feat: expose nativeTheme.shouldUseDarkColorsForSystemIntegratedUI (#46598)

feat: expose shouldUseDarkColorsForSystemIntegratedUI

Closes https://github.com/electron/electron/issues/46429.
Refs https://github.com/electron/electron/pull/19735.

This PR adds a new API `shouldUseDarkColorsForSystemIntegratedUI` to the
`nativeTheme` module. This API returns a boolean indicating whether the
system is using dark colors for system integrated UI elements. This is
useful for applications that want to adapt their UI to match the system
theme, especially for those that use system integrated UI elements like
the shell theme or taskbar appearance.

Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com>
Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>

.claude/.gitignore

@@ -1 +0,0 @@
-settings.local.json

.claude/settings.json

@@ -1,25 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "Bash(e sync)",
-      "Bash(e patches --list-targets:*)",
-      "Bash(git add:*)",
-      "Bash(git am:*)",
-      "Bash(git commit:*)",
-      "Bash(git log:*)",
-      "Bash(git show:*)",
-      "Bash(e patches:*)",
-      "Bash(e sync:*)",
-      "Skill(electron-chromium-upgrade)",
-      "Skill(electron-node-upgrade)",
-      "Read(*)",
-      "Bash(echo:*)",
-      "Bash(e build:*)",
-      "Bash(tee:*)",
-      "Bash(git diff:*)",
-      "Bash(git rev-parse:*)"
-    ],
-    "deny": [],
-    "ask": []
-  }
-}

.claude/skills/chrome-release-cls/SKILL.md

@@ -1,106 +0,0 @@
----
-name: chrome-release-cls
-description: Given a Chrome Releases blog post URL (chromereleases.googleblog.com), extract every CVE/bug and find the underlying Gerrit CL that fixed it by searching the local Chromium checkout and sub-repos. Use when asked to map Chrome security release notes to fixing CLs, or to find which commits correspond to CVEs in a Chrome stable update.
----
-
-# Chrome Release → Fixing CL Mapper
-
-Maps every security fix in a Chrome Releases blog post to the Gerrit CL(s) that fixed it.
-
-## Input
-
-`$ARGUMENTS` — a `https://chromereleases.googleblog.com/...` URL. If empty, ask the user for one.
-
-## Procedure
-
-### 1. Extract CVE → bug ID pairs from the blog post
-
-The blog HTML buries bug IDs inside `<a>` tags, so strip tags first. Run:
-
-```bash
-curl -sL "$URL" | python3 -c '
-import sys, re, html
-t = re.sub(r"<[^>]+>", " ", sys.stdin.read())
-t = re.sub(r"\s+", " ", html.unescape(t))
-seen = set()
-for m in re.finditer(r"\[\s*(\d{6,})\s*\]\s*(Critical|High|Medium|Low)\s*(CVE-\d{4}-\d+):\s*([^.]+?)\.", t):
-    if m.group(3) in seen: continue
-    seen.add(m.group(3))
-    print(f"{m.group(3)}|{m.group(1)}|{m.group(2)}|{m.group(4).strip()}")
-' > /tmp/cve_bugs.txt
-cat /tmp/cve_bugs.txt
-```
-
-If this yields nothing, the page may have changed format — fall back to `grep -oE 'CVE-[0-9]{4}-[0-9]+'` and `grep -oE 'crbug\.com/[0-9]+'` and pair them by order.
-
-### 2. Find the fixing CL for each bug
-
-Search git history in the Chromium checkout and relevant sub-repos for commits whose `Bug:` or `Fixed:` footer references the bug ID, then extract the `Reviewed-on:` Gerrit URL.
-
-Repo selection by component keyword:
-- ANGLE → `third_party/angle`
-- Skia, Graphite → `third_party/skia`
-- PDFium → `third_party/pdfium`
-- Dawn → `third_party/dawn`
-- V8, Turbofan, Maglev, Turboshaft → `v8`
-- everything else → `.` (chromium/src)
-
-Always also fall back to `.` if the hinted repo has no match.
-
-```bash
-cd /root/src/electron/src   # chromium root (parent of electron/)
-
-lookup() {
-  local bug="$1" repos="$2"
-  for repo in $repos . v8 third_party/skia third_party/angle third_party/pdfium third_party/dawn; do
-    local hits
-    hits=$(git -C "$repo" log --all --since='6 months ago' -E \
-           --grep="(Bug|Fixed):.*\\b${bug}\\b" --format='%H' 2>/dev/null | sort -u)
-    [[ -z "$hits" ]] && continue
-    while read -r h; do
-      git -C "$repo" log -1 --format='%B' "$h" | grep '^Reviewed-on:' | sed 's/^/    /'
-      echo "      ↳ $(git -C "$repo" log -1 --format='%s' "$h")"
-    done <<<"$hits"
-    return 0
-  done
-  echo "    (not found locally)"
-}
-```
-
-Drive it from `/tmp/cve_bugs.txt`. Prefer the **non-`[M1xx]`-prefixed** commit subject as the canonical main CL; the `[M1xx]` ones are branch cherry-picks.
-
-### 3. Handle misses
-
-For any bug with no local hit:
-- `git -C <repo> fetch origin` then re-search `--remotes` (fix may be newer than the checkout).
-- Query Gerrit directly: `curl -s "https://chromium-review.googlesource.com/changes/?q=bug:${BUG}&n=10" | tail -n +2 | python3 -m json.tool` (also try `skia-review`, `pdfium-review`, `dawn-review`, `aomedia-review`).
-- **`b/` bug format (Skia, Graphite, Dawn):** These repos reference bugs as `b/<id>` in commit messages rather than `Bug: <id>` footers. The Gerrit `bug:` query will return nothing. Use `message:<id>` search instead:
-  ```bash
-  curl -s "https://skia-review.googlesource.com/changes/?q=message:${BUG}&n=5" | tail -n +2
-  ```
-  Apply the same pattern for `dawn-review.googlesource.com` when the component is Dawn.
-- **Tracing main CLs from merges:** When only `[M1xx]` merge CLs are found, query the CL detail for `cherry_pick_of_change` to find the original main CL number:
-  ```bash
-  curl -s "https://chromium-review.googlesource.com/changes/${CL_NUM}?o=CURRENT_REVISION" | tail -n +2 | python3 -c "
-  import sys, json
-  d = json.load(sys.stdin)
-  print(d.get('cherry_pick_of_change', 'none'))
-  "
-  ```
-- If still nothing and the bug was reported very recently (especially by "Google Threat Intelligence" or marked in-the-wild), the CL is likely still access-restricted — report it as such rather than guessing.
-
-### 4. Special cases
-
-- **Roll CLs — skip and find the upstream fix:** For components whose fixes land in upstream repos (PDFium, Dawn, Skia, Graphite, libaom, libvpx, ffmpeg), the chromium-review hit will be a `Roll src/third_party/...` commit. Do not report the roll CL as the fix. Instead, query the component's own Gerrit instance directly for the actual fixing CL:
-  - PDFium → `pdfium-review.googlesource.com` (use `bug:` or `message:` query)
-  - Dawn → `dawn-review.googlesource.com` (use `message:` query — uses `b/` format)
-  - Skia / Graphite → `skia-review.googlesource.com` (use `message:` query — uses `b/` format)
-  - libaom → `aomedia-review.googlesource.com`
-  
-  Only if the upstream Gerrit instance returns no results should you fall back to reporting the roll CL — in that case, include the roll CL and note that the actual fix is upstream but the specific CL could not be identified.
-- Multiple `Reviewed-on:` lines in one commit body: cherry-picks keep the original line plus a new one. The **first** `Reviewed-on:` is the original CL.
-- A bug may have multiple distinct fix CLs (fix + follow-up hardening) — list all of them.
-
-### 5. Output
-
-Produce a markdown table per severity level: `CVE | Bug | Component | Fix CL (main)`. Link bugs as `https://crbug.com/<id>`. Save raw output (including all branch merges) to `/tmp/cve_cls.txt` and mention the path.

.claude/skills/chrome-release-verify/SKILL.md

@@ -1,123 +0,0 @@
----
-name: chrome-release-verify
-description: End-to-end Chrome security backport for an Electron release branch. Given a Chrome Releases blog URL and a branch (e.g. 41-x-y), determines which CVE fixes are missing from the *actual synced source*, writes the cherry-pick patches locally, validates them with `e sync --3` + `lint --patches`, then pushes a single PR. Use when asked to backport a Chrome security release to N-x-y, "is CVE-X already in N-x-y?", or to produce/validate the cherry-pick set for a release branch.
----
-
-# Chrome Release → Validated Backport PR
-
-Input: `$ARGUMENTS` = `<release-branch> <chrome-releases-blog-url>` (e.g. `41-x-y https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html`). Ask if either is missing.
-
-The flow is **local-first**: nothing is pushed until every patch applies via `e sync --3` and passes `lint --patches`.
-
-## 1. Map CVE → bug → fix CL
-
-Run `/chrome-release-cls <blog-url>` (or its inline procedure) to produce `/tmp/cve_bugs.txt` (`CVE|bug|severity|desc`) and a per-bug canonical fix CL. For each CL also note `repo` (path under `src/`: `.`, `v8`, `third_party/{skia,angle,pdfium,dawn}`, `third_party/libaom/source/libaom`) and `gerrit-host`.
-
-**Prefer the target-milestone merge CL** if one exists (e.g. on `41-x-y` ≈ M146, prefer the `[M146]` cherry-pick over the main CL) — it's already rebased and far less likely to conflict. Find it via `git log --all --grep` on the Change-Id, or Gerrit `?q=bug:<n>`. If Chrome did *not* merge a fix to the target milestone, that's a strong signal the vulnerable code doesn't exist there — flag it for skip rather than forcing a port.
-
-## 2. Prepare a synced worktree
-
-Reuse `bp-<NN>` from `e show configs` if present, else `e worktree add bp-<NN> ~/src/electron-bp-<NN> --source <current> --no-sync`.
-
-```bash
-cd <root>/src/electron
-git fetch origin <branch>
-git checkout -B security-backport/<branch>/<short-date> origin/<branch>
-e use bp-<NN>
-e sync 2>&1 | tee /tmp/bp_sync.log
-```
-
-If sync fails with `NotADirectoryError: '<root>/src/.git/objects/info/alternates'`, remove `GIT_CACHE_PATH` from the bp config's `env` and retry.
-
-## 3. Verify IN-TREE vs NEEDS-BACKPORT
-
-For each bug, three checks against the **synced** repo:
-
-1. `git -C "$repo" log HEAD --since='1 year ago' -E --grep="\b${bug}\b" --format='%h %s'`
-2. Fetch Change-Id from Gerrit, then `git log HEAD --grep="^Change-Id: ${cid}$"`
-3. `grep -rlE "(\b${bug}\b|${cid})" <root>/src/electron/patches/`
-
-Any hit ⇒ IN-TREE. All empty ⇒ NEEDS-BACKPORT.
-
-For each NEEDS-BACKPORT CL, also fetch its file list (`/changes/<proj>~<cl>/revisions/current/files`) and **skip** if every file is under `chrome/browser/`, `chrome/android/`, `ios/`, or `components/**/android/` — Electron doesn't compile those.
-
-Report the table now (`CVE | Sev | Bug | Component | Verdict | CL`) and the proposed backport set; get user sign-off before continuing.
-
-## 4. Write patches locally (no push yet)
-
-For each backport CL, fetch the raw patch and write it into `patches/<dir>/`:
-
-```bash
-curl -s "https://${host}.googlesource.com/changes/${proj//\//%2F}~${cl}/revisions/current/patch" \
-  | base64 -d > "patches/${dir}/cherry-pick-${short}.patch"
-echo "cherry-pick-${short}.patch" >> "patches/${dir}/.patches"
-```
-
-For repos with no Gerrit host `e cherry-pick` supports (e.g. **libaom** on aomedia), instead `git cherry-pick` the upstream commits onto the synced sub-repo HEAD and `git format-patch` the result.
-
-For any newly-created `patches/<dir>/`, append to `patches/config.json` **preserving the compact one-line-per-entry style**:
-
-```json
-  { "patch_dir": "src/electron/patches/<dir>", "repo": "src/third_party/<dir-or-nested-path>" }
-```
-
-## 5. Validate with `e sync --3`
-
-```bash
-e sync --3 2>&1 | tee /tmp/bp_sync3.log
-```
-
-On `Patch failed at NNNN <subject>`:
-
-- `cd` into the failing repo, inspect `git diff` for conflict markers.
-- **Test-only files** (e.g. `web_tests/VirtualTestSuites`, `*_unittest.cc` context drift): take ours (`git checkout --ours -- <file>`) if the security-relevant hunks merged cleanly.
-- **Substantive code conflicts**: check whether a target-milestone merge CL exists and swap to it. If none exists upstream and the surrounding code is structurally different, **drop the patch** (delete the file, remove from `.patches` and `config.json`) and note it for a separate manual-port PR — do not improvise security-fix semantics.
-- After resolving: `git add <files> && git -c commit.gpgsign=false am --continue`, then `e patches <repo>` to export the resolved patch, then re-run `e sync --3`. Repeat until clean.
-
-## 6. Export → lint → re-apply loop
-
-```bash
-e patches all
-node script/lint.js --patches   # must exit 0
-```
-
-If lint reports findings (typically trailing whitespace on `+` content lines), fixing them **changes the bytes the patch writes**, which invalidates the `index <old>..<new>` blob hashes that `e patches` baked in. Hand-editing a `.patch` and pushing it as-is will pass lint locally but fail CI's Apply Patches re-export check with a one-line `index` hash diff.
-
-So whenever lint (or you) modifies any `.patch` file after export, round-trip once more:
-
-```bash
-# fix the lint findings in patches/**/*.patch, then:
-e sync            # re-apply the edited patches (no --3 needed; they applied cleanly last time)
-e patches all     # re-export so index blob hashes match the edited content
-node script/lint.js --patches      # must now exit 0
-git diff --quiet -- patches/ || { echo "patches changed again — repeat the loop"; }
-```
-
-Repeat until `lint --patches` exits 0 **and** `git diff -- patches/` is empty after the final `e patches all`. Only then is the patch set CI-stable.
-
-## 7. Commit, push, PR
-
-```bash
-git add patches/
-git commit -m "chore: cherry-pick <N> changes from <dirs>"
-git push origin HEAD
-gh pr create --repo electron/electron --base <branch> --head <this-branch> \
-  --title "chore: cherry-pick <N> changes from <dirs>" \
-  --label "<branch>" --label backport-check-skip --label semver/patch --label "security 🔒" \
-  --body-file /tmp/pr_body.md
-```
-
-PR body format:
-
-```markdown
-Backports the following changes:
-
-* [`<shortCommit>`](<gerrit-CL-url>) from <patchDir> — <subject> ([<bug>](https://crbug.com/<bug>), CVE-YYYY-NNNN)
-* ...
-
-Notes: Security: backported fixes for CVE-YYYY-NNNN, CVE-YYYY-NNNN, ....
-```
-
-Short commit links to the **Gerrit CL**; bug links to `crbug.com`; CVE comes from the blog mapping (the patch's own `Bug:` footer may differ); `Notes:` is the last line. Mention any dropped patches (with reason) above the `Notes:` line.
-
-Restore `e use <previous>` when done.

.claude/skills/electron-chromium-upgrade/SKILL.md

@@ -1,184 +0,0 @@
----
-name: electron-chromium-upgrade
-description: Guide for performing Chromium version upgrades in the Electron project. Use when working on the roller/chromium/main branch to fix patch conflicts during `e sync --3`. Covers the patch application workflow, conflict resolution, analyzing upstream Chromium changes, and proper commit formatting for patch fixes.
----
-
-# Electron Chromium Upgrade: Phase One
-
-## Summary
-
-Run `e sync --3` repeatedly, fixing patch conflicts as they arise, until it succeeds. Then export patches and commit changes atomically.
-
-## Success Criteria
-
-Phase One is complete when:
-- `e sync --3` exits with code 0 (no patch failures)
-- All changes are committed per the commit guidelines
-
-Do not stop until these criteria are met.
-
-**CRITICAL** Do not delete or skip patches unless 100% certain the patch is no longer needed. Complicated conflicts or hard to resolve issues should be presented to the user after you have exhausted all other options. Do not delete the patch just because you can't solve it.
-
-**CRITICAL** Never use `git am --skip` and then manually recreate a patch by making a new commit. This destroys the original patch's authorship, commit message, and position in the series. If `git am --continue` reports "No changes", investigate why — the changes were likely absorbed by a prior conflict resolution's 3-way merge. Present this situation to the user rather than skipping and recreating.
-
-## Context
-
-The `roller/chromium/main` branch is created by automation to update Electron's Chromium dependency SHA. No work has been done to handle breaking changes between the old and new versions.
-
-**Key directories:**
-- Current directory: Electron repo (always run `e` commands here)
-- `..` (parent): Chromium repo (where most patches apply)
-- `patches/`: Patch files organized by target
-- `docs/development/patches.md`: Patch system documentation
-
-## Pre-flight Checks
-
-Run these once at the start of each upgrade session:
-
-1. **Clear rerere cache** (if enabled): `git rerere clear` in both the electron and `..` repos. Stale recorded resolutions from a prior attempt can silently apply wrong merges.
-2. **Ensure pre-commit hooks are installed**: Check that `.git/hooks/pre-commit` exists. If not, run `yarn husky` to install it. The hook runs `lint-staged` which handles clang-format for C++ files.
-
-## Workflow
-
-1. Run `e sync --3` (the `--3` flag enables 3-way merge, always required)
-2. If succeeds → skip to step 5
-3. If patch fails:
-   - Identify target repo and patch from error output
-   - Analyze failure (see references/patch-analysis.md)
-   - Fix conflict in target repo's working directory
-   - Run `git am --continue` in affected repo
-   - Repeat until all patches for that repo apply
-   - IMPORTANT: Once `git am --continue` succeeds you MUST run `e patches {target}` to export fixes
-   - Return to step 1
-4. When `e sync --3` succeeds, run `e patches all`
-5. **Read `references/phase-one-commit-guidelines.md` NOW**, then commit changes following those instructions exactly.
-
-## Commands Reference
-
-| Command | Purpose |
-|---------|---------|
-| `e sync --3` | Clone deps and apply patches with 3-way merge |
-| `git am --continue` | Continue after resolving conflict (run in target repo) |
-| `e patches {target}` | Export commits from target repo to patch files |
-| `e patches all` | Export all patches from all targets |
-| `e patches {target} --commit-updates` | Export patches and auto-commit trivial changes |
-| `e patches --list-targets` | List targets and config paths |
-
-## Patch System Mental Model
-
-```
-patches/{target}/*.patch  →  [e sync --3]  →  target repo commits
-                          ←  [e patches]   ←
-```
-
-## When to Edit Patches
-
-| Situation | Action |
-|-----------|--------|
-| During active `git am` conflict | Fix in target repo, then `git am --continue` |
-| Modifying patch outside conflict | Edit `.patch` file directly |
-| Creating new patch (rare, avoid) | Commit in target repo, then `e patches {target}` |
-
-Fix existing patches 99% of the time rather than creating new ones.
-
-## Patch Fixing Rules
-
-1. **Preserve authorship**: Keep original author in TODO comments (from patch `From:` field)
-2. **Never change TODO assignees**: `TODO(name)` must retain original name
-3. **Update descriptions**: If upstream changed (e.g., `DCHECK` → `CHECK_IS_TEST`), update patch commit message to reflect current state
-4. **Never skip-and-recreate a patch**: If `git am --continue` says "No changes — did you forget to use 'git add'?", do NOT run `git am --skip` and create a replacement commit. The patch's changes were already absorbed by a prior 3-way merge resolution. This means an earlier conflict resolution pulled in too many changes. Present the situation to the user for guidance — the correct fix may require re-doing an earlier resolution more carefully to keep each patch's changes separate.
-
-# Electron Chromium Upgrade: Phase Two
-
-## Summary
-
-Run `e build -k 999 -- --quiet` repeatedly, fixing build issues as they arise, until it succeeds. Then run `e start --version` to validate Electron launches and commit changes atomically.
-
-Run Phase Two immediately after Phase One is complete.
-
-## Success Criteria
-
-Phase Two is complete when:
-- `e build -k 999 -- --quiet` exits with code 0 (no build failures)
-- `e start --version` has been run to check Electron launches
-- All changes are committed per the commit guidelines
-
-Do not stop until these criteria are met. Do not delete code or features, never comment out code in order to take short cut. Make all existing code, logic and intention work.
-
-## Context
-
-The `roller/chromium/main` branch is created by automation to update Electron's Chromium dependency SHA. No work has been done to handle breaking changes between the old and new versions. Chromium APIs frequently are renamed or refactored. In every case the code in Electron must be updated to account for the change in Chromium, strongly avoid making changes to the code in chromium to fix Electrons build.
-
-**Key directories:**
-- Current directory: Electron repo (always run `e` commands here)
-- `..` (parent): Chromium repo (do not touch this code to fix build issues, just read it to obtain context)
-
-## Workflow
-
-1. Run `e build -k 999 -- --quiet` (the `--quiet` flag suppresses per-target status lines, showing only errors and the final result)
-2. If succeeds → skip to step 6
-3. If build fails:
-    - Identify underlying file in "electron" from the compilation error message
-    - Analyze failure
-    - Fix build issue by adapting Electron's code for the change in Chromium
-    - Run `e build -t {target_that_failed}.o` to build just the failed target we were specifically fixing
-        - You can identify the target_that_failed from the failure line in the build log. E.g. `FAILED: 2e506007-8d5d-4f38-bdd1-b5cd77999a77 "./obj/electron/chromium_src/chrome/process_singleton_posix.o" CXX obj/electron/chromium_src/chrome/process_singleton_posix.o` the target name is `obj/electron/chromium_src/chrome/process_singleton_posix.o`
-    - **Read `references/phase-two-commit-guidelines.md` NOW**, then commit changes following those instructions exactly.
-    - Return to step 1
-4. **CRITICAL**: After ANY commit (especially patch commits), immediately run `git status` in the electron repo
-    - Look for other modified `.patch` files that only have index/hunk header changes
-    - These are dependent patches affected by your fix
-    - Commit them immediately with: `git commit -am "chore: update patches (trivial only)"`
-5. Return to step 1
-6. When `e build` succeeds, run `e start --version`
-7. Check if you have any pending changes in the Chromium repo by running `git status`
-    - If you have changes follow the instructions below in "A. Patch Fixes" to correctly commit those modifications into the appropriate patch file
-
-## Commands Reference
-
-| Command | Purpose |
-|---------|---------|
-| `e build -k 999 -- --quiet` | Build Electron, continue on errors, suppress status lines |
-| `e build -t {target}.o` | Build just one specific target to verify a fix |
-| `e start --version` | Validate Electron launches after successful build |
-
-## Two Types of Build Fixes
-
-### A. Patch Fixes (for files in chromium_src or patched Chromium files)
-
-When the error is in a file that Electron patches (check with `grep -l "filename" patches/chromium/*.patch`):
-
-1. Edit the file in the Chromium source tree (e.g., `/src/chrome/browser/...`)
-2. Create a fixup commit targeting the original patch commit:
-    ```bash
-    cd ..  # to chromium repo
-    git add <modified-file>
-    git commit --fixup=<original-patch-commit-hash>
-    GIT_SEQUENCE_EDITOR=: git rebase --autosquash --autostash -i <commit>^
-    ```
-3. Export the updated patch: `e patches chromium`
-4. Commit the updated patch file following `references/phase-one-commit-guidelines.md`.
-
-To find the original patch commit to fixup: `git log --oneline | grep -i "keyword from patch name"`
-
-The base commit for rebase is the Chromium commit before patches were applied. Find it by checking the `refs/patches/upstream-head` ref.
-
-### B. Electron Code Fixes (for files in shell/, electron/, etc.)
-
-When the error is in Electron's own source code:
-
-1. Edit files directly in the electron repo
-2. Commit directly (no patch export needed)
-
-# Critical: Read Before Committing
-
-- Before ANY Phase One commits: Read `references/phase-one-commit-guidelines.md`
-- Before ANY Phase Two commits: Read `references/phase-two-commit-guidelines.md`
-
-# Skill Directory Structure
-This skill has additional reference files in `references/`:
-- patch-analysis.md - How to analyze patch failures
-- phase-one-commit-guidelines.md - Commit format for Phase One
-- phase-two-commit-guidelines.md - Commit format for Phase Two
-
-Read these when referenced in the workflow steps.

