target_os.${{ inputs.target-arch }}.manifest
         fi
-    - name: Build Node.js headers ${{ inputs.step-suffix }}
-      shell: bash
-      run: |
-        cd src
-        e build --target electron:node_headers
     - name: Create installed_software.json ${{ inputs.step-suffix }}
       shell: powershell
       if: ${{ inputs.is-release == 'true' && inputs.target-platform == 'win' }}
@@ -181,41 +187,23 @@ runs:
         # Needed for msdia140.dll on 64-bit windows
         cd src
         export PATH="$PATH:$(pwd)/third_party/llvm-build/Release+Asserts/bin"
-    - name: Generate & Zip Symbols ${{ inputs.step-suffix }}
+    - name: Zip Symbols ${{ inputs.step-suffix }}
       shell: bash
       run: |
-        # Generate breakpad symbols on release builds
-        if [ "${{ inputs.generate-symbols }}" = "true" ]; then
-          e build --target electron:electron_symbols
-        fi
         cd src
         export BUILD_PATH="$(pwd)/out/Default"
-        e build --target electron:licenses
-        e build --target electron:electron_version_file
         if [ "${{ inputs.is-release }}" = "true" ]; then
           DELETE_DSYMS_AFTER_ZIP=1 electron/script/zip-symbols.py -b $BUILD_PATH
         else
           electron/script/zip-symbols.py -b $BUILD_PATH
         fi
     - name: Generate FFMpeg ${{ inputs.step-suffix }}
-      if: ${{ inputs.is-release == 'true' }}
       shell: bash
+      if: ${{ inputs.is-release == 'true' }}
       run: |
         cd src
-        gn gen out/ffmpeg --args="import(\"//electron/build/args/ffmpeg.gn\") use_remoteexec=true $GN_EXTRA_ARGS"
-        e build --target electron:electron_ffmpeg_zip -C ../../out/ffmpeg -j $NUMBER_OF_NINJA_PROCESSES
-    - name: Generate Hunspell Dictionaries ${{ inputs.step-suffix }}
-      shell: bash
-      if: ${{ inputs.is-release == 'true' && inputs.target-platform == 'linux' }}
-      run: |
-        e build --target electron:hunspell_dictionaries_zip -j $NUMBER_OF_NINJA_PROCESSES
-    - name: Generate Libcxx ${{ inputs.step-suffix }}
-      shell: bash
-      if: ${{ inputs.is-release == 'true' && inputs.target-platform == 'linux' }}
-      run: |
-        e build --target electron:libcxx_headers_zip -j $NUMBER_OF_NINJA_PROCESSES
-        e build --target electron:libcxxabi_headers_zip -j $NUMBER_OF_NINJA_PROCESSES
-        e build --target electron:libcxx_objects_zip -j $NUMBER_OF_NINJA_PROCESSES
+        gn gen out/ffmpeg --args="import(\"//electron/build/args/ffmpeg.gn\") use_remoteexec=true use_siso=true $GN_EXTRA_ARGS"
+        e build --target electron:electron_ffmpeg_zip -C ../../out/ffmpeg
     - name: Remove Clang problem matcher
       shell: bash
       run: echo "::remove-matcher owner=clang::"
@@ -224,7 +212,7 @@ runs:
       shell: bash
       run: |
         cd src/electron
-        node script/yarn create-typescript-definitions
+        node script/yarn.js create-typescript-definitions
     - name: Publish Electron Dist ${{ inputs.step-suffix }}
       if: ${{ inputs.is-release == 'true' }}
       shell: bash
@@ -238,7 +226,29 @@ runs:
           echo 'Uploading Electron release distribution to GitHub releases'
           script/release/uploaders/upload.py --verbose
         fi
+    - name: Generate siso report
+      if: ${{ inputs.target-platform != 'win' && !cancelled() }}
+      shell: bash
+      run: |
+        cd src
+        e d siso report -C out/Default > siso_report.txt
+        SISO_REPORT_PATH=$(grep -o '/.*siso-report-[^ ]*' siso_report.txt)
+        echo "SISO_REPORT_PATH=$SISO_REPORT_PATH" >> $GITHUB_ENV
+        cat siso_report.txt
+        echo "SISO REPORT AT $SISO_REPORT_PATH"
+    - name: Generate siso report (Windows)
+      if: ${{ inputs.target-platform == 'win' && !cancelled() }}
+      shell: powershell
+      run: |
+        cd src
+        e d siso report -C out\Default > siso_report.txt
+        $SISO_REPORT_PATH = Get-Content "siso_report.txt" | Select-String "report file:\s*(.+)" | ForEach-Object { 
+          $_.Matches.Groups[1].Value.Trim() 
+        }
+        echo "SISO_REPORT_PATH=$SISO_REPORT_PATH"
+        echo "SISO_REPORT_PATH=$SISO_REPORT_PATH" >> $env:GITHUB_ENV
     - name: Generate Artifact Key
+      if: always() && !cancelled()
       shell: bash
       run: |
         if [ "${{ inputs.is-asan }}" = "true" ]; then 
@@ -250,9 +260,11 @@ runs:
     # The current generated_artifacts_<< artifact.key >> name was taken from CircleCI
     # to ensure we don't break anything, but we may be able to improve that.
     - name: Move all Generated Artifacts to Upload Folder ${{ inputs.step-suffix }}
+      if: always() && !cancelled()
       shell: bash
       run: ./src/electron/script/actions/move-artifacts.sh
     - name: Upload Generated Artifacts ${{ inputs.step-suffix }}
+      if: always() && !cancelled()
       uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
       with:
         name: generated_artifacts_${{ env.ARTIFACT_KEY }}

.github/actions/checkout/action.yml

@@ -152,7 +152,7 @@ runs:
     if: ${{ inputs.target-platform == 'linux' && github.ref == 'refs/heads/main' }}
     shell: bash
     run: |
-      npx node src/electron/script/patches-stats.mjs --upload-stats || true
+      node src/electron/script/patches-stats.mjs --upload-stats || true
   # delete all .git directories under src/ except for
   # third_party/angle/ and third_party/dawn/ because of build time generation of files
   # gen/angle/commit.h depends on third_party/angle/.git/HEAD
@@ -172,7 +172,6 @@ runs:
     run: |
       rm -rf src/android_webview
       rm -rf src/ios/chrome
-      rm -rf src/third_party/blink/web_tests
       rm -rf src/third_party/blink/perf_tests
       rm -rf src/chrome/test/data/xr/webvr_info
       rm -rf src/third_party/angle/third_party/VK-GL-CTS/src

.github/actions/cipd-install/action.yml

@@ -14,6 +14,9 @@ inputs:
     description: 'Target platform, should be linux, win, macos'
   package:
     description: 'Package to install'
+  dependency-version:
+    description: 'Version of the dependency to install'
+    default: ''
 runs:
   using: "composite"
   steps:
@@ -22,15 +25,23 @@ runs:
       run : |
         rm -rf ${{ inputs.cipd-root-prefix-path }}${{ inputs.installation-dir }}
     - name: Create ensure file for ${{ inputs.dependency }}
+      if: ${{ inputs.dependency-version == '' }}
       shell: bash
       run: |
         echo '${{ inputs.package }}' `e d gclient getdep --deps-file=${{ inputs.deps-file }} -r '${{ inputs.installation-dir }}:${{ inputs.package }}'` > ${{ inputs.dependency }}_ensure_file
         cat ${{ inputs.dependency }}_ensure_file
-    - name: CIPD installation of ${{ inputs.dependency }} (macOS)
-      if: ${{ inputs.target-platform == 'macos' }}
+
+    - name: Create ensure file for ${{ inputs.dependency }} from dependency-version
+      if: ${{ inputs.dependency-version != '' }}
       shell: bash
       run: |
-        echo "ensuring ${{ inputs.dependency }} on macOS"
+        echo '${{ inputs.package }} ${{ inputs.dependency-version }}'  > ${{ inputs.dependency }}_ensure_file
+        cat ${{ inputs.dependency }}_ensure_file
+    - name: CIPD installation of ${{ inputs.dependency }} (macOS)
+      if: ${{ inputs.target-platform != 'win' }}
+      shell: bash
+      run: |
+        echo "ensuring ${{ inputs.dependency }}"
         e d cipd ensure --root ${{ inputs.cipd-root-prefix-path }}${{ inputs.installation-dir }} -ensure-file ${{ inputs.dependency }}_ensure_file
     - name: CIPD installation of ${{ inputs.dependency }} (Windows)
       if: ${{ inputs.target-platform == 'win' }}

.github/actions/fix-sync/action.yml

@@ -20,6 +20,7 @@ runs:
   using: "composite"
   steps:
     - name: Fix llvm toolchain
+      if: ${{ inputs.target-platform != 'linux' }}
       shell: bash
       run : |
         rm -rf src/third_party/llvm-build
@@ -27,6 +28,7 @@ runs:
         # Refs https://chromium-review.googlesource.com/c/chromium/src/+/6667681
         python3 src/tools/clang/scripts/update.py --package objdump
     - name: Fix esbuild
+      if: ${{ inputs.target-platform != 'linux' }}
       uses: ./src/electron/.github/actions/cipd-install
       with:
         cipd-root-prefix-path: src/third_party/devtools-frontend/src/
@@ -36,6 +38,7 @@ runs:
         target-platform: ${{ inputs.target-platform }}
         package: infra/3pp/tools/esbuild/${platform}
     - name: Fix rustc
+      if: ${{ inputs.target-platform != 'linux' }}
       shell: bash
       run : |
         rm -rf src/third_party/rust-toolchain
@@ -59,6 +62,7 @@ runs:
         target-platform: ${{ inputs.target-platform }}
         package: gn/gn/windows-amd64
     - name: Fix reclient
+      if: ${{ inputs.target-platform != 'linux' }}
       uses: ./src/electron/.github/actions/cipd-install
       with:
         dependency: reclient
@@ -67,6 +71,7 @@ runs:
         target-platform: ${{ inputs.target-platform }}
         package: infra/rbe/client/${platform}
     - name: Configure reclient configs
+      if: ${{ inputs.target-platform != 'linux' }}
       shell: bash
       run : |
         python3 src/buildtools/reclient_cfgs/configure_reclient_cfgs.py --rbe_instance "projects/rbe-chrome-untrusted/instances/default_instance" --reproxy_cfg_template reproxy.cfg.template --rewrapper_cfg_project "" --skip_remoteexec_cfg_fetch
@@ -84,6 +89,7 @@ runs:
           python3 src/third_party/depot_tools/download_from_google_storage.py --no_resume --no_auth --bucket chromium-browser-clang -s $DSYM_SHA_FILE -o src/tools/clang/dsymutil/bin/dsymutil
         fi
     - name: Fix ninja
+      if: ${{ inputs.target-platform != 'linux' }}
       uses: ./src/electron/.github/actions/cipd-install
       with:
         dependency: ninja
@@ -92,10 +98,20 @@ runs:
         target-platform: ${{ inputs.target-platform }}
         package: infra/3pp/tools/ninja/${platform}
     - name: Set ninja in path
+      if: ${{ inputs.target-platform != 'linux' }}
       shell: bash
       run : |
         echo "$(pwd)/src/third_party/ninja" >> $GITHUB_PATH
+    - name: Fix siso
+      uses: ./src/electron/.github/actions/cipd-install
+      with:
+        dependency: siso
+        deps-file: src/DEPS
+        installation-dir: src/third_party/siso/cipd
+        target-platform: ${{ inputs.target-platform }}
+        package: build/siso/${platform}
     - name: Fixup angle git
+      if: ${{ inputs.target-platform != 'linux' }}
       shell: bash
       run : |
         cd src/third_party/angle

.github/actions/free-space-macos/action.yml

@@ -17,28 +17,30 @@ runs:
         }
 
         strip_universal_deep() {
-          opwd=$(pwd)
-          cd $1
-          f=$(find . -perm +111 -type f)
-          for fp in $f
-          do
-            if [[ $(file "$fp") == *"universal binary"* ]]; then
-              if [ "`arch`" == "arm64" ]; then
-                if [[ $(file "$fp") == *"x86_64"* ]]; then
-                  sudo lipo -remove x86_64 "$fp" -o "$fp" || true
-                fi
-              else
-                if [[ $(file "$fp") == *"arm64e)"* ]]; then
-                  sudo lipo -remove arm64e "$fp" -o "$fp" || true
-                fi
-                if [[ $(file "$fp") == *"arm64)"* ]]; then
-                  sudo lipo -remove arm64 "$fp" -o "$fp" || true
+          if [ -d "$1" ]; then
+            opwd=$(pwd)
+            cd $1
+            f=$(find . -perm +111 -type f)
+            for fp in $f
+            do
+              if [[ $(file "$fp") == *"universal binary"* ]]; then
+                if [ "`arch`" == "arm64" ]; then
+                  if [[ $(file "$fp") == *"x86_64"* ]]; then
+                    sudo lipo -remove x86_64 "$fp" -o "$fp" || true
+                  fi
+                else
+                  if [[ $(file "$fp") == *"arm64e)"* ]]; then
+                    sudo lipo -remove arm64e "$fp" -o "$fp" || true
+                  fi
+                  if [[ $(file "$fp") == *"arm64)"* ]]; then
+                    sudo lipo -remove arm64 "$fp" -o "$fp" || true
+                  fi
                 fi
               fi
-            fi
-          done
+            done
 
-          cd $opwd
+            cd $opwd
+          fi
         }
 
         tmpify /Library/Developer/CoreSimulator
@@ -60,18 +62,28 @@ runs:
 
         sudo rm -rf /Applications/Safari.app
         sudo rm -rf /Applications/Xcode_16.1.app
-        sudo rm -rf /Applications/Xcode_16.3.app
         sudo rm -rf /Applications/Xcode_16.2.app
+        sudo rm -rf /Applications/Xcode_16.3.app
+        sudo rm -rf /Applications/Xcode_26*
         sudo rm -rf /Applications/Google Chrome.app
-        sudo rm -rf /Applications/Xcode_16.4.app
         sudo rm -rf /Applications/Google Chrome for Testing.app
-        sudo rm -rf	/Applications/Firefox.app
+        sudo rm -rf /Applications/Firefox.app
+        sudo rm -rf /Applications/Microsoft Edge.app
         sudo rm -rf ~/project/src/third_party/catapult/tracing/test_data
         sudo rm -rf ~/project/src/third_party/angle/third_party/VK-GL-CTS
         sudo rm -rf /Users/runner/Library/Android
         sudo rm -rf $JAVA_HOME_11_arm64
         sudo rm -rf $JAVA_HOME_17_arm64
         sudo rm -rf $JAVA_HOME_21_arm64
+        sudo rm -rf $JAVA_HOME_25_arm64
+        sudo rm -rf /Users/runner/.dotnet/
+        sudo rm -rf /Users/runner/.rustup
+
+        # remove homebrew packages we don't need
+        if command -v brew &> /dev/null; then
+          brew uninstall -f --zap aws-sam-cli session-manager-plugin gcc gcc@13 gcc@14 llvm@18 gradle maven ant azure-cli
+          brew autoremove
+        fi
 
         # lipo off some huge binaries arm64 versions to save space
         strip_universal_deep $(xcode-select -p)/../SharedFrameworks

.github/actions/generate-types/action.yml

@@ -13,12 +13,16 @@ runs:
   - name: Generating Types for SHA in ${{ inputs.sha-file }}
     shell: bash
     run: |
-      git checkout $(cat ${{ inputs.sha-file }})
-      rm -rf node_modules
-      yarn install --frozen-lockfile --ignore-scripts
+      export ELECTRON_DIR=$(pwd)
+      if [ "${{ inputs.sha-file }}" == ".dig-old" ]; then
+        cd /tmp
+        git clone https://github.com/electron/electron.git
+        cd electron
+      fi
+      git checkout $(cat $ELECTRON_DIR/${{ inputs.sha-file }})
+      node script/yarn.js install --immutable
       echo "#!/usr/bin/env node\nglobal.x=1" > node_modules/typescript/bin/tsc
       node node_modules/.bin/electron-docs-parser --dir=./ --outDir=./ --moduleVersion=0.0.0-development
       node node_modules/.bin/electron-typescript-definitions --api=electron-api.json --outDir=artifacts
-      mv artifacts/electron.d.ts artifacts/${{ inputs.filename }}
-      git checkout .
+      mv artifacts/electron.d.ts $ELECTRON_DIR/artifacts/${{ inputs.filename }}
     working-directory: ./electron

.github/actions/install-build-tools/action.yml

@@ -13,8 +13,9 @@ runs:
         git config --global core.fscache true
         git config --global core.longpaths true
         git config --global core.preloadindex true
+        git config --global core.longpaths true
       fi
-      export BUILD_TOOLS_SHA=274cba0474f0d1e4e6adbb66c1da48556cb0add5
+      export BUILD_TOOLS_SHA=a5d9f9052dcc36ee88bef5c8b13acbefd87b7d8d
       npm i -g @electron/build-tools
       # Update depot_tools to ensure python
       e d update_depot_tools

.github/actions/install-dependencies/action.yml

@@ -6,7 +6,7 @@ runs:
   - name: Get yarn cache directory path
     shell: bash
     id: yarn-cache-dir-path
-    run: echo "dir=$(node src/electron/script/yarn cache dir)" >> $GITHUB_OUTPUT
+    run: echo "dir=$(node src/electron/script/yarn.js config get cacheFolder)" >> $GITHUB_OUTPUT
   - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
     id: yarn-cache
     with:
@@ -18,4 +18,14 @@ runs:
     shell: bash
     run: |
       cd src/electron
-      node script/yarn install --frozen-lockfile --prefer-offline
+      if [ "$TARGET_ARCH" = "x86" ]; then
+        export npm_config_arch="ia32"
+      fi
+      # if running on linux arm skip yarn Builds
+      ARCH=$(uname -m)
+      if [ "$ARCH" = "armv7l" ]; then
+        echo "Skipping yarn build on linux arm"
+        node script/yarn.js install --immutable --mode=skip-build
+      else
+        node script/yarn.js install --immutable
+      fi

.github/actions/restore-cache-azcopy/action.yml

@@ -97,7 +97,7 @@ runs:
 
       $TEMP_DIR=New-Item -ItemType Directory -Path temp-cache
       $TEMP_DIR_PATH = $TEMP_DIR.FullName
-      C:\ProgramData\Chocolatey\bin\7z.exe -y -snld x $src_cache -o"$TEMP_DIR_PATH"
+      C:\ProgramData\Chocolatey\bin\7z.exe -y -snld20 x $src_cache -o"$TEMP_DIR_PATH"
 
   - name: Move Src Cache (Windows)
     if: ${{ inputs.target-platform == 'win' }}

.github/workflows/archaeologist-dig.yml

@@ -3,19 +3,23 @@ name: Archaeologist
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
    archaeologist-dig:
     name: Archaeologist Dig
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout Electron
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
         with:
           fetch-depth: 0
       - name: Setup Node.js/npm
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
         with:
-          node-version: 20.19.x
+          node-version: 22.21.x
       - name: Setting Up Dig Site
         run: |
           echo "remote: ${{ github.event.pull_request.head.repo.clone_url }}"
@@ -41,7 +45,7 @@ jobs:
           sha-file: .dig-old
           filename: electron.old.d.ts
       - name: Upload artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 #v5.0.0
         with:
           name: artifacts
           path: electron/artifacts

.github/workflows/audit-branch-ci.yml

@@ -16,15 +16,25 @@ jobs:
       contents: read
     steps:
       - name: Setup Node.js
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: 22.17.x
-      - run: npm install @actions/cache@4.0.3 @electron/fiddle-core@2.0.1
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - name: Sparse checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          sparse-checkout: |
+            .
+            .github
+            .yarn
+      - run: yarn workspaces focus @electron/gha-workflows
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         id: audit-errors
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
+            const { chdir } = require('node:process');
+            chdir('${{ github.workspace }}/.github/workflows');
+
             const cache = require('@actions/cache');
             const { ElectronVersions } = require('@electron/fiddle-core');
 
@@ -73,6 +83,8 @@ jobs:
                       annotation_level === "failure" &&
                       !message.startsWith("Process completed with exit code") &&
                       !message.startsWith("Response status code does not indicate success") &&
+                      !message.startsWith("The hosted runner lost communication with the server") &&
+                      !message.startsWith("Dependabot encountered an error performing the update") &&
                       !/Unable to make request/.test(message) &&
                       !/The requested URL returned error/.test(message),
                   )

.github/workflows/branch-created.yml

@@ -75,7 +75,7 @@ jobs:
           org: electron
       - name: Generate Release Project Board Metadata
         if: ${{ steps.check-major-version.outputs.MAJOR }}
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         id: generate-project-metadata
         with:
           script: |

.github/workflows/build-git-cache.yml

@@ -6,9 +6,13 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions: {}
+
 jobs:
   build-git-cache-linux:
     runs-on: electron-arc-centralus-linux-amd64-32core
+    permissions:
+      contents: read
     container:
       image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
       options: --user root
@@ -19,7 +23,7 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -30,6 +34,8 @@ jobs:
 
   build-git-cache-windows:
     runs-on: electron-arc-centralus-linux-amd64-32core
+    permissions:
+      contents: read
     container:
       image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
       options: --user root --device /dev/fuse --cap-add SYS_ADMIN
@@ -41,7 +47,7 @@ jobs:
       TARGET_OS: 'win'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -52,6 +58,8 @@ jobs:
 
   build-git-cache-macos:
     runs-on: electron-arc-centralus-linux-amd64-32core
+    permissions:
+      contents: read
     # This job updates the same git cache as linux, so it needs to run after the linux one.
     needs: build-git-cache-linux
     container:
@@ -64,7 +72,7 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/build.yml