.claude/skills/electron-chromium-upgrade/references/patch-analysis.md

@@ -1,119 +0,0 @@
-# Analyzing Patch Failures
-
-## Investigation Steps
-
-1. **Read the patch file** at `patches/{target}/{patch_name}.patch`
-
-2. **Examine current state** of the file in Chromium at mentioned line numbers
-
-3. **Check recent upstream changes:**
-   ```bash
-   cd ..  # or relevant target repo
-   git log --oneline -10 -- {file}
-   ```
-
-4. **Find Chromium CL** in commit messages:
-   ```
-   Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/{CL_NUMBER}
-   ```
-
-## Critical: Resolve by Intent, Not by Mechanical Merge
-
-When resolving a patch conflict, do NOT blindly preserve the patch's old code. Instead:
-
-1. **Understand the upstream CL's full scope** — not just the conflicting hunk.
-   Run `git show <commit> --stat` and read diffs for all affected files.
-   Upstream may have removed structs, members, or methods that the patch
-   references in other hunks or files.
-
-2. **Re-read the patch commit message** to understand its *intent* — what
-   behavior does it need to preserve or add?
-
-3. **Implement the intent against the new upstream code.** If the patch's
-   purpose is "add a feature flag guard", add only the guard — don't also
-   restore old code inside the guard that upstream separately removed.
-
-### Lesson: Upstream Removals Break Patch References
-
-- **Trigger:** Patch conflict involves an upstream refactor (not just context drift)
-- **Strategy:** After identifying the upstream CL, check its full diff for
-  removed types, members, and methods. If the patch's old code references
-  something removed, the resolution must use the new upstream mechanism.
-- **Evidence:** An upstream CL removed a `HeadlessModeWindow` struct from a
-  header, but the conflict was only in a `.mm` file. Mechanically keeping the
-  patch's old line (`headless_mode_window_ = ...`) produced code referencing
-  a nonexistent type — caught only on review, not at patch-apply time.
-
-### Lesson: Separate Patch Purpose from Patch Implementation
-
-- **Trigger:** Conflict between "upstream simplified code" vs "patch has older code"
-- **Strategy:** Identify the *minimal* change the patch needs. If the patch
-  wraps code in a conditional, only add the conditional — don't restore old
-  code that was inside the conditional but was separately cleaned up upstream.
-- **Evidence:** An occlusion patch needed only a feature flag check, but the
-  old patch also contained a version check that upstream intentionally removed.
-  Mechanically preserving the old patch code re-added the removed check.
-
-### Lesson: Finish the Adaptation at Conflict Time
-
-- **Trigger:** A patch conflict involves an upstream API removal or replacement
-- **Strategy:** When resolving the conflict, fully adapt the patch to use the
-  new API in the same commit. Don't remove the old code and leave behind stale
-  references that will "be fixed in Phase Two." Each patch fix commit should be
-  a complete resolution.
-- **Evidence:** A safestorage patch conflicted because Chromium removed Keychain V1.
-  The conflict was resolved by removing V1 hunks, but the remaining code still
-  called V1 methods (`FindGenericPassword` with 3 args, `ItemDelete` with
-  `SecKeychainItemRef`). These should have been adapted to V2 APIs in the same
-  commit, not deferred.
-
-## Common Failure Patterns
-
-| Pattern | Cause | Solution |
-|---------|-------|----------|
-| Context lines don't match | Surrounding code changed | Update context in patch |
-| File not found | File renamed/moved | Update patch target path |
-| Function not found | Refactored upstream | Find new function name |
-| `DCHECK` → `CHECK_IS_TEST` | Macro change | Update to new macro |
-| Deleted code | Feature removed | Verify patch still needed |
-
-## Using Git Blame
-
-To find the CL that changed specific lines:
-
-```bash
-cd ..
-git blame -L {start},{end} -- {file}
-git log -1 {commit_sha}  # Look for Reviewed-on: line
-```
-
-## Verifying Patch Necessity
-
-Before deleting a patch, verify:
-1. The patched functionality was intentionally removed upstream
-2. Electron doesn't need the patch for other reasons
-3. No other code depends on the patched behavior
-
-When in doubt, keep the patch and adapt it.
-
-## Phase Two: Build-Time Patch Issues
-
-Sometimes patches that applied successfully in Phase One cause build errors in Phase Two. This can happen when:
-
-1. **Incomplete types**: A patch disables a header include, but new upstream code uses the type
-2. **Missing members**: A patch modifies a class, but upstream added new code referencing the original
-
-### Finding Which Patch Affects a File
-
-```bash
-grep -l "filename.cc" patches/chromium/*.patch
-```
-
-Matching Existing Patch Patterns
-
-When fixing build errors in patched files, examine the existing patch to understand its style:
-- Does it use #if 0 / #endif guards?
-- Does it use #if BUILDFLAG(...) conditionals?
-- What's the pattern for disabled functionality?
-
-Apply fixes consistent with the existing patch style.

.claude/skills/electron-chromium-upgrade/references/phase-one-commit-guidelines.md

@@ -1,102 +0,0 @@
-# Phase One Commit Guidelines
-
-Only follow these instructions if there are uncommitted changes to `patches/` after Phase One succeeds.
-
-Ignore other instructions about making commit messages, our guidelines are CRITICALLY IMPORTANT and must be followed.
-
-## Each Commit Must Be Complete
-
-When resolving a patch conflict, fully adapt the patch to the new upstream code in the same commit. If the upstream change removes an API the patch uses, update the patch to use the replacement API now — don't leave stale references knowing they'll need fixing later. The goal is that each commit represents a finished resolution, not a partial one that defers known work to a future phase.
-
-## Commit Message Style
-
-**Titles** follow the 60/80-character guideline: simple changes fit within 60 characters, otherwise the limit is 80 characters.
-
-Always include a `Co-Authored-By` trailer identifying the AI model that assisted (e.g., `Co-Authored-By: <AI model attribution>`).
-
-### Patch conflict fixes
-
-Use `fix(patch):` prefix. The title should name the upstream change, not your response to it:
-
-```
-fix(patch): {topic headline}
-
-Ref: {Chromium CL link}
-
-Co-Authored-By: <AI model attribution>
-```
-
-Only add a description body if it provides clarity beyond the title. For straightforward context drift or simple API renames, the title + Ref is sufficient.
-
-Examples:
-- `fix(patch): constant moved to header`
-- `fix(patch): headless mode refactor upstream`
-- `fix(patch): V1 Keychain removal`
-
-### Upstreamed patch removal
-
-When patches are no longer needed (applied cleanly with "already applied" or confirmed upstreamed), group ALL removals into a single commit:
-
-```
-chore: remove upstreamed patch
-```
-
-or (if multiple):
-
-```
-chore: remove upstreamed patches
-```
-
-If the patch file did NOT contain a `Reviewed-on: https://chromium-review.googlesource.com/c/chromium/...` link, add a `Ref:` in the commit. If it did (i.e. cherry-picks), no `Ref:` is needed.
-
-### Trivial patch updates
-
-After all fix commits, stage remaining trivial changes (index, line numbers, context only):
-
-```bash
-git add patches
-git commit -m "chore: update patches (trivial only)"
-```
-
-**Conflict resolution can produce trivial results.** A `git am` conflict doesn't always mean the patch content changed — context drift alone can cause a conflict. After resolving and exporting, inspect the patch diff: if only index hashes, line numbers, and context lines changed (not the patch's own `+`/`-` lines), it's trivial and belongs here, not in a `fix(patch):` commit.
-
-## Atomic Commits
-
-Each patch conflict fix gets its own commit with its own Ref.
-
-IMPORTANT: Try really hard to find the CL reference per the instructions below. Each change you made should in theory have been in response to a change made in Chromium that you identified or can identify. Try for a while to identify and include the ref in the commit message. Do not give up easily.
-
-## Finding CL References
-
-Use `git log` or `git blame` on Chromium source files. Look for:
-
-```
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/XXXXXXX
-```
-
-If no CL found after searching: `Ref: Unable to locate CL`
-
-## Example Commits
-
-### Patch conflict fix (simple — title is sufficient)
-
-```
-fix(patch): constant moved to header
-
-Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7536483
-
-Co-Authored-By: <AI model attribution>
-```
-
-### Patch conflict fix (complex — description adds value)
-
-```
-fix(patch): V1 Keychain removal
-
-Upstream deleted the V1 Keychain API. Removed V1 hunks and adapted
-keychain_password_mac.mm to use KeychainV2 APIs.
-
-Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7540447
-
-Co-Authored-By: <AI model attribution>
-```

.claude/skills/electron-chromium-upgrade/references/phase-two-commit-guidelines.md

@@ -1,84 +0,0 @@
-# Phase Two Commit Guidelines
-
-Only follow these instructions if there are uncommitted changes in the Electron repo after any fixes are made during Phase Two that result a target that was failing, successfully building.
-
-Ignore other instructions about making commit messages, our guidelines are CRITICALLY IMPORTANT and must be followed.
-
-## Commit Message Style
-
-**Titles** follow the 60/80-character guideline: simple changes fit within 60 characters, otherwise the limit is 80 characters. Exception: upstream Chromium CL titles are used verbatim even if longer.
-
-Always include a `Co-Authored-By` trailer identifying the AI model that assisted (e.g., `Co-Authored-By: <AI model attribution>`).
-
-## Two Commit Types
-
-### For Electron Source Changes (shell/, electron/, etc.)
-
-```
-{CL-Number}: {upstream CL's original title}
-
-Ref: {Chromium CL link}
-
-Co-Authored-By: <AI model attribution>
-```
-
-Use the **upstream CL's original commit title** — do not paraphrase or rewrite it. To find it: `git log -1 --format=%s <chromium-commit-hash>`.
-
-Only add a description body if it provides clarity beyond what the title already says (e.g., when Electron's adaptation is non-obvious). For simple renames, method additions, or straightforward API updates, the title + Ref link is sufficient.
-
-Each change should have its own commit and its own Ref. Logically group into commits that make sense rather than one giant commit. You may include multiple "Ref" links if required.
-
-For a CL link in the format `https://chromium-review.googlesource.com/c/chromium/src/+/2958369` the "CL-Number" is `2958369`.
-
-IMPORTANT: Try really hard to find the CL reference. Each change you made should in theory have been in response to a change in Chromium. Do not give up easily.
-
-### For Patch Updates (patches/chromium/*.patch)
-
-Use the same fixup workflow as Phase One and follow `references/phase-one-commit-guidelines.md` for the commit message format (`fix(patch):` prefix, topic style).
-
-## Dependent Patch Header Updates
-
-After any patch modification, check for other affected patches:
-
-```bash
-git status
-# If other .patch files show as modified with only index, line number, and context changes:
-git add patches/
-git commit -m "chore: update patches (trivial only)"
-```
-
-## Finding CL References
-
-Use git log or git blame on Chromium source files. Look for:
-
-```
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/XXXXXXX
-```
-
-If no CL found after searching: `Ref: Unable to locate CL`
-
-## Example Commits
-
-### Electron Source Fix (simple — title is self-explanatory)
-
-```
-7535923: Rename ozone buildflags
-
-Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7535923
-
-Co-Authored-By: <AI model attribution>
-```
-
-### Electron Source Fix (complex — description adds value)
-
-```
-7534194: Convert some functions in ui::Clipboard to async
-
-Adapted ExtractCustomPlatformNames calls to use RunLoop pattern
-consistent with existing ReadImage implementation, since upstream
-converted the API from synchronous return to callback-based.
-
-Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7534194
-
-Co-Authored-By: <AI model attribution>
-```

.claude/skills/electron-node-upgrade/SKILL.md

@@ -1,323 +0,0 @@
----
-name: electron-node-upgrade
-description: Guide for performing Node.js version upgrades in the Electron project. Use when working on the roller/node/main branch to fix patch conflicts during `e sync --3`. Covers the patch application workflow, conflict resolution, analyzing upstream Node.js changes, building, running the Node.js test suite, and proper commit formatting for patch fixes.
----
-
-# Electron Node.js Upgrade: Phase One
-
-## Summary
-
-Run `e sync --3` repeatedly, fixing patch conflicts as they arise, until it succeeds. Then export patches and commit changes atomically.
-
-## Success Criteria
-
-Phase One is complete when:
-- `e sync --3` exits with code 0 (no patch failures)
-- All changes are committed per the commit guidelines
-
-Do not stop until these criteria are met.
-
-**CRITICAL** Do not delete or skip patches unless 100% certain the patch is no longer needed. For major version upgrades, patches that shim deprecated V8 APIs or backport upstream changes are often deletable because the new Node.js version already incorporates them — but verify before removing. Complicated conflicts or hard to resolve issues should be presented to the user after you have exhausted all other options. Do not delete the patch just because you can't solve it.
-
-**CRITICAL** Never use `git am --skip` and then manually recreate a patch by making a new commit. This destroys the original patch's authorship, commit message, and position in the series. If `git am --continue` reports "No changes", investigate why — the changes were likely absorbed by a prior conflict resolution's 3-way merge. Present this situation to the user rather than skipping and recreating.
-
-## Context
-
-The `roller/node/main` branch is created by automation to update Electron's Node.js dependency version in `DEPS`. No work has been done to handle breaking changes between the old and new versions.
-
-There are two types of Node.js version updates:
-- **Bumps** (patch/minor): Automated by `electron-roller[bot]` with commit title `chore: bump node to v{version}`. Trivial patch index updates are handled automatically by `patchup[bot]`. These often land cleanly, but may require manual patch fixes.
-- **Major upgrades** (e.g., v22 → v24): Manual, large PRs with commit title `chore: upgrade Node.js to v{X}.{Y}.{Z}`. These typically involve deleting obsolete patches, adapting many others, and updating `@types/node` in `package.json`.
-
-**Key directories:**
-- Current directory: Electron repo (always run `e` commands here)
-- `../third_party/electron_node`: Node.js repo (where patches apply)
-- `patches/node/`: Patch files for Node.js
-- `docs/development/patches.md`: Patch system documentation
-
-## Pre-flight Checks
-
-Run these once at the start of each upgrade session:
-
-1. **Clear rerere cache** (if enabled): `git rerere clear` in both the electron and `../third_party/electron_node` repos. Stale recorded resolutions from a prior attempt can silently apply wrong merges.
-2. **Ensure pre-commit hooks are installed**: Check that `.git/hooks/pre-commit` exists. If not, run `yarn husky` to install it. The hook runs `lint-staged` which handles clang-format for C++ files.
-
-## Workflow
-
-1. Run `e sync --3` (the `--3` flag enables 3-way merge, always required)
-2. If succeeds → skip to step 5
-3. If patch fails:
-   - Identify target repo and patch from error output
-   - Analyze failure (see references/patch-analysis.md)
-   - Fix conflict in `../third_party/electron_node` working directory
-   - Run `git am --continue` in `../third_party/electron_node`
-   - Repeat until all patches for that repo apply
-   - IMPORTANT: Once `git am --continue` succeeds you MUST run `e patches node` to export fixes
-   - Return to step 1
-4. When `e sync --3` succeeds, run `e patches all`
-5. **Read `references/phase-one-commit-guidelines.md` NOW**, then commit changes following those instructions exactly.
-
-## Commands Reference
-
-| Command | Purpose |
-|---------|---------|
-| `e sync --3` | Clone deps and apply patches with 3-way merge |
-| `git am --continue` | Continue after resolving conflict (run in node repo) |
-| `e patches node` | Export commits from node repo to patch files |
-| `e patches all` | Export all patches from all targets |
-| `e patches node --commit-updates` | Export patches and auto-commit trivial changes |
-| `e patches --list-targets` | List targets and config paths |
-
-## Patch System Mental Model
-
-```
-patches/node/*.patch  →  [e sync --3]  →  ../third_party/electron_node commits
-                      ←  [e patches]   ←
-```
-
-## When to Edit Patches
-
-| Situation | Action |
-|-----------|--------|
-| During active `git am` conflict | Fix in node repo, then `git am --continue` |
-| Modifying patch outside conflict | Edit `.patch` file directly |
-| Creating new patch (rare, avoid) | Commit in node repo, then `e patches node` |
-
-Fix existing patches 99% of the time rather than creating new ones.
-
-## Patch Fixing Rules
-
-1. **Preserve authorship**: Keep original author in TODO comments (from patch `From:` field)
-2. **Never change TODO assignees**: `TODO(name)` must retain original name
-3. **Update descriptions**: If upstream changed APIs or macros, update patch commit message to reflect current state
-4. **Never skip-and-recreate a patch**: If `git am --continue` says "No changes — did you forget to use 'git add'?", do NOT run `git am --skip` and create a replacement commit. The patch's changes were already absorbed by a prior 3-way merge resolution. This means an earlier conflict resolution pulled in too many changes. Present the situation to the user for guidance — the correct fix may require re-doing an earlier resolution more carefully to keep each patch's changes separate.
-
-# Electron Node.js Upgrade: Phase Two
-
-## Summary
-
-Run `e build -k 999 -- --quiet` repeatedly, fixing build issues as they arise, until it succeeds. Then run `e start --version` to validate Electron launches and commit changes atomically.
-
-Run Phase Two immediately after Phase One is complete.
-
-## Success Criteria
-
-Phase Two is complete when:
-- `e build -k 999 -- --quiet` exits with code 0 (no build failures)
-- `e start --version` has been run to check Electron launches
-- All changes are committed per the commit guidelines
-
-Do not stop until these criteria are met. Do not delete code or features, never comment out code in order to take short cut. Make all existing code, logic and intention work.
-
-## Context
-
-The `roller/node/main` branch is created by automation to update Electron's Node.js dependency version in `DEPS`. No work has been done to handle breaking changes between the old and new versions. Node.js APIs (especially internal V8 integration, OpenSSL/BoringSSL compatibility, and build system files) frequently change between versions. In every case the code in Electron must be updated to account for the change in Node.js, strongly avoid making changes to the code in Node.js to fix Electron's build.
-
-**Key directories:**
-- Current directory: Electron repo (always run `e` commands here)
-- `../third_party/electron_node`: Node.js repo (do not touch this code to fix build issues, just read it to obtain context)
-
-## Workflow
-
-1. Run `e build -k 999 -- --quiet` (the `--quiet` flag suppresses per-target status lines, showing only errors and the final result)
-2. If succeeds → skip to step 6
-3. If build fails:
-    - Identify underlying file in "electron" from the compilation error message
-    - Analyze failure
-    - Fix build issue by adapting Electron's code for the change in Node.js
-    - Run `e build -t {target_that_failed}.o` to build just the failed target we were specifically fixing
-        - You can identify the target_that_failed from the failure line in the build log. E.g. `FAILED: 2e506007-8d5d-4f38-bdd1-b5cd77999a77 "./obj/electron/shell/browser/api/electron_api_utility_process.o" CXX obj/electron/shell/browser/api/electron_api_utility_process.o` the target name is `obj/electron/shell/browser/api/electron_api_utility_process.o`
-    - **Read `references/phase-two-commit-guidelines.md` NOW**, then commit changes following those instructions exactly.
-    - Return to step 1
-4. **CRITICAL**: After ANY commit (especially patch commits), immediately run `git status` in the electron repo
-    - Look for other modified `.patch` files that only have index/hunk header changes
-    - These are dependent patches affected by your fix
-    - Commit them immediately with: `git commit -am "chore: update patches (trivial only)"`
-5. Return to step 1
-6. When `e build` succeeds, run `e start --version`
-7. Check if you have any pending changes in the Node.js repo by running `git status` in `../third_party/electron_node`
-    - If you have changes follow the instructions below in "A. Patch Fixes" to correctly commit those modifications into the appropriate patch file
-
-## Commands Reference
-
-| Command | Purpose |
-|---------|---------|
-| `e build -k 999 -- --quiet` | Build Electron, continue on errors, suppress status lines |
-| `e build -t {target}.o` | Build just one specific target to verify a fix |
-| `e start --version` | Validate Electron launches after successful build |
-
-## Two Types of Build Fixes
-
-### A. Patch Fixes (for files in patched Node.js files)
-
-When the error is in a file that Electron patches (check with `grep -l "filename" patches/node/*.patch`):
-
-1. Edit the file in the Node.js source tree (`../third_party/electron_node/...`)
-2. Create a fixup commit targeting the original patch commit:
-    ```bash
-    cd ../third_party/electron_node
-    git add <modified-file>
-    git commit --fixup=<original-patch-commit-hash>
-    GIT_SEQUENCE_EDITOR=: git rebase --autosquash --autostash -i <commit>^
-    ```
-3. Export the updated patch: `e patches node`
-4. Commit the updated patch file following `references/phase-one-commit-guidelines.md`.
-
-To find the original patch commit to fixup: `git log --oneline | grep -i "keyword from patch name"`
-
-The base commit for rebase is the Node.js commit before patches were applied. Find it by checking the `refs/patches/upstream-head` ref.
-
-### B. Electron Code Fixes (for files in shell/, electron/, etc.)
-
-When the error is in Electron's own source code:
-
-1. Edit files directly in the electron repo
-2. Commit directly (no patch export needed)
-
-# Electron Node.js Upgrade: Phase Three
-
-## Summary
-
-Run the Node.js test suite via `script/node-spec-runner.js`, fix failing tests, and commit fixes until all tests pass. Certain tests are permanently disabled (listed in `script/node-disabled-tests.json`) and should not be run.
-
-Run Phase Three immediately after Phase Two is complete.
-
-## Success Criteria
-
-Phase Three is complete when:
-- `node script/node-spec-runner.js --default` exits with zero failures
-- All changes are committed per the commit guidelines
-
-Do not stop until these criteria are met.
-
-## Context
-
-Electron runs a subset of Node.js's upstream test suite using a custom runner (`script/node-spec-runner.js`). Tests are executed with the built Electron binary via `ELECTRON_RUN_AS_NODE=true`. Many tests need adaptation because Electron uses BoringSSL (not OpenSSL) and Chromium's V8 (which may differ from Node.js's bundled V8).
-
-**Key files:**
-- `script/node-spec-runner.js` — Test runner script
-- `script/node-disabled-tests.json` — Permanently disabled tests (do not try to fix these)
-- `../third_party/electron_node/test/` — Node.js test files (where patches apply)
-- `patches/node/fix_crypto_tests_to_run_with_bssl.patch` — BoringSSL crypto test adaptations
-- `patches/node/test_formally_mark_some_tests_as_flaky.patch` — Flaky test list
-
-## Workflow
-
-1. Run `node script/node-spec-runner.js --default` from the electron repo
-2. If all tests pass → Phase Three is complete
-3. If tests fail:
-    - Identify the failing test file(s) from the output
-    - Analyze each failure (see "Common Failure Patterns" below)
-    - Fix the test in `../third_party/electron_node/test/...`
-    - Re-run the specific failing test to verify: `node script/node-spec-runner.js {test-path}`
-        - The test path is relative to the node `test/` directory, e.g. `test/parallel/test-crypto-key-objects-raw.js`
-        - Do NOT use `--default` when running specific tests — it adds the full suite flags
-        - Do NOT run tests directly with `ELECTRON_RUN_AS_NODE` — the runner handles environment setup (e.g. temporarily switching `package.json` from ESM to CommonJS)
-    - Commit the fix using the fixup workflow and commit guidelines
-    - Return to step 1
-
-## Commands Reference
-
-| Command | Purpose |
-|---------|---------|
-| `node script/node-spec-runner.js --default` | Run full Node.js test suite |
-| `node script/node-spec-runner.js test/parallel/test-foo.js` | Run a single test |
-| `NODE_REGENERATE_SNAPSHOTS=1 node script/node-spec-runner.js test/test-runner/test-foo.mjs` | Regenerate snapshot for a snapshot-based test |
-
-## Common Failure Patterns
-
-### BoringSSL incompatibilities
-
-Electron uses BoringSSL (via Chromium) instead of OpenSSL. Many crypto features are missing or behave differently:
-
-| Unsupported in BoringSSL | Guard pattern |
-|--------------------------|---------------|
-| ChaCha20-Poly1305 | `if (!process.features.openssl_is_boringssl)` |
-| AES-CCM (aes-128-ccm, aes-256-ccm) | `if (ciphers.includes('aes-128-ccm'))` |
-| AES-KW (key wrapping) | `if (!process.features.openssl_is_boringssl)` |
-| DSA keys | `if (!process.features.openssl_is_boringssl)` |
-| Ed448 / X448 curves | `if (!process.features.openssl_is_boringssl)` |
-| DH key PEM loading | `if (!process.features.openssl_is_boringssl)` |
-| PQC algorithms (ML-KEM, ML-DSA, SLH-DSA) | `if (hasOpenSSL(3, 5))` (already guards these) |
-
-When guarding tests, prefer checking cipher availability (`ciphers.includes(algo)`) over blanket BoringSSL checks where possible, as it's more precise and self-documenting.
-
-New upstream tests that exercise these features will need guards added to the `fix_crypto_tests_to_run_with_bssl` patch.
-
-### Snapshot test mismatches
-
-Some tests compare output against committed `.snapshot` files using `assert.strictEqual` — these are NOT wildcard comparisons. When Chromium's V8 produces different output (e.g. different stack traces due to V8 enhancements), the snapshot must be regenerated:
-
-```bash
-NODE_REGENERATE_SNAPSHOTS=1 node script/node-spec-runner.js test/test-runner/test-foo.mjs
-```
-
-Then inspect the diff to verify the changes are expected, and commit the updated snapshot into the appropriate patch.
-
-### V8 behavioral differences
-
-Chromium's V8 may be ahead of Node.js's bundled V8. This can cause:
-- Different stack trace formats (e.g. thenable async stack frames)
-- Different error messages
-- Features available in Chromium V8 that aren't in stock Node.js V8 (or vice versa)
-
-## Two Types of Test Fixes
-
-### A. Patch Fixes (most common for test failures)
-
-Most test fixes go into existing patches in `patches/node/`. Use the fixup workflow:
-
-1. Edit the test file in `../third_party/electron_node/test/...`
-2. Find the relevant patch commit: `git log --oneline | grep -i "keyword"`
-    - Crypto/BoringSSL tests → `fix crypto tests to run with bssl`
-    - Snapshot tests → the specific snapshot patch (e.g. `test: accomodate V8 thenable`)
-    - Flaky tests → `test: formally mark some tests as flaky`
-3. Create a fixup commit:
-    ```bash
-    cd ../third_party/electron_node
-    git add test/path/to/test.js
-    git commit --fixup=<patch-commit-hash>
-    GIT_SEQUENCE_EDITOR=: git rebase --autosquash --autostash -i <commit>^
-    ```
-4. Export: `e patches node`
-5. **Read `references/phase-three-commit-guidelines.md` NOW**, then commit the updated patch file.
-
-### B. New Patches (rare)
-
-Only create a new patch when the fix doesn't belong in any existing patch. The new patch commit in `../third_party/electron_node` must include a description explaining why the patch exists and when it can be removed — the lint check enforces this.
-
-## Adding to Disabled Tests
-
-Only add a test to `script/node-disabled-tests.json` as a **last resort** — when the test is fundamentally incompatible with Electron's architecture (not just a BoringSSL difference that can be guarded). Tests disabled here are completely skipped and never run.
-
-# Critical: Read Before Committing
-
-- Before ANY Phase One commits: Read `references/phase-one-commit-guidelines.md`
-- Before ANY Phase Two commits: Read `references/phase-two-commit-guidelines.md`
-- Before ANY Phase Three commits: Read `references/phase-three-commit-guidelines.md`
-
-# High-Churn Patches
-
-These patches consistently require the most work during Node.js upgrades:
-
-- **`fix_handle_boringssl_and_openssl_incompatibilities.patch`** — Electron uses BoringSSL (via Chromium) while Node.js expects OpenSSL. This patch is large and complex, and upstream OpenSSL API changes frequently break it.
-- **`fix_crypto_tests_to_run_with_bssl.patch`** — Companion to the above; adapts Node.js crypto tests for BoringSSL. Can grow significantly during major upgrades.
-- **`support_v8_sandboxed_pointers.patch`** — V8 sandbox pointer support requires careful adaptation when V8 APIs change.
-- **`build_add_gn_build_files.patch`** — The GN build file patch is large and touches many build targets. Upstream build system changes frequently conflict.
-
-# Major Version Upgrades
-
-Major Node.js version transitions (e.g., v22 → v24) are significantly more involved than patch bumps:
-
-1. **Expect patch deletions.** Electron uses Chromium's V8, which is often ahead of the V8 version bundled in Node.js. Many patches exist to bridge this gap — shimming newer V8 APIs that Chromium's V8 has but Node.js' older V8 doesn't. When Node.js bumps to a newer major version, its V8 catches up to Chromium's, and those bridge patches can be deleted. In the v22 → v24 upgrade, 17 patches were deleted for this reason.
-2. **Update `@types/node`** in `package.json` to match the new major version.
-3. **Post-upgrade regressions are expected.** Even after the upgrade lands, follow-up fix PRs for edge cases (ESM path handling, certificate loading, platform-specific issues) are normal.
-
-# Skill Directory Structure
-This skill has additional reference files in `references/`:
-- patch-analysis.md - How to analyze patch failures
-- phase-one-commit-guidelines.md - Commit format for Phase One
-- phase-two-commit-guidelines.md - Commit format for Phase Two
-- phase-three-commit-guidelines.md - Commit format for Phase Three
-
-Read these when referenced in the workflow steps.

.claude/skills/electron-node-upgrade/references/patch-analysis.md

@@ -1,112 +0,0 @@
-# Analyzing Patch Failures
-
-## Investigation Steps
-
-1. **Read the patch file** at `patches/node/{patch_name}.patch`
-
-2. **Examine current state** of the file in the Node.js repo at mentioned line numbers
-
-3. **Check recent upstream changes:**
-   ```bash
-   cd ../third_party/electron_node
-   git log --oneline -10 -- {file}
-   ```
-
-4. **Find Node.js PR** in commit messages:
-   ```
-   PR-URL: https://github.com/nodejs/node/pull/{PR_NUMBER}
-   ```
-
-## Critical: Resolve by Intent, Not by Mechanical Merge
-
-When resolving a patch conflict, do NOT blindly preserve the patch's old code. Instead:
-
-1. **Understand the upstream commit's full scope** — not just the conflicting hunk.
-   Run `git show <commit> --stat` and read diffs for all affected files.
-   Upstream may have removed structs, members, or methods that the patch
-   references in other hunks or files.
-
-2. **Re-read the patch commit message** to understand its *intent* — what
-   behavior does it need to preserve or add?
-
-3. **Implement the intent against the new upstream code.** If the patch's
-   purpose is "add BoringSSL compatibility", add only the compatibility
-   layer — don't also restore old code that upstream separately removed.
-
-### Lesson: Upstream Removals Break Patch References
-
-- **Trigger:** Patch conflict involves an upstream refactor (not just context drift)
-- **Strategy:** After identifying the upstream commit, check its full diff for
-  removed types, members, and methods. If the patch's old code references
-  something removed, the resolution must use the new upstream mechanism.
-
-### Lesson: Separate Patch Purpose from Patch Implementation
-
-- **Trigger:** Conflict between "upstream simplified code" vs "patch has older code"
-- **Strategy:** Identify the *minimal* change the patch needs. If the patch
-  wraps code in a conditional, only add the conditional — don't restore old
-  code that was inside the conditional but was separately cleaned up upstream.
-
-### Lesson: Finish the Adaptation at Conflict Time
-
-- **Trigger:** A patch conflict involves an upstream API removal or replacement
-- **Strategy:** When resolving the conflict, fully adapt the patch to use the
-  new API in the same commit. Don't remove the old code and leave behind stale
-  references that will "be fixed in Phase Two." Each patch fix commit should be
-  a complete resolution.
-
-## Common Failure Patterns
-
-| Pattern | Cause | Solution |
-|---------|-------|----------|
-| Context lines don't match | Surrounding code changed | Update context in patch |
-| File not found | File renamed/moved | Update patch target path |
-| Function not found | Refactored upstream | Find new function name |
-| OpenSSL → BoringSSL mismatch | Crypto API change | Update to BoringSSL-compatible API |
-| GYP/GN build change | Build system refactor | Adapt build patch to new structure |
-| Deleted code | Feature removed | Verify patch still needed |
-| V8 API bridge patch conflicts | Node.js caught up to Chromium's V8 | Patch may be deletable — verify the API is now in Node.js' V8 natively |
-
-## Using Git Blame
-
-To find the commit that changed specific lines:
-
-```bash
-cd ../third_party/electron_node
-git blame -L {start},{end} -- {file}
-git log -1 {commit_sha}  # Look for PR-URL: line
-```
-
-## Verifying Patch Necessity
-
-Before deleting a patch, verify:
-1. The patched functionality was intentionally removed upstream
-2. Electron doesn't need the patch for other reasons
-3. No other code depends on the patched behavior
-
-**V8 bridge patches:** Electron uses Chromium's V8, which is often ahead of the V8 bundled in Node.js. Many patches exist to bridge this version gap — adapting Node.js code to work with newer V8 APIs that Chromium's V8 exposes. During major Node.js upgrades, Node.js' V8 catches up to Chromium's, and these bridge patches often become unnecessary. Check whether the API the patch shims is now available natively in the new Node.js version's V8.
-
-When in doubt, keep the patch and adapt it.
-
-## Phase Two: Build-Time Patch Issues
-
-Sometimes patches that applied successfully in Phase One cause build errors in Phase Two. This can happen when:
-
-1. **Incomplete types**: A patch disables a header include, but new upstream code uses the type
-2. **Missing members**: A patch modifies a class, but upstream added new code referencing the original
-
-### Finding Which Patch Affects a File
-
-```bash
-grep -l "filename.cc" patches/node/*.patch
-```
-
-### Matching Existing Patch Patterns
-
-When fixing build errors in patched files, examine the existing patch to understand its style:
-- Does it use `#if 0` / `#endif` guards?
-- Does it use `#if BUILDFLAG(...)` conditionals?
-- Does it use `#ifndef` / `#ifdef` guards for BoringSSL vs OpenSSL?
-- What's the pattern for disabled functionality?
-
-Apply fixes consistent with the existing patch style.

.claude/skills/electron-node-upgrade/references/phase-one-commit-guidelines.md

@@ -1,111 +0,0 @@
-# Phase One Commit Guidelines
-
-Only follow these instructions if there are uncommitted changes to `patches/` after Phase One succeeds.
-
-Ignore other instructions about making commit messages, our guidelines are CRITICALLY IMPORTANT and must be followed.
-
-## Each Commit Must Be Complete
-
-When resolving a patch conflict, fully adapt the patch to the new upstream code in the same commit. If the upstream change removes an API the patch uses, update the patch to use the replacement API now — don't leave stale references knowing they'll need fixing later. The goal is that each commit represents a finished resolution, not a partial one that defers known work to a future phase.
-
-## Commit Message Style
-
-**Titles** follow the 60/80-character guideline: simple changes fit within 60 characters, otherwise the limit is 80 characters.
-
-Always include a `Co-Authored-By` trailer identifying the AI model that assisted (e.g., `Co-Authored-By: <AI model attribution>`).
-
-### Patch conflict fixes
-
-Use `fix(patch):` prefix. The title should name the upstream change, not your response to it:
-
-```
-fix(patch): {topic headline}
-
-Ref: {Node.js commit or issue link}
-
-Co-Authored-By: <AI model attribution>
-```
-
-Only add a description body if it provides clarity beyond the title. For straightforward context drift or simple API renames, the title + Ref is sufficient.
-
-Examples:
-- `fix(patch): stop using v8::PropertyCallbackInfo<T>::This()`
-- `fix(patch): BoringSSL and OpenSSL incompatibilities`
-- `fix(patch): refactor module_wrap.cc FixedArray::Get params`
-
-### Upstreamed patch removal
-
-When patches are no longer needed (applied cleanly with "already applied" or confirmed upstreamed), group ALL removals into a single commit:
-
-```
-chore: remove upstreamed patch
-```
-
-or (if multiple):
-
-```
-chore: remove upstreamed patches
-```
-
-Most Node.js patches in Electron are Electron-authored (no upstream `PR-URL:`). If the patch originated from an upstream Node.js PR, no extra `Ref:` is needed. Otherwise, add a `Ref:` pointing to the relevant Node.js issue or commit if one exists.
-
-### Trivial patch updates
-
-After all fix commits, stage remaining trivial changes (index, line numbers, context only):
-
-```bash
-git add patches
-git commit -m "chore: update patches (trivial only)"
-```
-
-**Conflict resolution can produce trivial results.** A `git am` conflict doesn't always mean the patch content changed — context drift alone can cause a conflict. After resolving and exporting, inspect the patch diff: if only index hashes, line numbers, and context lines changed (not the patch's own `+`/`-` lines), it's trivial and belongs here, not in a `fix(patch):` commit.
-
-## Atomic Commits
-
-Each patch conflict fix gets its own commit with its own Ref.
-
-IMPORTANT: Try really hard to find the PR or commit reference per the instructions below. Each change you made should in theory have been in response to a change made in Node.js that you identified or can identify. Try for a while to identify and include the ref in the commit message. Do not give up easily.
-
-## Finding Commit/Issue References
-
-Use `git log` or `git blame` on Node.js source files in `../third_party/electron_node`. Look for:
-
-```
-PR-URL: https://github.com/nodejs/node/pull/XXXXX
-```
-
-or issue references in the patch itself:
-
-```
-Refs: https://github.com/nodejs/node/issues/XXXXX
-```
-
-Note: Most Node.js patches in Electron are Electron-authored and won't have upstream references. In that case, check `git log` in the Node.js repo to find which upstream commit caused the conflict.
-
-If no reference found after searching: `Ref: Unable to locate reference`
-
-## Example Commits
-
-### Patch conflict fix (simple — title is sufficient)
-
-```
-fix(patch): stop using v8::PropertyCallbackInfo<T>::This()
-
-Ref: https://github.com/nodejs/node/issues/60616
-
-Co-Authored-By: <AI model attribution>
-```
-
-### Patch conflict fix (complex — description adds value)
-
-```
-fix(patch): BoringSSL and OpenSSL incompatibilities
-
-Upstream updated OpenSSL APIs that diverge from BoringSSL. Adapted
-the compatibility shims in crypto patches to use the BoringSSL
-equivalents.
-
-Ref: Unable to locate reference
-
-Co-Authored-By: <AI model attribution>
-```

.claude/skills/electron-node-upgrade/references/phase-three-commit-guidelines.md

@@ -1,80 +0,0 @@
-# Phase Three Commit Guidelines
-
-Only follow these instructions if there are uncommitted changes after fixing a test failure during Phase Three.
-
-Ignore other instructions about making commit messages, our guidelines are CRITICALLY IMPORTANT and must be followed.
-
-## Commit Message Style
-
-**Titles** follow the 60/80-character guideline: simple changes fit within 60 characters, otherwise the limit is 80 characters.
-
-Always include a `Co-Authored-By` trailer identifying the AI model that assisted (e.g., `Co-Authored-By: <AI model attribution>`).
-
-## Commit Types
-
-### Patch updates (most test fixes)
-
-Test fixes go into existing patches via the fixup workflow. Use `fix(patch):` prefix with a descriptive topic:
-
-```
-fix(patch): {topic headline}
-
-Ref: {Node.js commit or issue link}
-
-Co-Authored-By: <AI model attribution>
-```
-
-Examples:
-- `fix(patch): guard DH key test for BoringSSL`
-- `fix(patch): adapt new crypto tests for BoringSSL`
-- `fix(patch): correct thenable snapshot for Chromium V8`
-- `fix(patch): skip AES-KW tests with BoringSSL`
-
-Group related test fixes into a single commit when they address the same root cause (e.g., multiple crypto tests all needing BoringSSL guards for the same missing cipher). Don't create one commit per test file if they share the same fix pattern.
-
-### Snapshot regeneration
-
-When a snapshot test fails because Chromium's V8 produces different output, regenerate it:
-
-```bash
-NODE_REGENERATE_SNAPSHOTS=1 node script/node-spec-runner.js test/test-runner/test-foo.mjs
-```
-
-Then commit the updated snapshot patch with a title describing what changed:
-
-```
-fix(patch): correct {name} snapshot for Chromium V8
-
-Ref: {V8 CL or issue link if known}
-
-Co-Authored-By: <AI model attribution>
-```
-
-### Trivial patch updates
-
-After any patch modification, check for dependent patches that only have index/hunk header changes:
-
-```bash
-git status
-# If other .patch files show as modified with only trivial changes:
-git add patches/
-git commit -m "chore: update patches (trivial only)"
-```
-
-## Finding References
-
-For BoringSSL-related test fixes, the reference is typically the upstream Node.js PR that added the new test:
-
-```bash
-cd ../third_party/electron_node
-git log --oneline -5 -- test/parallel/test-crypto-foo.js
-git log -1 <commit> --format="%B" | grep "PR-URL"
-```
-
-For V8 behavioral differences, reference the Chromium CL:
-
-```
-Ref: https://chromium-review.googlesource.com/c/v8/v8/+/NNNNNNN
-```
-
-If no reference found after searching: `Ref: Unable to locate reference`

.claude/skills/electron-node-upgrade/references/phase-two-commit-guidelines.md

@@ -1,96 +0,0 @@
-# Phase Two Commit Guidelines
-
-Only follow these instructions if there are uncommitted changes in the Electron repo after any fixes are made during Phase Two that result a target that was failing, successfully building.
-
-Ignore other instructions about making commit messages, our guidelines are CRITICALLY IMPORTANT and must be followed.
-
-## Commit Message Style
-
-**Titles** follow the 60/80-character guideline: simple changes fit within 60 characters, otherwise the limit is 80 characters. Exception: upstream Node.js PR titles are used verbatim even if longer.
-
-Always include a `Co-Authored-By` trailer identifying the AI model that assisted (e.g., `Co-Authored-By: <AI model attribution>`).
-
-## Two Commit Types
-
-### For Electron Source Changes (shell/, electron/, etc.)
-
-When the upstream Node.js commit has a `PR-URL:`:
-
-```
-node#{PR-Number}: {upstream PR's original title}
-
-Ref: {Node.js PR link}
-
-Co-Authored-By: <AI model attribution>
-```
-
-When there is no `PR-URL:` but there is an issue reference or commit:
-
-```
-fix: {description of the adaptation}
-
-Ref: {Node.js issue or commit link}
-
-Co-Authored-By: <AI model attribution>
-```
-
-Use the **upstream commit's original title** when available — do not paraphrase or rewrite it. To find it: check the commit message in `../third_party/electron_node` for `PR-URL:` or `Refs:` lines.
-
-Only add a description body if it provides clarity beyond what the title already says (e.g., when Electron's adaptation is non-obvious). For simple renames, method additions, or straightforward API updates, the title + Ref link is sufficient.
-
-Each change should have its own commit and its own Ref. Logically group into commits that make sense rather than one giant commit. You may include multiple "Ref" links if required.
-
-IMPORTANT: Try really hard to find a reference. Each change you made should in theory have been in response to a change in Node.js. Check `git log` and `git blame` in the Node.js repo. Do not give up easily.
-
-### For Patch Updates (patches/node/*.patch)
-
-Use the same fixup workflow as Phase One and follow `references/phase-one-commit-guidelines.md` for the commit message format (`fix(patch):` prefix, topic style).
-
-## Dependent Patch Header Updates
-
-After any patch modification, check for other affected patches:
-
-```bash
-git status
-# If other .patch files show as modified with only index, line number, and context changes:
-git add patches/
-git commit -m "chore: update patches (trivial only)"
-```
-
-## Finding References
-
-Use `git log` or `git blame` on Node.js source files in `../third_party/electron_node`. Look for:
-
-```
-PR-URL: https://github.com/nodejs/node/pull/XXXXX
-Refs: https://github.com/nodejs/node/issues/XXXXX
-```
-
-Note: Many Node.js patches in Electron are Electron-authored and won't have upstream `PR-URL:` lines. Check the patch's own commit message for `Refs:` lines, or use `git log` in the Node.js repo to find which upstream commit caused the build break.
-
-If no reference found after searching: `Ref: Unable to locate reference`
-
-## Example Commits
-
-### Electron Source Fix (with upstream PR)
-
-```
-node#61898: src: stop using v8::PropertyCallbackInfo<T>::This()
-
-Ref: https://github.com/nodejs/node/pull/61898
-
-Co-Authored-By: <AI model attribution>
-```
-
-### Electron Source Fix (with issue reference, no PR)
-
-```
-fix: adapt to v8::PropertyCallbackInfo<T>::This() removal
-
-Updated NodeBindings to use HolderV2() after upstream Node.js
-stopped using the deprecated This() API.
-
-Ref: https://github.com/nodejs/node/issues/60616
-
-Co-Authored-By: <AI model attribution>
-```

.devcontainer/devcontainer.json

@@ -1,5 +1,4 @@
 {
-	"name": "Electron Core Development Environment",
 	"dockerComposeFile": "docker-compose.yml",
 	"service": "buildtools",
 	"onCreateCommand": ".devcontainer/on-create-command.sh",
@@ -34,15 +33,27 @@
 				"surajbarkale.ninja",
 				"ms-vscode.cpptools",
 				"mutantdino.resourcemonitor",
-				"dsanders11.vscode-electron-build-tools",
-				"oxc.oxc-vscode",
+				"dbaeumer.vscode-eslint",
 				"shakram02.bash-beautify",
-				"marshallofsound.gnls-electron"
+				"marshallofsound.gnls-electron",
 			],
 			"settings": {
 				"editor.tabSize": 2,
 				"bashBeautify.tabSize": 2,
 				"typescript.tsdk": "node_modules/typescript/lib",
+				"[gn]": {
+					"editor.formatOnSave": true
+				},
+				"[javascript]": {
+					"editor.codeActionsOnSave": {
+						"source.fixAll.eslint": true
+					}
+				},
+				"[typescript]": {
+					"editor.codeActionsOnSave": {
+						"source.fixAll.eslint": true
+					}
+				},
 				"javascript.preferences.quoteStyle": "single",
 				"typescript.preferences.quoteStyle": "single"
 			}

.devcontainer/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3'
 
 services:
   buildtools:
-    image: ghcr.io/electron/devcontainer:eac3529546ea8f3aa356d31e345715eef342233b
+    image: ghcr.io/electron/devcontainer:424eedbf277ad9749ffa9219068aa72ed4a5e373
 
     volumes:
       - ..:/workspaces/gclient/src/electron:cached

.devcontainer/on-create-command.sh

@@ -48,8 +48,7 @@ if [ ! -f $buildtools/configs/evm.testing.json ]; then
             \"gen\": {
                 \"args\": [
                     \"import(\\\"//electron/build/args/testing.gn\\\")\",
-                    \"use_remoteexec = true\",
-                    \"use_siso=true\"
+                    \"use_remoteexec = true\"
                 ],
                 \"out\": \"Testing\"
             },
@@ -59,13 +58,13 @@ if [ ! -f $buildtools/configs/evm.testing.json ]; then
             },
             \"\$schema\": \"file:///home/builduser/.electron_build_tools/evm-config.schema.json\",
             \"configValidationLevel\": \"strict\",
-            \"remoteBuild\": \"siso\",
-            \"preserveSDK\": 5
+            \"reclient\": \"$1\",
+            \"preserveXcode\": 5
         }
     " >$buildtools/configs/evm.testing.json
   }
 
-  write_config
+  write_config remote_exec
 
   e use testing 
 else

.eslintrc.json

@@ -0,0 +1,79 @@
+{
+  "root": true,
+  "extends": "standard",
+  "parser": "@typescript-eslint/parser",
+  "plugins": ["@typescript-eslint"],
+  "env": {
+    "browser": true
+  },
+  "rules": {
+    "semi": ["error", "always"],
+    "no-var": "error",
+    "no-unused-vars": "off",
+    "guard-for-in": "error",
+    "@typescript-eslint/no-unused-vars": ["error", {
+      "vars": "all",
+      "args": "after-used",
+      "ignoreRestSiblings": true
+    }],
+    "prefer-const": ["error", {
+      "destructuring": "all"
+    }],
+    "n/no-callback-literal": "off",
+    "import/newline-after-import": "error",
+    "import/order": ["error", {
+      "alphabetize": {
+        "order": "asc"
+      },
+      "newlines-between": "always",
+      "pathGroups": [
+        {
+          "pattern": "@electron/internal/**",
+          "group": "external",
+          "position": "before"
+        },
+        {
+          "pattern": "@electron/**",
+          "group": "external",
+          "position": "before"
+        },
+        {
+          "pattern": "{electron,electron/**}",
+          "group": "external",
+          "position": "before"
+        }
+      ],
+      "pathGroupsExcludedImportTypes": [],
+      "distinctGroup": true,
+      "groups": [
+        "external",
+        "builtin",
+        ["sibling", "parent"],
+        "index",
+        "type"
+      ]
+    }]
+  },
+  "parserOptions": {
+    "ecmaVersion": 6,
+    "sourceType": "module"
+  },
+  "overrides": [
+    {
+      "files": "*.ts",
+      "rules": {
+        "no-undef": "off",
+        "no-redeclare": "off",
+        "@typescript-eslint/no-redeclare": ["error"],
+        "no-use-before-define": "off"
+      }
+    },
+    {
+      "files": "*.d.ts",
+      "rules": {
+        "no-useless-constructor": "off",
+        "@typescript-eslint/no-unused-vars": "off"
+      }
+    }
+  ]
+}

.github/CODEOWNERS

@@ -19,7 +19,6 @@ DEPS                                    @electron/wg-upgrades
 /lib/renderer/security-warnings.ts      @electron/wg-security
 
 # Infra WG
-/.claude/                               @electron/wg-infra
 /.github/actions/                       @electron/wg-infra
 /.github/workflows/*-publish.yml        @electron/wg-infra
 /.github/workflows/build.yml            @electron/wg-infra

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -58,16 +58,6 @@ body:
     label: Last Known Working Electron version
     description: What is the last version of Electron this worked in, if applicable?
     placeholder: 16.0.0
-- type: dropdown
-  attributes:
-    label: Does the issue also appear in Chromium / Google Chrome?
-    description: If it does, please report the issue in the [Chromium issue tracker](https://issues.chromium.org/issues), not against Electron. Electron will inherit the fix once Chromium resolves the issue.
-    options:
-      - I don't know how to test
-      - "Yes"
-      - "No"
-  validations:
-    required: true
 - type: textarea
   attributes:
     label: Expected Behavior
@@ -83,7 +73,7 @@ body:
 - type: input
   attributes:
     label: Testcase Gist URL
-    description: Electron maintainers need a standalone test case to reproduce and fix your issue. Please use [Electron Fiddle](https://github.com/electron/fiddle) to create one and to publish it as a [GitHub gist](https://gist.github.com). Then put the gist URL here. Issues without testcase gists receive less attention and might be closed without a maintainer taking a closer look. To maximize how much attention your issue receives, please include a testcase gist right from the start.
+    description: If you can reproduce the issue in a standalone test case, please use [Electron Fiddle](https://github.com/electron/fiddle) to create one and to publish it as a [GitHub gist](https://gist.github.com) and put the gist URL here. This is **the best way** to ensure this issue is triaged quickly.
     placeholder: https://gist.github.com/...
 - type: textarea
   attributes:

.github/ISSUE_TEMPLATE/maintainer_issue.yml

@@ -0,0 +1,14 @@
+name: Maintainer Issue (not for public use)
+description: Only to be created by Electron maintainers
+body:
+- type: checkboxes
+  attributes:
+    label: Confirmation
+    options:
+      - label: I am a [maintainer](https://github.com/orgs/electron/people) of the Electron project. (If not, please create a [different issue type](https://github.com/electron/electron/issues/new/).)
+        required: true
+- type: textarea
+  attributes:
+    label: Description
+  validations:
+    required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -5,18 +5,12 @@ Thank you for your Pull Request. Please provide a description above and review
 the requirements below.
 