@@ -43,10 +43,13 @@ defaults:
   run:
     shell: bash
 
+permissions: {}
+
 jobs:
   setup:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       pull-requests: read
     outputs:
         docs: ${{ steps.filter.outputs.docs }}
@@ -54,7 +57,7 @@ jobs:
         build-image-sha: ${{ steps.set-output.outputs.build-image-sha }}
         docs-only: ${{ steps.set-output.outputs.docs-only }}
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.0.2
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         ref: ${{ github.event.pull_request.head.sha }}
     - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
@@ -63,6 +66,10 @@ jobs:
         filters: |
           docs:
             - 'docs/**'
+            - README.md
+            - SECURITY.md
+            - CONTRIBUTING.md
+            - CODE_OF_CONDUCT.md
           src:
             - '!docs/**'
     - name: Set Outputs for Build Image SHA & Docs Only
@@ -80,17 +87,21 @@ jobs:
     needs: setup
     if: ${{ !inputs.skip-lint }}
     uses: ./.github/workflows/pipeline-electron-lint.yml
+    permissions:
+      contents: read
     with:
       container: '{"image":"ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}","options":"--user root"}'
     secrets: inherit
 
   # Docs Only Jobs
   docs-only:
-    needs: setup
+    needs: [setup, checkout-linux]
     if: ${{ needs.setup.outputs.docs-only == 'true' }}
     uses: ./.github/workflows/pipeline-electron-docs-only.yml
+    permissions:
+      contents: read
     with:
-      container: '{"image":"ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}","options":"--user root"}'
+      container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
     secrets: inherit
 
   # Checkout Jobs
@@ -98,6 +109,8 @@ jobs:
     needs: setup
     if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-macos}}
     runs-on: electron-arc-centralus-linux-amd64-32core
+    permissions:
+      contents: read
     container:
       image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
       options: --user root
@@ -111,7 +124,7 @@ jobs:
       build-image-sha: ${{ needs.setup.outputs.build-image-sha }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -124,8 +137,10 @@ jobs:
 
   checkout-linux:
     needs: setup
-    if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-linux}}
+    if: ${{ !inputs.skip-linux}}
     runs-on: electron-arc-centralus-linux-amd64-32core
+    permissions:
+      contents: read
     container:
       image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
       options: --user root
@@ -141,7 +156,7 @@ jobs:
       build-image-sha: ${{ needs.setup.outputs.build-image-sha}}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -155,6 +170,8 @@ jobs:
     needs: setup
     if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }}
     runs-on: electron-arc-centralus-linux-amd64-32core
+    permissions:
+      contents: read
     container:
       image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
       options: --user root --device /dev/fuse --cap-add SYS_ADMIN
@@ -171,7 +188,7 @@ jobs:
       build-image-sha: ${{ needs.setup.outputs.build-image-sha}}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -185,17 +202,22 @@ jobs:
   # GN Check Jobs
   macos-gn-check:
     uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
+    permissions:
+      contents: read
     needs: checkout-macos
     with:
       target-platform: macos
       target-archs: x64 arm64
-      check-runs-on: macos-14
+      check-runs-on: macos-15
       gn-build-type: testing
     secrets: inherit
 
   linux-gn-check:
     uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
+    permissions:
+      contents: read
     needs: checkout-linux
+    if: ${{ needs.setup.outputs.src == 'true' }}
     with:
       target-platform: linux
       target-archs: x64 arm arm64
@@ -206,6 +228,8 @@ jobs:
 
   windows-gn-check:
     uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
+    permissions:
+      contents: read
     needs: checkout-windows
     with:
       target-platform: win
@@ -224,8 +248,8 @@ jobs:
     uses: ./.github/workflows/pipeline-electron-build-and-test.yml
     needs: checkout-macos
     with:
-      build-runs-on: macos-14-xlarge
-      test-runs-on: macos-13
+      build-runs-on: macos-15-xlarge
+      test-runs-on: macos-15-large
       target-platform: macos
       target-arch: x64
       is-release: false
@@ -243,8 +267,8 @@ jobs:
     uses: ./.github/workflows/pipeline-electron-build-and-test.yml
     needs: checkout-macos
     with:
-      build-runs-on: macos-14-xlarge
-      test-runs-on: macos-14
+      build-runs-on: macos-15-xlarge
+      test-runs-on: macos-15
       target-platform: macos
       target-arch: arm64
       is-release: false
@@ -261,6 +285,7 @@ jobs:
       pull-requests: read
     uses: ./.github/workflows/pipeline-electron-build-and-test-and-nan.yml
     needs: checkout-linux
+    if: ${{ needs.setup.outputs.src == 'true' }}
     with:
       build-runs-on: electron-arc-centralus-linux-amd64-32core
       test-runs-on: electron-arc-centralus-linux-amd64-4core
@@ -281,6 +306,7 @@ jobs:
       pull-requests: read
     uses: ./.github/workflows/pipeline-electron-build-and-test.yml
     needs: checkout-linux
+    if: ${{ needs.setup.outputs.src == 'true' }}
     with:
       build-runs-on: electron-arc-centralus-linux-amd64-32core
       test-runs-on: electron-arc-centralus-linux-amd64-4core
@@ -302,11 +328,12 @@ jobs:
       pull-requests: read
     uses: ./.github/workflows/pipeline-electron-build-and-test.yml
     needs: checkout-linux
+    if: ${{ needs.setup.outputs.src == 'true' }}
     with:
       build-runs-on: electron-arc-centralus-linux-amd64-32core
       test-runs-on: electron-arc-centralus-linux-arm64-4core
       build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
-      test-container: '{"image":"ghcr.io/electron/test:arm32v7-${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init","volumes":["/home/runner/externals:/mnt/runner-externals"]}'
+      test-container: '{"image":"ghcr.io/electron/test:arm32v7-${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init --memory=12g","volumes":["/home/runner/externals:/mnt/runner-externals"]}'
       target-platform: linux
       target-arch: arm
       is-release: false
@@ -322,9 +349,10 @@ jobs:
       pull-requests: read
     uses: ./.github/workflows/pipeline-electron-build-and-test.yml
     needs: checkout-linux
+    if: ${{ needs.setup.outputs.src == 'true' }}
     with:
       build-runs-on: electron-arc-centralus-linux-amd64-32core
-      test-runs-on: electron-arc-centralus-linux-arm64-4core
+      test-runs-on: ubuntu-22.04-arm
       build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       test-container: '{"image":"ghcr.io/electron/test:arm64v8-${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
       target-platform: linux
@@ -383,7 +411,7 @@ jobs:
     if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }}
     with:
       build-runs-on: electron-arc-centralus-windows-amd64-16core
-      test-runs-on: electron-hosted-windows-arm64-4core
+      test-runs-on: windows-11-arm
       target-platform: win
       target-arch: arm64
       is-release: false
@@ -395,6 +423,8 @@ jobs:
   gha-done:
     name: GitHub Actions Completed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: [docs-only, macos-x64, macos-arm64, linux-x64, linux-x64-asan, linux-arm, linux-arm64, windows-x64, windows-x86, windows-arm64]
     if: always() && !contains(needs.*.result, 'failure')
     steps: 

.github/workflows/clean-src-cache.yml

@@ -1,16 +1,20 @@
 name: Clean Source Cache
 
-description: |
-  This workflow cleans up the source cache on the cross-instance cache volume
-  to free up space. It runs daily at midnight and clears files older than 15 days.
+# Description:
+# This workflow cleans up the source cache on the cross-instance cache volume
+# to free up space. It runs daily at midnight and clears files older than 15 days.
 
 on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions: {}
+
 jobs:
   clean-src-cache:
     runs-on: electron-arc-centralus-linux-amd64-32core
+    permissions:
+      contents: read
     container:
       image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
       options: --user root

.github/workflows/issue-labeled.yml

@@ -4,14 +4,15 @@ on:
   issues:
     types: [labeled]
 
-permissions:  # added using https://github.com/step-security/secure-workflows
-  contents: read
+permissions: {}
 
 jobs:
   issue-labeled-with-status:
     name: status/{confirmed,reviewed} label added
     if: github.event.label.name == 'status/confirmed' || github.event.label.name == 'status/reviewed'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -31,6 +32,8 @@ jobs:
     name: blocked/* label added
     if: startsWith(github.event.label.name, 'blocked/')
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -72,7 +75,7 @@ jobs:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
       - name: Create comment
         if: ${{ steps.check-for-comment.outputs.SHOULD_COMMENT }}
-        uses: actions-cool/issues-helper@50068f49b7b2b3857270ead65e2d02e4459b022c # v3.6.2
+        uses: actions-cool/issues-helper@3809910bc12872edc9b8132f122069ac16cd16ee # v3.7.3
         with:
           actions: 'create-comment'
           token: ${{ steps.generate-token.outputs.token }}

.github/workflows/issue-opened.yml

@@ -11,6 +11,7 @@ jobs:
   add-to-issue-triage:
     if: ${{ contains(github.event.issue.labels.*.name, 'bug :beetle:') }}
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -28,6 +29,7 @@ jobs:
   set-labels:
     if: ${{ contains(github.event.issue.labels.*.name, 'bug :beetle:') }}
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -35,18 +37,29 @@ jobs:
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
-      - run: npm install @electron/fiddle-core@1.3.3 mdast-util-from-markdown@2.0.0 unist-util-select@5.1.0 semver@7.6.0
+      - name: Sparse checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          sparse-checkout: |
+            .
+            .github
+            .yarn
+      - run: yarn workspaces focus @electron/gha-workflows
       - name: Add labels
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         id: add-labels
         env:
           ISSUE_BODY: ${{ github.event.issue.body }}
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           script: |
-            const { fromMarkdown } = await import('${{ github.workspace }}/node_modules/mdast-util-from-markdown/index.js');
-            const { select } = await import('${{ github.workspace }}/node_modules/unist-util-select/index.js');
-            const semver = await import('${{ github.workspace }}/node_modules/semver/index.js');
+            const { chdir } = require('node:process');
+            chdir('${{ github.workspace }}/.github/workflows');
+
+            const { ElectronVersions } = require('@electron/fiddle-core');
+            const { fromMarkdown } = require('mdast-util-from-markdown');
+            const { select } = require('unist-util-select');
+            const semver = require('semver');
 
             const [ owner, repo ] = '${{ github.repository }}'.split('/');
             const issue_number = ${{ github.event.issue.number }};
@@ -77,7 +90,6 @@ jobs:
                     labelExists = true;
                   } catch {}
 
-                  const { ElectronVersions } = await import('${{ github.workspace }}/node_modules/@electron/fiddle-core/dist/index.js');
                   const electronVersions = await ElectronVersions.create(undefined, { ignoreCache: true });
                   const validVersions = [...electronVersions.supportedMajors, ...electronVersions.prereleaseMajors];
 
@@ -134,7 +146,7 @@ jobs:
             }
       - name: Create unsupported major comment
         if: ${{ steps.add-labels.outputs.unsupportedMajor }}
-        uses: actions-cool/issues-helper@50068f49b7b2b3857270ead65e2d02e4459b022c # v3.6.2
+        uses: actions-cool/issues-helper@3809910bc12872edc9b8132f122069ac16cd16ee # v3.7.3
         with:
           actions: 'create-comment'
           token: ${{ steps.generate-token.outputs.token }}

.github/workflows/issue-transferred.yml

@@ -10,6 +10,7 @@ jobs:
   issue-transferred:
     name: Issue Transferred
     runs-on: ubuntu-latest
+    permissions: {}
     if: ${{ !github.event.changes.new_repository.private }}
     steps:
       - name: Generate GitHub App token

.github/workflows/issue-unlabeled.yml

@@ -4,14 +4,15 @@ on:
   issues:
     types: [unlabeled]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   issue-unlabeled-blocked:
     name: All blocked/* labels removed
     if: startsWith(github.event.label.name, 'blocked/') && github.event.issue.state == 'open'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Check for any blocked labels
         id: check-for-blocked-labels

.github/workflows/linux-publish.yml

@@ -17,9 +17,13 @@ on:
         type: boolean
         default: false
 
+permissions: {}
+
 jobs:
   checkout-linux:
     runs-on: electron-arc-centralus-linux-amd64-32core
+    permissions:
+      contents: read
     container:
       image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root
@@ -31,7 +35,7 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -40,6 +44,8 @@ jobs:
 
   publish-x64:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
     needs: checkout-linux
     with:
       environment: production-release
@@ -50,12 +56,13 @@ jobs:
       is-release: true
       gn-build-type: release
       generate-symbols: true
-      strip-binaries: true
       upload-to-storage: ${{ inputs.upload-to-storage }}
     secrets: inherit
 
   publish-arm:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
     needs: checkout-linux
     with:
       environment: production-release
@@ -66,12 +73,13 @@ jobs:
       is-release: true
       gn-build-type: release
       generate-symbols: true
-      strip-binaries: true
       upload-to-storage: ${{ inputs.upload-to-storage }}
     secrets: inherit
 
   publish-arm64:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
     needs: checkout-linux
     with:
       environment: production-release
@@ -82,6 +90,5 @@ jobs:
       is-release: true
       gn-build-type: release
       generate-symbols: true
-      strip-binaries: true
       upload-to-storage: ${{ inputs.upload-to-storage }}
     secrets: inherit

.github/workflows/macos-disk-cleanup.yml

@@ -0,0 +1,104 @@
+name: macOS Disk Space Cleanup
+
+# Description:
+# This workflow runs the disk space reclaimer on macOS runners every night
+# and logs disk space metrics to Datadog for monitoring.
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  macos-disk-cleanup:
+    strategy:
+      fail-fast: false
+      matrix:
+        runner:
+          - macos-15
+          - macos-15-large
+          - macos-15-xlarge
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          sparse-checkout: |
+            .github/actions/free-space-macos
+          sparse-checkout-cone-mode: false
+
+      - name: Get Disk Space Before Cleanup
+        id: disk-before
+        shell: bash
+        run: |
+          echo "Disk space before cleanup:"
+          df -h /
+          FREE_SPACE_BEFORE=$(df -k / | tail -1 | awk '{print $4}')
+          echo "free_kb=$FREE_SPACE_BEFORE" >> $GITHUB_OUTPUT
+
+      - name: Free Space on macOS
+        uses: ./.github/actions/free-space-macos
+
+      - name: Get Disk Space After Cleanup
+        id: disk-after
+        shell: bash
+        run: |
+          echo "Disk space after cleanup:"
+          df -h /
+          FREE_SPACE_AFTER=$(df -k / | tail -1 | awk '{print $4}')
+          echo "free_kb=$FREE_SPACE_AFTER" >> $GITHUB_OUTPUT
+
+      - name: Log Disk Space to Datadog
+        if: ${{ env.DD_API_KEY != '' }}
+        shell: bash
+        env:
+          DD_API_KEY: ${{ secrets.DD_API_KEY }}
+          FREE_BEFORE: ${{ steps.disk-before.outputs.free_kb }}
+          FREE_AFTER: ${{ steps.disk-after.outputs.free_kb }}
+          MATRIX_RUNNER: ${{ matrix.runner }}
+        run: |
+          TIMESTAMP=$(date +%s)
+          FREE_BEFORE_GB=$(echo "scale=2; $FREE_BEFORE / 1024 / 1024" | bc)
+          FREE_AFTER_GB=$(echo "scale=2; $FREE_AFTER / 1024 / 1024" | bc)
+          SPACE_FREED_GB=$(echo "scale=2; ($FREE_AFTER - $FREE_BEFORE) / 1024 / 1024" | bc)
+
+          echo "Free space before: ${FREE_BEFORE_GB}GB"
+          echo "Free space after: ${FREE_AFTER_GB}GB"
+          echo "Space freed: ${SPACE_FREED_GB}GB"
+
+          curl -s -X POST "https://api.datadoghq.com/api/v2/series" \
+            -H "Content-Type: application/json" \
+            -H "DD-API-KEY: ${DD_API_KEY}" \
+            -d @- << EOF
+          {
+            "series": [
+              {
+                "metric": "electron.macos.disk.free_space_before_cleanup_gb",
+                "points": [{"timestamp": ${TIMESTAMP}, "value": ${FREE_BEFORE_GB}}],
+                "type": 3,
+                "unit": "gigabyte",
+                "tags": ["runner:${MATRIX_RUNNER}", "platform:macos"]
+              },
+              {
+                "metric": "electron.macos.disk.free_space_after_cleanup_gb",
+                "points": [{"timestamp": ${TIMESTAMP}, "value": ${FREE_AFTER_GB}}],
+                "type": 3,
+                "unit": "gigabyte",
+                "tags": ["runner:${MATRIX_RUNNER}", "platform:macos"]
+              },
+              {
+                "metric": "electron.macos.disk.space_freed_gb",
+                "points": [{"timestamp": ${TIMESTAMP}, "value": ${SPACE_FREED_GB}}],
+                "type": 3,
+                "unit": "gigabyte",
+                "tags": ["runner:${MATRIX_RUNNER}", "platform:macos"]
+              }
+            ]
+          }
+          EOF
+
+          echo "Disk space metrics logged to Datadog"

.github/workflows/macos-publish.yml

@@ -18,9 +18,13 @@ on:
         type: boolean
         default: false
 
+permissions: {}
+
 jobs:
   checkout-macos:
     runs-on: electron-arc-centralus-linux-amd64-32core
+    permissions:
+      contents: read
     container:
       image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root
@@ -32,7 +36,7 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -44,10 +48,12 @@ jobs:
 
   publish-x64-darwin:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
     needs: checkout-macos
     with:
       environment: production-release
-      build-runs-on: macos-14-xlarge
+      build-runs-on: macos-15-xlarge
       target-platform: macos
       target-arch: x64
       target-variant: darwin
@@ -59,10 +65,12 @@ jobs:
 
   publish-x64-mas:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
     needs: checkout-macos
     with:
       environment: production-release
-      build-runs-on: macos-14-xlarge
+      build-runs-on: macos-15-xlarge
       target-platform: macos
       target-arch: x64
       target-variant: mas
@@ -74,10 +82,12 @@ jobs:
 
   publish-arm64-darwin:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
     needs: checkout-macos
     with:
       environment: production-release
-      build-runs-on: macos-14-xlarge
+      build-runs-on: macos-15-xlarge
       target-platform: macos
       target-arch: arm64
       target-variant: darwin
@@ -89,10 +99,12 @@ jobs:
 
   publish-arm64-mas:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
     needs: checkout-macos
     with:
       environment: production-release
-      build-runs-on: macos-14-xlarge
+      build-runs-on: macos-15-xlarge
       target-platform: macos
       target-arch: arm64
       target-variant: mas

.github/workflows/non-maintainer-dependency-change.yml

@@ -7,6 +7,8 @@ on:
       - 'spec/yarn.lock'
       - '.github/workflows/**'
       - '.github/actions/**'
+      - '.yarn/**'
+      - '.yarnrc.yml'
 
 permissions: {}
 

.github/workflows/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "@electron/gha-workflows",
+  "version": "0.0.0-development",
+  "private": true,
+  "type": "module",
+  "dependencies": {
+    "@actions/cache": "^4.0.3",
+    "@electron/fiddle-core": "^2.0.1",
+    "mdast-util-from-markdown": "^2.0.0",
+    "semver": "^7.7.2",
+    "unist-util-select": "^5.1.0"
+  }
+}

.github/workflows/pipeline-electron-build-and-test-and-nan.yml

@@ -55,6 +55,8 @@ on:
         type: boolean
         default: false
 
+permissions: {}
+
 concurrency:
   group: electron-build-and-test-and-nan-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
@@ -62,6 +64,8 @@ concurrency:
 jobs:
   build:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
     with:
       build-runs-on: ${{ inputs.build-runs-on }}
       build-container: ${{ inputs.build-container }}
@@ -74,6 +78,10 @@ jobs:
     secrets: inherit
   test:
     uses: ./.github/workflows/pipeline-segment-electron-test.yml
+    permissions:
+      contents: read
+      issues: read
+      pull-requests: read
     needs: build
     with:
       target-arch: ${{ inputs.target-arch }}
@@ -83,6 +91,8 @@ jobs:
     secrets: inherit
   nn-test:
     uses: ./.github/workflows/pipeline-segment-node-nan-test.yml
+    permissions:
+      contents: read
     needs: build
     with:
       target-arch: ${{ inputs.target-arch }}

.github/workflows/pipeline-electron-build-and-test.yml

@@ -64,14 +64,13 @@ concurrency:
   group: electron-build-and-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
 
-permissions:
-  contents: read
-  issues: read
-  pull-requests: read  
+permissions: {}
 
 jobs:
   build:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
     with:
       build-runs-on: ${{ inputs.build-runs-on }}
       build-container: ${{ inputs.build-container }}
@@ -86,6 +85,10 @@ jobs:
     secrets: inherit
   test:
     uses: ./.github/workflows/pipeline-segment-electron-test.yml
+    permissions:
+      contents: read
+      issues: read
+      pull-requests: read
     needs: build
     with:
       target-arch: ${{ inputs.target-arch }}

.github/workflows/pipeline-electron-docs-only.yml

@@ -8,19 +8,42 @@ on:
         description: 'Container to run the docs-only ts compile in'
         type: string
 
+permissions: {}
+
 concurrency:
   group: electron-docs-only-${{ github.ref }}
   cancel-in-progress: true
 
+env:  
+  GCLIENT_EXTRA_ARGS: --custom-var=checkout_arm=True --custom-var=checkout_arm64=True
+
 jobs:
   docs-only:
     name: Docs Only Compile
     runs-on: electron-arc-centralus-linux-amd64-4core
+    permissions:
+      contents: read
     timeout-minutes: 20
     container: ${{ fromJSON(inputs.container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      with:
+        path: src/electron
+        fetch-depth: 0
+        ref: ${{ github.event.pull_request.head.sha }}
+    - name: Generate DEPS Hash
+      run: |
+        node src/electron/script/generate-deps-hash.js
+        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
+        echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
+        echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
+    - name: Restore src cache via AKS
+      uses: ./src/electron/.github/actions/restore-cache-aks
+      with:
+        target-platform: linux
+    - name: Checkout Electron
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -31,12 +54,12 @@ jobs:
       shell: bash
       run: |
         cd src/electron
-        node script/yarn create-typescript-definitions
-        node script/yarn tsc -p tsconfig.default_app.json --noEmit
+        node script/yarn.js create-typescript-definitions
+        node script/yarn.js tsc -p tsconfig.default_app.json --noEmit
         for f in build/webpack/*.js
         do
             out="${f:29}"
             if [ "$out" != "base.js" ]; then
-            node script/yarn webpack --config $f --output-filename=$out --output-path=./.tmp --env mode=development
+            node script/yarn.js webpack --config $f --output-filename=$out --output-path=./.tmp --env mode=development
             fi
         done