 Contributors guide: https://github.com/electron/electron/blob/main/CONTRIBUTING.md
-
-Using a coding agent / AI? Read the policy: https://github.com/electron/governance/blob/main/policy/ai.md
-
-NOTE: PRs submitted that do not follow this template will be automatically closed.
 -->
 
 #### Checklist
 <!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->
 
-- [ ] I have built and tested this change
-- [ ] I have filled out the PR description
-- [ ] [I have reviewed and verified the changes](https://github.com/electron/governance/blob/main/policy/ai.md)
+- [ ] PR description included and stakeholders cc'd
 - [ ] `npm test` passes
 - [ ] tests are [changed or added](https://github.com/electron/electron/blob/main/docs/development/testing.md)
 - [ ] relevant API documentation, tutorials, and examples are updated and follow the [documentation style guide](https://github.com/electron/electron/blob/main/docs/development/style-guide.md)

.github/actions/build-electron/action.yml

@@ -17,6 +17,9 @@ inputs:
   is-release:
     description: 'Is release build'
     required: true
+  strip-binaries:
+    description: 'Strip binaries (Linux only)'
+    required: false
   generate-symbols:
     description: 'Generate symbols'
     required: true
@@ -26,9 +29,6 @@ inputs:
   is-asan:
     description: 'The ASan Linux build'
     required: false
-  upload-out-gen-artifacts:
-    description: 'Whether to upload the out/${dir}/gen artifacts'
-    required: false
 runs:
   using: "composite"
   steps:
@@ -38,33 +38,7 @@ runs:
       run: |
         GN_APPENDED_ARGS="$GN_EXTRA_ARGS target_cpu=\"x64\" v8_snapshot_toolchain=\"//build/toolchain/mac:clang_x64\""
         echo "GN_EXTRA_ARGS=$GN_APPENDED_ARGS" >> $GITHUB_ENV
-    - name: Set GN_EXTRA_ARGS for Windows
-      shell: bash
-      if: ${{ inputs.target-platform == 'win' }}
-      run: |
-        # Resolve .obj paths to absolute in linker response files to work
-        # around BindFlt concurrency bug in Windows containers.
-        # https://github.com/microsoft/Windows-Containers/issues/635
-        GN_APPENDED_ARGS="$GN_EXTRA_ARGS win_abs_link_wrapper=\"//electron/build/win/abs_link_wrapper.py\""
-        if [ "${{ inputs.target-arch }}" != "x64" ]; then
-          GN_APPENDED_ARGS="$GN_APPENDED_ARGS target_cpu=\"${{ inputs.target-arch }}\""
-        fi
-        echo "GN_EXTRA_ARGS=$GN_APPENDED_ARGS" >> $GITHUB_ENV
-    - name: Add Clang problem matcher
-      shell: bash
-      run: echo "::add-matcher::src/electron/.github/problem-matchers/clang.json"
-    - name: Download previous object checksums
-      shell: bash
-      if: ${{ (github.event_name == 'push' || github.event_name == 'pull_request') && inputs.is-asan != 'true' }}
-      env:
-        GITHUB_TOKEN: ${{ github.token }}
-        ARTIFACT_NAME: object-checksums.${{ inputs.artifact-platform }}_${{ inputs.target-arch }}.json
-        SEARCH_BRANCH: ${{ case(github.event_name == 'push', github.ref_name, github.event.pull_request.base.ref) }}
-        REPO: ${{ github.repository }}
-        OUTPUT_PATH: src/previous-object-checksums.json
-      run: node src/electron/.github/actions/build-electron/download-previous-object-checksums.mjs
     - name: Build Electron ${{ inputs.step-suffix }}
-      if: ${{ inputs.target-platform != 'win' }}
       shell: bash
       run: |
         rm -rf "src/out/Default/Electron Framework.framework"
@@ -80,65 +54,22 @@ runs:
           sudo launchctl limit maxfiles 65536 200000
         fi
 
-        if [ "${{ inputs.is-release }}" = "true" ]; then
-          NINJA_SUMMARIZE_BUILD=1 e build --target electron:release_build
-        else
-          NINJA_SUMMARIZE_BUILD=1 e build --target electron:testing_build
-        fi
+        NINJA_SUMMARIZE_BUILD=1 e build -j $NUMBER_OF_NINJA_PROCESSES
         cp out/Default/.ninja_log out/electron_ninja_log
         node electron/script/check-symlinks.js
-
-        # Build stats and object checksums
-        BUILD_STATS_ARGS="out/Default/siso.INFO --out-dir out/Default --output-object-checksums object-checksums.${{ inputs.artifact-platform }}_${{ inputs.target-arch }}.json"
-        if [ -f previous-object-checksums.json ]; then
-          BUILD_STATS_ARGS="$BUILD_STATS_ARGS --input-object-checksums previous-object-checksums.json"
-        fi
-        if ! [ -z "$DD_API_KEY" ]; then
-          BUILD_STATS_ARGS="$BUILD_STATS_ARGS --upload-stats"
-        else
-          echo "Skipping build-stats.mjs upload because DD_API_KEY is not set"
-        fi
-        node electron/script/build-stats.mjs $BUILD_STATS_ARGS || true
-    - name: Build Electron (Windows) ${{ inputs.step-suffix }}
-      if: ${{ inputs.target-platform == 'win' }}
-      shell: powershell
+    - name: Strip Electron Binaries ${{ inputs.step-suffix }}
+      shell: bash
+      if: ${{ inputs.strip-binaries == 'true' }}
       run: |
-        cd src\electron
-        git pack-refs
-        cd ..
-
-        $env:NINJA_SUMMARIZE_BUILD = 1
-        if ("${{ inputs.is-release }}" -eq "true") {          
-          e build --target electron:release_build
-        } else {
-          e build --target electron:testing_build
-        }
-        if ($LASTEXITCODE -ne 0) {
-          Write-Host "e build failed with exit code $LASTEXITCODE"
-          exit $LASTEXITCODE
-        }
-        Copy-Item out\Default\.ninja_log out\electron_ninja_log
-        node electron\script\check-symlinks.js
-
-        # Build stats and object checksums
-        $statsArgs = @("out\Default\siso.exe.INFO", "--out-dir", "out\Default", "--output-object-checksums", "object-checksums.${{ inputs.artifact-platform }}_${{ inputs.target-arch }}.json")
-        if (Test-Path previous-object-checksums.json) {
-          $statsArgs += @("--input-object-checksums", "previous-object-checksums.json")
-        }
-        if ($env:DD_API_KEY) {
-          $statsArgs += "--upload-stats"
-        } else {
-          Write-Host "Skipping build-stats.mjs upload because DD_API_KEY is not set"
-        }
-        try {
-          & node electron\script\build-stats.mjs @statsArgs ; $LASTEXITCODE = 0
-        } catch {
-          Write-Host "Build stats failed, continuing..."
-        }
-    - name: Verify dist.zip ${{ inputs.step-suffix }}
+        cd src
+        electron/script/copy-debug-symbols.py --target-cpu="${{ inputs.target-arch }}" --out-dir=out/Default/debug --compress
+        electron/script/strip-binaries.py --target-cpu="${{ inputs.target-arch }}" --verbose
+        electron/script/add-debug-link.py --target-cpu="${{ inputs.target-arch }}" --debug-dir=out/Default/debug
+    - name: Build Electron dist.zip ${{ inputs.step-suffix }}
       shell: bash
       run: |
-        cd src        
+        cd src
+        e build --target electron:electron_dist_zip -j $NUMBER_OF_NINJA_PROCESSES -d explain
         if [ "${{ inputs.is-asan }}" != "true" ]; then
           target_os=${{ inputs.target-platform == 'macos' && 'mac' || inputs.target-platform }}
           if [ "${{ inputs.artifact-platform }}" = "mas" ]; then
@@ -146,10 +77,11 @@ runs:
           fi
           electron/script/zip_manifests/check-zip-manifest.py out/Default/dist.zip electron/script/zip_manifests/dist_zip.$target_os.${{ inputs.target-arch }}.manifest
         fi
-    - name: Fixup Mksnapshot ${{ inputs.step-suffix }}
+    - name: Build Mksnapshot ${{ inputs.step-suffix }}
       shell: bash
       run: |
         cd src
+        e build --target electron:electron_mksnapshot -j $NUMBER_OF_NINJA_PROCESSES
         ELECTRON_DEPOT_TOOLS_DISABLE_LOG=1 e d gn desc out/Default v8:run_mksnapshot_default args > out/Default/mksnapshot_args
         # Remove unused args from mksnapshot_args
         SEDOPTION="-i"
@@ -158,10 +90,21 @@ runs:
         fi
         sed $SEDOPTION '/.*builtins-pgo/d' out/Default/mksnapshot_args
         sed $SEDOPTION '/--turbo-profiling-input/d' out/Default/mksnapshot_args
-        sed $SEDOPTION '/--reorder-builtins/d' out/Default/mksnapshot_args
-        sed $SEDOPTION '/--warn-about-builtin-profile-data/d' out/Default/mksnapshot_args
-        sed $SEDOPTION '/--abort-on-bad-builtin-profile-data/d' out/Default/mksnapshot_args
 
+        if [ "${{ inputs.target-platform }}" = "linux" ]; then
+          if [ "${{ inputs.target-arch }}" = "arm" ]; then
+            electron/script/strip-binaries.py --file $PWD/out/Default/clang_x86_v8_arm/mksnapshot
+            electron/script/strip-binaries.py --file $PWD/out/Default/clang_x86_v8_arm/v8_context_snapshot_generator
+          elif [ "${{ inputs.target-arch }}" = "arm64" ]; then
+            electron/script/strip-binaries.py --file $PWD/out/Default/clang_x64_v8_arm64/mksnapshot
+            electron/script/strip-binaries.py --file $PWD/out/Default/clang_x64_v8_arm64/v8_context_snapshot_generator
+          else
+            electron/script/strip-binaries.py --file $PWD/out/Default/mksnapshot
+            electron/script/strip-binaries.py --file $PWD/out/Default/v8_context_snapshot_generator
+          fi
+        fi
+
+        e build --target electron:electron_mksnapshot_zip -j $NUMBER_OF_NINJA_PROCESSES
         if [ "${{ inputs.target-platform }}" = "win" ]; then
           cd out/Default
           powershell Compress-Archive -update mksnapshot_args mksnapshot.zip
@@ -195,15 +138,13 @@ runs:
       shell: bash
       run: |
         cd src
+        e build --target electron:electron_chromedriver -j $NUMBER_OF_NINJA_PROCESSES
         e build --target electron:electron_chromedriver_zip
-
-        if [ "${{ inputs.is-asan }}" != "true" ]; then
-          target_os=${{ inputs.target-platform == 'macos' && 'mac' || inputs.target-platform }}
-          if [ "${{ inputs.artifact-platform }}" = "mas" ]; then
-            target_os="${target_os}_mas"
-          fi
-          electron/script/zip_manifests/check-zip-manifest.py out/Default/chromedriver.zip electron/script/zip_manifests/chromedriver_zip.$target_os.${{ inputs.target-arch }}.manifest
-        fi
+    - name: Build Node.js headers ${{ inputs.step-suffix }}
+      shell: bash
+      run: |
+        cd src
+        e build --target electron:node_headers
     - name: Create installed_software.json ${{ inputs.step-suffix }}
       shell: powershell
       if: ${{ inputs.is-release == 'true' && inputs.target-platform == 'win' }}
@@ -223,11 +164,17 @@ runs:
         # Needed for msdia140.dll on 64-bit windows
         cd src
         export PATH="$PATH:$(pwd)/third_party/llvm-build/Release+Asserts/bin"
-    - name: Zip Symbols ${{ inputs.step-suffix }}
+    - name: Generate & Zip Symbols ${{ inputs.step-suffix }}
       shell: bash
       run: |
+        # Generate breakpad symbols on release builds
+        if [ "${{ inputs.generate-symbols }}" = "true" ]; then
+          e build --target electron:electron_symbols
+        fi
         cd src
         export BUILD_PATH="$(pwd)/out/Default"
+        e build --target electron:licenses
+        e build --target electron:electron_version_file
         if [ "${{ inputs.is-release }}" = "true" ]; then
           DELETE_DSYMS_AFTER_ZIP=1 electron/script/zip-symbols.py -b $BUILD_PATH
         else
@@ -238,31 +185,29 @@ runs:
       if: ${{ inputs.is-release == 'true' }}
       run: |
         cd src
-        # Reuse the hermetic mac_sdk_path that `e build` wrote for out/Default so
-        # out/ffmpeg builds against the same SDK instead of the runner's system Xcode.
-        # The path has to live under root_build_dir, so copy the symlink tree and
-        # rewrite Default -> ffmpeg.
-        MAC_SDK_ARG=""
-        if [ "$(uname)" = "Darwin" ]; then
-          mkdir -p out/ffmpeg
-          cp -a out/Default/xcode_links out/ffmpeg/
-          MAC_SDK_ARG=$(sed -n 's|^\(mac_sdk_path = "//out/\)Default/|\1ffmpeg/|p' out/Default/args.gn)
-        fi
-        gn gen out/ffmpeg --args="import(\"//electron/build/args/ffmpeg.gn\") use_remoteexec=true use_siso=true $MAC_SDK_ARG $GN_EXTRA_ARGS"
-        e build --target electron:electron_ffmpeg_zip -C ../../out/ffmpeg
-    - name: Remove Clang problem matcher
+        gn gen out/ffmpeg --args="import(\"//electron/build/args/ffmpeg.gn\") use_remoteexec=true $GN_EXTRA_ARGS"
+        e build --target electron:electron_ffmpeg_zip -C ../../out/ffmpeg -j $NUMBER_OF_NINJA_PROCESSES
+    - name: Generate Hunspell Dictionaries ${{ inputs.step-suffix }}
       shell: bash
-      run: echo "::remove-matcher owner=clang::"
+      if: ${{ inputs.is-release == 'true' && inputs.target-platform == 'linux' }}
+      run: |
+        e build --target electron:hunspell_dictionaries_zip -j $NUMBER_OF_NINJA_PROCESSES
+    - name: Generate Libcxx ${{ inputs.step-suffix }}
+      shell: bash
+      if: ${{ inputs.is-release == 'true' && inputs.target-platform == 'linux' }}
+      run: |
+        e build --target electron:libcxx_headers_zip -j $NUMBER_OF_NINJA_PROCESSES
+        e build --target electron:libcxxabi_headers_zip -j $NUMBER_OF_NINJA_PROCESSES
+        e build --target electron:libcxx_objects_zip -j $NUMBER_OF_NINJA_PROCESSES
     - name: Generate TypeScript Definitions ${{ inputs.step-suffix }}
       if: ${{ inputs.is-release == 'true' }}
       shell: bash
       run: |
         cd src/electron
-        node script/yarn.js create-typescript-definitions
+        node script/yarn create-typescript-definitions
     - name: Publish Electron Dist ${{ inputs.step-suffix }}
       if: ${{ inputs.is-release == 'true' }}
       shell: bash
-      id: github-upload
       run: |
         rm -rf src/out/Default/obj
         cd src/electron
@@ -273,34 +218,7 @@ runs:
           echo 'Uploading Electron release distribution to GitHub releases'
           script/release/uploaders/upload.py --verbose
         fi
-    - name: Generate artifact attestation
-      if: ${{ inputs.is-release == 'true' }}
-      uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
-      with:
-        subject-path: ${{ steps.github-upload.outputs.UPLOADED_PATHS }}
-    - name: Generate siso report
-      if: ${{ inputs.target-platform != 'win' && !cancelled() }}
-      shell: bash
-      run: |
-        cd src
-        e d siso report -C out/Default > siso_report.txt
-        SISO_REPORT_PATH=$(grep -o '/.*siso-report-[^ ]*' siso_report.txt)
-        echo "SISO_REPORT_PATH=$SISO_REPORT_PATH" >> $GITHUB_ENV
-        cat siso_report.txt
-        echo "SISO REPORT AT $SISO_REPORT_PATH"
-    - name: Generate siso report (Windows)
-      if: ${{ inputs.target-platform == 'win' && !cancelled() }}
-      shell: powershell
-      run: |
-        cd src
-        e d siso report -C out\Default > siso_report.txt
-        $SISO_REPORT_PATH = Get-Content "siso_report.txt" | Select-String "report file:\s*(.+)" | ForEach-Object { 
-          $_.Matches.Groups[1].Value.Trim() 
-        }
-        echo "SISO_REPORT_PATH=$SISO_REPORT_PATH"
-        echo "SISO_REPORT_PATH=$SISO_REPORT_PATH" >> $env:GITHUB_ENV
     - name: Generate Artifact Key
-      if: always() && !cancelled()
       shell: bash
       run: |
         if [ "${{ inputs.is-asan }}" = "true" ]; then 
@@ -312,30 +230,15 @@ runs:
     # The current generated_artifacts_<< artifact.key >> name was taken from CircleCI
     # to ensure we don't break anything, but we may be able to improve that.
     - name: Move all Generated Artifacts to Upload Folder ${{ inputs.step-suffix }}
-      if: always() && !cancelled()
       shell: bash
       run: ./src/electron/script/actions/move-artifacts.sh
     - name: Upload Generated Artifacts ${{ inputs.step-suffix }}
-      if: always() && !cancelled()
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
       with:
         name: generated_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./generated_artifacts_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}
     - name: Upload Src Artifacts ${{ inputs.step-suffix }}
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
       with:
         name: src_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./src_artifacts_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}
-    - name: Upload Out Gen Artifacts ${{ inputs.step-suffix }}
-      if: ${{ inputs.upload-out-gen-artifacts == 'true' }}
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
-      with:
-        name: out_gen_artifacts_${{ env.ARTIFACT_KEY }}
-        path: ./src/out/Default/gen
-    - name: Upload Object Checksums ${{ inputs.step-suffix }}
-      if: ${{ always() && !cancelled() && inputs.is-asan != 'true' }}
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-      with:
-        name: object_checksums_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}
-        path: ./src/object-checksums.${{ inputs.artifact-platform }}_${{ inputs.target-arch }}.json
-        archive: false

.github/actions/build-electron/download-previous-object-checksums.mjs

@@ -1,82 +0,0 @@
-import { Octokit } from '@octokit/rest';
-
-import { writeFileSync } from 'node:fs';
-
-const token = process.env.GITHUB_TOKEN;
-const repo = process.env.REPO;
-const artifactName = process.env.ARTIFACT_NAME;
-const branch = process.env.SEARCH_BRANCH;
-const outputPath = process.env.OUTPUT_PATH;
-
-const required = { GITHUB_TOKEN: token, REPO: repo, ARTIFACT_NAME: artifactName, SEARCH_BRANCH: branch, OUTPUT_PATH: outputPath };
-const missing = Object.entries(required).filter(([, v]) => !v).map(([k]) => k);
-if (missing.length > 0) {
-  console.error(`Missing required environment variables: ${missing.join(', ')}`);
-  process.exit(1);
-}
-
-const [owner, repoName] = repo.split('/');
-const octokit = new Octokit({ auth: token });
-
-async function main () {
-  console.log(`Searching for artifact '${artifactName}' on branch '${branch}'...`);
-
-  // Resolve the "Build" workflow name to an ID, mirroring how `gh run list --workflow` works
-  // under the hood (it uses /repos/{owner}/{repo}/actions/workflows/{id}/runs).
-  const { data: workflows } = await octokit.actions.listRepoWorkflows({ owner, repo: repoName });
-  const buildWorkflow = workflows.workflows.find((w) => w.name === 'Build');
-  if (!buildWorkflow) {
-    console.log('Could not find "Build" workflow, continuing without previous checksums');
-    return;
-  }
-
-  const { data: runs } = await octokit.actions.listWorkflowRuns({
-    owner,
-    repo: repoName,
-    workflow_id: buildWorkflow.id,
-    branch,
-    status: 'completed',
-    event: 'push',
-    per_page: 20,
-    exclude_pull_requests: true
-  });
-
-  for (const run of runs.workflow_runs) {
-    const { data: artifacts } = await octokit.actions.listWorkflowRunArtifacts({
-      owner,
-      repo: repoName,
-      run_id: run.id,
-      name: artifactName
-    });
-
-    if (artifacts.artifacts.length > 0) {
-      const artifact = artifacts.artifacts[0];
-      console.log(`Found artifact in run ${run.id} (artifact ID: ${artifact.id}), downloading...`);
-
-      // Non-archived artifacts are still downloaded from the /zip endpoint
-      const response = await octokit.actions.downloadArtifact({
-        owner,
-        repo: repoName,
-        artifact_id: artifact.id,
-        archive_format: 'zip'
-      });
-
-      if (response.headers['content-type'] !== 'application/json') {
-        console.error(`Unexpected content type for artifact download: ${response.headers['content-type']}`);
-        console.error('Expected application/json, continuing without previous checksums');
-        return;
-      }
-
-      writeFileSync(outputPath, JSON.stringify(response.data));
-      console.log('Downloaded previous object checksums successfully');
-      return;
-    }
-  }
-
-  console.log(`No previous object checksums found in last ${runs.workflow_runs.length} runs, continuing without them`);
-}
-
-main().catch((err) => {
-  console.error('Failed to download previous object checksums, continuing without them:', err.message);
-  process.exit(0);
-});

.github/actions/build-git-cache/action.yml

@@ -1,83 +0,0 @@
-name: 'Build Git Cache'
-description: 'Runs a gclient sync to build the git cache for Electron'
-inputs:
-  target-platform:
-    description: 'Target platform, should be linux, win, macos'    
-runs:
-  using: "composite"
-  steps:
-  - name: Set GIT_CACHE_PATH to make gclient to use the cache
-    shell: bash
-    run: |
-      echo "GIT_CACHE_PATH=$(pwd)/git-cache" >> $GITHUB_ENV
-  - name: Set Chromium Git Cookie
-    uses: ./src/electron/.github/actions/set-chromium-cookie
-  - name: Install Build Tools
-    uses: ./src/electron/.github/actions/install-build-tools
-  - name: Set up cache drive
-    shell: bash
-    run: |
-      if [ "${{ inputs.target-platform }}" = "win" ]; then
-        echo "CACHE_DRIVE=/mnt/win-cache" >> $GITHUB_ENV
-      else
-        echo "CACHE_DRIVE=/mnt/cross-instance-cache" >> $GITHUB_ENV
-      fi
-  - name: Check cross instance cache disk space
-    shell: bash
-    run: |    
-      # if there is less than 35 GB free space then creating the cache might fail so exit early
-      freespace=`df -m $CACHE_DRIVE | grep -w $CACHE_DRIVE | awk '{print $4}'`
-      freespace_human=`df -h $CACHE_DRIVE | grep -w $CACHE_DRIVE | awk '{print $4}'`
-      if [ $freespace -le 35000 ]; then
-        echo "The cross mount cache has $freespace_human free space which is not enough - exiting"
-        exit 1
-      else
-        echo "The cross mount cache has $freespace_human free space - continuing"
-      fi
-  - name: Restore gitcache
-    shell: bash
-    run: |
-      GIT_CACHE_TAR="$CACHE_DRIVE/gitcache.tar"
-      if [ ! -f "$GIT_CACHE_TAR" ]; then
-        echo "Git cache tar file does not exist, skipping restore"
-        exit 0
-      fi
-      echo "Restoring git cache from $GIT_CACHE_TAR to $GIT_CACHE_PATH"
-      mkdir -p $GIT_CACHE_PATH
-      tar -xf $GIT_CACHE_TAR -C $GIT_CACHE_PATH
-  - name: Gclient Sync
-    shell: bash
-    run: |
-      e d gclient config \
-        --name "src/electron" \
-        --unmanaged \
-        ${GCLIENT_EXTRA_ARGS} \
-        "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"
-
-      if [ "$TARGET_OS" != "" ]; then
-        echo "target_os=['$TARGET_OS']" >> ./.gclient
-      fi
-
-      ELECTRON_USE_THREE_WAY_MERGE_FOR_PATCHES=1 e d gclient sync --with_branch_heads --with_tags --nohooks -vv 
-  - name: Compress Git Cache Directory
-    shell: bash
-    run: |
-      echo "Uncompressed gitcache size: $(du -sh $GIT_CACHE_PATH | cut -f1 -d' ')"
-      cd $GIT_CACHE_PATH
-      tar -cf ../gitcache.tar .
-      cd ..
-      echo "Compressed gitcache to $(du -sh gitcache.tar | cut -f1 -d' ')"
-      # remove the old cache file if it exists 
-      if [ -f $CACHE_DRIVE/gitcache.tar ]; then
-        echo "Removing old gitcache.tar from $CACHE_DRIVE"
-        rm $CACHE_DRIVE/gitcache.tar
-      fi      
-      cp ./gitcache.tar $CACHE_DRIVE/
-  - name: Wait for active SSH sessions
-    shell: bash
-    if: always() && !cancelled()
-    run: |
-      while [ -f /var/.ssh-lock ]
-      do
-        sleep 60
-      done

.github/actions/build-image-sha/action.yml

@@ -1,24 +0,0 @@
-name: 'Build Image SHA'
-description: 'Single source of truth for the ghcr.io/electron/build image SHA'
-inputs:
-  override:
-    description: 'Optional override SHA (e.g. from a workflow_dispatch input)'
-    required: false
-    default: ''
-outputs:
-  build-image-sha:
-    description: 'The electron/build image SHA to use'
-    value: ${{ steps.set.outputs.build-image-sha }}
-runs:
-  using: 'composite'
-  steps:
-    - id: set
-      shell: bash
-      env:
-        OVERRIDE: ${{ inputs.override }}
-      run: |
-        if [ -n "$OVERRIDE" ]; then
-          echo "build-image-sha=$OVERRIDE" >> "$GITHUB_OUTPUT"
-        else
-          echo "build-image-sha=daad061f4b99a0ae1c841be4aa09188280a9c8a4" >> "$GITHUB_OUTPUT"
-        fi

.github/actions/checkout/action.yml

@@ -28,7 +28,7 @@ runs:
     shell: bash
     run: |
       node src/electron/script/generate-deps-hash.js
-      DEPSHASH="v2-src-cache-$(cat src/electron/.depshash)"
+      DEPSHASH="v1-src-cache-$(cat src/electron/.depshash)"
       echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
       echo "CACHE_FILE=$DEPSHASH.tar" >> $GITHUB_ENV
       if [ "${{ inputs.target-platform }}" = "win" ]; then
@@ -40,10 +40,10 @@ runs:
     if: ${{ inputs.generate-sas-token == 'true' }}
     shell: bash
     run: |
-      curl --unix-socket /var/run/sas/sas.sock --fail "http://foo/$CACHE_FILE?platform=${{ inputs.target-platform }}&getAccountName=true" > sas-token
+      curl --unix-socket /var/run/sas/sas.sock --fail "http://foo/$CACHE_FILE?platform=${{ inputs.target-platform }}" > sas-token
   - name: Save SAS Key
     if: ${{ inputs.generate-sas-token == 'true' }}
-    uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+    uses: actions/cache/save@d4323d4df104b026a6aa633fdb11d772146be0bf
     with:
       path: sas-token
       key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-${{ github.run_attempt }}
@@ -80,21 +80,6 @@ runs:
       else
         echo "The cross mount cache has $freespace_human free space - continuing"
       fi
-  - name: Add patch conflict problem matcher
-    shell: bash
-    run: echo "::add-matcher::src/electron/.github/problem-matchers/patch-conflict.json"
-  - name: Restore gitcache
-    if: steps.check-cache.outputs.cache_exists == 'false'
-    shell: bash
-    run: |
-      GIT_CACHE_TAR="$CACHE_DRIVE/gitcache.tar"
-      if [ ! -f "$GIT_CACHE_TAR" ]; then
-        echo "Git cache tar file does not exist, skipping restore"
-        exit 0
-      fi
-      echo "Restoring git cache from $GIT_CACHE_TAR to $GIT_CACHE_PATH"
-      mkdir -p $GIT_CACHE_PATH
-      tar -xf $GIT_CACHE_TAR -C $GIT_CACHE_PATH
   - name: Gclient Sync
     if: steps.check-cache.outputs.cache_exists == 'false'
     shell: bash
@@ -109,7 +94,7 @@ runs:
         echo "target_os=['$TARGET_OS']" >> ./.gclient
       fi
 
-      ELECTRON_DEPOT_TOOLS_WIN_TOOLCHAIN=0 DEPOT_TOOLS_WIN_TOOLCHAIN=0 ELECTRON_USE_THREE_WAY_MERGE_FOR_PATCHES=1 e d gclient sync --with_branch_heads --with_tags
+      ELECTRON_USE_THREE_WAY_MERGE_FOR_PATCHES=1 e d gclient sync --with_branch_heads --with_tags -vv
       if [[ "${{ inputs.is-release }}" != "true" ]]; then
         # Re-export all the patches to check if there were changes.
         python3 src/electron/script/export_all_patches.py src/electron/patches/config.json
@@ -117,7 +102,12 @@ runs:
         git update-index --refresh || true
         if ! git diff-index --quiet HEAD --; then
           # There are changes to the patches. Make a git commit with the updated patches
-          if node ./script/patch-up.js; then
+          git add patches
+          GIT_COMMITTER_NAME="PatchUp" GIT_COMMITTER_EMAIL="73610968+patchup[bot]@users.noreply.github.com" git commit -m "chore: update patches" --author="PatchUp <73610968+patchup[bot]@users.noreply.github.com>"
+          # Export it
+          mkdir -p ../../patches
+          git format-patch -1 --stdout --keep-subject --no-stat --full-index > ../../patches/update-patches.patch
+          if node ./script/push-patch.js; then
             echo
             echo "======================================================================"
             echo "Changes to the patches when applying, we have auto-pushed the diff to the current branch"
@@ -125,11 +115,6 @@ runs:
             echo "======================================================================"
             exit 1
           else
-            git add patches
-            GIT_COMMITTER_NAME="PatchUp" GIT_COMMITTER_EMAIL="73610968+patchup[bot]@users.noreply.github.com" git commit -m "chore: update patches" --author="PatchUp <73610968+patchup[bot]@users.noreply.github.com>"
-            # Export it
-            mkdir -p ../../patches
-            git format-patch -1 --stdout --keep-subject --no-stat --full-index > ../../patches/update-patches.patch
             echo
             echo "======================================================================"
             echo "There were changes to the patches when applying."
@@ -143,17 +128,7 @@ runs:
           echo "No changes to patches detected"
         fi
       fi
-  - name: Remove patch conflict problem matchers
-    shell: bash
-    run: |
-      echo "::remove-matcher owner=merge-conflict::"
-      echo "::remove-matcher owner=patch-conflict::"
-      echo "::remove-matcher owner=patch-needs-update::"
-  - name: Upload patches stats
-    if: ${{ inputs.target-platform == 'linux' && github.ref == 'refs/heads/main' }}
-    shell: bash
-    run: |
-      node src/electron/script/patches-stats.mjs --upload-stats || true
+
   # delete all .git directories under src/ except for
   # third_party/angle/ and third_party/dawn/ because of build time generation of files
   # gen/angle/commit.h depends on third_party/angle/.git/HEAD
@@ -173,6 +148,7 @@ runs:
     run: |
       rm -rf src/android_webview
       rm -rf src/ios/chrome
+      rm -rf src/third_party/blink/web_tests
       rm -rf src/third_party/blink/perf_tests
       rm -rf src/chrome/test/data/xr/webvr_info
       rm -rf src/third_party/angle/third_party/VK-GL-CTS/src
@@ -187,41 +163,19 @@ runs:
     shell: bash
     run: |
       echo "Uncompressed src size: $(du -sh src | cut -f1 -d' ')"
-      # Named .tar but zstd-compressed; the sas-sidecar's filename allowlist
-      # only permits .tar/.tgz so we keep the extension and decode on restore.
-      tar -cf - src | zstd -T0 --long=30 -f -o $CACHE_FILE
+      tar -cf $CACHE_FILE src
       echo "Compressed src to $(du -sh $CACHE_FILE | cut -f1 -d' ')"
+      cp ./$CACHE_FILE $CACHE_DRIVE/
   - name: Persist Src Cache
     if: ${{ steps.check-cache.outputs.cache_exists == 'false' && inputs.use-cache == 'true' }}
     shell: bash
     run: |
       final_cache_path=$CACHE_DRIVE/$CACHE_FILE
-      # Upload to a run-unique temp name first so concurrent readers never
-      # observe a partially-written file, and an interrupted copy can't leave
-      # a truncated file at the final path. Orphaned temp files get swept by
-      # the clean-orphaned-cache-uploads workflow.
-      tmp_cache_path=$final_cache_path.upload-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}
-      echo "Uploading to temp path: $tmp_cache_path"
-      cp ./$CACHE_FILE $tmp_cache_path
-
       echo "Using cache key: $DEPSHASH"
-      if [ -f "$final_cache_path" ]; then
-        echo "Cache already persisted at $final_cache_path by a concurrent run; discarding ours"
-        rm -f $tmp_cache_path
-      else
-        mv -f $tmp_cache_path $final_cache_path
-        echo "Cache key persisted in $final_cache_path"
-      fi
-
+      echo "Checking path: $final_cache_path"
       if [ ! -f "$final_cache_path" ]; then
         echo "Cache key not found"
         exit 1
+      else
+        echo "Cache key persisted in $final_cache_path"
       fi
-  - name: Wait for active SSH sessions
-    shell: bash
-    if: always() && !cancelled()
-    run: |
-      while [ -f /var/.ssh-lock ]
-      do
-        sleep 60
-      done

.github/actions/cipd-install/action.yml

@@ -14,58 +14,27 @@ inputs:
     description: 'Target platform, should be linux, win, macos'
   package:
     description: 'Package to install'
-  dependency-version:
-    description: 'Version of the dependency to install'
-    default: ''
 runs:
   using: "composite"
   steps:
     - name: Delete wrong ${{ inputs.dependency }}
       shell: bash
-      env:
-        CIPD_ROOT_PREFIX: ${{ inputs.cipd-root-prefix-path }}
-        INSTALLATION_DIR: ${{ inputs.installation-dir }}
       run : |
-        rm -rf "${CIPD_ROOT_PREFIX}${INSTALLATION_DIR}"
+        rm -rf ${{ inputs.cipd-root-prefix-path }}${{ inputs.installation-dir }}
     - name: Create ensure file for ${{ inputs.dependency }}
-      if: ${{ inputs.dependency-version == '' }}
       shell: bash
-      env:
-        PACKAGE: ${{ inputs.package }}
-        DEPS_FILE: ${{ inputs.deps-file }}
-        INSTALLATION_DIR: ${{ inputs.installation-dir }}
-        DEPENDENCY: ${{ inputs.dependency }}
       run: |
-        echo "$PACKAGE" $(e d gclient getdep --deps-file="$DEPS_FILE" -r "${INSTALLATION_DIR}:${PACKAGE}") > "${DEPENDENCY}_ensure_file"
-        cat "${DEPENDENCY}_ensure_file"
-
-    - name: Create ensure file for ${{ inputs.dependency }} from dependency-version
-      if: ${{ inputs.dependency-version != '' }}
-      shell: bash
-      env:
-        PACKAGE: ${{ inputs.package }}
-        DEPENDENCY_VERSION: ${{ inputs.dependency-version }}
-        DEPENDENCY: ${{ inputs.dependency }}
-      run: |
-        echo "$PACKAGE $DEPENDENCY_VERSION" > "${DEPENDENCY}_ensure_file"
-        cat "${DEPENDENCY}_ensure_file"
+        echo '${{ inputs.package }}' `e d gclient getdep --deps-file=${{ inputs.deps-file }} -r '${{ inputs.installation-dir }}:${{ inputs.package }}'` > ${{ inputs.dependency }}_ensure_file
+        cat ${{ inputs.dependency }}_ensure_file
     - name: CIPD installation of ${{ inputs.dependency }} (macOS)
-      if: ${{ inputs.target-platform != 'win' }}
+      if: ${{ inputs.target-platform == 'macos' }}
       shell: bash
-      env:
-        CIPD_ROOT_PREFIX: ${{ inputs.cipd-root-prefix-path }}
-        INSTALLATION_DIR: ${{ inputs.installation-dir }}
-        DEPENDENCY: ${{ inputs.dependency }}
       run: |
-        echo "ensuring $DEPENDENCY"
-        e d cipd ensure --root "${CIPD_ROOT_PREFIX}${INSTALLATION_DIR}" -ensure-file "${DEPENDENCY}_ensure_file"
+        echo "ensuring ${{ inputs.dependency }} on macOS"
+        e d cipd ensure --root ${{ inputs.cipd-root-prefix-path }}${{ inputs.installation-dir }} -ensure-file ${{ inputs.dependency }}_ensure_file
     - name: CIPD installation of ${{ inputs.dependency }} (Windows)
       if: ${{ inputs.target-platform == 'win' }}
       shell: powershell
-      env:
-        CIPD_ROOT_PREFIX: ${{ inputs.cipd-root-prefix-path }}
-        INSTALLATION_DIR: ${{ inputs.installation-dir }}
-        DEPENDENCY: ${{ inputs.dependency }}
       run: |
-        echo "ensuring $env:DEPENDENCY on Windows"
-        e d cipd ensure --root "$env:CIPD_ROOT_PREFIX$env:INSTALLATION_DIR" -ensure-file "$($env:DEPENDENCY)_ensure_file"
+        echo "ensuring ${{ inputs.dependency }} on Windows"
+        e d cipd ensure --root ${{ inputs.cipd-root-prefix-path }}${{ inputs.installation-dir }} -ensure-file ${{ inputs.dependency }}_ensure_file

.github/actions/fix-sync/action.yml

@@ -19,17 +19,12 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Fix llvm toolchain
-      if: ${{ inputs.target-platform != 'linux' }}
+    - name: Fix clang
       shell: bash
       run : |
         rm -rf src/third_party/llvm-build
         python3 src/tools/clang/scripts/update.py
-        # Refs https://chromium-review.googlesource.com/c/chromium/src/+/6667681
-        python3 src/tools/clang/scripts/update.py --package objdump
-        python3 src/tools/clang/scripts/update.py --package clang-tidy
     - name: Fix esbuild
-      if: ${{ inputs.target-platform != 'linux' }}
       uses: ./src/electron/.github/actions/cipd-install
       with:
         cipd-root-prefix-path: src/third_party/devtools-frontend/src/
@@ -38,24 +33,7 @@ runs:
         installation-dir: third_party/esbuild
         target-platform: ${{ inputs.target-platform }}
         package: infra/3pp/tools/esbuild/${platform}
-    - name: Fix rollup
-      if: ${{ inputs.target-platform != 'linux' }}
-      uses: ./src/electron/.github/actions/cipd-install
-      with:
-        cipd-root-prefix-path: src/third_party/devtools-frontend/src/
-        dependency: rollup_libs
-        deps-file: src/third_party/devtools-frontend/src/DEPS
-        installation-dir: third_party/rollup_libs
-        target-platform: ${{ inputs.target-platform }}
-        package: infra/3pp/tools/rollup_libs/${platform}
-    - name: Sync native rollup libs
-      if: ${{ inputs.target-platform != 'linux' }}
-      shell: bash
-      run : |
-        cd src/third_party/devtools-frontend/src
-        python3 scripts/deps/sync_rollup_libs.py
     - name: Fix rustc
-      if: ${{ inputs.target-platform != 'linux' }}
       shell: bash
       run : |
         rm -rf src/third_party/rust-toolchain
@@ -79,7 +57,6 @@ runs:
         target-platform: ${{ inputs.target-platform }}
         package: gn/gn/windows-amd64
     - name: Fix reclient
-      if: ${{ inputs.target-platform != 'linux' }}
       uses: ./src/electron/.github/actions/cipd-install
       with:
         dependency: reclient
@@ -88,7 +65,6 @@ runs:
         target-platform: ${{ inputs.target-platform }}
         package: infra/rbe/client/${platform}
     - name: Configure reclient configs
-      if: ${{ inputs.target-platform != 'linux' }}
       shell: bash
       run : |
         python3 src/buildtools/reclient_cfgs/configure_reclient_cfgs.py --rbe_instance "projects/rbe-chrome-untrusted/instances/default_instance" --reproxy_cfg_template reproxy.cfg.template --rewrapper_cfg_project "" --skip_remoteexec_cfg_fetch
@@ -106,7 +82,6 @@ runs:
           python3 src/third_party/depot_tools/download_from_google_storage.py --no_resume --no_auth --bucket chromium-browser-clang -s $DSYM_SHA_FILE -o src/tools/clang/dsymutil/bin/dsymutil
         fi
     - name: Fix ninja
-      if: ${{ inputs.target-platform != 'linux' }}
       uses: ./src/electron/.github/actions/cipd-install
       with:
         dependency: ninja
@@ -115,25 +90,15 @@ runs:
         target-platform: ${{ inputs.target-platform }}
         package: infra/3pp/tools/ninja/${platform}
     - name: Set ninja in path
-      if: ${{ inputs.target-platform != 'linux' }}
       shell: bash
       run : |
         echo "$(pwd)/src/third_party/ninja" >> $GITHUB_PATH
-    - name: Fix siso
-      uses: ./src/electron/.github/actions/cipd-install
-      with:
-        dependency: siso
-        deps-file: src/DEPS
-        installation-dir: src/third_party/siso/cipd
-        target-platform: ${{ inputs.target-platform }}
-        package: build/siso/${platform}
     - name: Fixup angle git
-      if: ${{ inputs.target-platform != 'linux' }}
       shell: bash
       run : |
         cd src/third_party/angle
         rm -f .git/objects/info/alternates
-        git remote set-url origin https://github.com/google/angle.git
+        git remote set-url origin https://chromium.googlesource.com/angle/angle.git
         cp .git/config .git/config.backup
         git remote remove origin
         mv .git/config.backup .git/config

.github/actions/free-space-macos/action.yml

@@ -6,8 +6,6 @@ runs:
     - name: Free Space on MacOS
       shell: bash
       run: |
-        echo "Disk usage before cleanup:"
-        df -h
         sudo mkdir -p $TMPDIR/del-target
 
         tmpify() {
@@ -17,30 +15,28 @@ runs:
         }
 
         strip_universal_deep() {
-          if [ -d "$1" ]; then
-            opwd=$(pwd)
-            cd $1
-            f=$(find . -perm +111 -type f)
-            for fp in $f
-            do
-              if [[ $(file "$fp") == *"universal binary"* ]]; then
-                if [ "`arch`" == "arm64" ]; then
-                  if [[ $(file "$fp") == *"x86_64"* ]]; then
-                    sudo lipo -remove x86_64 "$fp" -o "$fp" || true
-                  fi
-                else
-                  if [[ $(file "$fp") == *"arm64e)"* ]]; then
-                    sudo lipo -remove arm64e "$fp" -o "$fp" || true
-                  fi
-                  if [[ $(file "$fp") == *"arm64)"* ]]; then
-                    sudo lipo -remove arm64 "$fp" -o "$fp" || true
-                  fi
+          opwd=$(pwd)
+          cd $1
+          f=$(find . -perm +111 -type f)
+          for fp in $f
+          do
+            if [[ $(file "$fp") == *"universal binary"* ]]; then
+              if [ "`arch`" == "arm64" ]; then
+                if [[ $(file "$fp") == *"x86_64"* ]]; then
+                  sudo lipo -remove x86_64 "$fp" -o "$fp" || true
+                fi
+              else
+                if [[ $(file "$fp") == *"arm64e)"* ]]; then
+                  sudo lipo -remove arm64e "$fp" -o "$fp" || true
+                fi
+                if [[ $(file "$fp") == *"arm64)"* ]]; then
+                  sudo lipo -remove arm64 "$fp" -o "$fp" || true
                 fi
               fi
-            done
+            fi
+          done
 
-            cd $opwd
-          fi
+          cd $opwd
         }
 
         tmpify /Library/Developer/CoreSimulator
@@ -61,31 +57,9 @@ runs:
         sudo rm -rf $TMPDIR/del-target
 
         sudo rm -rf /Applications/Safari.app
-        sudo rm -rf /Applications/Xcode_16.1.app
-        sudo rm -rf /Applications/Xcode_16.2.app
-        sudo rm -rf /Applications/Xcode_16.3.app
-        sudo rm -rf /Applications/Xcode_26*
-        sudo rm -rf /Applications/Google Chrome.app
-        sudo rm -rf /Applications/Google Chrome for Testing.app
-        sudo rm -rf /Applications/Firefox.app
-        sudo rm -rf /Applications/Microsoft Edge.app
         sudo rm -rf ~/project/src/third_party/catapult/tracing/test_data
         sudo rm -rf ~/project/src/third_party/angle/third_party/VK-GL-CTS
-        sudo rm -rf /Users/runner/Library/Android
-        sudo rm -rf $JAVA_HOME_11_arm64
-        sudo rm -rf $JAVA_HOME_17_arm64
-        sudo rm -rf $JAVA_HOME_21_arm64
-        sudo rm -rf $JAVA_HOME_25_arm64
-        sudo rm -rf /Users/runner/.dotnet/
-        sudo rm -rf /Users/runner/.rustup
-
-        # remove homebrew packages we don't need
-        if command -v brew &> /dev/null; then
-          brew uninstall -f --zap aws-sam-cli session-manager-plugin gcc gcc@13 gcc@14 llvm@18 gradle maven ant azure-cli
-          brew autoremove
-        fi
 
         # lipo off some huge binaries arm64 versions to save space
         strip_universal_deep $(xcode-select -p)/../SharedFrameworks
-        # strip_arm_deep /System/Volumes/Data/Library/Developer/CommandLineTools/usr
-        sudo mdutil -a -i off
+        # strip_arm_deep /System/Volumes/Data/Library/Developer/CommandLineTools/usr