.github/workflows/pipeline-electron-lint.yml

@@ -8,6 +8,8 @@ on:
         description: 'Container to run lint in'
         type: string
 
+permissions: {}
+
 concurrency:
   group: electron-lint-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
@@ -19,11 +21,13 @@ jobs:
   lint:
     name: Lint
     runs-on: electron-arc-centralus-linux-amd64-4core
+    permissions:
+      contents: read
     timeout-minutes: 20
     container: ${{ fromJSON(inputs.container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -74,11 +78,11 @@ jobs:
         # but then we would lint its contents (at least gn format), and it doesn't pass it.
 
         cd src/electron
-        node script/yarn install --frozen-lockfile
-        node script/yarn lint
+        node script/yarn.js install --immutable
+        node script/yarn.js lint
     - name: Run Script Typechecker
       shell: bash
       run: |
         cd src/electron
-        node script/yarn tsc -p tsconfig.script.json
+        node script/yarn.js tsc -p tsconfig.script.json
     

.github/workflows/pipeline-segment-electron-build.yml

@@ -48,11 +48,6 @@ on:
         required: true
         type: string
         default: '0'
-      strip-binaries: 
-        description: 'Strip the binaries before release (Linux only)'
-        required: false
-        type: boolean
-        default: false
       is-asan: 
         description: 'Building the Address Sanitizer (ASan) Linux build'
         required: false
@@ -64,6 +59,8 @@ on:
         type: boolean
         default: false
 
+permissions: {}
+
 concurrency:
   group: electron-build-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.target-variant }}-${{ inputs.is-asan }}-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
@@ -71,6 +68,7 @@ concurrency:
 env:
   CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
   CHROMIUM_GIT_COOKIE_WINDOWS_STRING: ${{ secrets.CHROMIUM_GIT_COOKIE_WINDOWS_STRING }}
+  DD_API_KEY: ${{ secrets.DD_API_KEY }}
   ELECTRON_ARTIFACTS_BLOB_STORAGE: ${{ secrets.ELECTRON_ARTIFACTS_BLOB_STORAGE }}
   ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
   SUDOWOODO_EXCHANGE_URL: ${{ secrets.SUDOWOODO_EXCHANGE_URL }}
@@ -85,16 +83,19 @@ jobs:
       run:
         shell: bash
     runs-on: ${{ inputs.build-runs-on }}
+    permissions:
+      contents: read
     container: ${{ fromJSON(inputs.build-container) }}
     environment: ${{ inputs.environment }}
     env:
       TARGET_ARCH: ${{ inputs.target-arch }}
+      TARGET_PLATFORM: ${{ inputs.target-platform }}
     steps:
     - name: Create src dir
       run: |
         mkdir src
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -118,9 +119,9 @@ jobs:
       run: df -h
     - name: Setup Node.js/npm
       if: ${{ inputs.target-platform == 'macos' }}
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
       with:
-        node-version: 20.19.x
+        node-version: 22.21.x
         cache: yarn
         cache-dependency-path: src/electron/yarn.lock
     - name: Install Dependencies
@@ -162,7 +163,7 @@ jobs:
       if: ${{ inputs.target-platform == 'linux' }}
       uses: ./src/electron/.github/actions/restore-cache-aks
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -176,7 +177,7 @@ jobs:
         ELECTRON_DEPOT_TOOLS_DISABLE_LOG: true
     - name: Init Build Tools
       run: |
-        e init -f --root=$(pwd) --out=Default ${{ inputs.gn-build-type }} --import ${{ inputs.gn-build-type }} --target-cpu ${{ inputs.target-arch }}
+        e init -f --root=$(pwd) --out=Default ${{ inputs.gn-build-type }} --import ${{ inputs.gn-build-type }} --target-cpu ${{ inputs.target-arch }} --remote-build siso
     - name: Run Electron Only Hooks
       run: |
         e d gclient runhooks --spec="solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False},'managed':False}]"
@@ -186,9 +187,6 @@ jobs:
         echo "DEPSHASH=$(cat src/electron/.depshash)" >> $GITHUB_ENV
     - name: Add CHROMIUM_BUILDTOOLS_PATH to env
       run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
-    - name: Setup Number of Ninja Processes
-      run: |
-        echo "NUMBER_OF_NINJA_PROCESSES=${{ inputs.target-platform != 'macos' && '300' || '200' }}" >> $GITHUB_ENV
     - name: Free up space (macOS)
       if: ${{ inputs.target-platform == 'macos' }}
       uses: ./src/electron/.github/actions/free-space-macos
@@ -201,7 +199,6 @@ jobs:
         artifact-platform: ${{ inputs.target-platform == 'macos' && 'darwin' || inputs.target-platform }}
         is-release: '${{ inputs.is-release }}'
         generate-symbols: '${{ inputs.generate-symbols }}'
-        strip-binaries: '${{ inputs.strip-binaries }}'
         upload-to-storage: '${{ inputs.upload-to-storage }}'
         is-asan: '${{ inputs.is-asan }}'
     - name: Set GN_EXTRA_ARGS for MAS Build

.github/workflows/pipeline-segment-electron-gn-check.yml

@@ -26,6 +26,8 @@ on:
         type: string
         default: testing
 
+permissions: {}
+
 concurrency:
   group: electron-gn-check-${{ inputs.target-platform }}-${{ github.ref }}
   cancel-in-progress: true
@@ -41,10 +43,12 @@ jobs:
       run:
         shell: bash
     runs-on: ${{ inputs.check-runs-on }}
+    permissions:
+      contents: read
     container: ${{ fromJSON(inputs.check-container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -111,7 +115,7 @@ jobs:
     - name: Add CHROMIUM_BUILDTOOLS_PATH to env
       run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/pipeline-segment-electron-test.yml

@@ -35,10 +35,7 @@ concurrency:
   group: electron-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.is-asan }}-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
 
-permissions:
-  contents: read
-  issues: read
-  pull-requests: read
+permissions: {}
 
 env:
   CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
@@ -53,6 +50,10 @@ jobs:
       run:
         shell: bash
     runs-on: ${{ inputs.test-runs-on }}
+    permissions:
+      contents: read
+      issues: read
+      pull-requests: read
     container: ${{ fromJSON(inputs.test-container) }}
     strategy:
       fail-fast: false
@@ -68,29 +69,16 @@ jobs:
       if: ${{ inputs.target-arch == 'arm' && inputs.target-platform == 'linux' }}
       run: |
         cp $(which node) /mnt/runner-externals/node20/bin/
-    - name: Install Git on Windows arm64 runners
-      if: ${{ inputs.target-arch == 'arm64' && inputs.target-platform == 'win' }}
-      shell: powershell
-      run: |
-        Set-ExecutionPolicy Bypass -Scope Process -Force
-        [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
-        iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
-        choco install -y --no-progress git.install --params "'/GitAndUnixToolsOnPath'"
-        choco install -y --no-progress git
-        choco install -y --no-progress python --version 3.11.9
-        choco install -y --no-progress visualstudio2022-workload-vctools --package-parameters "--add Microsoft.VisualStudio.Component.VC.Tools.ARM64"
-        echo "C:\Program Files\Git\cmd" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-        echo "C:\Program Files\Git\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-        echo "C:\Python311" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-        cp "C:\Python311\python.exe" "C:\Python311\python3.exe"
+        cp $(which node) /mnt/runner-externals/node24/bin/
     - name: Setup Node.js/npm
       if: ${{ inputs.target-platform == 'win' }}
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
       with:
-        node-version: 20.19.x
+        node-version: 22.21.x
     - name: Add TCC permissions on macOS
       if: ${{ inputs.target-platform == 'macos' }}
       run: |
+        epochdate=$(($(date +'%s * 1000 + %-N / 1000000')))
         configure_user_tccdb () {
           local values=$1
           local dbPath="$HOME/Library/Application Support/com.apple.TCC/TCC.db"
@@ -111,11 +99,12 @@ jobs:
             "'kTCCServiceAppleEvents','/usr/local/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
             "'kTCCServiceCamera','/opt/hca/hosted-compute-agent',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
             "'kTCCServiceBluetoothAlways','/opt/hca/hosted-compute-agent',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
+            "'kTCCServiceScreenCapture','/bin/bash',1,2,3,1,NULL,NULL,NULL,'UNUSED',NULL,0,$epochdate"
         )
         for values in "${userValuesArray[@]}"; do
           # Sonoma and higher have a few extra values
           # Ref: https://github.com/actions/runner-images/blob/main/images/macos/scripts/build/configure-tccdb-macos.sh
-          if [ "$OSTYPE" = "darwin23" ]; then
+          if [ "$OSTYPE" = "darwin23" ] || [ "$OSTYPE" = "darwin24" ]; then
             configure_user_tccdb "$values,NULL,NULL,'UNUSED',${values##*,}"
             configure_sys_tccdb "$values,NULL,NULL,'UNUSED',${values##*,}"
           else
@@ -126,12 +115,21 @@ jobs:
     - name: Turn off the unexpectedly quit dialog on macOS
       if: ${{ inputs.target-platform == 'macos' }}
       run: defaults write com.apple.CrashReporter DialogType server
+    - name: Set xcode to 16.4
+      if: ${{ inputs.target-platform == 'macos' }}
+      run: sudo xcode-select --switch /Applications/Xcode_16.4.app
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
         ref: ${{ github.event.pull_request.head.sha }}
+    - name: Turn off screenshot nag on macOS
+      if: ${{ inputs.target-platform == 'macos' }}
+      run: |
+        defaults write ~/Library/Group\ Containers/group.com.apple.replayd/ScreenCaptureApprovals.plist "/bin/bash" -date "3024-09-23 12:00:00 +0000"
+        src/electron/script/actions/screencapture-nag-remover.sh -a $(which bash)
+        src/electron/script/actions/screencapture-nag-remover.sh -a /opt/hca/hosted-compute-agent
     - name: Setup SSH Debugging
       if: ${{ inputs.target-platform == 'macos' && (inputs.enable-ssh || env.ACTIONS_STEP_DEBUG == 'true') }}
       uses: ./src/electron/.github/actions/ssh-debug
@@ -156,6 +154,7 @@ jobs:
         git config --global core.fscache true
         git config --global core.longpaths true
         git config --global core.preloadindex true
+        git config --global core.longpaths true
         git clone --filter=tree:0 https://chromium.googlesource.com/chromium/tools/depot_tools.git
         # Ensure depot_tools does not update.
         test -d depot_tools && cd depot_tools
@@ -169,43 +168,36 @@ jobs:
         echo "DISABLE_CRASH_REPORTER_TESTS=true" >> $GITHUB_ENV
         echo "IS_ASAN=true" >> $GITHUB_ENV
     - name: Download Generated Artifacts
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
       with:
         name: generated_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./generated_artifacts_${{ matrix.build-type }}_${{ inputs.target-arch }}
     - name: Download Src Artifacts
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
       with:
         name: src_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./src_artifacts_${{ matrix.build-type }}_${{ inputs.target-arch }}
     - name: Restore Generated Artifacts
       run: ./src/electron/script/actions/restore-artifacts.sh
-    - name: Unzip Dist, Mksnapshot & Chromedriver (win)
+    - name: Unzip Dist (win)
       if: ${{ inputs.target-platform == 'win' }}
       shell: powershell
       run: |
         Set-ExecutionPolicy Bypass -Scope Process -Force
         cd src/out/Default
         Expand-Archive -Force dist.zip -DestinationPath ./
-        Expand-Archive -Force chromedriver.zip -DestinationPath ./
-        Expand-Archive -Force mksnapshot.zip -DestinationPath ./
-    - name: Unzip Dist, Mksnapshot & Chromedriver (unix)
+    - name: Unzip Dist (unix)
       if: ${{ inputs.target-platform != 'win' }}
       run: |
         cd src/out/Default
         unzip -:o dist.zip
-        unzip -:o chromedriver.zip
-        unzip -:o mksnapshot.zip
-    - name: Import & Trust Self-Signed Codesigning Cert on MacOS
-      if: ${{ inputs.target-platform == 'macos' && inputs.target-arch == 'x64' }}
-      run: |
-        sudo security authorizationdb write com.apple.trust-settings.admin allow
-        cd src/electron
-        ./script/codesign/generate-identity.sh
-    - name: Install Datadog CLI
-      run: |
-        cd src/electron
-        node script/yarn global add @datadog/datadog-ci
+    #- name: Import & Trust Self-Signed Codesigning Cert on MacOS
+    #  if: ${{ inputs.target-platform == 'macos' && inputs.target-arch == 'x64' }}
+    #  run: |
+    #    sudo security authorizationdb write com.apple.trust-settings.admin allow
+    #    cd src/electron
+    #    ./script/codesign/generate-identity.sh
+
     - name: Run Electron Tests
       shell: bash
       env:
@@ -231,7 +223,7 @@ jobs:
               export ELECTRON_FORCE_TEST_SUITE_EXIT="true"
             fi
           fi
-          node script/yarn test --runners=main --trace-uncaught --enable-logging --files $tests_files
+          node script/yarn.js test --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
         else
           chown :builduser .. && chmod g+w ..
           chown -R :builduser . && chmod -R g+w .
@@ -248,9 +240,14 @@ jobs:
             export MOCHA_TIMEOUT=180000
             echo "Piping output to ASAN_SYMBOLIZE ($ASAN_SYMBOLIZE)"
             cd electron
-            runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn test --runners=main --trace-uncaught --enable-logging --files $tests_files | $ASAN_SYMBOLIZE
+            runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --runners=main --trace-uncaught --enable-logging --files $tests_files | $ASAN_SYMBOLIZE
           else
-            runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn test --runners=main --trace-uncaught --enable-logging --files $tests_files
+            if [ "${{ inputs.target-arch }}" = "arm" ]; then
+              runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --skipYarnInstall --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
+            else 
+              runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
+            fi
+            
           fi
         fi
     - name: Upload Test results to Datadog
@@ -262,13 +259,14 @@ jobs:
         DD_TAGS: "os.architecture:${{ inputs.target-arch }},os.family:${{ inputs.target-platform }},os.platform:${{ inputs.target-platform }},asan:${{ inputs.is-asan }}"
       run: |
         if ! [ -z $DD_API_KEY ] && [ -f src/electron/junit/test-results-main.xml ]; then
-          export DATADOG_PATH=`node src/electron/script/yarn global bin`
-          $DATADOG_PATH/datadog-ci junit upload src/electron/junit/test-results-main.xml
-        fi          
+          cd src/electron
+          export DATADOG_PATH=`node script/yarn.js bin datadog-ci`
+          $DATADOG_PATH junit upload junit/test-results-main.xml
+        fi
       if: always() && !cancelled()
     - name: Upload Test Artifacts
       if: always() && !cancelled()
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
       with:
         name: test_artifacts_${{ env.ARTIFACT_KEY }}_${{ matrix.shard }}
         path: src/electron/spec/artifacts

.github/workflows/pipeline-segment-node-nan-test.yml

@@ -26,6 +26,8 @@ on:
         type: string
         default: testing
 
+permissions: {}
+
 concurrency:
   group: electron-node-nan-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
@@ -39,6 +41,8 @@ jobs:
   node-tests:
     name: Run Node.js Tests
     runs-on: electron-arc-centralus-linux-amd64-8core
+    permissions:
+      contents: read
     timeout-minutes: 30
     env: 
       TARGET_ARCH: ${{ inputs.target-arch }}
@@ -46,7 +50,7 @@ jobs:
     container: ${{ fromJSON(inputs.test-container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -61,12 +65,12 @@ jobs:
     - name: Install Dependencies
       uses: ./src/electron/.github/actions/install-dependencies
     - name: Download Generated Artifacts
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
       with:
         name: generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
         path: ./generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
     - name: Download Src Artifacts
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
       with:
         name: src_artifacts_linux_${{ env.TARGET_ARCH }}
         path: ./src_artifacts_linux_${{ env.TARGET_ARCH }}
@@ -93,6 +97,8 @@ jobs:
   nan-tests:
     name: Run Nan Tests
     runs-on: electron-arc-centralus-linux-amd64-4core
+    permissions:
+      contents: read
     timeout-minutes: 30
     env: 
       TARGET_ARCH: ${{ inputs.target-arch }}
@@ -100,7 +106,7 @@ jobs:
     container: ${{ fromJSON(inputs.test-container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -115,12 +121,12 @@ jobs:
     - name: Install Dependencies
       uses: ./src/electron/.github/actions/install-dependencies
     - name: Download Generated Artifacts
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
       with:
         name: generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
         path: ./generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
     - name: Download Src Artifacts
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
       with:
         name: src_artifacts_linux_${{ env.TARGET_ARCH }}
         path: ./src_artifacts_linux_${{ env.TARGET_ARCH }}
@@ -132,10 +138,16 @@ jobs:
         unzip -:o dist.zip
     - name: Setup Linux for Headless Testing
       run: sh -e /etc/init.d/xvfb start
+    - name: Add Clang problem matcher
+      shell: bash
+      run: echo "::add-matcher::src/electron/.github/problem-matchers/clang.json"
     - name: Run Nan Tests
       run: |
         cd src
         node electron/script/nan-spec-runner.js
+    - name: Remove Clang problem matcher
+      shell: bash
+      run: echo "::remove-matcher owner=clang::"
     - name: Wait for active SSH sessions
       shell: bash
       if: always() && !cancelled()

.github/workflows/pull-request-labeled.yml

@@ -11,6 +11,7 @@ jobs:
     name: backport/requested label added
     if: github.event.label.name == 'backport/requested 🗳'
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - name: Trigger Slack workflow
         uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
@@ -19,12 +20,16 @@ jobs:
           webhook-type: webhook-trigger
           payload: |
             {
-              "url": "${{ github.event.pull_request.html_url }}"
+              "base_ref": ${{ toJSON(github.event.pull_request.base.ref) }},
+              "title": ${{ toJSON(github.event.pull_request.title) }},
+              "url": ${{ toJSON(github.event.pull_request.html_url) }},
+              "user": ${{ toJSON(github.event.pull_request.user.login) }}
             }
   pull-request-labeled-deprecation-review-complete:
     name: deprecation-review/complete label added
     if: github.event.label.name == 'deprecation-review/complete ✅'
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1

.github/workflows/scorecards.yml

@@ -22,13 +22,13 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       # This is a pre-submit / pre-release.
       - name: "Run analysis"
-        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -42,7 +42,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: SARIF file
           path: results.sarif
@@ -50,6 +50,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v3.29.5
         with:
           sarif_file: results.sarif

.github/workflows/semantic.yml

@@ -7,8 +7,7 @@ on:
       - edited
       - synchronize
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   main:
@@ -19,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: semantic-pull-request
-        uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+        uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/stable-prep-items.yml

@@ -11,6 +11,7 @@ jobs:
   check-stable-prep-items:
     name: Check Stable Prep Items
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1

.github/workflows/stale.yml

@@ -10,13 +10,14 @@ permissions: {}
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
-      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # tag: v9.1.0
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # tag: v10.1.1
         with:
           repo-token: ${{ steps.generate-token.outputs.token }}
           days-before-stale: 90
@@ -27,10 +28,11 @@ jobs:
             This issue has been automatically marked as stale. **If this issue is still affecting you, please leave any comment** (for example, "bump"), and we'll keep it open. If you have any new additional information—in particular, if this is still reproducible in the [latest version of Electron](https://www.electronjs.org/releases/stable) or in the [beta](https://www.electronjs.org/releases/beta)—please include it with your comment!
           close-issue-message: >
             This issue has been closed due to inactivity, and will not be monitored.  If this is a bug and you can reproduce this issue on a [supported version of Electron](https://www.electronjs.org/docs/latest/tutorial/electron-timelines#timeline) please open a new issue and include instructions for reproducing the issue.
-          exempt-issue-labels: "discussion,security \U0001F512,enhancement :sparkles:,status/confirmed,stale-exempt,upgrade-follow-up"
+          exempt-issue-labels: "discussion,security \U0001F512,enhancement :sparkles:,status/confirmed,stale-exempt,upgrade-follow-up,tracking-upstream"
           only-pr-labels: not-a-real-label
   pending-repro:
     runs-on: ubuntu-latest
+    permissions: {}
     if: ${{ always() }}
     needs: stale
     steps:
@@ -39,7 +41,7 @@ jobs:
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
-      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # tag: v9.1.0
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # tag: v10.1.1
         with:
           repo-token: ${{ steps.generate-token.outputs.token }}
           days-before-stale: -1

.github/workflows/windows-publish.yml

@@ -18,9 +18,13 @@ on:
         type: boolean
         default: false
 
+permissions: {}
+
 jobs:
   checkout-windows:
     runs-on: electron-arc-centralus-linux-amd64-32core
+    permissions:
+      contents: read
     container:
       image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root --device /dev/fuse --cap-add SYS_ADMIN
@@ -36,7 +40,7 @@ jobs:
       build-image-sha: ${{ inputs.build-image-sha }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -48,6 +52,8 @@ jobs:
 
   publish-x64-win:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
     needs: checkout-windows
     with:
       environment: production-release
@@ -62,6 +68,8 @@ jobs:
 
   publish-arm64-win:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
     needs: checkout-windows
     with:
       environment: production-release
@@ -76,6 +84,8 @@ jobs:
 
   publish-x86-win:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
     needs: checkout-windows
     with:
       environment: production-release

.gitignore

@@ -53,3 +53,5 @@ ts-gen
 patches/mtime-cache.json
 
 spec/fixtures/logo.png
+
+.yarn/install-state.gz

.nvmrc

@@ -1 +1 @@
-20
+22

.yarnrc.yml

@@ -0,0 +1,12 @@
+enableScripts: false
+
+nmHoistingLimits: workspaces
+
+nodeLinker: node-modules
+
+npmMinimalAgeGate: 10080
+
+npmPreapprovedPackages:
+  - "@electron/*"
+
+yarnPath: .yarn/releases/yarn-4.12.0.cjs