.github/actions/generate-types/action.yml

@@ -13,16 +13,12 @@ runs:
   - name: Generating Types for SHA in ${{ inputs.sha-file }}
     shell: bash
     run: |
-      export ELECTRON_DIR=$(pwd)
-      if [ "${{ inputs.sha-file }}" == ".dig-old" ]; then
-        cd /tmp
-        git clone https://github.com/electron/electron.git
-        cd electron
-      fi
-      git checkout $(cat $ELECTRON_DIR/${{ inputs.sha-file }})
-      node script/yarn.js install --immutable
+      git checkout $(cat ${{ inputs.sha-file }})
+      rm -rf node_modules
+      yarn install --frozen-lockfile --ignore-scripts
       echo "#!/usr/bin/env node\nglobal.x=1" > node_modules/typescript/bin/tsc
       node node_modules/.bin/electron-docs-parser --dir=./ --outDir=./ --moduleVersion=0.0.0-development
       node node_modules/.bin/electron-typescript-definitions --api=electron-api.json --outDir=artifacts
-      mv artifacts/electron.d.ts $ELECTRON_DIR/artifacts/${{ inputs.filename }}
+      mv artifacts/electron.d.ts artifacts/${{ inputs.filename }}
+      git checkout .
     working-directory: ./electron

.github/actions/install-build-tools/action.yml

@@ -10,23 +10,14 @@ runs:
         git config --global core.filemode false
         git config --global core.autocrlf false
         git config --global branch.autosetuprebase always
-        git config --global core.fscache true
-        git config --global core.longpaths true
-        git config --global core.preloadindex true
-        git config --global core.longpaths true
       fi
-      export BUILD_TOOLS_SHA=1b7bd25dae4a780bb3170fff56c9327b53aaf7eb
+      export BUILD_TOOLS_SHA=8246e57791b0af4ae5975eb96f09855f9269b1cd
       npm i -g @electron/build-tools
-      # Update depot_tools to ensure python
-      e d update_depot_tools
       e auto-update disable
-      # Disable further updates of depot_tools
       e d auto-update disable
       if [ "$(expr substr $(uname -s) 1 10)" == "MSYS_NT-10" ]; then
         e d cipd.bat --version
         cp "C:\Python311\python.exe" "C:\Python311\python3.exe"
-        echo "C:\Users\ContainerAdministrator\.electron_build_tools\third_party\depot_tools" >> $GITHUB_PATH
-      else
-        echo "$HOME/.electron_build_tools/third_party/depot_tools" >> $GITHUB_PATH
-        echo "$HOME/.electron_build_tools/third_party/depot_tools/python-bin" >> $GITHUB_PATH
       fi
+      echo "$HOME/.electron_build_tools/third_party/depot_tools" >> $GITHUB_PATH
+      echo "$HOME/.electron_build_tools/third_party/depot_tools/python-bin" >> $GITHUB_PATH

.github/actions/install-dependencies/action.yml

@@ -6,8 +6,8 @@ runs:
   - name: Get yarn cache directory path
     shell: bash
     id: yarn-cache-dir-path
-    run: echo "dir=$(node src/electron/script/yarn.js config get cacheFolder)" >> $GITHUB_OUTPUT
-  - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+    run: echo "dir=$(node src/electron/script/yarn cache dir)" >> $GITHUB_OUTPUT
+  - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
     id: yarn-cache
     with:
       path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
@@ -18,31 +18,4 @@ runs:
     shell: bash
     run: |
       cd src/electron
-      if [ "$TARGET_ARCH" = "x86" ]; then
-        export npm_config_arch="ia32"
-      fi
-      ARCH=$(uname -m)
-      node script/yarn.js install --immutable --mode=skip-build
-      # if running on linux arm skip yarn Builds
-      if [ "$ARCH" = "armv7l" ]; then
-        echo "Skipping yarn build on linux arm"
-      else
-        # Pre-seed the node-gyp header cache so the parallel native-addon
-        # builds below don't race on a cold cache. Linux build containers
-        # already ship a warm cache (electron/build-images#68), so only do
-        # this on macOS / Windows runners.
-        if [ "$(uname -s)" != "Linux" ]; then
-          for i in 1 2 3; do
-            if node node_modules/node-gyp/bin/node-gyp.js install; then
-              break
-            fi
-            if [ "$i" = "3" ]; then
-              echo "node-gyp header pre-seed failed after 3 attempts" >&2
-              exit 1
-            fi
-            echo "node-gyp header pre-seed failed (attempt $i), retrying in 5s..." >&2
-            sleep 5
-          done
-        fi
-        node script/yarn.js install --immutable
-      fi
+      node script/yarn install --frozen-lockfile --prefer-offline

.github/actions/restore-cache-aks/action.yml

@@ -31,7 +31,7 @@ runs:
       fi
 
       mkdir temp-cache
-      zstd -d --long=30 -c $cache_path | tar -xf - -C temp-cache
+      tar -xf $cache_path -C temp-cache
       echo "Unzipped cache is $(du -sh temp-cache/src | cut -f1)"
 
       if [ -d "temp-cache/src" ]; then

.github/actions/restore-cache-azcopy/action.yml

@@ -8,14 +8,14 @@ runs:
   steps:
   - name: Obtain SAS Key
     continue-on-error: true
-    uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+    uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf
     with:
       path: sas-token
       key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-1
       enableCrossOsArchive: true
   - name: Obtain SAS Key
     continue-on-error: true
-    uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+    uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf
     with:
       path: sas-token
       key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-${{ github.run_attempt }}
@@ -24,7 +24,7 @@ runs:
     # The cache will always exist here as a result of the checkout job
     # Either it was uploaded to Azure in the checkout job for this commit
     # or it was uploaded in the checkout job for a previous commit.
-    uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
+    uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
     with:
       timeout_minutes: 30
       max_attempts: 3
@@ -32,23 +32,22 @@ runs:
       shell: bash
       command: |
         sas_token=$(cat sas-token)
-        if [ -z "$sas_token" ]; then
+        if [ -z $sas-token ]; then
           echo "SAS Token not found; exiting src cache download early..."
           exit 1
         else
-          sas_token=$(jq -r '.sasToken' sas-token)
-          account_name=$(jq -r '.accountName' sas-token)
           if [ "${{ inputs.target-platform }}" = "win" ]; then
             azcopy copy --log-level=ERROR \
-            "https://$account_name.file.core.windows.net/${{ env.AZURE_AKS_WIN_CACHE_SHARE_NAME }}/${{ env.CACHE_PATH }}?$sas_token" $DEPSHASH.tar
+            "https://${{ env.AZURE_AKS_CACHE_STORAGE_ACCOUNT }}.file.core.windows.net/${{ env.AZURE_AKS_WIN_CACHE_SHARE_NAME }}/${{ env.CACHE_PATH }}?$sas_token" $DEPSHASH.tar
           else
             azcopy copy --log-level=ERROR \
-            "https://$account_name.file.core.windows.net/${{ env.AZURE_AKS_CACHE_SHARE_NAME }}/${{ env.CACHE_PATH }}?$sas_token" $DEPSHASH.tar
+            "https://${{ env.AZURE_AKS_CACHE_STORAGE_ACCOUNT }}.file.core.windows.net/${{ env.AZURE_AKS_CACHE_SHARE_NAME }}/${{ env.CACHE_PATH }}?$sas_token" $DEPSHASH.tar
           fi            
         fi
     env:
-      AZURE_AKS_CACHE_SHARE_NAME: linux-cache
-      AZURE_AKS_WIN_CACHE_SHARE_NAME: windows-cache
+      AZURE_AKS_CACHE_STORAGE_ACCOUNT: f723719aa87a34622b5f7f3
+      AZURE_AKS_CACHE_SHARE_NAME: pvc-f6a4089f-b082-4bee-a3f9-c3e1c0c02d8f
+      AZURE_AKS_WIN_CACHE_SHARE_NAME: pvc-71dec4f2-0d44-4fd1-a2c3-add049d70bdf
   - name: Clean SAS Key
     shell: bash
     run: rm -f sas-token
@@ -61,9 +60,9 @@ runs:
         echo "Cache is empty - exiting"
         exit 1
       fi
-
+      
       mkdir temp-cache
-      zstd -d --long=30 -c $DEPSHASH.tar | tar -xf - -C temp-cache
+      tar -xf $DEPSHASH.tar -C temp-cache
       echo "Unzipped cache is $(du -sh temp-cache/src | cut -f1)"
 
       if [ -d "temp-cache/src" ]; then
@@ -85,21 +84,23 @@ runs:
 
   - name: Unzip and Ensure Src Cache (Windows)
     if: ${{ inputs.target-platform == 'win' }}
-    shell: bash
+    shell: powershell
     run: |
-      echo "Downloaded cache is $(du -sh $DEPSHASH.tar | cut -f1)"
-      if [ `du $DEPSHASH.tar | cut -f1` = "0" ]; then
-        echo "Cache is empty - exiting"
+      $src_cache = "$env:DEPSHASH.tar"
+      $cache_size = $(Get-Item $src_cache).length
+      Write-Host "Downloaded cache is $cache_size"
+      if ($cache_size -eq 0) {
+        Write-Host "Cache is empty - exiting"
         exit 1
-      fi
+      }
 
-      mkdir temp-cache
-      zstd -d --long=30 -c $DEPSHASH.tar | tar -xf - -C temp-cache
-      rm -f $DEPSHASH.tar
+      $TEMP_DIR=New-Item -ItemType Directory -Path temp-cache
+      $TEMP_DIR_PATH = $TEMP_DIR.FullName
+      C:\ProgramData\Chocolatey\bin\7z.exe -y x $src_cache -o"$TEMP_DIR_PATH"
 
   - name: Move Src Cache (Windows)
     if: ${{ inputs.target-platform == 'win' }}
-    uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
+    uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
     with:
       timeout_minutes: 30
       max_attempts: 3
@@ -110,6 +111,9 @@ runs:
           Write-Host "Relocating Cache"
           Remove-Item -Recurse -Force src
           Move-Item temp-cache\src src
+
+          Write-Host "Deleting zip file"
+          Remove-Item -Force $src_cache
         }
         if (-Not (Test-Path "src\third_party\blink")) {
           Write-Host "Cache was not correctly restored - exiting"

.github/actions/set-chromium-cookie/action.yml

@@ -7,7 +7,7 @@ runs:
     if: ${{ runner.os != 'Windows' }}
     shell: bash
     run: |
-      if [[ -z "$CHROMIUM_GIT_COOKIE" ]]; then
+      if [[ -z "${{ env.CHROMIUM_GIT_COOKIE }}" ]]; then
         echo "CHROMIUM_GIT_COOKIE is not set - cannot authenticate."
         exit 0
       fi
@@ -18,7 +18,9 @@ runs:
 
       git config --global http.cookiefile ~/.gitcookies
 
-      echo "$CHROMIUM_GIT_COOKIE" | tr , \\t >>~/.gitcookies
+      tr , \\t <<\__END__ >>~/.gitcookies
+      ${{ env.CHROMIUM_GIT_COOKIE }}
+      __END__
       eval 'set -o history' 2>/dev/null || unsetopt HIST_IGNORE_SPACE 2>/dev/null
 
       RESPONSE=$(curl -s -b ~/.gitcookies https://chromium-review.googlesource.com/a/accounts/self)
@@ -40,7 +42,7 @@ runs:
       )
 
       git config --global http.cookiefile "%USERPROFILE%\.gitcookies"
-      powershell -noprofile -nologo -command Write-Output $env:CHROMIUM_GIT_COOKIE_WINDOWS_STRING >>"%USERPROFILE%\.gitcookies"
+      powershell -noprofile -nologo -command Write-Output "${{ env.CHROMIUM_GIT_COOKIE_WINDOWS_STRING }}" >>"%USERPROFILE%\.gitcookies"
 
       curl -s -b "%USERPROFILE%\.gitcookies" https://chromium-review.googlesource.com/a/accounts/self > response.txt
 

.github/actions/ssh-debug/action.yml

@@ -1,20 +0,0 @@
-name: Debug via SSH
-description: Setup a SSH server with a tunnel to access it to debug via SSH.
-inputs:
-  tunnel:
-    description: 'Enable SSH tunneling via cloudflared'
-    required: true
-    default: 'false'
-  timeout:
-    description: 'SSH session timeout in seconds'
-    required: false
-    type: number
-    default: 3600
-runs:
-  using: composite
-  steps:
-    - run: $GITHUB_ACTION_PATH/setup-ssh.sh
-      shell: bash
-      env:
-        TUNNEL: ${{ inputs.tunnel }}
-        TIMEOUT: ${{ inputs.timeout }}

.github/actions/ssh-debug/bashrc

@@ -1,4 +0,0 @@
-# If we're in an interactive SSH session and we're not already in tmux and there's no explicit SSH command, auto attach tmux
-if [ -n "$SSH_TTY" ] && [ -z "$TMUX" ] && [ -z "$SSH_ORIGINAL_COMMAND" ]; then
-    exec tmux attach || exec tmux
-fi

.github/actions/ssh-debug/setup-ssh.sh

@@ -1,146 +0,0 @@
-#!/bin/bash -e
-
-if [ "${TUNNEL}" != "true" ]; then
-    echo "SSH tunneling is disabled. Set enable-tunnel: true to enable remote access."
-    echo "Local SSH server would be available on localhost:2222 if this were a local environment."
-    exit 0
-fi
-
-echo ::group::Configuring Tunnel
-
-echo "SSH tunneling enabled. Setting up remote access..."
-
-EXTERNAL_DEPS="curl jq ssh-keygen"
-
-for dep in $EXTERNAL_DEPS; do
-    if ! command -v "${dep}" > /dev/null 2>&1; then
-       echo "Command ${dep} not installed on the system!" >&2
-       exit 1
-    fi
-done
-
-cd "$GITHUB_ACTION_PATH"
-
-bashrc_path=$(pwd)/bashrc
-
-# Source `bashrc` to auto start tmux on SSH login.
-if ! grep -q "${bashrc_path}" ~/.bash_profile; then
-    echo >> ~/.bash_profile # On macOS runner there's no newline at the end of the file
-    echo "source \"${bashrc_path}\"" >> ~/.bash_profile
-fi
-
-OS=$(uname -s | tr '[:upper:]' '[:lower:]')
-ARCH=$(uname -m)
-
-if [ "${ARCH}" = "x86_64" ]; then
-    ARCH="amd64"
-elif [ "${ARCH}" = "aarch64" ]; then
-    ARCH="arm64"
-fi
-
-if [ "${OS}" = "darwin" ] && ! command -v tmux > /dev/null 2>&1; then
-    echo "Installing tmux..."
-    brew install tmux
-fi
-
-if [ "$OS" = "darwin" ]; then
-    cloudflared_url="https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-${OS}-${ARCH}.tgz"
-    echo "Downloading \`cloudflared\` from <$cloudflared_url>..."
-    curl --location --silent --output cloudflared.tgz "${cloudflared_url}"
-    tar xf cloudflared.tgz
-    rm cloudflared.tgz
-fi
-
-chmod +x cloudflared
-
-echo 'Creating SSH server key...'
-ssh-keygen -q -f ssh_host_rsa_key -N ''
-
-echo 'Creating SSH server config...'
-sed "s,\$PWD,${PWD},;s,\$USER,${USER}," sshd_config.template > sshd_config
-
-echo 'Starting SSH server...'
-sudo /usr/sbin/sshd -f sshd_config -D &
-sshd_pid=$!
-
-echo "SSH server started successfully (PID: ${sshd_pid})"
-
-echo 'Starting tmux session...'
-(cd "${GITHUB_WORKSPACE}" && tmux new-session -d -s debug)
-
-mkdir ~/.cloudflared
-CLEAN_TUNNEL_CERT=$(printf '%s\n' "${CLOUDFLARE_TUNNEL_CERT}" | tr -d '\r' | sed '/^[[:space:]]*$/d')
-
-echo "${CLEAN_TUNNEL_CERT}" > ~/.cloudflared/cert.pem
-
-CLEAN_USER_CA_CERT=$(printf '%s\n' "${CLOUDFLARE_USER_CA_CERT}" | tr -d '\r' | sed '/^[[:space:]]*$/d')
-
-echo "${CLEAN_USER_CA_CERT}" | sudo tee /etc/ssh/ca.pub > /dev/null
-sudo chmod 644 /etc/ssh/ca.pub
-
-random_suffix=$(openssl rand -hex 5 | cut -c1-10)
-tunnel_name="${GITHUB_SHA}-${GITHUB_RUN_ID}-${random_suffix}"
-tunnel_url="${tunnel_name}.${CLOUDFLARE_TUNNEL_HOSTNAME}"
-
-if ./cloudflared tunnel list | grep -q "${tunnel_name}"; then
-    echo "Deleting existing tunnel: ${tunnel_name}"
-    ./cloudflared tunnel delete ${tunnel_name}
-fi
-
-echo "Creating new cloudflare tunnel: ${tunnel_name}"
-./cloudflared tunnel create ${tunnel_name}
-
-credentials_file=$(find ~/.cloudflared -name "*.json" | head -n 1)
-if [ -z "${credentials_file}" ]; then
-    echo "Error: Could not find tunnel credentials file"
-    exit 1
-fi
-
-echo "Found credentials file: ${credentials_file}"
-
-echo 'Creating tunnel configuration...'
-cat > tunnel_config.yml << EOF
-tunnel: ${tunnel_name}
-credentials-file: ${credentials_file}
-
-ingress:
-  - hostname: ${tunnel_url}
-    service: ssh://localhost:2222
-  - service: http_status:404
-EOF
-
-echo 'Setting up DNS routing for tunnel...'
-./cloudflared tunnel route dns ${tunnel_name} ${tunnel_url}
-
-echo 'Running cloudflare tunnel...'
-./cloudflared tunnel --no-autoupdate --config tunnel_config.yml run 2>&1 | tee cloudflared.log | sed -u 's/^/cloudflared: /' &
-cloudflared_pid=$!
-
-echo ::endgroup::
-
-echo ::notice title=SSH Debug Session Ready::ssh ${tunnel_url}
-
-
-(
-    echo '    '
-    echo '    '
-    echo '🔗 SSH Debug Session Ready!'
-    echo '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'
-    echo '    '
-    echo '📋 Infra WG can copy and run this command to connect:'
-    echo '    '
-    echo "ssh ${tunnel_url}"
-    echo '    '
-    echo "⏰ Session expires automatically in ${TIMEOUT} seconds"
-    echo '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'
-    echo '    '
-    echo '    '
-) | cat
-
-echo ::group::Starting Background Session
-echo 'Starting SSH session in background...'
-./ssh-session.sh "${sshd_pid}" "${cloudflared_pid}" "${TIMEOUT}" "${tunnel_name}" &
-
-echo 'SSH session is running in background. GitHub Action will continue.'
-echo 'Session will auto-cleanup after timeout or when processes end.'
-echo ::endgroup::

.github/actions/ssh-debug/ssh-session.sh

@@ -1,52 +0,0 @@
-#!/bin/bash
-
-SSHD_PID=$1
-CLOUDFLARED_PID=$2
-SESSION_TIMEOUT=${3:-10000}
-TUNNEL_NAME=$4
-
-cleanup() {
-    # Kill processes.
-    for pid in "$SLEEP_PID" "$SSHD_PID" "$CLOUDFLARED_PID"; do
-        if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
-            kill "$pid" 2>/dev/null || true
-        fi
-    done
-
-    # Clean up tunnel.
-    if [ -n "$TUNNEL_NAME" ]; then
-        cd "$GITHUB_ACTION_PATH"
-        ./cloudflared tunnel delete "$TUNNEL_NAME" 2>/dev/null || {
-            echo "Failed to delete tunnel"
-        }
-    fi
-
-    echo "Session ended at $(date)"
-    exit 0
-}
-
-# Trap signals to ensure cleanup.
-trap cleanup SIGTERM SIGINT SIGQUIT SIGHUP EXIT
-
-# Wait for timeout or until processes die.
-sleep "$SESSION_TIMEOUT" &
-SLEEP_PID=$!
-
-# Monitor processes
-while kill -0 "$SLEEP_PID" 2>/dev/null; do
-    # Check SSH daemon.
-    if ! kill -0 "$SSHD_PID" 2>/dev/null; then
-        echo "SSH daemon died at $(date)"
-        break
-    fi
-
-    # Check cloudflared,
-    if ! kill -0 "$CLOUDFLARED_PID" 2>/dev/null; then
-        echo "Cloudflared died at $(date)"
-        break
-    fi
-
-    sleep 10
-done
-
-cleanup

.github/actions/ssh-debug/sshd_config.template

@@ -1,25 +0,0 @@
-Port 2222
-HostKey $PWD/ssh_host_rsa_key
-PidFile $PWD/sshd.pid
-
-# Connection settings
-ClientAliveInterval 30
-ClientAliveCountMax 10
-MaxStartups 10
-LoginGraceTime 120
-
-# Allow TCP forwarding for tunneling
-AllowTcpForwarding yes
-
-# Try to prevent timeouts
-TCPKeepAlive yes
-
-# Security
-TrustedUserCAKeys /etc/ssh/ca.pub
-PubkeyAuthentication yes
-PasswordAuthentication no
-
-AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | grep -A1 Principals"
-AuthorizedPrincipalsCommandUser nobody
-
-PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com

.github/copilot-instructions.md

@@ -1,122 +0,0 @@
-# Copilot Instructions for Electron
-
-## Build System
-
-Electron uses `@electron/build-tools` (`e` CLI). Install with `npm i -g @electron/build-tools`.
-
-```bash
-e sync              # Fetch sources and apply patches
-e build             # Build Electron (GN + Ninja)
-e build -k 999      # Build, continuing through errors
-e start             # Run built Electron
-e start --version   # Verify Electron launches
-e test              # Run full test suite
-e debug             # Run in debugger (lldb on macOS, gdb on Linux)
-```
-
-### Linting
-
-```bash
-npm run lint              # Run all linters (JS, C++, Python, GN, docs)
-npm run lint:js           # JavaScript/TypeScript only
-npm run lint:clang-format # C++ formatting only
-npm run lint:cpp          # C++ linting only
-npm run lint:docs         # Documentation only
-```
-
-### Running a Single Test
-
-```bash
-npm run test -- -g "pattern"   # Run tests matching a regex pattern
-# Example: npm run test -- -g "ipc"
-```
-
-### Running a Single Node.js Test
-
-```bash
-node script/node-spec-runner.js parallel/test-crypto-keygen
-```
-
-## Architecture
-
-Electron embeds Chromium (rendering) and Node.js (backend) to enable desktop apps with web technologies. The parent directory (`../`) is the Chromium source tree.
-
-### Process Model
-
-Electron has two primary process types, mirroring Chromium:
-
-- **Main process** (`shell/browser/` + `lib/browser/`): Controls app lifecycle, creates windows, system APIs
-- **Renderer process** (`shell/renderer/` + `lib/renderer/`): Runs web content in BrowserWindows
-
-### Native ↔ JavaScript Bridge
-
-Each API is implemented as a C++/JS pair:
-
-- C++ side: `shell/browser/api/electron_api_{name}.cc/.h` — uses `gin::Wrappable` and `ObjectTemplateBuilder`
-- JS side: `lib/browser/api/{name}.ts` — exports the module, registered in `lib/browser/api/module-list.ts`
-- Binding: `NODE_LINKED_BINDING_CONTEXT_AWARE(electron_browser_{name}, Initialize)` in C++ and registered in `shell/common/node_bindings.cc`
-- Type declaration: `typings/internal-ambient.d.ts` maps `process._linkedBinding('electron_browser_{name}')`
-
-### Patches System
-
-Electron patches upstream dependencies (Chromium, Node.js, V8, etc.) rather than forking them. Patches live in `patches/` organized by target, with `patches/config.json` mapping directories to repos.
-
-```text
-patches/{target}/*.patch  →  [e sync]   →  target repo commits
-                          ←  [e patches] ←
-```
-
-Key rules:
-
-- Fix existing patches rather than creating new ones
-- Preserve original authorship in TODO comments — never change `TODO(name)` assignees
-- Each patch commit message must explain why the patch exists
-- After modifying patches, run `e patches {target}` to export
-
-When working on the `roller/chromium/main` branch for Chromium upgrades, use `e sync --3` for 3-way merge conflict resolution.
-
-## Conventions
-
-### File Naming
-
-- JS/TS files: kebab-case (`file-name.ts`)
-- C++ files: snake_case with `electron_api_` prefix (`electron_api_safe_storage.cc`)
-- Test files: `api-{module-name}-spec.ts` in `spec/`
-- Source file lists are maintained in `filenames.gni` (with platform-specific sections)
-
-### JavaScript/TypeScript
-
-- Semicolons required (`"semi": ["error", "always"]`)
-- `const` and `let` only (no `var`)
-- Arrow functions preferred
-- Import order enforced: `@electron/internal` → `@electron` → `electron` → external → builtin → relative
-- API naming: `PascalCase` for classes (`BrowserWindow`), `camelCase` for module APIs (`globalShortcut`)
-- Prefer getters/setters over jQuery-style `.text([text])` patterns
-
-### C++
-
-- Follows Chromium coding style, enforced by `clang-format` and `clang-tidy`
-- Uses Chromium abstractions (`base::`, `content::`, etc.)
-- Header guards: `#ifndef ELECTRON_SHELL_BROWSER_API_ELECTRON_API_{NAME}_H_`
-- Platform-specific files: `_mac.mm`, `_win.cc`, `_linux.cc`
-
-### Testing
-
-- Framework: Mocha + Chai + Sinon
-- Test helpers in `spec/lib/` (e.g., `spec-helpers.ts`, `window-helpers.ts`)
-- Use `defer()` from spec-helpers for cleanup, `closeAllWindows()` for window teardown
-- Tests import from `electron/main` or `electron/renderer`
-
-### Documentation
-
-- API docs in `docs/api/` as Markdown, parsed by `@electron/docs-parser` to generate `electron.d.ts`
-- API history tracked via YAML blocks in HTML comments within doc files
-- Docs must pass `npm run lint:docs`
-
-### Build Configuration
-
-- `BUILD.gn`: Main GN build config
-- `buildflags/buildflags.gni`: Feature flags (PDF viewer, extensions, spellchecker)
-- `build/args/`: Build argument profiles (`testing.gn`, `release.gn`, `all.gn`)
-- `DEPS`: Dependency versions and checkout paths
-- `chromium_src/`: Chromium source file overrides (compiled instead of originals)