BUILD.gn

@@ -44,6 +44,7 @@ if (is_mac) {
 
 if (is_linux) {
   import("//build/config/linux/pkg_config.gni")
+  import("//electron/build/linux/strip_binary.gni")
   import("//tools/generate_stubs/rules.gni")
 
   pkg_config("gio_unix") {
@@ -445,6 +446,7 @@ source_set("electron_lib") {
     "shell/services/node/public/mojom",
     "//base:base_static",
     "//base/allocator:buildflags",
+    "//build/util:chromium_git_revision",
     "//chrome:strings",
     "//chrome/app:command_ids",
     "//chrome/app/resources:platform_locale_settings",
@@ -479,6 +481,7 @@ source_set("electron_lib") {
     "//device/bluetooth",
     "//device/bluetooth/public/cpp",
     "//gin",
+    "//gpu/ipc/client",
     "//media/capture/mojom:video_capture",
     "//media/mojo/mojom",
     "//media/mojo/mojom:web_speech_recognition",
@@ -526,6 +529,7 @@ source_set("electron_lib") {
     "//base",
     "//base:i18n",
     "//content/public/app",
+    "//ui/base/unowned_user_data",
   ]
 
   include_dirs = [
@@ -585,7 +589,13 @@ source_set("electron_lib") {
   }
 
   if (is_mac) {
+    # Disable C++ modules to resolve linking error when including MacOS SDK
+    # headers from third_party/electron_node/deps/uv/include/uv/darwin.h
+    # TODO(samuelmaddock): consider revisiting this in the future
+    use_libcxx_modules = false
+
     deps += [
+      "//components/os_crypt/common:keychain_password_mac",
       "//components/remote_cocoa/app_shim",
       "//components/remote_cocoa/browser",
       "//content/browser:mac_helpers",
@@ -654,6 +664,7 @@ source_set("electron_lib") {
       "//ui/events/devices/x11",
       "//ui/events/platform/x11",
       "//ui/gtk:gtk_config",
+      "//ui/linux:display_server_utils",
       "//ui/linux:linux_ui",
       "//ui/linux:linux_ui_factory",
       "//ui/wm",
@@ -686,7 +697,7 @@ source_set("electron_lib") {
     deps += [
       "//components/app_launch_prefetch",
       "//components/crash/core/app:crash_export_thunks",
-      "//ui/native_theme:native_theme_browser",
+      "//third_party/libxml:xml_writer",
       "//ui/wm",
       "//ui/wm/public",
     ]
@@ -753,11 +764,13 @@ source_set("electron_lib") {
   if (enable_pdf_viewer) {
     deps += [
       "//chrome/browser/resources/pdf:resources",
+      "//chrome/browser/ui:browser_element_identifiers",
       "//components/pdf/browser",
       "//components/pdf/browser:interceptors",
       "//components/pdf/common:constants",
       "//components/pdf/common:util",
       "//components/pdf/renderer",
+      "//components/user_education/webui",
       "//pdf",
       "//pdf:content_restriction",
     ]
@@ -1425,6 +1438,18 @@ dist_zip("electron_dist_zip") {
     ":licenses",
   ]
   if (is_linux) {
+    if (is_official_build) {
+      data_deps += [
+        ":strip_chrome_crashpad_handler",
+        ":strip_chrome_sandbox",
+        ":strip_electron_binary",
+        ":strip_libEGL_shlib",
+        ":strip_libGLESv2_shlib",
+        ":strip_libffmpeg_shlib",
+        ":strip_libvk_swiftshader_shlib",
+      ]
+    }
+
     data_deps += [ "//sandbox/linux:chrome_sandbox" ]
   }
   deps = data_deps
@@ -1470,6 +1495,16 @@ group("electron_mksnapshot") {
 
 dist_zip("electron_mksnapshot_zip") {
   data_deps = mksnapshot_deps
+  if (is_linux && is_official_build) {
+    data_deps += [
+      ":strip_libEGL_shlib",
+      ":strip_libGLESv2_shlib",
+      ":strip_libffmpeg_shlib",
+      ":strip_libvk_swiftshader_shlib",
+      ":strip_mksnapshot_binary",
+      ":strip_v8_context_snapshot_generator_binary",
+    ]
+  }
   deps = data_deps
   outputs = [ "$root_build_dir/mksnapshot.zip" ]
 }
@@ -1594,3 +1629,101 @@ group("copy_node_headers") {
 group("node_headers") {
   public_deps = [ ":tar_node_headers" ]
 }
+
+group("testing_build") {
+  public_deps = [
+    ":electron_dist_zip",
+    ":electron_mksnapshot_zip",
+    ":node_headers",
+  ]
+}
+
+group("release_build") {
+  public_deps = [ ":testing_build" ]
+  if (is_official_build) {
+    public_deps += [ ":electron_symbols" ]
+  }
+  if (is_linux) {
+    public_deps += [
+      ":hunspell_dictionaries_zip",
+      ":libcxx_headers_zip",
+      ":libcxx_objects_zip",
+      ":libcxxabi_headers_zip",
+    ]
+  }
+}
+
+if (is_linux && is_official_build) {
+  strip_binary("strip_electron_binary") {
+    binary_input = "$root_out_dir/$electron_project_name"
+    symbol_output = "$root_out_dir/debug/$electron_project_name.debug"
+    compress_debug_sections = true
+    deps = [ ":electron_app" ]
+  }
+
+  strip_binary("strip_chrome_crashpad_handler") {
+    binary_input = "$root_out_dir/chrome_crashpad_handler"
+    symbol_output = "$root_out_dir/debug/chrome_crashpad_handler.debug"
+    compress_debug_sections = true
+    deps = [ "//components/crash/core/app:chrome_crashpad_handler" ]
+  }
+
+  strip_binary("strip_chrome_sandbox") {
+    binary_input = "$root_out_dir/chrome_sandbox"
+    symbol_output = "$root_out_dir/debug/chrome-sandbox.debug"
+    compress_debug_sections = true
+    deps = [ "//sandbox/linux:chrome_sandbox" ]
+  }
+
+  strip_binary("strip_libEGL_shlib") {
+    binary_input = "$root_out_dir/libEGL.so"
+    symbol_output = "$root_out_dir/debug/libEGL.so.debug"
+    compress_debug_sections = true
+    deps = [ "//third_party/angle:libEGL" ]
+  }
+
+  strip_binary("strip_libGLESv2_shlib") {
+    binary_input = "$root_out_dir/libGLESv2.so"
+    symbol_output = "$root_out_dir/debug/libGLESv2.so.debug"
+    compress_debug_sections = true
+    deps = [ "//third_party/angle:libGLESv2" ]
+  }
+
+  strip_binary("strip_libffmpeg_shlib") {
+    binary_input = "$root_out_dir/libffmpeg.so"
+    symbol_output = "$root_out_dir/debug/libffmpeg.so.debug"
+    compress_debug_sections = true
+    deps = [ "//third_party/ffmpeg" ]
+  }
+
+  strip_binary("strip_libvk_swiftshader_shlib") {
+    binary_input = "$root_out_dir/libvk_swiftshader.so"
+    symbol_output = "$root_out_dir/debug/libvk_swiftshader.so.debug"
+    compress_debug_sections = true
+    deps = [ "//third_party/swiftshader/src/Vulkan:swiftshader_libvulkan" ]
+  }
+
+  strip_binary("strip_mksnapshot_binary") {
+    _binary_path = rebase_path(
+            get_label_info(
+                    ":v8_context_snapshot_generator($v8_snapshot_toolchain)",
+                    "root_out_dir") + "/mksnapshot",
+            root_build_dir)
+    binary_input = "$root_out_dir/$_binary_path"
+    symbol_output = "$root_out_dir/debug/${_binary_path}.debug"
+    compress_debug_sections = true
+    deps = mksnapshot_deps
+  }
+
+  strip_binary("strip_v8_context_snapshot_generator_binary") {
+    _binary_path = rebase_path(
+            get_label_info(
+                    ":v8_context_snapshot_generator($v8_snapshot_toolchain)",
+                    "root_out_dir") + "/v8_context_snapshot_generator",
+            root_build_dir)
+    binary_input = "$root_out_dir/$_binary_path"
+    symbol_output = "$root_out_dir/debug/${_binary_path}.debug"
+    compress_debug_sections = true
+    deps = mksnapshot_deps
+  }
+}

DEPS

@@ -2,17 +2,17 @@ gclient_gn_args_from = 'src'
 
 vars = {
   'chromium_version':
-    '141.0.7350.0',
+    '145.0.7568.0',
   'node_version':
-    'v22.18.0',
+    'v24.11.1',
   'nan_version':
-    'e14bdcd1f72d62bca1d541b66da43130384ec213',
+    '675cefebca42410733da8a454c8d9391fcebfbc2',
   'squirrel.mac_version':
     '0e5d146ba13101a1302d59ea6e6e0b3cace4ae38',
   'reactiveobjc_version':
     '74ab5baccc6f7202c8ac69a8d1e152c29dc1ea76',
   'mantle_version':
-    '78d3966b3c331292ea29ec38661b25df0a245948',
+    '2a8e2123a3931038179ee06105c9e6ec336b12ea',
   'engflow_reclient_configs_version':
     '955335c30a752e9ef7bff375baab5e0819b6c00d',
 
@@ -30,9 +30,6 @@ vars = {
   # The path of the sysroots.json file.
   'sysroots_json_path': 'electron/script/sysroots.json',
 
-  # KEEP IN SYNC WITH utils.js FILE
-  'yarn_version': '1.22.22',
-
   # To be able to build clean Chromium from sources.
   'apply_patches': True,
 
@@ -155,7 +152,7 @@ hooks = [
     'action': [
       'python3',
       '-c',
-      'import os, subprocess; os.chdir(os.path.join("src", "electron")); subprocess.check_call(["python3", "script/lib/npx.py", "yarn@' + (Var("yarn_version")) + '", "install", "--frozen-lockfile"]);',
+      'import os, subprocess; os.chdir(os.path.join("src", "electron")); subprocess.check_call(["node", ".yarn/releases/yarn-4.12.0.cjs", "install", "--immutable"]);',
     ],
   },
   {

README.md

@@ -37,9 +37,9 @@ For more installation options and troubleshooting tips, see
 
 Each Electron release provides binaries for macOS, Windows, and Linux.
 
-* macOS (Big Sur and up): Electron provides 64-bit Intel and Apple Silicon / ARM binaries for macOS.
+* macOS (Monterey and up): Electron provides 64-bit Intel and Apple Silicon / ARM binaries for macOS.
 * Windows (Windows 10 and up): Electron provides `ia32` (`x86`), `x64` (`amd64`), and `arm64` binaries for Windows. Windows on ARM support was added in Electron 5.0.8. Support for Windows 7, 8 and 8.1 was [removed in Electron 23, in line with Chromium's Windows deprecation policy](https://www.electronjs.org/blog/windows-7-to-8-1-deprecation-notice).
-* Linux: The prebuilt binaries of Electron are built on Ubuntu 20.04. They have also been verified to work on:
+* Linux: The prebuilt binaries of Electron are built on Ubuntu 22.04. They have also been verified to work on:
   * Ubuntu 18.04 and newer
   * Fedora 32 and newer
   * Debian 10 and newer

SECURITY.md

@@ -8,6 +8,12 @@ The Electron team will send a response indicating the next steps in handling you
 
 Report security bugs in third-party modules to the person or team maintaining the module. You can also report a vulnerability through the [npm contact form](https://www.npmjs.com/support) by selecting "I'm reporting a security vulnerability".
 
+## Escalation
+
+If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`.
+
+If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.
+
 ## The Electron Security Notification Process
 
 For context on Electron's security notification process, please see the [Notifications](https://github.com/electron/governance/blob/main/wg-security/membership-and-notifications.md#notifications) section of the Security WG's [Membership and Notifications](https://github.com/electron/governance/blob/main/wg-security/membership-and-notifications.md) Governance document.

build/args/all.gn

@@ -2,7 +2,7 @@ is_electron_build = true
 root_extra_deps = [ "//electron" ]
 
 # Registry of NMVs --> https://github.com/nodejs/node/blob/main/doc/abi_version_registry.json
-node_module_version = 139
+node_module_version = 143
 
 v8_promise_internal_field_count = 1
 v8_embedder_string = "-electron.0"
@@ -19,15 +19,15 @@ proprietary_codecs = true
 
 enable_printing = true
 
+# Refs https://chromium-review.googlesource.com/c/chromium/src/+/6986517
+# CI is using MacOS 15.5 which doesn't have the required modulemaps.
+use_clang_modules = false
+
 # Removes DLLs from the build, which are only meant to be used for Chromium development.
 # See https://github.com/electron/electron/pull/17985
 angle_enable_vulkan_validation_layers = false
 dawn_enable_vulkan_validation_layers = false
 
-# Removes dxc dll's that are only used experimentally.
-# See https://bugs.chromium.org/p/chromium/issues/detail?id=1474897
-dawn_use_built_dxc = false
-
 # These are disabled because they cause the zip manifest to differ between
 # testing and release builds.
 # See https://chromium-review.googlesource.com/c/chromium/src/+/2774898.
@@ -70,6 +70,8 @@ v8_expose_public_symbols = true
 # sensitive content by enterprise users.
 enterprise_cloud_content_analysis = false
 
-# Disable siso until we are ready to use it.
-# https://chromium-review.googlesource.com/c/chromium/src/+/6638830
-use_siso = false
+# We don't use anything from here, and it causes target collisions
+enable_linux_installer = false
+
+# Disable "Save to Drive" feature in PDF viewer
+enable_pdf_save_to_drive = false

build/checksum_header.py

@@ -12,7 +12,7 @@ TEMPLATE_H = """
 
 namespace electron::snapshot_checksum {
 
-const std::string kChecksum = "{checksum}";
+inline constexpr std::string_view kChecksum = "{checksum}";
 
 }  // namespace electron::snapshot_checksum
 

build/linux/strip_binary.gni

@@ -0,0 +1,70 @@
+# Copyright 2021 The Chromium Authors
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# This has been adapted from https://source.chromium.org/chromium/chromium/src/+/main:build/linux/strip_binary.gni;drc=c220a41e0422d45f1657c28146d32e99cc53640b
+# The notable difference is it has an option to compress the debug sections
+
+import("//build/config/clang/clang.gni")
+import("//build/toolchain/toolchain.gni")
+
+# Extracts symbols from a binary into a symbol file.
+#
+# Args:
+#   binary_input: Path to the binary containing symbols to extract, e.g.:
+#       "$root_out_dir/chrome"
+#   symbol_output: Desired output file for symbols, e.g.:
+#       "$root_out_dir/chrome.debug"
+#   stripped_binary_output: Desired output file for stripped file, e.g.:
+#       "$root_out_dir/chrome.stripped"
+#   compress_debug_sections: If true, compress the extracted debug sections
+template("strip_binary") {
+  forward_variables_from(invoker,
+                         [
+                           "deps",
+                           "testonly",
+                         ])
+  action("${target_name}") {
+    llvm_strip_binary = "${clang_base_path}/bin/llvm-strip"
+    llvm_objcopy_binary = "${clang_base_path}/bin/llvm-objcopy"
+    script = "//electron/build/linux/strip_binary.py"
+
+    if (defined(invoker.stripped_binary_output)) {
+      stripped_binary_output = invoker.stripped_binary_output
+    } else {
+      stripped_binary_output = invoker.binary_input + ".stripped"
+    }
+    if (defined(invoker.symbol_output)) {
+      symbol_output = invoker.symbol_output
+    } else {
+      symbol_output = invoker.binary_input + ".debug"
+    }
+
+    inputs = [
+      invoker.binary_input,
+      llvm_strip_binary,
+      llvm_objcopy_binary,
+    ]
+    outputs = [
+      symbol_output,
+      stripped_binary_output,
+    ]
+    args = [
+      "--llvm-strip-binary-path",
+      rebase_path(llvm_strip_binary, root_build_dir),
+      "--llvm-objcopy-binary-path",
+      rebase_path(llvm_objcopy_binary, root_build_dir),
+      "--symbol-output",
+      rebase_path(symbol_output, root_build_dir),
+      "--stripped-binary-output",
+      rebase_path(stripped_binary_output, root_build_dir),
+      "--binary-input",
+      rebase_path(invoker.binary_input, root_build_dir),
+    ]
+
+    if (defined(invoker.compress_debug_sections) &&
+        invoker.compress_debug_sections) {
+      args += [ "--compress-debug-sections" ]
+    }
+  }
+}

build/linux/strip_binary.py

@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+#
+# Copyright 2021 The Chromium Authors
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# This has been adapted from https://source.chromium.org/chromium/chromium/src/+/main:build/linux/strip_binary.py;drc=c220a41e0422d45f1657c28146d32e99cc53640b
+# The notable difference is it has an option to compress the debug sections
+
+import argparse
+import subprocess
+import sys
+
+
+def main() -> int:
+  parser = argparse.ArgumentParser(description="Strip binary using LLVM tools.")
+  parser.add_argument("--llvm-strip-binary-path",
+                      help="Path to llvm-strip executable.")
+  parser.add_argument("--llvm-objcopy-binary-path",
+                      required=True,
+                      help="Path to llvm-objcopy executable.")
+  parser.add_argument("--binary-input", help="Input ELF binary.")
+  parser.add_argument("--symbol-output",
+                      help="File to write extracted debug info (.debug).")
+  parser.add_argument("--compress-debug-sections",
+                      action="store_true",
+                      help="Compress extracted debug info.")
+  parser.add_argument("--stripped-binary-output",
+                      help="File to write stripped binary.")
+  args = parser.parse_args()
+
+  # Replicate the behavior of:
+  # eu-strip <binary_input> -o <stripped_binary_output> -f <symbol_output>
+
+  objcopy_args = [
+      "--only-keep-debug",
+      args.binary_input,
+      args.symbol_output,
+  ]
+
+  if args.compress_debug_sections:
+    objcopy_args.insert(0, "--compress-debug-sections")
+
+  subprocess.check_output([args.llvm_objcopy_binary_path] + objcopy_args)
+  subprocess.check_output([
+      args.llvm_strip_binary_path,
+      "--strip-debug",
+      "--strip-unneeded",
+      "-o",
+      args.stripped_binary_output,
+      args.binary_input,
+  ])
+  subprocess.check_output([
+      args.llvm_objcopy_binary_path,
+      f"--add-gnu-debuglink={args.symbol_output}",
+      args.stripped_binary_output,
+  ])
+
+  return 0
+
+
+if __name__ == "__main__":
+  sys.exit(main())

build/siso/backend.star

@@ -3,7 +3,7 @@
 load("@builtin//struct.star", "module")
 
 def __platform_properties(ctx):
-    container_image = "docker://gcr.io/chops-public-images-prod/rbe/siso-chromium/linux@sha256:ef35d347f4a4a2d32b76fd908e66e96f59bf8ba7379fd5626548244c45343b2b"
+    container_image = "docker://gcr.io/chops-public-images-prod/rbe/siso-chromium/linux@sha256:d7cb1ab14a0f20aa669c23f22c15a9dead761dcac19f43985bf9dd5f41fbef3a"
     return {
         "default": {
             "OSFamily": "Linux",

build/siso/main.star

@@ -0,0 +1,66 @@
+load("@builtin//encoding.star", "json")
+load("@builtin//path.star", "path")
+load("@builtin//runtime.star", "runtime")
+load("@builtin//struct.star", "module")
+load("@config//main.star", upstream_init = "init")
+load("@config//win_sdk.star", "win_sdk")
+load("@config//gn_logs.star", "gn_logs")
+
+def init(ctx):
+    mod = upstream_init(ctx)
+    step_config = json.decode(mod.step_config)
+
+    # Buildbarn doesn't support input_root_absolute_path so disable that
+    for rule in step_config["rules"]:    
+      input_root_absolute_path = rule.get("input_root_absolute_path", False)
+      if input_root_absolute_path:
+        rule.pop("input_root_absolute_path", None)
+
+    # Only wrap clang rules with a remote wrapper if not on Linux. These are currently only
+    # needed for X-Compile builds, which run on Windows and Mac.
+    if runtime.os != "linux":
+      for rule in step_config["rules"]:
+        if rule["name"].startswith("clang/") or rule["name"].startswith("clang-cl/"):
+          rule["remote_wrapper"] = "../../buildtools/reclient_cfgs/chromium-browser-clang/clang_remote_wrapper"
+          if "inputs" not in rule:
+            rule["inputs"] = []
+          rule["inputs"].append("buildtools/reclient_cfgs/chromium-browser-clang/clang_remote_wrapper")
+          rule["inputs"].append("third_party/llvm-build/Release+Asserts_linux/bin/clang")
+
+      if "executables" not in step_config:
+        step_config["executables"] = []
+      step_config["executables"].append("buildtools/reclient_cfgs/chromium-browser-clang/clang_remote_wrapper")
+      step_config["executables"].append("third_party/llvm-build/Release+Asserts_linux/bin/clang")
+
+    if runtime.os == "darwin":
+      # Update platforms to match our default siso config instead of reclient configs.
+      step_config["platforms"].update({
+          "clang": step_config["platforms"]["default"],
+          "clang_large": step_config["platforms"]["default"],          
+      })      
+
+    if runtime.os == "windows":
+      # Add additional Windows SDK headers needed by Electron      
+      win_toolchain_dir = win_sdk.toolchain_dir(ctx)
+      if win_toolchain_dir:
+        sdk_version = gn_logs.read(ctx).get("windows_sdk_version")
+        step_config["input_deps"][win_toolchain_dir + ":headers"].extend([
+          # third_party/electron_node/deps/uv/include/uv/win.h includes mswsock.h
+          path.join(win_toolchain_dir, "Windows Kits/10/Include", sdk_version, "um/mswsock.h"),
+          # third_party/electron_node/src/debug_utils.cc includes lm.h
+          path.join(win_toolchain_dir, "Windows Kits/10/Include", sdk_version, "um/Lm.h"),          
+        ])
+      
+      # Update platforms to match our default siso config instead of reclient configs.
+      step_config["platforms"].update({
+          "clang-cl": step_config["platforms"]["default"],
+          "clang-cl_large": step_config["platforms"]["default"],
+          "lld-link": step_config["platforms"]["default"],
+      })
+
+    return module(
+      "config",
+      step_config = json.encode(step_config),
+      filegroups = mod.filegroups,
+      handlers = mod.handlers,
+    )

build/zip.py

@@ -41,6 +41,8 @@ PATHS_TO_SKIP = [
   'resources/inspector',
   'gen/third_party/devtools-frontend/src',
   'gen/ui/webui',
+  # Skip because these get zipped separately in script/zip-symbols.py
+  'debug',
 ]
 
 def skip_path(dep, dist_zip, target_cpu):
@@ -80,6 +82,11 @@ def main(argv):
       dep = dep.strip()
       if not skip_path(dep, dist_zip, target_cpu):
         dist_files.add(dep)
+  # On Linux, filter out any files which have a .stripped companion
+  if sys.platform == 'linux':
+    dist_files = {
+      dep for dep in dist_files if f"{dep.removeprefix('./')}.stripped" not in dist_files
+    }
   if sys.platform == 'darwin' and not should_flatten:
     execute(['zip', '-r', '-y', dist_zip] + list(dist_files))
   else:
@@ -96,10 +103,13 @@ def main(argv):
           dirname = os.path.dirname(dep)
           arcname = (
             os.path.join(dirname, 'chrome-sandbox')
-            if basename == 'chrome_sandbox'
+            if basename.removesuffix('.stripped') == 'chrome_sandbox'
             else dep
           )
           name_to_write = arcname
+          # On Linux, strip the .stripped suffix from the name before zipping
+          if sys.platform == 'linux':
+            name_to_write = name_to_write.removesuffix('.stripped')
           if should_flatten:
             if flatten_relative_to:
               if name_to_write.startswith(flatten_relative_to):

chromium_src/BUILD.gn

@@ -23,6 +23,8 @@ static_library("chrome") {
     "//chrome/browser/browser_process.h",
     "//chrome/browser/devtools/devtools_contents_resizing_strategy.cc",
     "//chrome/browser/devtools/devtools_contents_resizing_strategy.h",
+    "//chrome/browser/devtools/devtools_dispatch_http_request_params.cc",
+    "//chrome/browser/devtools/devtools_dispatch_http_request_params.h",
     "//chrome/browser/devtools/devtools_embedder_message_dispatcher.cc",
     "//chrome/browser/devtools/devtools_embedder_message_dispatcher.h",
     "//chrome/browser/devtools/devtools_eye_dropper.cc",
@@ -381,6 +383,8 @@ static_library("chrome") {
         "//chrome/browser/pdf/chrome_pdf_stream_delegate.h",
         "//chrome/browser/pdf/pdf_extension_util.cc",
         "//chrome/browser/pdf/pdf_extension_util.h",
+        "//chrome/browser/pdf/pdf_help_bubble_handler_factory.cc",
+        "//chrome/browser/pdf/pdf_help_bubble_handler_factory.h",
         "//chrome/browser/pdf/pdf_viewer_stream_manager.cc",
         "//chrome/browser/pdf/pdf_viewer_stream_manager.h",
         "//chrome/browser/plugins/pdf_iframe_navigation_throttle.cc",
@@ -389,6 +393,8 @@ static_library("chrome") {
       deps += [
         "//components/pdf/browser",
         "//components/pdf/renderer",
+        "//ui/base/interaction",
+        "//ui/webui/resources/cr_components/help_bubble:mojo_bindings",
       ]
     }
   } else {

docs/api/app.md

@@ -421,6 +421,7 @@ Returns:
     * `oom` - Process ran out of memory
     * `launch-failed` - Process never successfully launched
     * `integrity-failure` - Windows code integrity checks failed
+    * `memory-eviction` - Process proactively terminated to prevent a future out-of-memory (OOM) situation
   * `exitCode` number - The exit code for the process
       (e.g. status from waitpid if on POSIX, from GetExitCodeProcess on Windows).
   * `serviceName` string (optional) - The non-localized name of the process.
@@ -564,8 +565,9 @@ and subscribing to the `ready` event if the app is not ready yet.
   * `steal` boolean _macOS_ - Make the receiver the active app even if another app is
   currently active.
 
-On Linux, focuses on the first visible window. On macOS, makes the application
-the active app. On Windows, focuses on the application's first window.
+On macOS, makes the application the active app. On Windows, focuses on the application's
+first window. On Linux, either focuses on the first visible window (X11) or requests
+focus but may instead show a notification or flash the app icon (Wayland).
 
 You should seek to use the `steal` option as sparingly as possible.
 
@@ -1214,6 +1216,13 @@ Disables hardware acceleration for current app.
 
 This method can only be called before app is ready.
 
+### `app.isHardwareAccelerationEnabled()`
+
+Returns `boolean` - whether hardware acceleration is currently enabled.
+
+ > [!NOTE]
+ > This information is only usable after the `gpu-info-update` event is emitted.
+
 ### `app.disableDomainBlockingFor3DAPIs()`
 
 By default, Chromium disables 3D APIs (e.g. WebGL) until restart on a per
@@ -1397,7 +1406,75 @@ details. Disabled by default.
 This API must be called after the `ready` event is emitted.
 
 > [!NOTE]
-> Rendering accessibility tree can significantly affect the performance of your app. It should not be enabled by default.
+> Rendering accessibility tree can significantly affect the performance of your app. It should not be enabled by default. Calling this method will enable the following accessibility support features: `nativeAPIs`, `webContents`, `inlineTextBoxes`, and `extendedProperties`.
+
+### `app.getAccessibilitySupportFeatures()` _macOS_ _Windows_
+
+Returns `string[]` - Array of strings naming currently enabled accessibility support components. Possible values:
+
+* `nativeAPIs` - Native OS accessibility APIs integration enabled.
+* `webContents` - Web contents accessibility tree exposure enabled.
+* `inlineTextBoxes` - Inline text boxes (character bounding boxes) enabled.
+* `extendedProperties` - Extended accessibility properties enabled.
+* `screenReader` - Screen reader specific mode enabled.
+* `html` - HTML accessibility tree construction enabled.
+* `labelImages` - Accessibility support for automatic image annotations.
+* `pdfPrinting` - Accessibility support for PDF printing enabled.
+
+Notes:
+
+* The array may be empty if no accessibility modes are active.
+* Use `app.isAccessibilitySupportEnabled()` for the legacy boolean check;
+  prefer this method for granular diagnostics or telemetry.
+
+Example:
+
+```js
+const { app } = require('electron')
+
+app.whenReady().then(() => {
+  if (app.getAccessibilitySupportFeatures().includes('screenReader')) {
+    // Change some app UI to better work with Screen Readers.
+  }
+})
+```
+
+### `app.setAccessibilitySupportFeatures(features)` _macOS_ _Windows_
+
+* `features` string[] - An array of the accessibility features to enable.
+
+Possible values are:
+
+* `nativeAPIs` - Native OS accessibility APIs integration enabled.
+* `webContents` - Web contents accessibility tree exposure enabled.
+* `inlineTextBoxes` - Inline text boxes (character bounding boxes) enabled.
+* `extendedProperties` - Extended accessibility properties enabled.
+* `screenReader` - Screen reader specific mode enabled.
+* `html` - HTML accessibility tree construction enabled.
+* `labelImages` - Accessibility support for automatic image annotations.
+* `pdfPrinting` - Accessibility support for PDF printing enabled.
+
+To disable all supported features, pass an empty array `[]`.
+
+Example:
+
+```js
+const { app } = require('electron')
+
+app.whenReady().then(() => {
+  // Enable a subset of features:
+  app.setAccessibilitySupportFeatures([
+    'screenReader',
+    'pdfPrinting',
+    'webContents'
+  ])
+
+  // Other logic
+
+  // Some time later, disable all features:
+  app.setAccessibilitySupportFeatures([])
+})
+```
 
 ### `app.showAboutPanel()`
 

docs/api/base-window.md

@@ -1262,15 +1262,16 @@ Sets the properties for the window's taskbar button.
 
 #### `win.setAccentColor(accentColor)` _Windows_
 
-* `accentColor` boolean | string - The accent color for the window. By default, follows user preference in System Settings.
+* `accentColor` boolean | string | null - The accent color for the window. By default, follows user preference in System Settings. To reset to system default, pass `null`.
 
 Sets the system accent color and highlighting of active window border.
 
 The `accentColor` parameter accepts the following values:
 
-* **Color string** - Sets a custom accent color using standard CSS color formats (Hex, RGB, RGBA, HSL, HSLA, or named colors). Alpha values in RGBA/HSLA formats are ignored and the color is treated as fully opaque.
-* **`true`** - Uses the system's default accent color from user preferences in System Settings.
-* **`false`** - Explicitly disables accent color highlighting for the window.
+* **Color string** - Like `true`, but sets a custom accent color using standard CSS color formats (Hex, RGB, RGBA, HSL, HSLA, or named colors). Alpha values in RGBA/HSLA formats are ignored and the color is treated as fully opaque.
+* **`true`** - Enable accent color highlighting for the window with the system accent color regardless of whether accent colors are enabled for windows in System `Settings.`
+* **`false`** - Disable accent color highlighting for the window regardless of whether accent colors are currently enabled for windows in System Settings.
+* **`null`** - Reset window accent color behavior to follow behavior set in System Settings.
 
 Examples:
 
@@ -1283,11 +1284,14 @@ win.setAccentColor('#ff0000')
 // RGB format (alpha ignored if present).
 win.setAccentColor('rgba(255,0,0,0.5)')
 
-// Use system accent color.
+// Enable accent color, using the color specified in System Settings.
 win.setAccentColor(true)
 
 // Disable accent color.
 win.setAccentColor(false)
+
+// Reset window accent color behavior to follow behavior set in System Settings.
+win.setAccentColor(null)
 ```
 
 #### `win.getAccentColor()` _Windows_

docs/api/browser-window.md

@@ -140,6 +140,10 @@ state is `hidden` in order to minimize power consumption.
   move.
 * On Linux the type of modal windows will be changed to `dialog`.
 * On Linux many desktop environments do not support hiding a modal window.
+* On Wayland (Linux) it is generally not possible to programmatically resize windows
+  after creation, or to position, move, focus, or blur windows without user input.
+  If your app needs these capabilities, run it in Xwayland by appending the flag
+  `--ozone-platform=x11`.
 
 ## Class: BrowserWindow extends `BaseWindow`
 
@@ -656,10 +660,15 @@ the [close event](#event-close).
 
 Focuses on the window.
 
+On Wayland (Linux), the desktop environment may show a notification or flash
+the app icon if the window or app is not already focused.
+
 #### `win.blur()`
 
 Removes focus from the window.
 
+Not supported on Wayland (Linux).
+
 #### `win.isFocused()`
 
 Returns `boolean` - Whether the window is focused.
@@ -676,6 +685,8 @@ Shows and gives focus to the window.
 
 Shows the window but doesn't focus on it.
 
+Not supported on Wayland (Linux).
+
 #### `win.hide()`
 
 Hides the window.
@@ -824,6 +835,8 @@ Closes the currently open [Quick Look][quick-look] panel.
 
 Resizes and moves the window to the supplied bounds. Any properties that are not supplied will default to their current values.
 
+On Wayland (Linux), has the same limitations as `setSize` and `setPosition`.
+
 ```js
 const { BrowserWindow } = require('electron')
 
@@ -866,6 +879,8 @@ See [Setting `backgroundColor`](#setting-the-backgroundcolor-property).
 Resizes and moves the window's client area (e.g. the web page) to
 the supplied bounds.
 
+On Wayland (Linux), has the same limitations as `setContentSize` and `setPosition`.
+
 #### `win.getContentBounds()`
 
 Returns [`Rectangle`](structures/rectangle.md) - The `bounds` of the window's client area as `Object`.
@@ -895,6 +910,8 @@ Returns `boolean` - whether the window is enabled.
 
 Resizes the window to `width` and `height`. If `width` or `height` are below any set minimum size constraints the window will snap to its minimum size.
 
+On Wayland (Linux), may not work as some window managers restrict programmatic window resizing.
+
 #### `win.getSize()`
 
 Returns `Integer[]` - Contains the window's width and height.
@@ -907,6 +924,8 @@ Returns `Integer[]` - Contains the window's width and height.
 
 Resizes the window's client area (e.g. the web page) to `width` and `height`.
 
+On Wayland (Linux), may not work as some window managers restrict programmatic window resizing.
+
 #### `win.getContentSize()`
 
 Returns `Integer[]` - Contains the window's client area's width and height.
@@ -1044,12 +1063,16 @@ this method throws an error.
 
 #### `win.moveTop()`
 
-Moves window to top(z-order) regardless of focus
+Moves window to top(z-order) regardless of focus.
+
+Not supported on Wayland (Linux).
 
 #### `win.center()`
 
 Moves window to the center of the screen.
 
+Not supported on Wayland (Linux).
+
 #### `win.setPosition(x, y[, animate])`
 
 * `x` Integer
@@ -1058,6 +1081,8 @@ Moves window to the center of the screen.
 
 Moves window to `x` and `y`.
 
+Not supported on Wayland (Linux).
+
 #### `win.getPosition()`
 
 Returns `Integer[]` - Contains the window's current position.
@@ -1227,7 +1252,8 @@ Captures a snapshot of the page within `rect`. Omitting `rect` will capture the
 
 Returns `Promise<void>` - the promise will resolve when the page has finished loading
 (see [`did-finish-load`](web-contents.md#event-did-finish-load)), and rejects
-if the page fails to load (see [`did-fail-load`](web-contents.md#event-did-fail-load)).
+if the page fails to load (see
+[`did-fail-load`](web-contents.md#event-did-fail-load)). A noop rejection handler is already attached, which avoids unhandled rejection errors. If the existing page has a beforeUnload handler, [`did-fail-load`](web-contents.md#event-did-fail-load) will be called unless [`will-prevent-unload`](web-contents.md#event-did-fail-load) is handled.
 
 Same as [`webContents.loadURL(url[, options])`](web-contents.md#contentsloadurlurl-options).
 
@@ -1442,15 +1468,16 @@ Sets the properties for the window's taskbar button.
 
 #### `win.setAccentColor(accentColor)` _Windows_
 
-* `accentColor` boolean | string - The accent color for the window. By default, follows user preference in System Settings.
+* `accentColor` boolean | string | null - The accent color for the window. By default, follows user preference in System Settings. To reset to system default, pass `null`.
 
 Sets the system accent color and highlighting of active window border.
 
 The `accentColor` parameter accepts the following values:
 
-* **Color string** - Sets a custom accent color using standard CSS color formats (Hex, RGB, RGBA, HSL, HSLA, or named colors). Alpha values in RGBA/HSLA formats are ignored and the color is treated as fully opaque.
-* **`true`** - Uses the system's default accent color from user preferences in System Settings.
-* **`false`** - Explicitly disables accent color highlighting for the window.
+* **Color string** - Like `true`, but sets a custom accent color using standard CSS color formats (Hex, RGB, RGBA, HSL, HSLA, or named colors). Alpha values in RGBA/HSLA formats are ignored and the color is treated as fully opaque.
+* **`true`** - Enable accent color highlighting for the window with the system accent color regardless of whether accent colors are enabled for windows in System `Settings.`
+* **`false`** - Disable accent color highlighting for the window regardless of whether accent colors are currently enabled for windows in System Settings.
+* **`null`** - Reset window accent color behavior to follow behavior set in System Settings.
 
 Examples:
 
@@ -1463,11 +1490,14 @@ win.setAccentColor('#ff0000')
 // RGB format (alpha ignored if present).
 win.setAccentColor('rgba(255,0,0,0.5)')
 
-// Use system accent color.
+// Enable accent color, using the color specified in System Settings.
 win.setAccentColor(true)
 