.github/problem-matchers/clang.json

@@ -1,18 +0,0 @@
-{
-  "problemMatcher": [
-    {
-      "owner": "clang",
-      "fromPath": "src/out/Default/args.gn",
-      "pattern": [
-        {
-          "regexp": "^(.+)[(:](\\d+)[:,](\\d+)\\)?:\\s+(warning|fatal error|error):\\s+(.*)$",
-          "file": 1,
-          "line": 2,
-          "column": 3,
-          "severity": 4,
-          "message": 5
-        }
-      ]
-    }
-  ]
-}

.github/problem-matchers/markdownlint.json

@@ -1,16 +0,0 @@
-{
-  "problemMatcher": [
-    {
-      "owner": "markdownlint",
-      "pattern": [
-        {
-          "regexp": "^(.+):(\\d+):(\\d+)\\s+(.*)$",
-          "file": 1,
-          "line": 2,
-          "column": 3,
-          "message": 4
-        }
-      ]
-    }
-  ]
-}

.github/problem-matchers/patch-conflict.json

@@ -1,34 +0,0 @@
-{
-  "problemMatcher": [
-    {
-      "owner": "merge-conflict",
-      "pattern": [
-        {
-          "regexp": "^CONFLICT\\s\\(\\S+\\): (Merge conflict in \\S+)$",
-          "message": 1
-        }
-      ]
-    },
-    {
-      "owner": "patch-conflict",
-      "pattern": [
-        {
-          "regexp": "^error: (patch failed: (\\S+):(\\d+))$",
-          "message": 1,
-          "file": 2,
-          "line": 3
-        }
-      ]
-    },
-    {
-      "owner": "patch-needs-update",
-      "pattern": [
-        {
-          "regexp": "^((patches\/.*): needs update)$",
-          "message": 1,
-          "file": 2
-        }
-      ]
-    }
-  ]
-}

.github/siso-patches/0001-siso-reuse-the-outer-os.File-for-chunked-ReadAt-in-f.patch

@@ -1,47 +0,0 @@
-From aab86e682d6f40e110700f36c9c37f6655fb14f1 Mon Sep 17 00:00:00 2001
-From: Samuel Attard <sam@electronjs.org>
-Date: Wed, 8 Apr 2026 23:24:15 -0700
-Subject: [PATCH] siso: reuse the outer *os.File for chunked ReadAt in
- fileParser.readFile
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The per-chunk goroutine currently re-opens fname to get its own handle
-for ReadAt. (*os.File).ReadAt is documented as safe for concurrent
-calls on the same File (on Windows it is ReadFile with an OVERLAPPED
-offset, so there is no shared seek state), so the extra open is
-redundant — the goroutines can share the outer f.
-
-Besides halving the CreateFileW calls per subninja, this avoids an
-intermittent 'The parameter is incorrect.' (ERROR_INVALID_PARAMETER)
-from bindflt.sys when out/ is a mapped directory inside a Windows
-container: bindflt's handle-relative NtCreateFile path races when a
-second relative open arrives while the first handle to the same target
-is still being set up. Absolute paths and single opens do not trigger
-it; see microsoft/Windows-Containers#<tbd>.
----
- siso/toolsupport/ninjautil/file_parser.go | 7 -------
- 1 file changed, 7 deletions(-)
-
-diff --git a/siso/toolsupport/ninjautil/file_parser.go b/siso/toolsupport/ninjautil/file_parser.go
-index f8c7eff..75b1d6e 100644
---- a/siso/toolsupport/ninjautil/file_parser.go
-+++ b/siso/toolsupport/ninjautil/file_parser.go
-@@ -128,13 +128,6 @@ func (p *fileParser) readFile(ctx context.Context, fname string) ([]byte, error)
- 		eg.Go(func() error {
- 			p.sema <- struct{}{}
- 			defer func() { <-p.sema }()
--			f, err := os.Open(fname)
--			if err != nil {
--				return err
--			}
--			defer func() {
--				_ = f.Close()
--			}()
- 			for len(chunkBuf) > 0 {
- 				n, err := f.ReadAt(chunkBuf, pos)
- 				if err != nil {
--- 
-2.52.0
-

.github/siso-patches/0002-siso-retry-transient-ERROR_INVALID_PARAMETER-when-op.patch

@@ -1,132 +0,0 @@
-From 1786f2266cba6a66343e5af2b724214930c8292f Mon Sep 17 00:00:00 2001
-From: Samuel Attard <sam@electronjs.org>
-Date: Wed, 22 Apr 2026 16:27:51 -0700
-Subject: [PATCH] siso: retry transient ERROR_INVALID_PARAMETER when opening
- ninja files on Windows
-
-ManifestParser.Load fans out across all subninja files (~90k in a
-Chromium build) at NumCPU parallelism. On Windows builders where out/
-is served through a filesystem filter driver (e.g. bindflt/wcifs for
-container bind mounts), CreateFileW can intermittently return
-ERROR_INVALID_PARAMETER under this concurrent open burst. The previous
-patch removes the redundant per-chunk re-open, but the single remaining
-open per file can still hit the race; without a retry a single transient
-failure aborts the entire manifest load.
-
-Wrap the remaining os.Open call in readFile in a small Windows-only
-retry for ERROR_INVALID_PARAMETER (5 attempts, 5-80ms backoff). Each
-retry is logged via clog.Warningf and also written to stderr so it is
-visible in CI step output where glog warnings are file-only by default.
-Other platforms keep the direct os.Open path.
----
- siso/toolsupport/ninjautil/file_parser.go     |  3 +-
- siso/toolsupport/ninjautil/openfile_other.go  | 18 +++++++
- .../toolsupport/ninjautil/openfile_windows.go | 50 +++++++++++++++++++
- 3 files changed, 69 insertions(+), 2 deletions(-)
- create mode 100644 siso/toolsupport/ninjautil/openfile_other.go
- create mode 100644 siso/toolsupport/ninjautil/openfile_windows.go
-
-diff --git a/siso/toolsupport/ninjautil/file_parser.go b/siso/toolsupport/ninjautil/file_parser.go
-index 75b1d6e..4a3e639 100644
---- a/siso/toolsupport/ninjautil/file_parser.go
-+++ b/siso/toolsupport/ninjautil/file_parser.go
-@@ -7,7 +7,6 @@ package ninjautil
- import (
- 	"context"
- 	"fmt"
--	"os"
- 	"path/filepath"
- 	"runtime/trace"
- 	"sync"
-@@ -108,7 +107,7 @@ func (p *fileParser) parseFile(ctx context.Context, fname string) error {
- // readFile reads a file of fname in parallel.
- func (p *fileParser) readFile(ctx context.Context, fname string) ([]byte, error) {
- 	defer trace.StartRegion(ctx, "ninja.read").End()
--	f, err := os.Open(fname)
-+	f, err := openFile(ctx, fname)
- 	if err != nil {
- 		return nil, err
- 	}
-diff --git a/siso/toolsupport/ninjautil/openfile_other.go b/siso/toolsupport/ninjautil/openfile_other.go
-new file mode 100644
-index 0000000..9fca690
---- /dev/null
-+++ b/siso/toolsupport/ninjautil/openfile_other.go
-@@ -0,0 +1,18 @@
-+// Copyright 2026 The Chromium Authors
-+// Use of this source code is governed by a BSD-style license that can be
-+// found in the LICENSE file.
-+
-+//go:build !windows
-+
-+package ninjautil
-+
-+import (
-+	"context"
-+	"os"
-+)
-+
-+// openFile opens fname for reading.
-+// See openfile_windows.go for the Windows variant with transient-error retry.
-+func openFile(ctx context.Context, fname string) (*os.File, error) {
-+	return os.Open(fname)
-+}
-diff --git a/siso/toolsupport/ninjautil/openfile_windows.go b/siso/toolsupport/ninjautil/openfile_windows.go
-new file mode 100644
-index 0000000..f9d8e9d
---- /dev/null
-+++ b/siso/toolsupport/ninjautil/openfile_windows.go
-@@ -0,0 +1,50 @@
-+// Copyright 2026 The Chromium Authors
-+// Use of this source code is governed by a BSD-style license that can be
-+// found in the LICENSE file.
-+
-+//go:build windows
-+
-+package ninjautil
-+
-+import (
-+	"context"
-+	"errors"
-+	"fmt"
-+	"os"
-+	"time"
-+
-+	"golang.org/x/sys/windows"
-+
-+	"go.chromium.org/build/siso/o11y/clog"
-+)
-+
-+// openFile opens fname for reading, retrying transient
-+// ERROR_INVALID_PARAMETER failures.
-+//
-+// On Windows, CreateFileW can intermittently return
-+// ERROR_INVALID_PARAMETER when the target lives behind a filesystem
-+// filter driver (e.g. bindflt/wcifs for container bind mounts) under
-+// highly concurrent opens. loadFile fans out across ~90k subninja
-+// files at NumCPU parallelism, so a single transient failure would
-+// otherwise abort the whole manifest load.
-+func openFile(ctx context.Context, fname string) (*os.File, error) {
-+	const maxAttempts = 5
-+	delay := 5 * time.Millisecond
-+	for i := 0; ; i++ {
-+		f, err := os.Open(fname)
-+		if err == nil {
-+			return f, nil
-+		}
-+		if i+1 >= maxAttempts || !errors.Is(err, windows.ERROR_INVALID_PARAMETER) {
-+			return nil, err
-+		}
-+		clog.Warningf(ctx, "open %s: %v; retrying (%d/%d) after %s", fname, err, i+1, maxAttempts, delay)
-+		fmt.Fprintf(os.Stderr, "siso: open %s: %v; retrying (%d/%d) after %s\n", fname, err, i+1, maxAttempts, delay)
-+		select {
-+		case <-time.After(delay):
-+		case <-ctx.Done():
-+			return nil, context.Cause(ctx)
-+		}
-+		delay *= 2
-+	}
-+}
--- 
-2.52.0
-

.github/workflows/apply-patches.yml

@@ -1,96 +0,0 @@
-name: Apply Patches
-
-on:
-  pull_request:
-
-permissions: {}
-
-concurrency:
-  group: apply-patches-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  setup:
-    if: github.repository == 'electron/electron'
-    runs-on: ubuntu-slim
-    permissions:
-      contents: read
-      pull-requests: read
-    outputs:
-      has-patches: ${{ steps.filter.outputs.patches }}
-      has-siso-patches: ${{ steps.filter.outputs.siso-patches }}
-      build-image-sha: ${{ steps.build-image-sha.outputs.build-image-sha }}
-    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        persist-credentials: false
-        ref: ${{ github.event.pull_request.head.sha }}
-    # Use dorny/paths-filter instead of the path filter under the on: pull_request: block
-    # so that the output can be used to conditionally run the apply-patches job, which lets
-    # the job be marked as a required status check (conditional skip counts as a success).
-    - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
-      id: filter
-      with:
-        filters: |
-          patches:
-            - DEPS
-            - 'patches/**'
-          siso-patches:
-            - DEPS
-            - '.github/siso-patches/**'
-    - name: Set Build Image SHA
-      id: build-image-sha
-      uses: ./.github/actions/build-image-sha
-
-  apply-patches:
-    needs: setup
-    if: ${{ needs.setup.outputs.has-patches == 'true' }}
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
-    container:
-      image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
-      options: --user root
-      volumes:
-        - /mnt/cross-instance-cache:/mnt/cross-instance-cache
-        - /var/run/sas:/var/run/sas
-    env:
-      CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
-      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
-    steps:
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        path: src/electron
-        fetch-depth: 0
-        persist-credentials: false
-        ref: ${{ github.event.pull_request.base.ref }}
-    - name: Merge PR HEAD
-      working-directory: src/electron
-      env:
-        PR_NUMBER: ${{ github.event.pull_request.number }}
-      run: |
-        git config user.email "electron@github.com"
-        git config user.name "Electron Bot"
-        git fetch origin refs/pull/${PR_NUMBER}/head
-        git merge --squash FETCH_HEAD
-        git commit -n -m "Squashed commits"
-    - name: Checkout & Sync & Save
-      uses: ./src/electron/.github/actions/checkout
-      with:
-        target-platform: linux
-    - name: Upload Patch Conflict Fix
-      if: ${{ failure() }}
-      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-      with:
-        name: update-patches
-        path: patches/update-patches.patch
-        if-no-files-found: ignore
-        archive: false
-
-  build-siso:
-    needs: setup
-    if: ${{ needs.setup.outputs.has-siso-patches == 'true' }}
-    uses: ./.github/workflows/pipeline-segment-build-siso-windows.yml
-    permissions:
-      contents: read

.github/workflows/archaeologist-dig.yml

@@ -3,39 +3,31 @@ name: Archaeologist
 on:
   pull_request:
 
-permissions: {}
-
 jobs:
    archaeologist-dig:
     name: Archaeologist Dig
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       - name: Checkout Electron
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.0.2
         with:
           fetch-depth: 0
       - name: Setup Node.js/npm
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a
         with:
-          node-version: 24.12.x
+          node-version: 20.11.x
       - name: Setting Up Dig Site
-        env:
-          CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
-          echo "remote: $CLONE_URL"
-          echo "sha $HEAD_SHA"
-          echo "base ref $BASE_REF"
-          git clone https://github.com/electron/electron.git electron
+          echo "remote: ${{ github.event.pull_request.head.repo.clone_url }}"
+          echo "sha ${{ github.event.pull_request.head.sha }}"
+          echo "base ref ${{ github.event.pull_request.base.ref }}"
+          git clone https://github.com/electron/electron.git electron          
           cd electron
           mkdir -p artifacts
-          git remote add fork "$CLONE_URL" && git fetch fork
-          git checkout "$HEAD_SHA"
-          git merge-base "origin/$BASE_REF" HEAD > .dig-old
-          echo "$HEAD_SHA" > .dig-new
+          git remote add fork ${{ github.event.pull_request.head.repo.clone_url }} && git fetch fork
+          git checkout  ${{ github.event.pull_request.head.sha }}
+          git merge-base origin/${{ github.event.pull_request.base.ref }} HEAD > .dig-old
+          echo  ${{ github.event.pull_request.head.sha }} > .dig-new
           cp .dig-old artifacts
 
       - name: Generating Types for SHA in .dig-new
@@ -49,7 +41,7 @@ jobs:
           sha-file: .dig-old
           filename: electron.old.d.ts
       - name: Upload artifacts
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 #v4.6.1
         with:
           name: artifacts
           path: electron/artifacts

.github/workflows/audit-branch-ci.yml

@@ -1,165 +0,0 @@
-name: Audit CI on Branches
-
-on:
-  workflow_dispatch:
-  schedule:
-    # Run every 2 hours
-    - cron: '0 */2 * * *'
-
-permissions: {}
-
-jobs:
-  audit_branch_ci:
-    name: Audit CI on Branches
-    if: github.repository == 'electron/electron'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Setup Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-        with:
-          node-version: 22.17.x
-      - name: Sparse checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          sparse-checkout: |
-            .
-            .github
-            .yarn
-      - run: yarn workspaces focus @electron/gha-workflows
-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        id: audit-errors
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const { chdir } = require('node:process');
-            chdir('${{ github.workspace }}/.github/workflows');
-
-            const cache = require('@actions/cache');
-            const { ElectronVersions } = require('@electron/fiddle-core');
-
-            const runsWithErrors = [];
-
-            // Only want the most recent workflow run that wasn't skipped or cancelled
-            const isValidWorkflowRun = (run) => !['skipped', 'cancelled'].includes(run.conclusion);
-
-            const versions = await ElectronVersions.create({ ignoreCache: true });
-            const branches = versions.supportedMajors.map((branch) => `${branch}-x-y`);
-
-            for (const branch of ["main", ...branches]) {
-              const latestCheckRuns = new Map();
-              const allCheckRuns = await github.paginate(github.rest.checks.listForRef, {
-                owner: "electron",
-                repo: "electron",
-                ref: branch,
-                status: 'completed',
-              });
-
-              // Sort the check runs by completed_at so that multiple check runs on the
-              // same ref (like a scheduled workflow) only looks at the most recent one
-              for (const checkRun of allCheckRuns.filter(
-                (run) => !['skipped', 'cancelled'].includes(run.conclusion),
-              ).sort((a, b) => new Date(b.completed_at) - new Date(a.completed_at))) {
-                if (!latestCheckRuns.has(checkRun.name)) {
-                  latestCheckRuns.set(checkRun.name, checkRun);
-                }
-              }
-
-              // Check for runs which had error annotations
-              for (const checkRun of Array.from(latestCheckRuns.values())) {
-                if (checkRun.name === "Audit CI on Branches") {
-                  continue; // Skip the audit workflow itself
-                }
-
-                const annotations = (await github.rest.checks.listAnnotations({
-                  owner: "electron",
-                  repo: "electron",
-                  check_run_id: checkRun.id,
-                })).data ?? [];
-
-                if (
-                  annotations.find(
-                    ({ annotation_level, message }) =>
-                      annotation_level === "failure" &&
-                      !message.startsWith("Process completed with exit code") &&
-                      !message.startsWith("Response status code does not indicate success") &&
-                      !message.startsWith("The hosted runner lost communication with the server") &&
-                      !message.startsWith("Dependabot encountered an error performing the update") &&
-                      !message.startsWith("The action 'Run Electron Tests' has timed out") &&
-                      !message.startsWith("The operation was canceled") &&
-                      !message.startsWith("Canceling since") &&
-                      !/Unable to make request/.test(message) &&
-                      !/The requested URL returned error/.test(message),
-                  )
-                ) {
-                  checkRun.hasErrorAnnotations = true;
-                } else {
-                  continue;
-                }
-
-                // Check if this is a known failure from a previous audit run
-                const cacheKey = `check-run-error-annotations-${checkRun.id}`;
-                const cacheHit =
-                  (await cache.restoreCache(['/dev/null'], cacheKey, undefined, {
-                    lookupOnly: true,
-                  })) !== undefined;
-
-                if (cacheHit) {
-                  checkRun.isStale = true;
-                }
-
-                checkRun.branch = branch;
-                runsWithErrors.push(checkRun);
-  
-                // Create a cache entry (only the name matters) to keep track of
-                // failures we've seen from previous runs to mark them as stale
-                if (!cacheHit) {
-                  await cache.saveCache(['/dev/null'], cacheKey);
-                }
-              }
-            }
-
-            if (runsWithErrors.length > 0) {
-              core.summary.addHeading('⚠️ Runs with Errors');
-              core.summary.addTable([
-                [
-                  { data: 'Branch', header: true },
-                  { data: 'Workflow Run', header: true },
-                  { data: 'Status', header: true },
-                ],
-                ...runsWithErrors
-                  .sort(
-                    (a, b) =>
-                      a.branch.localeCompare(b.branch) ||
-                      a.name.localeCompare(b.name),
-                  )
-                  .map((run) => [
-                    run.branch,
-                    `<a href="${run.html_url}">${run.name}</a>`,
-                    run.isStale
-                      ? '📅 Stale'
-                      : run.hasErrorAnnotations
-                      ? '⚠️ Errors'
-                      : '✅ Succeeded',
-                  ]),
-              ]);
-
-              // Set this as failed so it's easy to scan runs to find failures
-              if (runsWithErrors.find((run) => !run.isStale)) {
-                core.setOutput('errorsFound', true);
-                process.exitCode = 1;
-              }
-            } else {
-              core.summary.addRaw('🎉 No runs with errors');
-            }
-
-            await core.summary.write();
-      - name: Send Slack message if errors
-        if: ${{ always() && steps.audit-errors.outputs.errorsFound && github.ref == 'refs/heads/main' }}
-        uses: slackapi/slack-github-action@03ea5433c137af7c0495bc0cad1af10403fc800c # v3.0.2
-        with:
-          payload: |
-            link: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-          webhook: ${{ secrets.CI_ERRORS_SLACK_WEBHOOK_URL }}
-          webhook-type: webhook-trigger

.github/workflows/branch-created.yml

@@ -14,7 +14,7 @@ permissions: {}
 jobs:
   release-branch-created:
     name: Release Branch Created
-    if: ${{ github.repository == 'electron/electron' && (github.event_name == 'workflow_dispatch' || (github.event.ref_type == 'branch' && endsWith(github.event.ref, '-x-y') && !startsWith(github.event.ref, 'roller'))) }}
+    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.ref_type == 'branch' && endsWith(github.event.ref, '-x-y') && !startsWith(github.event.ref, 'roller')) }}
     permissions:
       contents: read
       pull-requests: write
@@ -31,46 +31,16 @@ jobs:
           else
             echo "Not a release branch: $BRANCH_NAME"
           fi
-      - name: Determine Next Unsupported Major Version
-        id: determine-next-unsupported-major
-        if: ${{ steps.check-major-version.outputs.MAJOR }}
-        env:
-          MAJOR: ${{ steps.check-major-version.outputs.MAJOR }}
-        run: |
-          # Fetch the release schedule
-          SCHEDULE=$(curl -s https://releases.electronjs.org/schedule.json)
-
-          # Get the stableDate for the current major version
-          STABLE_DATE=$(echo "$SCHEDULE" | jq -r --arg major "${MAJOR}.0.0" '.[] | select(.version == $major) | .stableDate')
-
-          if [[ -z "$STABLE_DATE" || "$STABLE_DATE" == "null" ]]; then
-            echo "Could not find stableDate for version $MAJOR"
-            exit 1
-          fi
-
-          # Find the oldest version where eolDate >= stableDate of the new major
-          # This gives us the oldest supported version when the new major goes stable
-          NEXT_UNSUPPORTED_MAJOR=$(echo "$SCHEDULE" | jq -r --arg stableDate "$STABLE_DATE" '
-            [.[] | select(.eolDate != null and .eolDate >= $stableDate)] | sort_by(.version | split(".")[0] | tonumber) | first | .version | split(".")[0]
-          ')
-
-          if [[ -z "$NEXT_UNSUPPORTED_MAJOR" || "$NEXT_UNSUPPORTED_MAJOR" == "null" ]]; then
-            echo "Could not determine oldest supported version"
-            exit 1
-          fi
-
-          echo "SCHEDULE=$SCHEDULE" >> "$GITHUB_OUTPUT"
-          echo "NEXT_UNSUPPORTED_MAJOR=$NEXT_UNSUPPORTED_MAJOR" >> "$GITHUB_OUTPUT"
       - name: New Release Branch Tasks
         if: ${{ steps.check-major-version.outputs.MAJOR }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_REPO: electron/electron
           MAJOR: ${{ steps.check-major-version.outputs.MAJOR }}
-          NEXT_UNSUPPORTED_MAJOR: ${{ steps.determine-next-unsupported-major.outputs.NEXT_UNSUPPORTED_MAJOR }}
+          NUM_SUPPORTED_VERSIONS: 3
         run: |
           PREVIOUS_MAJOR=$((MAJOR - 1))
-          UNSUPPORTED_MAJOR=$((NEXT_UNSUPPORTED_MAJOR - 1))
+          UNSUPPORTED_MAJOR=$((MAJOR - NUM_SUPPORTED_VERSIONS - 1))
 