 // Disable accent color.
 win.setAccentColor(false)
+
+// Reset window accent color behavior to follow behavior set in System Settings.
+win.setAccentColor(null)
 ```
 
 #### `win.getAccentColor()` _Windows_
@@ -1570,11 +1600,18 @@ events.
 
 Prevents the window contents from being captured by other apps.
 
-On macOS it sets the NSWindow's [`sharingType`](https://developer.apple.com/documentation/appkit/nswindow/sharingtype-swift.property?language=objc) to [`NSWindowSharingNone`](https://developer.apple.com/documentation/appkit/nswindow/sharingtype-swift.enum/none?language=objc).
-On Windows it calls [`SetWindowDisplayAffinity`](https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowdisplayaffinity) with `WDA_EXCLUDEFROMCAPTURE`.
+On Windows, it calls [`SetWindowDisplayAffinity`](https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowdisplayaffinity) with `WDA_EXCLUDEFROMCAPTURE`.
 For Windows 10 version 2004 and up the window will be removed from capture entirely,
 older Windows versions behave as if `WDA_MONITOR` is applied capturing a black window.
 
+On macOS, it sets the `NSWindow`'s
+[`sharingType`](https://developer.apple.com/documentation/appkit/nswindow/sharingtype-swift.property?language=objc)
+to
+[`NSWindowSharingNone`](https://developer.apple.com/documentation/appkit/nswindow/sharingtype-swift.enum/none?language=objc).
+Unfortunately, due to an intentional change in macOS, newer Mac applications that use
+`ScreenCaptureKit` will capture your window despite `win.setContentProtection(true)`.
+See [here](https://github.com/electron/electron/issues/48258#issuecomment-3269893618).
+
 #### `win.isContentProtected()` _macOS_ _Windows_
 
 Returns `boolean` - whether or not content protection is currently enabled.

docs/api/client-request.md

@@ -25,6 +25,11 @@ following properties:
     with which the request is associated. Defaults to the empty string. The
     `session` option supersedes `partition`. Thus if a `session` is explicitly
     specified, `partition` is ignored.
+  * `bypassCustomProtocolHandlers` boolean (optional) - When set to `true`,
+    custom protocol handlers registered for the request's URL scheme will not be
+    called. This allows forwarding an intercepted request to the built-in
+    handler. [webRequest](web-request.md) handlers will still be triggered
+    when bypassing custom protocols. Defaults to `false`.
   * `credentials` string (optional) - Can be `include`, `omit` or
     `same-origin`. Whether to send
     [credentials](https://fetch.spec.whatwg.org/#credentials) with this

docs/api/clipboard.md

@@ -2,7 +2,16 @@
 
 > Perform copy and paste operations on the system clipboard.
 
-Process: [Main](../glossary.md#main-process), [Renderer](../glossary.md#renderer-process) (non-sandboxed only)
+Process: [Main](../glossary.md#main-process), [Renderer](../glossary.md#renderer-process) _Deprecated_ (non-sandboxed only)
+
+> [!NOTE]
+> Using the `clipoard` API from the renderer process is deprecated.
+
+> [!IMPORTANT]
+> If you want to call this API from a renderer process,
+> place the API call in your preload script and
+> [expose](../tutorial/context-isolation.md#after-context-isolation-enabled) it using the
+> [`contextBridge`](context-bridge.md) API.
 
 On Linux, there is also a `selection` clipboard. To manipulate it
 you need to pass `selection` to each method:

docs/api/command-line-switches.md

@@ -49,6 +49,10 @@ Disables the disk cache for HTTP requests.
 
 Disable HTTP/2 and SPDY/3.1 protocols.
 
+### --disable-geolocation _macOS_
+
+Disables the Geolocation API. Permission requests for geolocation will be denied internally regardless of the decision made by a handler set via `session.setPermissionRequestHandler`. This functionality is currently implemented only for macOS. Has no effect on other platforms.
+
 ### --disable-renderer-backgrounding
 
 Prevents Chromium from lowering the priority of invisible pages' renderer
@@ -86,7 +90,7 @@ Field trials to be forcefully enabled or disabled.
 
 For example: `WebRTC-Audio-Red-For-Opus/Enabled/`
 
-### --host-rules=`rules`
+### --host-rules=`rules` _Deprecated_
 
 A comma-separated list of `rules` that control how hostnames are mapped.
 
@@ -104,9 +108,23 @@ These mappings apply to the endpoint host in a net request (the TCP connect
 and host resolver in a direct connection, and the `CONNECT` in an HTTP proxy
 connection, and the endpoint host in a `SOCKS` proxy connection).
 
+**Deprecated:** Use the `--host-resolver-rules` switch instead.
+
 ### --host-resolver-rules=`rules`
 
-Like `--host-rules` but these `rules` only apply to the host resolver.
+A comma-separated list of `rules` that control how hostnames are mapped.
+
+For example:
+
+* `MAP * 127.0.0.1` Forces all hostnames to be mapped to 127.0.0.1
+* `MAP *.google.com proxy` Forces all google.com subdomains to be resolved to
+  "proxy".
+* `MAP test.com [::1]:77` Forces "test.com" to resolve to IPv6 loopback. Will
+  also force the port of the resulting socket address to be 77.
+* `MAP * baz, EXCLUDE www.google.com` Remaps everything to "baz", except for
+  "www.google.com".
+
+These `rules` only apply to the host resolver.
 
 ### --ignore-certificate-errors
 
@@ -179,6 +197,11 @@ Disables the Chromium [sandbox](https://www.chromium.org/developers/design-docum
 Forces renderer process and Chromium helper processes to run un-sandboxed.
 Should only be used for testing.
 
+### --no-stdio-init
+
+Disable stdio initialization during node initialization.
+Used to avoid node initialization crash when the nul device is disabled on Windows platform.
+
 ### --proxy-bypass-list=`hosts`
 
 Instructs Electron to bypass the proxy server for the given semi-colon-separated

docs/api/crash-reporter.md

@@ -4,6 +4,12 @@
 
 Process: [Main](../glossary.md#main-process), [Renderer](../glossary.md#renderer-process)
 
+> [!IMPORTANT]
+> If you want to call this API from a renderer process with context isolation enabled,
+> place the API call in your preload script and
+> [expose](../tutorial/context-isolation.md#after-context-isolation-enabled) it using the
+> [`contextBridge`](context-bridge.md) API.
+
 The following is an example of setting up Electron to automatically submit
 crash reports to a remote server:
 

docs/api/desktop-capturer.md

@@ -102,6 +102,10 @@ Returns `Promise<DesktopCapturerSource[]>` - Resolves with an array of [`Desktop
 
 ## Caveats
 
+`desktopCapturer.getSources(options)` only returns a single source on Linux when using Pipewire.
+
+PipeWire supports a single capture for both screens and windows. If you request the window and screen type, the selected source will be returned as a window capture.
+
 `navigator.mediaDevices.getUserMedia` does not work on macOS for audio capture due to a fundamental limitation whereby apps that want to access the system's audio require a [signed kernel extension](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html). Chromium, and by extension Electron, does not provide this.
 
 It is possible to circumvent this limitation by capturing system audio with another macOS app like Soundflower and passing it through a virtual audio input device. This virtual device can then be queried with `navigator.mediaDevices.getUserMedia`.

docs/api/environment-variables.md

@@ -186,14 +186,3 @@ the one downloaded by `npm install`. Usage:
 ```sh
 export ELECTRON_OVERRIDE_DIST_PATH=/Users/username/projects/electron/out/Testing
 ```
-
-## Set By Electron
-
-Electron sets some variables in your environment at runtime.
-
-### `ORIGINAL_XDG_CURRENT_DESKTOP`
-
-This variable is set to the value of `XDG_CURRENT_DESKTOP` that your application
-originally launched with.  Electron sometimes modifies the value of `XDG_CURRENT_DESKTOP`
-to affect other logic within Chromium so if you want access to the _original_ value
-you should look up this environment variable instead.

docs/api/ipc-renderer.md

@@ -20,6 +20,12 @@ changes:
 
 Process: [Renderer](../glossary.md#renderer-process)
 
+> [!IMPORTANT]
+> If you want to call this API from a renderer process with context isolation enabled,
+> place the API call in your preload script and
+> [expose](../tutorial/context-isolation.md#after-context-isolation-enabled) it using the
+> [`contextBridge`](context-bridge.md) API.
+
 The `ipcRenderer` module is an  [EventEmitter][event-emitter]. It provides a few
 methods so you can send synchronous and asynchronous messages from the render
 process (web page) to the main process. You can also receive replies from the

docs/api/menu-item.md

@@ -1,3 +1,5 @@
+# MenuItem
+
 ## Class: MenuItem
 
 > Add items to native application menus and context menus.
@@ -32,7 +34,8 @@ See [`Menu`](menu.md) for examples.
   * `sublabel` string (optional) _macOS_ - Available in macOS >= 14.4
   * `toolTip` string (optional) _macOS_ - Hover text for this menu item.
   * `accelerator` string (optional) - An [Accelerator](../tutorial/keyboard-shortcuts.md#accelerators) string.
-  * `icon` ([NativeImage](native-image.md) | string) (optional)
+  * `icon` ([NativeImage](native-image.md) | string) (optional) - Can be a
+    [NativeImage](native-image.md) or the file path of an icon.
   * `enabled` boolean (optional) - If false, the menu item will be greyed out and
     unclickable.
   * `acceleratorWorksWhenHidden` boolean (optional) _macOS_ - default is `true`, and when `false` will prevent the accelerator from triggering the item if the item is not visible.

docs/api/menu.md

@@ -2,10 +2,15 @@
 
 ## Class: Menu
 
-> Create native application menus and context menus.
+> Create application menus and context menus.
 
 Process: [Main](../glossary.md#main-process)
 
+The presentation of menus varies depending on the operating system:
+
+- Under Windows and Linux, menus are visually similar to Chromium.
+- Under macOS, these will be native menus.
+
 > [!TIP]
 > See also: [A detailed guide about how to implement menus in your application](../tutorial/menus.md).
 

docs/api/native-image.md

@@ -4,6 +4,12 @@
 
 Process: [Main](../glossary.md#main-process), [Renderer](../glossary.md#renderer-process)
 
+> [!IMPORTANT]
+> If you want to call this API from a renderer process with context isolation enabled,
+> place the API call in your preload script and
+> [expose](../tutorial/context-isolation.md#after-context-isolation-enabled) it using the
+> [`contextBridge`](context-bridge.md) API.
+
 The `nativeImage` module provides a unified interface for manipulating
 system images. These can be handy if you want to provide multiple scaled
 versions of the same icon or take advantage of macOS [template images][template-image].
@@ -196,8 +202,7 @@ Creates a new `NativeImage` instance from `dataUrl`, a base 64 encoded [Data URL
 Returns `NativeImage`
 
 Creates a new `NativeImage` instance from the `NSImage` that maps to the
-given image name. See Apple's [`NSImageName`](https://developer.apple.com/documentation/appkit/nsimagename#2901388)
-documentation for a list of possible values.
+given image name. See Apple's [`NSImageName`](https://developer.apple.com/documentation/appkit/nsimagename#2901388) documentation and [SF Symbols](https://developer.apple.com/sf-symbols/) for a list of possible values.
 
 The `hslShift` is applied to the image with the following rules:
 
@@ -225,6 +230,15 @@ echo -e '#import <Cocoa/Cocoa.h>\nint main() { NSLog(@"%@", SYSTEM_IMAGE_NAME);
 
 where `SYSTEM_IMAGE_NAME` should be replaced with any value from [this list](https://developer.apple.com/documentation/appkit/nsimagename?language=objc).
 
+For SF Symbols, usage looks as follows:
+
+```js
+const image = nativeImage.createFromNamedImage('square.and.pencil')
+```
+
+where `'square.and.pencil'` is the symbol name from the
+[SF Symbols app](https://developer.apple.com/sf-symbols/).
+
 ## Class: NativeImage
 
 > Natively wrap images such as tray, dock, and application icons.

docs/api/process.md

@@ -211,6 +211,10 @@ Returns `Object`:
   system.
 * `free` Integer - The total amount of memory not being used by applications or disk
   cache.
+* `fileBacked` Integer _macOS_ - The amount of memory that currently has been paged out to storage.
+  Includes memory for file caches, network buffers, and other system services.
+* `purgeable` Integer _macOS_ - The amount of memory that is marked as "purgeable". The system can reclaim it
+  if memory pressure increases.
 * `swapTotal` Integer _Windows_ _Linux_ - The total amount of swap memory in Kilobytes available to the
   system.
 * `swapFree` Integer _Windows_ _Linux_ - The free amount of swap memory in Kilobytes available to the

docs/api/service-worker-main.md

@@ -1,11 +1,7 @@
-# ServiceWorkerMain
+## Class: ServiceWorkerMain
 
 > An instance of a Service Worker representing a version of a script for a given scope.
 
-Process: [Main](../glossary.md#main-process)
-
-## Class: ServiceWorkerMain
-
 Process: [Main](../glossary.md#main-process)<br />
 _This class is not exported from the `'electron'` module. It is only available as a return value of other methods in the Electron API._
 

docs/api/session.md

@@ -66,7 +66,7 @@ The `session` module has the following properties:
 
 ### `session.defaultSession`
 
-A `Session` object, the default session object of the app.
+A `Session` object, the default session object of the app, available after `app.whenReady` is called.
 
 ## Class: Session
 
@@ -939,14 +939,18 @@ session.fromPartition('some-partition').setPermissionRequestHandler((webContents
     * `top-level-storage-access` -  Allow top-level sites to request third-party cookie access on behalf of embedded content originating from another site in the same related website set using the [Storage Access API](https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API).
     * `usb` - Expose non-standard Universal Serial Bus (USB) compatible devices services to the web with the [WebUSB API](https://developer.mozilla.org/en-US/docs/Web/API/WebUSB_API).
     * `deprecated-sync-clipboard-read` _Deprecated_ - Request access to run `document.execCommand("paste")`
+    * `fileSystem` - Access to read, write, and file management capabilities using the [File System API](https://developer.mozilla.org/en-US/docs/Web/API/File_System_API).
   * `requestingOrigin` string - The origin URL of the permission check
   * `details` Object - Some properties are only available on certain permission types.
     * `embeddingOrigin` string (optional) - The origin of the frame embedding the frame that made the permission check.  Only set for cross-origin sub frames making permission checks.
     * `securityOrigin` string (optional) - The security origin of the `media` check.
     * `mediaType` string (optional) - The type of media access being requested, can be `video`,
-      `audio` or `unknown`
+      `audio` or `unknown`.
     * `requestingUrl` string (optional) - The last URL the requesting frame loaded.  This is not provided for cross-origin sub frames making permission checks.
-    * `isMainFrame` boolean - Whether the frame making the request is the main frame
+    * `isMainFrame` boolean - Whether the frame making the request is the main frame.
+    * `filePath` string (optional) - The path of a `fileSystem` request.
+    * `isDirectory` boolean (optional) - Whether a `fileSystem` request is a directory.
+    * `fileAccessType` string (optional) - The access type of a `fileSystem` request. Can be `writable` or `readable`.
 
 Sets the handler which can be used to respond to permission checks for the `session`.
 Returning `true` will allow the permission and `false` will reject it.  Please note that
@@ -968,6 +972,9 @@ session.fromPartition('some-partition').setPermissionCheckHandler((webContents,
 })
 ```
 
+> [!NOTE]
+> `isMainFrame` will always be `false` for a `fileSystem` request as a result of Chromium limitations.
+
 #### `ses.setDisplayMediaRequestHandler(handler[, opts])`
 
 * `handler` Function | null

docs/api/shared-texture.md

@@ -0,0 +1,58 @@
+# sharedTexture
+
+> Import shared textures into Electron and converts platform specific handles into [`VideoFrame`](https://developer.mozilla.org/en-US/docs/Web/API/VideoFrame). Supports all Web rendering systems, and can be transferred across Electron processes. Read [here](https://github.com/electron/electron/blob/main/shell/common/api/shared_texture/README.md) for more information.
+
+Process: [Main](../glossary.md#main-process), [Renderer](../glossary.md#renderer-process)
+
+## Methods
+
+The `sharedTexture` module has the following methods:
+
+**Note:** Experimental APIs are marked as such and could be removed in the future.
+
+### `sharedTexture.importSharedTexture(options)` _Experimental_
+
+* `options` Object - Options for importing shared textures.
+  * `textureInfo` [SharedTextureImportTextureInfo](structures/shared-texture-import-texture-info.md) - The information of the shared texture to import.
+  * `allReferencesReleased` Function (optional) - Called when all references in all processes are released. You should keep the imported texture valid until this callback is called.
+
+Imports the shared texture from the given options.
+
+> [!NOTE]
+> This method is only available in the main process.
+
+Returns `SharedTextureImported` - The imported shared texture.
+
+### `sharedTexture.sendSharedTexture(options, ...args)` _Experimental_
+
+* `options` Object - Options for sending shared texture.
+  * `frame` [WebFrameMain](web-frame-main.md) - The target frame to transfer the shared texture to. For `WebContents`, you can pass `webContents.mainFrame`. If you provide a `webFrameMain` that is not a main frame, you'll need to enable `webPreferences.nodeIntegrationInSubFrames` for this, since this feature requires [IPC](https://www.electronjs.org/docs/latest/api/web-frame-main#frameipc-readonly) between main and the frame.
+  * `importedSharedTexture` [SharedTextureImported](structures/shared-texture-imported.md) - The imported shared texture.
+* `...args` any[] - Additional arguments to pass to the renderer process.
+
+Send the imported shared texture to a renderer process. You must register a receiver at renderer process before calling this method. This method has a 1000ms timeout. Ensure the receiver is set and the renderer process is alive before calling this method.
+
+> [!NOTE]
+> This method is only available in the main process.
+
+Returns `Promise<void>` - Resolves when the transfer is complete.
+
+### `sharedTexture.setSharedTextureReceiver(callback)` _Experimental_
+
+* `callback` Function\<Promise\<void\>\> - The function to receive the imported shared texture.
+  * `receivedSharedTextureData` Object - The data received from the main process.
+    * `importedSharedTexture` [SharedTextureImported](structures/shared-texture-imported.md) - The imported shared texture.
+  * `...args` any[] - Additional arguments passed from the main process.
+
+Set a callback to receive imported shared textures from the main process.
+
+> [!NOTE]
+> This method is only available in the renderer process.
+
+## Properties
+
+The `sharedTexture` module has the following properties:
+
+### `sharedTexture.subtle` _Experimental_
+
+A [`SharedTextureSubtle`](structures/shared-texture-subtle.md) property, provides subtle APIs for interacting with shared texture for advanced users.

docs/api/structures/base-window-options.md

@@ -72,6 +72,9 @@
   some GTK+3 desktop environments. Default is `false`.
 * `transparent` boolean (optional) - Makes the window [transparent](../../tutorial/custom-window-styles.md#transparent-windows).
   Default is `false`. On Windows, does not work unless the window is frameless.
+  When you add a [`View`](../view.md) to a `BaseWindow`, you'll need to call
+  [`view.setBackgroundColor`](../view.md#viewsetbackgroundcolorcolor) with a transparent
+  background color on that view to make its background transparent as well.
 * `type` string (optional) - The type of window, default is normal window. See more about
   this below.
 * `visualEffectState` string (optional) _macOS_ - Specify how the material
@@ -102,9 +105,10 @@
   should have rounded corners. Default is `true`. Setting this property
   to `false` will prevent the window from being fullscreenable on macOS.
   On Windows versions older than Windows 11 Build 22000 this property has no effect, and frameless windows will not have rounded corners.
-* `thickFrame` boolean (optional) - Use `WS_THICKFRAME` style for frameless windows on
-  Windows, which adds standard window frame. Setting it to `false` will remove
-  window shadow and window animations. Default is `true`.
+* `thickFrame` boolean (optional) _Windows_ - Use `WS_THICKFRAME` style for
+  frameless windows on Windows, which adds the standard window frame. Setting it
+  to `false` will remove window shadow and window animations, and disable window
+  resizing via dragging the window edges. Default is `true`.
 * `vibrancy` string (optional) _macOS_ - Add a type of vibrancy effect to
   the window, only on macOS. Can be `appearance-based`, `titlebar`, `selection`,
   `menu`, `popover`, `sidebar`, `header`, `sheet`, `window`, `hud`, `fullscreen-ui`,

docs/api/structures/offscreen-shared-texture.md

@@ -2,7 +2,10 @@
 
 * `textureInfo` Object - The shared texture info.
   * `widgetType` string - The widget type of the texture. Can be `popup` or `frame`.
-  * `pixelFormat` string - The pixel format of the texture. Can be `rgba` or `bgra`.
+  * `pixelFormat` string - The pixel format of the texture.
+    * `rgba` - The texture format is 8-bit unorm RGBA.
+    * `bgra` - The texture format is 8-bit unorm BGRA.
+    * `rgbaf16` - The texture format is 16-bit float RGBA.
   * `codedSize` [Size](size.md) - The full dimensions of the video frame.
   * `colorSpace` [ColorSpace](color-space.md) - The color space of the video frame.
   * `visibleRect` [Rectangle](rectangle.md) - A subsection of [0, 0, codedSize.width, codedSize.height]. In OSR case, it is expected to have the full section area.

docs/api/structures/render-process-gone-details.md

@@ -8,6 +8,7 @@
   * `oom` - Process ran out of memory
   * `launch-failed` - Process never successfully launched
   * `integrity-failure` - Windows code integrity checks failed
+  * `memory-eviction` - Process proactively terminated to prevent a future out-of-memory (OOM) situation
 * `exitCode` Integer - The exit code of the process, unless `reason` is
   `launch-failed`, in which case `exitCode` will be a platform-specific
   launch failure error code.

docs/api/structures/shared-texture-import-texture-info.md

@@ -0,0 +1,12 @@
+# SharedTextureImportTextureInfo Object
+
+* `pixelFormat` string - The pixel format of the texture.
+  * `bgra` - 32bpp BGRA (byte-order), 1 plane.
+  * `rgba` - 32bpp RGBA (byte-order), 1 plane.
+  * `rgbaf16` - Half float RGBA, 1 plane.
+  * `nv12` - 12bpp with Y plane followed by a 2x2 interleaved UV plane.
+* `colorSpace` [ColorSpace](color-space.md) (optional) - The color space of the texture.
+* `codedSize` [Size](size.md) - The full dimensions of the shared texture.
+* `visibleRect` [Rectangle](rectangle.md) (optional) - A subsection of [0, 0, codedSize.width, codedSize.height]. In common cases, it is the full section area.
+* `timestamp` number (optional) - A timestamp in microseconds that will be reflected to `VideoFrame`.
+* `handle` [SharedTextureHandle](shared-texture-handle.md) - The shared texture handle.

docs/api/structures/shared-texture-imported-subtle.md

@@ -0,0 +1,9 @@
+# SharedTextureImportedSubtle Object
+
+* `getVideoFrame` Function\<[VideoFrame](https://developer.mozilla.org/en-US/docs/Web/API/VideoFrame)\> - Create a `VideoFrame` that uses the imported shared texture in the current process. You can call `VideoFrame.close()` once you've finished using the object. The underlying resources will wait for GPU finish internally.
+* `release` Function - Release the resources. If you transferred and get multiple `SharedTextureImported` objects, you have to `release` every one of them. The resource on the GPU process will be destroyed when the last one is released.
+  * `callback` Function (optional) - Callback when the GPU command buffer finishes using this shared texture. It provides a precise event to safely release dependent resources. For example, if this object is created by `finishTransferSharedTexture`, you can use this callback to safely release the original one that called `startTransferSharedTexture` in other processes. You can also release the source shared texture that was used to `importSharedTexture` safely.
+* `startTransferSharedTexture` Function\<[SharedTextureTransfer](shared-texture-transfer.md)\> - Create a `SharedTextureTransfer` that can be serialized and transferred to other processes.
+* `getFrameCreationSyncToken` Function\<[SharedTextureSyncToken](shared-texture-sync-token.md)\> - This method is for advanced users. If used, it is typically called after `finishTransferSharedTexture`, and should be passed to the object which was called `startTransferSharedTexture` to prevent the source object release the underlying resource before the target object actually acquire the reference at gpu process asyncly.
+* `setReleaseSyncToken` Function - This method is for advanced users. If used, this object's underlying resource will not be released until the set sync token is fulfilled at gpu process. By using sync tokens, users are not required to use release callbacks for lifetime management.
+  * `syncToken` [SharedTextureSyncToken](shared-texture-sync-token.md) - The sync token to set.

docs/api/structures/shared-texture-imported.md

@@ -0,0 +1,6 @@
+# SharedTextureImported Object
+
+* `textureId` string - The unique identifier of the imported shared texture.
+* `getVideoFrame` Function\<[VideoFrame](https://developer.mozilla.org/en-US/docs/Web/API/VideoFrame)\> - Create a `VideoFrame` that uses the imported shared texture in the current process. You can call `VideoFrame.close()` once you've finished using the object. The underlying resources will wait for GPU finish internally.
+* `release` Function - Release this object's reference of the imported shared texture. The underlying resource will be alive until every reference is released.
+* `subtle` [SharedTextureImportedSubtle](shared-texture-imported-subtle.md) - Provides subtle APIs to interact with the imported shared texture for advanced users.

docs/api/structures/shared-texture-subtle.md

@@ -0,0 +1,6 @@
+# SharedTextureSubtle Object
+
+* `importSharedTexture` Function\<[SharedTextureImportedSubtle](shared-texture-imported-subtle.md)\> - Imports the shared texture from the given options. Returns the imported shared texture.
+  * `textureInfo` [SharedTextureImportTextureInfo](shared-texture-import-texture-info.md) - The information of shared texture to import.
+* `finishTransferSharedTexture` Function\<[SharedTextureImportedSubtle](shared-texture-imported-subtle.md)\> - Finishes the transfer of the shared texture and gets the transferred shared texture. Returns the imported shared texture from the transfer object.
+  * `transfer` [SharedTextureTransfer](shared-texture-transfer.md) - The transfer object of the shared texture.

docs/api/structures/shared-texture-sync-token.md

@@ -0,0 +1,3 @@
+# SharedTextureSyncToken Object
+
+* `syncToken` string - The opaque data for sync token.

docs/api/structures/shared-texture-transfer.md

@@ -0,0 +1,10 @@
+# SharedTextureTransfer Object
+
+* `transfer` string _Readonly_ - The opaque transfer data of the shared texture. This can be transferred across Electron processes.
+* `syncToken` string _Readonly_ - The opaque sync token data for frame creation.
+* `pixelFormat` string _Readonly_ - The pixel format of the transferring texture.
+* `codedSize` [Size](size.md) _Readonly_ - The full dimensions of the shared texture.
+* `visibleRect` [Rectangle](rectangle.md) _Readonly_ - A subsection of [0, 0, codedSize.width(), codedSize.height()]. In common cases, it is the full section area.
+* `timestamp` number _Readonly_ - A timestamp in microseconds that will be reflected to `VideoFrame`.
+
+Use `sharedTexture.subtle.finishTransferSharedTexture` to get [`SharedTextureImportedSubtle`](shared-texture-imported-subtle.md) back.

docs/api/structures/web-preferences.md

@@ -21,7 +21,9 @@
   associated with the window, making it compatible with the Chromium
   OS-level sandbox and disabling the Node.js engine. This is not the same as
   the `nodeIntegration` option and the APIs available to the preload script
-  are more limited. Read more about the option [here](../../tutorial/sandbox.md).
+  are more limited. Default is `true` since Electron 20. The sandbox will
+  automatically be disabled when `nodeIntegration` is set to `true`.
+  Read more about the option [here](../../tutorial/sandbox.md).
 * `session` [Session](../session.md#class-session) (optional) - Sets the session used by the
   page. Instead of passing the Session object directly, you can also choose to
   use the `partition` option instead, which accepts a partition string. When
@@ -87,6 +89,11 @@
      paint event. Defaults to `false`. See the
     [offscreen rendering tutorial](../../tutorial/offscreen-rendering.md) for
     more details.
+  * `sharedTexturePixelFormat` string (optional) _Experimental_ - The requested output format of the shared texture. Defaults to `argb`.
+    The name is originated from Chromium [`media::VideoPixelFormat`](https://source.chromium.org/chromium/chromium/src/+/main:media/base/video_types.h) enum suffix and only subset of them are supported.
+    The actual output pixel format and color space of the texture should refer to [`OffscreenSharedTexture`](../structures/offscreen-shared-texture.md) object in the `paint` event.
+    * `argb` - The requested output texture format is 8-bit unorm RGBA, with SRGB SDR color space.
+    * `rgbaf16` - The requested output texture format is 16-bit float RGBA, with scRGB HDR color space.
 * `contextIsolation` boolean (optional) - Whether to run Electron APIs and
   the specified `preload` script in a separate JavaScript context. Defaults
   to `true`. The context that the `preload` script runs in will only have

docs/api/system-preferences.md

@@ -14,7 +14,7 @@ console.log(systemPreferences.getEffectiveAppearance())
 
 The `systemPreferences` object emits the following events:
 
-### Event: 'accent-color-changed' _Windows_
+### Event: 'accent-color-changed' _Windows_ _Linux_
 
 Returns:
 
@@ -182,7 +182,7 @@ Some popular `key` and `type`s are:
 Removes the `key` in `NSUserDefaults`. This can be used to restore the default
 or global value of a `key` previously set with `setUserDefault`.
 
-### `systemPreferences.getAccentColor()` _Windows_ _macOS_
+### `systemPreferences.getAccentColor()`
 
 Returns `string` - The users current system wide accent color preference in RGBA
 hexadecimal form.

docs/api/web-contents.md

@@ -1079,7 +1079,7 @@ Emitted when the [mainFrame](web-contents.md#contentsmainframe-readonly), an `<i
 Returns `Promise<void>` - the promise will resolve when the page has finished loading
 (see [`did-finish-load`](web-contents.md#event-did-finish-load)), and rejects
 if the page fails to load (see
-[`did-fail-load`](web-contents.md#event-did-fail-load)). A noop rejection handler is already attached, which avoids unhandled rejection errors.
+[`did-fail-load`](web-contents.md#event-did-fail-load)). A noop rejection handler is already attached, which avoids unhandled rejection errors. If the existing page has a beforeUnload handler, [`did-fail-load`](web-contents.md#event-did-fail-load) will be called unless [`will-prevent-unload`](web-contents.md#event-did-fail-load) is handled.
 
 Loads the `url` in the window. The `url` must contain the protocol prefix,
 e.g. the `http://` or `file://`. If the load should bypass http cache then

docs/api/web-frame.md

@@ -4,6 +4,12 @@
 
 Process: [Renderer](../glossary.md#renderer-process)
 
+> [!IMPORTANT]
+> If you want to call this API from a renderer process with context isolation enabled,
+> place the API call in your preload script and
+> [expose](../tutorial/context-isolation.md#after-context-isolation-enabled) it using the
+> [`contextBridge`](context-bridge.md) API.
+
 `webFrame` export of the Electron module is an instance of the `WebFrame`
 class representing the current frame. Sub-frames can be retrieved by
 certain properties and methods (e.g. `webFrame.firstChild`).
@@ -139,7 +145,7 @@ by its key, which is returned from `webFrame.insertCSS(css)`.
 
 Inserts `text` to the focused element.
 
-### `webFrame.executeJavaScript(code[, userGesture, callback])`
+### `webFrame.executeJavaScript(code[, userGesture][, callback])`
 
 * `code` string
 * `userGesture` boolean (optional) - Default is `false`.
@@ -160,7 +166,7 @@ In the browser window some HTML APIs like `requestFullScreen` can only be
 invoked by a gesture from the user. Setting `userGesture` to `true` will remove
 this limitation.
 
-### `webFrame.executeJavaScriptInIsolatedWorld(worldId, scripts[, userGesture, callback])`
+### `webFrame.executeJavaScriptInIsolatedWorld(worldId, scripts[, userGesture][, callback])`
 
 * `worldId` Integer - The ID of the world to run the javascript
             in, `0` is the default main world (where content runs), `999` is the

docs/api/web-utils.md

@@ -4,6 +4,12 @@
 
 Process: [Renderer](../glossary.md#renderer-process)
 
+> [!IMPORTANT]
+> If you want to call this API from a renderer process with context isolation enabled,
+> place the API call in your preload script and
+> [expose](../tutorial/context-isolation.md#after-context-isolation-enabled) it using the
+> [`contextBridge`](context-bridge.md) API.
+
 ## Methods
 
 The `webUtils` module has the following methods:
@@ -17,11 +23,27 @@ Returns `string` - The file system path that this `File` object points to. In th
 This method superseded the previous augmentation to the `File` object with the `path` property.  An example is included below.
 
 ```js @ts-nocheck
-// Before
-const oldPath = document.querySelector('input').files[0].path
-
-// After
-const { webUtils } = require('electron')
-
-const newPath = webUtils.getPathForFile(document.querySelector('input').files[0])
+// Before (renderer)
+const oldPath = document.querySelector('input[type=file]').files[0].path
+```
+
+```js @ts-nocheck
+// After
+
+// Renderer:
+
+const file = document.querySelector('input[type=file]').files[0]
+electronApi.doSomethingWithFile(file)
+
+// Preload script:
+
+const { contextBridge, webUtils } = require('electron')
+
+contextBridge.exposeInMainWorld('electronApi', {
+  doSomethingWithFile (file) {
+    const path = webUtils.getPathForFile(file)
+    // Do something with the path, e.g., send it over IPC to the main process.
+    // It's best not to expose the full file path to the web content if possible.
+  }
+})
 ```

docs/api/window-open.md

@@ -39,8 +39,8 @@ consider using `webContents.setWindowOpenHandler` to customize the
 BrowserWindow creation.
 
 A subset of [`WebPreferences`](structures/web-preferences.md) can be set directly,
-unnested, from the features string: `zoomFactor`, `nodeIntegration`, `preload`,
-`javascript`, `contextIsolation`, and `webviewTag`.
+unnested, from the features string: `zoomFactor`, `nodeIntegration`, `javascript`,
+`contextIsolation`, and `webviewTag`.
 
 For example:
 

docs/breaking-changes.md

@@ -12,23 +12,63 @@ This document uses the following convention to categorize breaking changes:
 * **Deprecated:** An API was marked as deprecated. The API will continue to function, but will emit a deprecation warning, and will be removed in a future release.
 * **Removed:** An API or feature was removed, and is no longer supported by Electron.
 
+## Planned Breaking API Changes (40.0)
+
+### Deprecated: `clipboard` API access from renderer processes
+
+Using the `clipboard` API directly in the renderer process is deprecated.
+If you want to call this API from a renderer process, place the API call in
+your preload script and expose it using the [contextBridge](https://www.electronjs.org/docs/latest/api/context-bridge) API.
+
+### Behavior Changed: MacOS dSYM files now compressed with tar.xz
+
+Debug symbols for MacOS (dSYM) now use xz compression in order to handle larger file sizes. `dsym.zip` files are now
+`dsym.tar.xz` files. End users using debug symbols may need to update their zip utilities.
+
 ## Planned Breaking API Changes (39.0)
 
-### Removed: `ELECTRON_OZONE_PLATFORM_HINT` evironment variable
+### Deprecated: `--host-rules` command line switch
 
-The default value of the `--ozone-plaftform` flag [changed to `auto`](https://chromium-review.googlesource.com/c/chromium/src/+/6775426) in Electron 38.
+Chromium is deprecating the `--host-rules` switch.
 
-You should use the `XDG_SESSION_TYPE=wayland` environment variable instead to use Wayland.
+You should use `--host-resolver-rules` instead.
+
+### Behavior Changed: window.open popups are always resizable
+
+Per current [WHATWG spec](https://html.spec.whatwg.org/multipage/nav-history-apis.html#dom-open-dev), the `window.open` API will now always create a resizable popup window.
+
+To restore previous behavior:
+
+```js
+webContents.setWindowOpenHandler((details) => {
+  return {
+    action: 'allow',
+    overrideBrowserWindowOptions: {
+      resizable: details.features.includes('resizable=yes')
+    }
+  }
+})
+```
+
+### Behavior Changed: shared texture OSR `paint` event data structure
+
+When using shared texture offscreen rendering feature, the `paint` event now emits a more structured object.
+It moves the `sharedTextureHandle`, `planes`, `modifier` into a unified `handle` property.
+See the [OffscreenSharedTexture](./api/structures/offscreen-shared-texture.md) API structure for more details.
 
 ## Planned Breaking API Changes (38.0)
 
-### Deprecated: `ELECTRON_OZONE_PLATFORM_HINT` environment variable
+### Removed: `ELECTRON_OZONE_PLATFORM_HINT` environment variable
 
-The default value of the `--ozone-plaftform` flag [changed to `auto`](https://chromium-review.googlesource.com/c/chromium/src/+/6775426).
+The default value of the `--ozone-platform` flag [changed to `auto`](https://chromium-review.googlesource.com/c/chromium/src/+/6775426).
 
-You should use the `XDG_SESSION_TYPE=wayland` environment variable instead to use Wayland.
+Electron now defaults to running as a native Wayland app when launched in a Wayland session (when `XDG_SESSION_TYPE=wayland`).
+Users can force XWayland by passing `--ozone-platform=x11`.
 
-This environment variable will be [removed soon](https://chromium-review.googlesource.com/c/chromium/src/+/6819616).
+### Removed: `ORIGINAL_XDG_CURRENT_DESKTOP` environment variable
+
+Previously, Electron changed the value of `XDG_CURRENT_DESKTOP` internally to `Unity`, and stored the original name of the desktop session
+in a separate variable. `XDG_CURRENT_DESKTOP` is no longer overriden and now reflects the actual desktop environment.
 
 ### Removed: macOS 11 support
 
@@ -53,29 +93,6 @@ The `webFrame.findFrameByRoutingId(routingId)` function will be removed.
 
 You should use `webFrame.findFrameByToken(frameToken)` instead.
 
-### Behavior Changed: window.open popups are always resizable
-
-Per current [WHATWG spec](https://html.spec.whatwg.org/multipage/nav-history-apis.html#dom-open-dev), the `window.open` API will now always create a resizable popup window.
-
-To restore previous behavior:
-
-```js
-webContents.setWindowOpenHandler((details) => {
-  return {
-    action: 'allow',
-    overrideBrowserWindowOptions: {
-      resizable: details.features.includes('resizable=yes')
-    }
-  }
-})
-```
-
-### Behavior Changed: shared texture OSR `paint` event data structure
-
-When using shared texture offscreen rendering feature, the `paint` event now emits a more structured object.
-It moves the `sharedTextureHandle`, `planes`, `modifier` into a unified `handle` property.
-See [here](https://www.electronjs.org/docs/latest/api/structures/offscreen-shared-texture) for more details.
-
 ## Planned Breaking API Changes (37.0)
 
 ### Utility Process unhandled rejection behavior change

docs/development/build-instructions-gn.md

@@ -191,12 +191,6 @@ $ ./out/Testing/electron
 
 ### Packaging
 
-On linux, first strip the debugging and symbol information:
-
-```sh
-$ electron/script/strip-binaries.py -d out/Release
-```
-
 To package the electron build as a distributable zip file:
 
 ```sh

docs/development/build-instructions-linux.md

@@ -6,77 +6,17 @@ Follow the guidelines below for building **Electron itself** on Linux, for the p
 
 ## Prerequisites
 
-* At least 25GB disk space and 8GB RAM.
-* Python >= 3.9.
-* [Node.js](https://nodejs.org/download/) >= 22.12.0
-* [clang](https://clang.llvm.org/get_started.html) 3.4 or later.
-* Development headers of GTK 3 and libnotify.
+Due to Electron's dependency on Chromium, prerequisites and dependencies for Electron change over time. [Chromium's documentation on building on Linux](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux/build_instructions.md) has up to date information for building Chromium on Linux. This documentation can generally
+be followed for building Electron on Linux as well.
 
-On Ubuntu >= 20.04, install the following libraries:
-
-```sh
-$ sudo apt-get install build-essential clang libdbus-1-dev libgtk-3-dev \
-                       libnotify-dev libasound2-dev libcap-dev \
-                       libcups2-dev libxtst-dev \
-                       libxss1 libnss3-dev gcc-multilib g++-multilib curl \
-                       gperf bison python3-dbusmock openjdk-8-jre
-```
-
-On Ubuntu < 20.04, install the following libraries:
-
-```sh
-$ sudo apt-get install build-essential clang libdbus-1-dev libgtk-3-dev \
-                       libnotify-dev libgnome-keyring-dev \
-                       libasound2-dev libcap-dev libcups2-dev libxtst-dev \
-                       libxss1 libnss3-dev gcc-multilib g++-multilib curl \
-                       gperf bison python-dbusmock openjdk-8-jre
-```
-
-On RHEL / CentOS, install the following libraries:
-
-```sh
-$ sudo yum install clang dbus-devel gtk3-devel libnotify-devel \
-                   libgnome-keyring-devel xorg-x11-server-utils libcap-devel \
-                   cups-devel libXtst-devel alsa-lib-devel libXrandr-devel \
-                   nss-devel python-dbusmock openjdk-8-jre
-```
-
-On Fedora, install the following libraries:
-
-```sh
-$ sudo dnf install clang dbus-devel gperf gtk3-devel \
-                   libnotify-devel libgnome-keyring-devel libcap-devel \
-                   cups-devel libXtst-devel alsa-lib-devel libXrandr-devel \
-                   nss-devel python-dbusmock
-```
-
-On Arch Linux / Manjaro, install the following libraries:
-
-```sh
-$ sudo pacman -Syu base-devel clang libdbus gtk2 libnotify \
-                   libgnome-keyring alsa-lib libcap libcups libxtst \
-                   libxss nss gcc-multilib curl gperf bison \
-                   python2 python-dbusmock jdk8-openjdk
-```
-
-Other distributions may offer similar packages for installation via package
-managers such as pacman. Or one can compile from source code.
+Additionally, Electron's [Linux dependency installer](https://github.com/electron/build-images/blob/main/tools/install-deps.sh) can be referenced to get the current dependencies that Electron requires in addition to what Chromium installs via [build/install-deps.sh](https://chromium.googlesource.com/chromium/src/+/HEAD/build/install-build-deps.sh).
 
 ### Cross compilation
 
-If you want to build for an `arm` target you should also install the following
-dependencies:
+If you want to build for an `arm` target, you can use Electron's [Linux dependency installer](https://github.com/electron/build-images/blob/main/tools/install-deps.sh) to install the additional dependencies by passing the `--arm argument`:
 
 ```sh
-$ sudo apt-get install libc6-dev-armhf-cross linux-libc-dev-armhf-cross \
-                       g++-arm-linux-gnueabihf
-```
-
-Similarly for `arm64`, install the following:
-
-```sh
-$ sudo apt-get install libc6-dev-arm64-cross linux-libc-dev-arm64-cross \
-                       g++-aarch64-linux-gnu
+$ sudo install-deps.sh --arm
 ```
 
 And to cross-compile for `arm` or targets, you should pass the

docs/faq.md

@@ -12,19 +12,28 @@ network problems. The best resolution is to try switching networks, or
 wait a bit and try installing again.
 
 You can also attempt to download Electron directly from
-[electron/electron/releases](https://github.com/electron/electron/releases)
+[GitHub Releases](https://github.com/electron/electron/releases)
 if installing via `npm` is failing.
 
-## When will Electron upgrade to latest Chrome?
+If you need to install Electron through a custom mirror or proxy, see
+the [Advanced Installation](./tutorial/installation.md) documentation for more details.
 
-The Chrome version of Electron is usually bumped within one or two weeks after
-a new stable Chrome version gets released. This estimate is not guaranteed and
-depends on the amount of work involved with upgrading.
+## How are Electron binaries downloaded?
 
-Only the stable channel of Chrome is used. If an important fix is in beta or dev
-channel, we will back-port it.
+When you run `npm install electron`, the Electron binary for the corresponding version is downloaded
+into your project's `node_modules` folder via npm's `postinstall` lifecycle script.
 
-For more information, please see the [security introduction](tutorial/security.md).
+This logic is handled by the [`@electron/get`](https://github.com/electron/get) utility package
+under the hood.
+
+## When will Electron upgrade to latest Chromium?
+
+Every new major version of Electron releases with a Chromium major version upgrade. By releasing every
+8 weeks, Electron is able to pull in every other major Chromium release on the very same day that it
+releases upstream. Security fixes will be backported to stable release channels ahead of time.
+
+See the [Electron Releases](./tutorial/electron-timelines.md) documentation for more details or
+[releases.electronjs.org](https://releases.electronjs.org) to see our Release Status dashboard.
 
 ## When will Electron upgrade to latest Node.js?
 

docs/glossary.md

@@ -12,6 +12,15 @@ The ASAR format was created primarily to improve performance on Windows when
 reading large quantities of small files (e.g. when loading your app's JavaScript
 dependency tree from `node_modules`).
 
+### ASAR integrity
+
+ASAR integrity is an security feature that validates the contents of your app's
+ASAR archives at runtime. When enabled, your Electron app will verify the
+header hash of its ASAR archive on runtime. If no hash is present or if there is a mismatch in the
+hashes, the app will forcefully terminate.
+
+See the [ASAR Integrity](./tutorial/asar-integrity.md) guide for more details.
+
 ### code signing
 
 Code signing is a process where an app developer digitally signs their code to

docs/tutorial/asar-integrity.md

@@ -5,7 +5,7 @@ slug: asar-integrity
 hide_title: false
 ---
 
-ASAR integrity is an experimental feature that validates the contents of your app's
+ASAR integrity is a security feature that validates the contents of your app's
 [ASAR archives](./asar-archives.md) at runtime.
 
 ## Version support
@@ -64,13 +64,10 @@ flipFuses(
 )
 ```
 
-:::tip Fuses in Electron Forge
-
-With Electron Forge, you can configure your app's fuses with
-[@electron-forge/plugin-fuses](https://www.electronforge.io/config/plugins/fuses)
-in your Forge configuration file.
-
-:::
+> [!TIP]
+> With Electron Forge, you can configure your app's fuses with
+> [@electron-forge/plugin-fuses](https://www.electronforge.io/config/plugins/fuses)
+> in your Forge configuration file.
 
 ## Providing the header hash
 
@@ -80,7 +77,7 @@ on package time. The process of providing this packaged hash is different for ma
 ### Using Electron tooling
 
 Electron Forge and Electron Packager do this setup automatically for you with no additional
-configuration. The minimum required versions for ASAR integrity are:
+configuration whenever `asar` is enabled. The minimum required versions for ASAR integrity are:
 
 * `@electron/packager@18.3.1`
 * `@electron/forge@7.4.0`
@@ -109,7 +106,7 @@ Valid `algorithm` values are currently `SHA256` only. The `hash` is a hash of th
 The `@electron/asar` package exposes a `getRawHeader` method whose result can then be hashed to generate this value
 (e.g. using the [`node:crypto`](https://nodejs.org/api/crypto.html) module).
 
-### Windows
+#### Windows
 
 When packaging for Windows, you must populate a valid [resource](https://learn.microsoft.com/en-us/windows/win32/menurc/resources)
 entry of type `Integrity` and name `ElectronAsar`. The value of this resource should be a JSON encoded dictionary
@@ -125,9 +122,6 @@ in the form included below:
 ]
 ```
 
-:::info
-
-For an implementation example, see [`src/resedit.ts`](https://github.com/electron/packager/blob/main/src/resedit.ts)
-in the Electron Packager code.
-
-:::
+> [!NOTE]
+> For an implementation example, see [`src/resedit.ts`](https://github.com/electron/packager/blob/main/src/resedit.ts)
+> in the Electron Packager code.

docs/tutorial/code-signing.md

@@ -233,10 +233,10 @@ can find [its documentation here](https://www.electron.build/code-signing).
 [Azure Trusted Signing][] is Microsoft's modern cloud-based alternative to EV certificates.
 It is the cheapest option for code signing on Windows, and it gets rid of SmartScreen warnings.
 
-As of May 2025, Azure Trusted Signing is [available][trusted-signing-availability] to US and
-Canada-based organizations with 3+ years of verifiable business history. Microsoft is looking
-to make the program more widely available. If you're reading this at a later point, it could
-make sense to check if the eligibility criteria have changed.
+As of October 2025, Azure Trusted Signing is available to US and Canada-based organizations
+with 3+ years of verifiable business history and to individual developers in the US and Canada.
+Microsoft is looking to make the program more widely available. If you're reading this at a
+later point, it could make sense to check if the eligibility criteria have changed.
 
 #### Using Electron Forge
 
@@ -267,6 +267,5 @@ See the [Windows Store Guide][].
 [maker-squirrel]: https://www.electronforge.io/config/makers/squirrel.windows
 [maker-msi]: https://www.electronforge.io/config/makers/wix-msi
 [azure trusted signing]: https://azure.microsoft.com/en-us/products/trusted-signing
-[trusted-signing-availability]: https://techcommunity.microsoft.com/blog/microsoft-security-blog/trusted-signing-public-preview-update/4399713
 [forge-trusted-signing]: https://www.electronforge.io/guides/code-signing/code-signing-windows#using-azure-trusted-signing
 [builder-trusted-signing]: https://www.electron.build/code-signing-win#using-azure-trusted-signing-beta

docs/tutorial/devtools-extension.md

@@ -94,7 +94,7 @@ If the extension works on Chrome but not on Electron, file a bug in Electron's
 [issue tracker][issue-tracker] and describe which part
 of the extension is not working as expected.
 
-[devtools-extension]: https://developer.chrome.com/extensions/devtools
+[devtools-extension]: https://developer.chrome.com/docs/extensions/how-to/devtools/extend-devtools
 [session]: ../api/session.md
 [react-devtools]: https://chrome.google.com/webstore/detail/react-developer-tools/fmkadmapgofadopljbjfkapdkoienihi
 [load-extension]: ../api/extensions-api.md#extensionsloadextensionpath-options

docs/tutorial/electron-timelines.md

@@ -9,10 +9,12 @@ check out our [Electron Versioning](./electron-versioning.md) doc.
 
 | Electron | Alpha | Beta | Stable | EOL | Chrome | Node | Supported |
 | ------- | ----- | ------- | ------ | ------ | ---- | ---- | ---- |
-| 38.0.0 |  2025-Jun-26 | 2025-Aug-06 | 2025-Sep-02 | 2026-Mar-10 | M140 | TBD | ✅ |
+| 40.0.0 |  2025-Oct-30 | 2025-Dec-03 | 2026-Jan-13 | 2026-Jun-30 | M144 | TBD | ✅ |
+| 39.0.0 |  2025-Sep-04 | 2025-Oct-01 | 2025-Oct-28 | 2026-May-05 | M142 | v22.20 | ✅ |
+| 38.0.0 |  2025-Jun-26 | 2025-Aug-06 | 2025-Sep-02 | 2026-Mar-10 | M140 | v22.18 | ✅ |
 | 37.0.0 |  2025-May-01 | 2025-May-28 | 2025-Jun-24 | 2026-Jan-13 | M138 | v22.16 | ✅ |
-| 36.0.0 |  2025-Mar-06 | 2025-Apr-02 | 2025-Apr-29 | 2025-Oct-28 | M136 | v22.14 | ✅ |
-| 35.0.0 |  2025-Jan-16 | 2025-Feb-05 | 2025-Mar-04 | 2025-Sep-02 | M134 | v22.14 | ✅ |
+| 36.0.0 |  2025-Mar-06 | 2025-Apr-02 | 2025-Apr-29 | 2025-Oct-28 | M136 | v22.14 | 🚫 |
+| 35.0.0 |  2025-Jan-16 | 2025-Feb-05 | 2025-Mar-04 | 2025-Sep-02 | M134 | v22.14 | 🚫 |
 | 34.0.0 |  2024-Oct-17 | 2024-Nov-13 | 2025-Jan-14 | 2025-Jun-24 | M132 | v20.18 | 🚫 |
 | 33.0.0 |  2024-Aug-22 | 2024-Sep-18 | 2024-Oct-15 | 2025-Apr-29 | M130 | v20.18 | 🚫 |
 | 32.0.0 |  2024-Jun-14 | 2024-Jul-24 | 2024-Aug-20 | 2025-Mar-04 | M128 | v20.16 | 🚫 |
@@ -120,22 +122,3 @@ and that number is reduced to two in major version 10, the three-argument versio
 continue to work until, at minimum, major version 12. Past the minimum two-version
 threshold, we will attempt to support backwards compatibility beyond two versions
 until the maintainers feel the maintenance burden is too high to continue doing so.
-
-### End-of-life
-
-When a release branch reaches the end of its support cycle, the series
-will be deprecated in NPM and a final end-of-support release will be
-made. This release will add a warning to inform that an unsupported
-version of Electron is in use.
-
-These steps are to help app developers learn when a branch they're
-using becomes unsupported, but without being excessively intrusive
-to end users.
-
-If an application has exceptional circumstances and needs to stay
-on an unsupported series of Electron, developers can silence the
-end-of-support warning by omitting the final release from the app's
-`package.json` `devDependencies`. For example, since the 1-6-x series
-ended with an end-of-support 1.6.18 release, developers could choose
-to stay in the 1-6-x series without warnings with `devDependency` of
-`"electron": 1.6.0 - 1.6.17`.

docs/tutorial/esm.md

@@ -32,7 +32,7 @@ This table gives a general overview of where ESM is supported and which ESM load
 | Main                 | Node.js    | N/A                   | <ul><li> [You must use `await` generously before the app's `ready` event](#you-must-use-await-generously-before-the-apps-ready-event) </li></ul> |
 | Renderer (Sandboxed) | Chromium   | Unsupported           | <ul><li> [Sandboxed preload scripts can't use ESM imports](#sandboxed-preload-scripts-cant-use-esm-imports) </li></ul> |
 | Renderer (Unsandboxed & Context Isolated) | Chromium | Node.js | <ul><li> [Unsandboxed ESM preload scripts will run after page load on pages with no content](#unsandboxed-esm-preload-scripts-will-run-after-page-load-on-pages-with-no-content) </li> <li>[ESM Preload Scripts must have the `.mjs` extension](#esm-preload-scripts-must-have-the-mjs-extension)</li></ul> |
-| Renderer (Unsandboxed & Non Context Isolated) | Chromium | Node.js | <ul><li>[Unsandboxed ESM preload scripts will run after page load on pages with no content](#unsandboxed-esm-preload-scripts-will-run-after-page-load-on-pages-with-no-content)</li><li>[ESM Preload Scripts must have the `.mjs` extension](#esm-preload-scripts-must-have-the-mjs-extension)</li><li>[ESM preload scripts must be context isolated to use dynamic Node.js ESM imports](#esm-preload-scripts-must-be-context-isolated-to-use-dynamic-nodejs-esm-imports)</li></ul> |
+| Renderer (Unsandboxed & Non Context Isolated) | Chromium | Node.js | <ul><li>[Unsandboxed ESM preload scripts will run after page load on pages with no content](#unsandboxed-esm-preload-scripts-will-run-after-page-load-on-pages-with-no-content)</li><li>[ESM Preload Scripts must have the `.mjs` extension](#esm-preload-scripts-must-have-the-mjs-extension)</li></ul> |
 
 ## Main process
 

docs/tutorial/fuses.md

@@ -4,11 +4,24 @@
 
 ## What are fuses?
 
-For a subset of Electron functionality it makes sense to disable certain features for an entire application.  For example, 99% of apps don't make use of `ELECTRON_RUN_AS_NODE`, these applications want to be able to ship a binary that is incapable of using that feature.  We also don't want Electron consumers building Electron from source as that is both a massive technical challenge and has a high cost of both time and money.
+From a security perspective, it makes sense to disable certain unused Electron features
+that are powerful but may make your app's security posture weaker. For example, any app that doesn't
+use the `ELECTRON_RUN_AS_NODE` environment variable would want to disable the feature to prevent a
+subset of "living off the land" attacks.
 
-Fuses are the solution to this problem, at a high level they are "magic bits" in the Electron binary that can be flipped when packaging your Electron app to enable / disable certain features / restrictions.  Because they are flipped at package time before you code sign your app the OS becomes responsible for ensuring those bits aren't flipped back via OS level code signing validation (Gatekeeper / App Locker).
+We also don't want Electron consumers forking to achieve this goal, as building from source and
+maintaining a fork is a massive technical challenge and costs a lot of time and money.
 
-## Current Fuses
+Fuses are the solution to this problem. At a high level, they are "magic bits" in the Electron binary
+that can be flipped when packaging your Electron app to enable or disable certain features/restrictions.
+
+Because they are flipped at package time before you code sign your app, the OS becomes responsible
+for ensuring those bits aren't flipped back via OS-level code signing validation
+(e.g. [Gatekeeper](https://support.apple.com/en-ca/guide/security/sec5599b66df/web) on macOS or
+[AppLocker](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview)
+on Windows).
+
+## Current fuses
 
 ### `runAsNode`
 
@@ -16,7 +29,11 @@ Fuses are the solution to this problem, at a high level they are "magic bits" in
 
 **@electron/fuses:** `FuseV1Options.RunAsNode`
 
-The runAsNode fuse toggles whether the `ELECTRON_RUN_AS_NODE` environment variable is respected or not.  Please note that if this fuse is disabled then `process.fork` in the main process will not function as expected as it depends on this environment variable to function. Instead, we recommend that you use [Utility Processes](../api/utility-process.md), which work for many use cases where you need a standalone Node.js process (like a Sqlite server process or similar scenarios).
+The `runAsNode` fuse toggles whether the [`ELECTRON_RUN_AS_NODE`](../api/environment-variables.md)
+environment variable is respected or not. With this fuse disabled, [`child_process.fork`](https://nodejs.org/api/child_process.html#child_processforkmodulepath-args-options) in the main process will not function
+as expected, as it depends on this environment variable to function. Instead, we recommend that you
+use [Utility Processes](../api/utility-process.md), which work for many use cases where you need a
+standalone Node.js process (e.g. a SQLite server process).
 
 ### `cookieEncryption`
 
@@ -24,7 +41,12 @@ The runAsNode fuse toggles whether the `ELECTRON_RUN_AS_NODE` environment variab
 
 **@electron/fuses:** `FuseV1Options.EnableCookieEncryption`
 
-The cookieEncryption fuse toggles whether the cookie store on disk is encrypted using OS level cryptography keys.  By default the sqlite database that Chromium uses to store cookies stores the values in plaintext.  If you wish to ensure your apps cookies are encrypted in the same way Chrome does then you should enable this fuse.  Please note it is a one-way transition, if you enable this fuse existing unencrypted cookies will be encrypted-on-write but if you then disable the fuse again your cookie store will effectively be corrupt and useless.  Most apps can safely enable this fuse.
+The `cookieEncryption` fuse toggles whether the cookie store on disk is encrypted using OS level
+cryptography keys. By default, the SQLite database that Chromium uses to store cookies stores the
+values in plaintext. If you wish to ensure your app's cookies are encrypted in the same way Chrome
+does, then you should enable this fuse. Please note it is a one-way transition—if you enable this
+fuse, existing unencrypted cookies will be encrypted-on-write, but subsequently disabling the fuse
+later will make your cookie store corrupt and useless. Most apps can safely enable this fuse.
 
 ### `nodeOptions`
 
@@ -32,7 +54,11 @@ The cookieEncryption fuse toggles whether the cookie store on disk is encrypted
 
 **@electron/fuses:** `FuseV1Options.EnableNodeOptionsEnvironmentVariable`
 
-The nodeOptions fuse toggles whether the [`NODE_OPTIONS`](https://nodejs.org/api/cli.html#node_optionsoptions)  and [`NODE_EXTRA_CA_CERTS`](https://github.com/nodejs/node/blob/main/doc/api/cli.md#node_extra_ca_certsfile) environment variables are respected.  The `NODE_OPTIONS` environment variable can be used to pass all kinds of custom options to the Node.js runtime and isn't typically used by apps in production.  Most apps can safely disable this fuse.
+The `nodeOptions` fuse toggles whether the [`NODE_OPTIONS`](https://nodejs.org/api/cli.html#node_optionsoptions)
+and [`NODE_EXTRA_CA_CERTS`](https://github.com/nodejs/node/blob/main/doc/api/cli.md#node_extra_ca_certsfile)
+environment variables are respected. The `NODE_OPTIONS` environment variable can be used to pass all
+kinds of custom options to the Node.js runtime and isn't typically used by apps in production.
+Most apps can safely disable this fuse.
 
 ### `nodeCliInspect`
 
@@ -40,7 +66,9 @@ The nodeOptions fuse toggles whether the [`NODE_OPTIONS`](https://nodejs.org/api
 
 **@electron/fuses:** `FuseV1Options.EnableNodeCliInspectArguments`
 
-The nodeCliInspect fuse toggles whether the `--inspect`, `--inspect-brk`, etc. flags are respected or not.  When disabled it also ensures that `SIGUSR1` signal does not initialize the main process inspector.  Most apps can safely disable this fuse.
+The `nodeCliInspect` fuse toggles whether the `--inspect`, `--inspect-brk`, etc. flags are respected
+or not. When disabled, it also ensures that `SIGUSR1` signal does not initialize the main process
+inspector. Most apps can safely disable this fuse.
 
 ### `embeddedAsarIntegrityValidation`
 
@@ -48,9 +76,12 @@ The nodeCliInspect fuse toggles whether the `--inspect`, `--inspect-brk`, etc. f
 
 **@electron/fuses:** `FuseV1Options.EnableEmbeddedAsarIntegrityValidation`
 
-The embeddedAsarIntegrityValidation fuse toggles an experimental feature on macOS and Windows that validates the content of the `app.asar` file when it is loaded.  This feature is designed to have a minimal performance impact but may marginally slow down file reads from inside the `app.asar` archive.
+The `embeddedAsarIntegrityValidation` fuse toggles a feature on macOS and Windows that validates the
+content of the `app.asar` file when it is loaded. This feature is designed to have a minimal
+performance impact but may marginally slow down file reads from inside the `app.asar` archive.
+Most apps can safely enable this fuse.
 
-For more information on how to use asar integrity validation please read the [Asar Integrity](asar-integrity.md) documentation.
+For more information on how to use ASAR integrity validation, please read the [Asar Integrity](asar-integrity.md) documentation.
 
 ### `onlyLoadAppFromAsar`
 
@@ -58,7 +89,15 @@ For more information on how to use asar integrity validation please read the [As
 
 **@electron/fuses:** `FuseV1Options.OnlyLoadAppFromAsar`
 
-The onlyLoadAppFromAsar fuse changes the search system that Electron uses to locate your app code.  By default Electron will search in the following order `app.asar` -> `app` -> `default_app.asar`.  When this fuse is enabled the search order becomes a single entry `app.asar` thus ensuring that when combined with the `embeddedAsarIntegrityValidation` fuse it is impossible to load non-validated code.
+The `onlyLoadAppFromAsar` fuse changes the search system that Electron uses to locate your app code.
+By default, Electron will search for this code in the following order:
+
+1. `app.asar`
+1. `app`
+1. `default_app.asar`
+
+When this fuse is enabled, Electron will _only_ search for `app.asar`. When combined with the [`embeddedAsarIntegrityValidation`](#embeddedasarintegrityvalidation) fuse, this fuse ensures that
+it is impossible to load non-validated code.
 
 ### `loadBrowserProcessSpecificV8Snapshot`
 
@@ -66,11 +105,17 @@ The onlyLoadAppFromAsar fuse changes the search system that Electron uses to loc
 
 **@electron/fuses:** `FuseV1Options.LoadBrowserProcessSpecificV8Snapshot`
 
-The loadBrowserProcessSpecificV8Snapshot fuse changes which V8 snapshot file is used for the browser process.  By default Electron's processes will all use the same V8 snapshot file.  When this fuse is enabled the browser process uses the file called `browser_v8_context_snapshot.bin` for its V8 snapshot. The other processes will use the V8 snapshot file that they normally do.
+V8 snapshots can be useful to improve app startup performance. V8 lets you take snapshots of
+initialized heaps and then load them back in to avoid the cost of initializing the heap.
 
-V8 snapshots can be useful to improve app startup performance. V8 lets you take snapshots of initialized heaps and then load them back in to avoid the cost of initializing the heap.
+The `loadBrowserProcessSpecificV8Snapshot` fuse changes which V8 snapshot file is used for the browser
+process. By default, Electron's processes will all use the same V8 snapshot file. When this fuse is
+enabled, the main process uses the file called `browser_v8_context_snapshot.bin` for its V8 snapshot.
+Other processes will use the V8 snapshot file that they normally do.
 
-Using separate snapshots for renderer processes and the main process can improve security, especially to make sure that the renderer doesn't use a snapshot with `nodeIntegration` enabled. See [#35170](https://github.com/electron/electron/issues/35170) for details.
+Using separate snapshots for renderer processes and the main process can improve security, especially
+to make sure that the renderer doesn't use a snapshot with `nodeIntegration` enabled.
+See [electron/electron#35170](https://github.com/electron/electron/issues/35170) for details.
 
 ### `grantFileProtocolExtraPrivileges`
 
@@ -78,19 +123,25 @@ Using separate snapshots for renderer processes and the main process can improve
 
 **@electron/fuses:** `FuseV1Options.GrantFileProtocolExtraPrivileges`
 
-The grantFileProtocolExtraPrivileges fuse changes whether pages loaded from the `file://` protocol are given privileges beyond what they would receive in a traditional web browser.  This behavior was core to Electron apps in original versions of Electron but is no longer required as apps should be [serving local files from custom protocols](./security.md#18-avoid-usage-of-the-file-protocol-and-prefer-usage-of-custom-protocols) now instead.  If you aren't serving pages from `file://` you should disable this fuse.
+The `grantFileProtocolExtraPrivileges` fuse changes whether pages loaded from the `file://` protocol
+are given privileges beyond what they would receive in a traditional web browser. This behavior was
+core to Electron apps in original versions of Electron, but is no longer required as apps should be
+[serving local files from custom protocols](./security.md#18-avoid-usage-of-the-file-protocol-and-prefer-usage-of-custom-protocols) now instead.
+
+If you aren't serving pages from `file://`, you should disable this fuse.
 
 The extra privileges granted to the `file://` protocol by this fuse are incompletely documented below:
 
 * `file://` protocol pages can use `fetch` to load other assets over `file://`
 * `file://` protocol pages can use service workers
-* `file://` protocol pages have universal access granted to child frames also running on `file://` protocols regardless of sandbox settings
+* `file://` protocol pages have universal access granted to child frames also running on `file://`
+  protocols regardless of sandbox settings
 
-## How do I flip the fuses?
+## How do I flip fuses?
 
 ### The easy way
 
-We've made a handy module, [`@electron/fuses`](https://npmjs.com/package/@electron/fuses), to make flipping these fuses easy.  Check out the README of that module for more details on usage and potential error cases.
+[`@electron/fuses`](https://npmjs.com/package/@electron/fuses) is a JavaScript utility designed to make flipping these fuses easy. Check out the README of that module for more details on usage and potential error cases.
 
 ```js @ts-nocheck
 const { flipFuses, FuseVersion, FuseV1Options } = require('@electron/fuses')
@@ -106,29 +157,37 @@ flipFuses(
 )
 ```
 
-You can validate the fuses have been flipped or check the fuse status of an arbitrary Electron app using the fuses CLI.
+You can validate the fuses that have been flipped or check the fuse status of an arbitrary Electron
+app using the `@electron/fuses` CLI.
 
 ```bash
 npx @electron/fuses read --app /Applications/Foo.app
 ```
 
+>[!NOTE]
+> If you are using Electron Forge to distribute your application, you can flip fuses using
+> [`@electron-forge/plugin-fuses`](https://www.electronforge.io/config/plugins/fuses),
+> which comes pre-installed with all templates.
+
 ### The hard way
 
-#### Quick Glossary
+> [!IMPORTANT]
+> Glossary:
+>
+> * **Fuse Wire**: A sequence of bytes in the Electron binary used to control the fuses
+> * **Sentinel**: A static known sequence of bytes you can use to locate the fuse wire
+> * **Fuse Schema**: The format/allowed values for the fuse wire
 
-* **Fuse Wire**: A sequence of bytes in the Electron binary used to control the fuses
-* **Sentinel**: A static known sequence of bytes you can use to locate the fuse wire
-* **Fuse Schema**: The format / allowed values for the fuse wire
+Manually flipping fuses requires editing the Electron binary and modifying the fuse wire to be the
+sequence of bytes that represent the state of the fuses you want.
 
-Manually flipping fuses requires editing the Electron binary and modifying the fuse wire to be the sequence of bytes that represent the state of the fuses you want.
-
-Somewhere in the Electron binary there will be a sequence of bytes that look like this:
+Somewhere in the Electron binary, there will be a sequence of bytes that look like this:
 
 ```text
 | ...binary | sentinel_bytes | fuse_version | fuse_wire_length | fuse_wire | ...binary |
 ```
 
-* `sentinel_bytes` is always this exact string `dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX`
+* `sentinel_bytes` is always this exact string: `dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX`
 * `fuse_version` is a single byte whose unsigned integer value represents the version of the fuse schema
 * `fuse_wire_length` is a single byte whose unsigned integer value represents the number of fuses in the following fuse wire
 * `fuse_wire` is a sequence of N bytes, each byte represents a single fuse and its state.
@@ -136,6 +195,6 @@ Somewhere in the Electron binary there will be a sequence of bytes that look lik
   * "1" (0x31) indicates the fuse is enabled
   * "r" (0x72) indicates the fuse has been removed and changing the byte to either 1 or 0 will have no effect.
 
-To flip a fuse you find its position in the fuse wire and change it to "0" or "1" depending on the state you'd like.
+To flip a fuse, you find its position in the fuse wire and change it to "0" or "1" depending on the state you'd like.
 
 You can view the current schema [here](https://github.com/electron/electron/blob/main/build/fuses/fuses.json5).

docs/tutorial/installation.md

@@ -26,12 +26,12 @@ any dependencies in your app will not be installed.
 
 ## Customization
 
-If you want to change the architecture that is downloaded (e.g., `ia32` on an
-`x64` machine), you can use the `--arch` flag with npm install or set the
+If you want to change the architecture that is downloaded (e.g., `x64` on an
+`arm64` machine), you can use the `--arch` flag with npm install or set the
 `npm_config_arch` environment variable:
 
 ```shell
-npm install --arch=ia32 electron
+npm install --arch=x64 electron
 ```
 
 In addition to changing the architecture, you can also specify the platform
@@ -60,7 +60,7 @@ where `$VERSION` is the exact version of Electron).
 If you are unable to access GitHub or you need to provide a custom build, you
 can do so by either providing a mirror or an existing cache directory.
 
-#### Mirror
+### Mirror
 
 You can use environment variables to override the base URL, the path at which to
 look for Electron binaries, and the binary filename. The URL used by `@electron/get`
@@ -95,7 +95,7 @@ Electron release you may have to set `electron_use_remote_checksums=1` directly,
 or configure it in a `.npmrc` file, to force Electron to use the remote `SHASUMS256.txt`
 file to verify the checksum instead of the embedded checksums.
 
-#### Cache
+### Cache
 
 Alternatively, you can override the local cache. `@electron/get` will cache
 downloaded binaries in a local directory to not stress your network. You can use
@@ -120,7 +120,7 @@ The cache contains the version's official zip file as well as a checksum, and is
 │   └── electron-v15.3.1-darwin-x64.zip
 ```
 
-## Skip binary download
+## Postinstall script
 
 Under the hood, Electron's JavaScript API binds to a binary that contains its
 implementations. Because this binary is crucial to the function of any Electron app,

docs/tutorial/native-file-drag-drop.md

@@ -110,4 +110,10 @@ the item is a Markdown file located in the root of the project:
 
 ![Drag and drop](../images/drag-and-drop.gif)
 
+## Dragging files into your app
+
+You can use the standard
+[Drag and Drop web API](https://developer.mozilla.org/en-US/docs/Web/API/HTML_Drag_and_Drop_API)
+for dragging and dropping files into your app.
+
 [`contextBridge`]: ../api/context-bridge.md