           # Create new labels
           gh label create $MAJOR-x-y --color 8d9ee8 || true
@@ -98,45 +68,21 @@ jobs:
           done
       - name: Generate GitHub App token
         if: ${{ steps.check-major-version.outputs.MAJOR }}
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}
           org: electron
       - name: Generate Release Project Board Metadata
         if: ${{ steps.check-major-version.outputs.MAJOR }}
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         id: generate-project-metadata
-        env:
-          MAJOR: ${{ steps.check-major-version.outputs.MAJOR }}
-          NEXT_UNSUPPORTED_MAJOR: ${{ steps.determine-next-unsupported-major.outputs.NEXT_UNSUPPORTED_MAJOR }}
-          SCHEDULE: ${{ steps.determine-next-unsupported-major.outputs.SCHEDULE }}
         with:
           script: |
-            const schedule = JSON.parse(process.env.SCHEDULE)
-
-            const major = parseInt(process.env.MAJOR)
+            const major = ${{ steps.check-major-version.outputs.MAJOR }}
             const nextMajor = major + 1
             const prevMajor = major - 1
 
-            const { betaDate, stableDate } = schedule.find(v => v.version === `${major}.0.0`)
-
-            const betaPrepWeek = new Date(betaDate)
-            betaPrepWeek.setDate(betaPrepWeek.getDate() - 8)
-            const betaPrepWeekEnd = new Date(betaPrepWeek)
-            betaPrepWeekEnd.setDate(betaPrepWeekEnd.getDate() + 4)
-
-            const stablePrepWeek = new Date(stableDate)
-            stablePrepWeek.setDate(stablePrepWeek.getDate() - 8)
-            const stablePrepWeekEnd = new Date(stablePrepWeek)
-            stablePrepWeekEnd.setDate(stablePrepWeekEnd.getDate() + 4)
-
-            const stableWeek = new Date(stableDate)
-            stableWeek.setDate(stableWeek.getDate() - 1)
-
-            const nextAlphaDate = new Date(stableDate)
-            nextAlphaDate.setDate(nextAlphaDate.getDate() + 2)
-
             core.setOutput("major", major)
             core.setOutput("next-major", nextMajor)
             core.setOutput("prev-major", prevMajor)
@@ -145,19 +91,10 @@ jobs:
                 major,
                 "next-major": nextMajor,
                 "prev-major": prevMajor,
-                "ending-support-major": parseInt(process.env.NEXT_UNSUPPORTED_MAJOR),
-                "beta-date": betaDate,
-                "beta-prep-week": betaPrepWeek.toISOString().split('T')[0],
-                "beta-prep-week-end": betaPrepWeekEnd.toISOString().split('T')[0],
-                "stable-week": stableWeek.toISOString().split('T')[0],
-                "stable-prep-week": stablePrepWeek.toISOString().split('T')[0],
-                "stable-prep-week-end": stablePrepWeekEnd.toISOString().split('T')[0],
-                "stable-date": stableDate,
-                "next-alpha-date": nextAlphaDate.toISOString().split('T')[0],
             }))
       - name: Create Release Project Board
         if: ${{ steps.check-major-version.outputs.MAJOR }}
-        uses: dsanders11/project-actions/copy-project@4b06452b0128cf601dac14399aa668a8eed2d684 # v2.0.1
+        uses: dsanders11/project-actions/copy-project@9c80cd31f58599941c64f74636bea95ba5d46090 # v1.5.1
         id: create-release-board
         with:
           drafts: true
@@ -170,60 +107,6 @@ jobs:
           template-view: ${{ steps.generate-project-metadata.outputs.template-view }}
           title: ${{ steps.generate-project-metadata.outputs.major }}-x-y
           token: ${{ steps.generate-token.outputs.token }}
-      - name: Randomly Assign Draft Issues to Release WG Members
-        if: ${{ steps.check-major-version.outputs.MAJOR }}
-        uses: dsanders11/project-actions/github-script@4b06452b0128cf601dac14399aa668a8eed2d684 # v2.0.1
-        env:
-          PROJECT_ID: ${{ steps.create-release-board.outputs.id }}
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-          script: |
-            const { data: members } = await github.rest.teams.listMembersInOrg({
-              org: 'electron',
-              team_slug: 'wg-releases',
-            });
-
-            const excludedLogins = ['nikwen'];
-            const memberLogins = new Set(members.map(m => m.login));
-            for (const login of excludedLogins) {
-              if (!memberLogins.has(login)) {
-                core.warning(`Excluded member "${login}" is not in @electron/wg-releases`);
-              }
-            }
-
-            const eligible = members.filter(m => !excludedLogins.includes(m.login));
-
-            if (eligible.length === 0) {
-              core.warning('No eligible members found in @electron/wg-releases team');
-              return;
-            }
-
-            const projectId = process.env.PROJECT_ID;
-            const draftIssues = await actions.getDraftIssues(projectId);
-
-            if (draftIssues.length === 0) {
-              core.info('No draft issues found in the project');
-              return;
-            }
-
-            // Fisher-Yates shuffle for uniform random assignment
-            const shuffled = [...eligible];
-            for (let i = shuffled.length - 1; i > 0; i--) {
-              const j = Math.floor(Math.random() * (i + 1));
-              [shuffled[i], shuffled[j]] = [shuffled[j], shuffled[i]];
-            }
-
-            // Assign draft issues round-robin across team members
-            for (let i = 0; i < draftIssues.length; i++) {
-              const member = shuffled[i % shuffled.length];
-              const draftIssue = draftIssues[i];
-              core.info(`Assigning "${draftIssue.content.title}" to ${member.login}`);
-              await actions.editItem(projectId, draftIssue.content.id, {
-                assignees: [member.login],
-              });
-            }
-
-            core.info(`Assigned ${draftIssues.length} draft issues to ${eligible.length} team members`);
       - name: Dump Release Project Board Contents
         if: ${{ steps.check-major-version.outputs.MAJOR }}
         run: gh project item-list ${{ steps.create-release-board.outputs.number }} --owner electron --format json | jq
@@ -231,15 +114,14 @@ jobs:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
       - name: Find Previous Release Project Board
         if: ${{ steps.check-major-version.outputs.MAJOR }}
-        uses: dsanders11/project-actions/find-project@4b06452b0128cf601dac14399aa668a8eed2d684 # v2.0.1
+        uses: dsanders11/project-actions/find-project@9c80cd31f58599941c64f74636bea95ba5d46090 # v1.5.1
         id: find-prev-release-board
         with:
-          fail-if-project-not-found: false
           title: ${{ steps.generate-project-metadata.outputs.prev-prev-major }}-x-y
           token: ${{ steps.generate-token.outputs.token }}
       - name: Close Previous Release Project Board
-        if: ${{ steps.find-prev-release-board.outputs.number }}
-        uses: dsanders11/project-actions/close-project@4b06452b0128cf601dac14399aa668a8eed2d684 # v2.0.1
+        if: ${{ steps.check-major-version.outputs.MAJOR }}
+        uses: dsanders11/project-actions/close-project@9c80cd31f58599941c64f74636bea95ba5d46090 # v1.5.1
         with:
           project-number: ${{ steps.find-prev-release-board.outputs.number }}
           token: ${{ steps.generate-token.outputs.token }}

.github/workflows/build-git-cache.yml

@@ -1,97 +0,0 @@
-name: Build Git Cache
-# This workflow updates git cache on the cross-instance cache volumes
-# It runs daily at midnight.
-
-on:
-  schedule:
-    - cron: "0 0 * * *"
-
-permissions: {}
-
-jobs:
-  setup:
-    if: github.repository == 'electron/electron'
-    runs-on: ubuntu-slim
-    permissions:
-      contents: read
-    outputs:
-      build-image-sha: ${{ steps.build-image-sha.outputs.build-image-sha }}
-    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-    - name: Set Build Image SHA
-      id: build-image-sha
-      uses: ./.github/actions/build-image-sha
-
-  build-git-cache-linux:
-    needs: setup
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
-    container:
-      image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
-      options: --user root
-      volumes:
-        - /mnt/cross-instance-cache:/mnt/cross-instance-cache
-    env:
-      CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
-      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
-    steps:
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        path: src/electron
-        fetch-depth: 0
-    - name: Build Git Cache
-      uses: ./src/electron/.github/actions/build-git-cache
-      with:
-        target-platform: linux
-
-  build-git-cache-windows:
-    needs: setup
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
-    container:
-      image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
-      options: --user root --device /dev/fuse --cap-add SYS_ADMIN
-      volumes:
-        - /mnt/win-cache:/mnt/win-cache
-    env:
-      CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
-      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_win=True'
-      TARGET_OS: 'win'
-    steps:
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        path: src/electron
-        fetch-depth: 0
-    - name: Build Git Cache
-      uses: ./src/electron/.github/actions/build-git-cache
-      with:
-        target-platform: win
-
-  build-git-cache-macos:
-    # This job updates the same git cache as linux, so it needs to run after the linux one.
-    needs: [setup, build-git-cache-linux]
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
-    container:
-      image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
-      options: --user root
-      volumes:
-        - /mnt/cross-instance-cache:/mnt/cross-instance-cache
-    env:
-      CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
-      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
-    steps:
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        path: src/electron
-        fetch-depth: 0
-    - name: Build Git Cache
-      uses: ./src/electron/.github/actions/build-git-cache
-      with:
-        target-platform: macos

.github/workflows/build.yml

@@ -6,8 +6,8 @@ on:
       build-image-sha:
         type: string
         description: 'SHA for electron/build image'
-        default: ''
-        required: false
+        default: '424eedbf277ad9749ffa9219068aa72ed4a5e373'
+        required: true
       skip-macos:
         type: boolean
         description: 'Skip macOS builds'
@@ -28,11 +28,6 @@ on:
         description: 'Skip lint check'
         default: false
         required: false
-      enable-ssh:
-        description: 'Enable SSH debugging'
-        required: false
-        type: boolean
-        default: false
   push:
     branches:
       - main
@@ -43,45 +38,36 @@ defaults:
   run:
     shell: bash
 
-permissions: {}
-
 jobs:
   setup:
-    if: github.repository == 'electron/electron'
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     permissions:
-      contents: read
       pull-requests: read
     outputs:
         docs: ${{ steps.filter.outputs.docs }}
         src: ${{ steps.filter.outputs.src }}
-        build-image-sha: ${{ steps.build-image-sha.outputs.build-image-sha }}
+        build-image-sha: ${{ steps.set-output.outputs.build-image-sha }}
         docs-only: ${{ steps.set-output.outputs.docs-only }}
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.0.2
       with:
         ref: ${{ github.event.pull_request.head.sha }}
-    - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
       id: filter
       with:
         filters: |
           docs:
             - 'docs/**'
-            - '.claude/**'
-            - README.md
-            - SECURITY.md
-            - CONTRIBUTING.md
-            - CODE_OF_CONDUCT.md
           src:
-            - '!{docs,.claude}/**'
-    - name: Set Build Image SHA
-      id: build-image-sha
-      uses: ./.github/actions/build-image-sha
-      with:
-        override: ${{ inputs.build-image-sha }}
-    - name: Set Docs Only
+            - '!docs/**'
+    - name: Set Outputs for Build Image SHA & Docs Only
       id: set-output
       run: |
+        if [ -z "${{ inputs.build-image-sha }}" ]; then
+          echo "build-image-sha=424eedbf277ad9749ffa9219068aa72ed4a5e373" >> "$GITHUB_OUTPUT"
+        else
+          echo "build-image-sha=${{ inputs.build-image-sha }}" >> "$GITHUB_OUTPUT"
+        fi
         echo "docs-only=${{ steps.filter.outputs.docs == 'true' && steps.filter.outputs.src == 'false' }}" >> "$GITHUB_OUTPUT"
 
   # Lint Jobs
@@ -89,30 +75,24 @@ jobs:
     needs: setup
     if: ${{ !inputs.skip-lint }}
     uses: ./.github/workflows/pipeline-electron-lint.yml
-    permissions:
-      contents: read
     with:
       container: '{"image":"ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}","options":"--user root"}'
     secrets: inherit
 
   # Docs Only Jobs
   docs-only:
-    needs: [setup, checkout-linux]
+    needs: setup
     if: ${{ needs.setup.outputs.docs-only == 'true' }}
     uses: ./.github/workflows/pipeline-electron-docs-only.yml
-    permissions:
-      contents: read
     with:
-      container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      container: '{"image":"ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}","options":"--user root"}'
     secrets: inherit
 
   # Checkout Jobs
   checkout-macos:
     needs: setup
     if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-macos}}
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-32core
     container:
       image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
       options: --user root
@@ -126,7 +106,7 @@ jobs:
       build-image-sha: ${{ needs.setup.outputs.build-image-sha }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
@@ -139,10 +119,8 @@ jobs:
 
   checkout-linux:
     needs: setup
-    if: ${{ !inputs.skip-linux}}
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-linux}}
+    runs-on: electron-arc-linux-amd64-32core
     container:
       image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
       options: --user root
@@ -151,29 +129,24 @@ jobs:
         - /var/run/sas:/var/run/sas
     env:
       CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
-      DD_API_KEY: ${{ secrets.DD_API_KEY }}
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
       PATCH_UP_APP_CREDS: ${{ secrets.PATCH_UP_APP_CREDS }}
     outputs:
       build-image-sha: ${{ needs.setup.outputs.build-image-sha}}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
         ref: ${{ github.event.pull_request.head.sha }}
     - name: Checkout & Sync & Save
       uses: ./src/electron/.github/actions/checkout
-      with:
-        target-platform: linux
 
   checkout-windows:
     needs: setup
     if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }}
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-32core
     container:
       image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
       options: --user root --device /dev/fuse --cap-add SYS_ADMIN
@@ -190,7 +163,7 @@ jobs:
       build-image-sha: ${{ needs.setup.outputs.build-image-sha}}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
@@ -201,51 +174,35 @@ jobs:
         generate-sas-token: 'true'
         target-platform: win
 
-  # Build a patched siso binary for Windows CI in parallel with checkout-windows.
-  # The Windows build jobs download the resulting artifact and use it via SISO_PATH.
-  build-siso-windows:
-    needs: setup
-    if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }}
-    uses: ./.github/workflows/pipeline-segment-build-siso-windows.yml
-    permissions:
-      contents: read
-
   # GN Check Jobs
   macos-gn-check:
     uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
-    permissions:
-      contents: read
     needs: checkout-macos
     with:
       target-platform: macos
       target-archs: x64 arm64
-      check-runs-on: macos-15
+      check-runs-on: macos-14
       gn-build-type: testing
     secrets: inherit
 
   linux-gn-check:
     uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
-    permissions:
-      contents: read
     needs: checkout-linux
-    if: ${{ needs.setup.outputs.src == 'true' }}
     with:
       target-platform: linux
       target-archs: x64 arm arm64
-      check-runs-on: electron-arc-centralus-linux-amd64-8core
+      check-runs-on: electron-arc-linux-amd64-8core
       check-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       gn-build-type: testing
     secrets: inherit
 
   windows-gn-check:
     uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
-    permissions:
-      contents: read
     needs: checkout-windows
     with:
       target-platform: win
       target-archs: x64 x86 arm64
-      check-runs-on: electron-arc-centralus-linux-amd64-8core
+      check-runs-on: electron-arc-linux-amd64-8core
       check-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-windows.outputs.build-image-sha }}","options":"--user root --device /dev/fuse --cap-add SYS_ADMIN","volumes":["/mnt/win-cache:/mnt/win-cache"]}'
       gn-build-type: testing
     secrets: inherit
@@ -259,15 +216,14 @@ jobs:
     uses: ./.github/workflows/pipeline-electron-build-and-test.yml
     needs: checkout-macos
     with:
-      build-runs-on: macos-15-xlarge
-      test-runs-on: macos-15-large
+      build-runs-on: macos-14-xlarge
+      test-runs-on: macos-13
       target-platform: macos
       target-arch: x64
       is-release: false
       gn-build-type: testing
       generate-symbols: false
       upload-to-storage: '0'
-      enable-ssh: ${{ inputs.enable-ssh || false }}
     secrets: inherit
   
   macos-arm64:
@@ -275,19 +231,17 @@ jobs:
       contents: read
       issues: read
       pull-requests: read
-    uses: ./.github/workflows/pipeline-electron-build-and-tidy-and-test.yml
+    uses: ./.github/workflows/pipeline-electron-build-and-test.yml
     needs: checkout-macos
     with:
-      build-runs-on: macos-15-xlarge
-      clang-tidy-runs-on: macos-15-large
-      test-runs-on: macos-15
+      build-runs-on: macos-14-xlarge
+      test-runs-on: macos-14
       target-platform: macos
       target-arch: arm64
       is-release: false
       gn-build-type: testing
       generate-symbols: false
       upload-to-storage: '0'
-      enable-ssh: ${{ inputs.enable-ssh || false }}
     secrets: inherit
 
   linux-x64:
@@ -295,15 +249,12 @@ jobs:
       contents: read
       issues: read
       pull-requests: read
-    uses: ./.github/workflows/pipeline-electron-build-and-tidy-and-test-and-nan.yml
+    uses: ./.github/workflows/pipeline-electron-build-and-test-and-nan.yml
     needs: checkout-linux
-    if: ${{ needs.setup.outputs.src == 'true' }}
     with:
-      build-runs-on: electron-arc-centralus-linux-amd64-32core
-      clang-tidy-runs-on: electron-arc-centralus-linux-amd64-8core
-      test-runs-on: electron-arc-centralus-linux-amd64-4core
+      build-runs-on: electron-arc-linux-amd64-32core
+      test-runs-on: electron-arc-linux-amd64-4core
       build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
-      clang-tidy-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       test-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
       target-platform: linux
       target-arch: x64
@@ -320,10 +271,9 @@ jobs:
       pull-requests: read
     uses: ./.github/workflows/pipeline-electron-build-and-test.yml
     needs: checkout-linux
-    if: ${{ needs.setup.outputs.src == 'true' }}
     with:
-      build-runs-on: electron-arc-centralus-linux-amd64-32core
-      test-runs-on: electron-arc-centralus-linux-amd64-4core
+      build-runs-on: electron-arc-linux-amd64-32core
+      test-runs-on: electron-arc-linux-amd64-4core
       build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       test-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
       target-platform: linux
@@ -342,12 +292,11 @@ jobs:
       pull-requests: read
     uses: ./.github/workflows/pipeline-electron-build-and-test.yml
     needs: checkout-linux
-    if: ${{ needs.setup.outputs.src == 'true' }}
     with:
-      build-runs-on: electron-arc-centralus-linux-amd64-32core
-      test-runs-on: electron-arc-centralus-linux-arm64-4core
+      build-runs-on: electron-arc-linux-amd64-32core
+      test-runs-on: electron-arc-linux-arm64-4core
       build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
-      test-container: '{"image":"ghcr.io/electron/test:arm32v7-${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init --memory=12g","volumes":["/home/runner/externals:/mnt/runner-externals"]}'
+      test-container: '{"image":"ghcr.io/electron/test:arm32v7-${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init","volumes":["/home/runner/externals:/mnt/runner-externals"]}'
       target-platform: linux
       target-arch: arm
       is-release: false
@@ -363,10 +312,9 @@ jobs:
       pull-requests: read
     uses: ./.github/workflows/pipeline-electron-build-and-test.yml
     needs: checkout-linux
-    if: ${{ needs.setup.outputs.src == 'true' }}
     with:
-      build-runs-on: electron-arc-centralus-linux-amd64-32core
-      test-runs-on: ubuntu-22.04-arm
+      build-runs-on: electron-arc-linux-amd64-32core
+      test-runs-on: electron-arc-linux-arm64-4core
       build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       test-container: '{"image":"ghcr.io/electron/test:arm64v8-${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
       target-platform: linux
@@ -376,32 +324,18 @@ jobs:
       generate-symbols: false
       upload-to-storage: '0'
     secrets: inherit
-    
-  test-linux-arm64-64k:
-    uses: ./.github/workflows/pipeline-segment-electron-test-64k.yml
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
-    needs: [checkout-linux, linux-arm64]
-    with:
-      test-runs-on: ubuntu-22.04-arm
-      test-container: '{"image":"ghcr.io/electron/test:arm64v8-${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
-    secrets: inherit
 
   windows-x64:
     permissions:
       contents: read
       issues: read
       pull-requests: read
-    uses: ./.github/workflows/pipeline-electron-build-and-tidy-and-test.yml
-    needs: [checkout-windows, build-siso-windows]
+    uses: ./.github/workflows/pipeline-electron-build-and-test.yml
+    needs: checkout-windows
     if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }}
     with:
-      build-runs-on: electron-arc-centralus-windows-amd64-16core
-      clang-tidy-runs-on: electron-arc-centralus-linux-amd64-8core
+      build-runs-on: electron-arc-windows-amd64-16core
       test-runs-on: windows-latest
-      clang-tidy-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-windows.outputs.build-image-sha }}","options":"--user root --device /dev/fuse --cap-add SYS_ADMIN","volumes":["/mnt/win-cache:/mnt/win-cache"]}'
       target-platform: win
       target-arch: x64
       is-release: false
@@ -416,10 +350,10 @@ jobs:
       issues: read
       pull-requests: read
     uses: ./.github/workflows/pipeline-electron-build-and-test.yml
-    needs: [checkout-windows, build-siso-windows]
+    needs: checkout-windows
     if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }}
     with:
-      build-runs-on: electron-arc-centralus-windows-amd64-16core
+      build-runs-on: electron-arc-windows-amd64-16core
       test-runs-on: windows-latest
       target-platform: win
       target-arch: x86
@@ -435,11 +369,11 @@ jobs:
       issues: read
       pull-requests: read
     uses: ./.github/workflows/pipeline-electron-build-and-test.yml
-    needs: [checkout-windows, build-siso-windows]
+    needs: checkout-windows
     if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }}
     with:
-      build-runs-on: electron-arc-centralus-windows-amd64-16core
-      test-runs-on: windows-11-arm
+      build-runs-on: electron-arc-windows-amd64-16core
+      test-runs-on: electron-hosted-windows-arm64-4core
       target-platform: win
       target-arch: arm64
       is-release: false
@@ -451,14 +385,9 @@ jobs:
   gha-done:
     name: GitHub Actions Completed
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    needs: [docs-only, macos-x64, macos-arm64, linux-x64, linux-x64-asan, linux-arm, linux-arm64, build-siso-windows, windows-x64, windows-x86, windows-arm64]
-    if: always() && github.repository == 'electron/electron'
-    steps:
-    - name: Fail if any needed job failed or was cancelled
-      if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
-      run: exit 1
+    needs: [docs-only, macos-x64, macos-arm64, linux-x64, linux-x64-asan, linux-arm, linux-arm64, windows-x64, windows-x86, windows-arm64]
+    if: always() && !contains(needs.*.result, 'failure')
+    steps: 
     - name: GitHub Actions Jobs Done
       run: |
         echo "All GitHub Actions Jobs are done"

.github/workflows/clean-orphaned-cache-uploads.yml

@@ -1,45 +0,0 @@
-name: Clean Orphaned Cache Uploads
-
-# Description:
-# Sweeps orphaned in-flight upload temp files left on the src-cache volumes
-# by checkout/action.yml when its cp-to-share step dies before the rename.
-# A successful upload finishes in minutes, so anything older than 4h is dead.
-
-on:
-  schedule:
-    - cron: "0 */4 * * *"
-  workflow_dispatch:
-
-permissions: {}
-
-jobs:
-  setup:
-    if: github.repository == 'electron/electron'
-    runs-on: ubuntu-slim
-    permissions:
-      contents: read
-    outputs:
-      build-image-sha: ${{ steps.build-image-sha.outputs.build-image-sha }}
-    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-    - name: Set Build Image SHA
-      id: build-image-sha
-      uses: ./.github/actions/build-image-sha
-
-  clean-orphaned-uploads:
-    needs: setup
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
-    container:
-      image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
-      options: --user root
-      volumes:
-        - /mnt/cross-instance-cache:/mnt/cross-instance-cache
-        - /mnt/win-cache:/mnt/win-cache
-    steps:
-    - name: Remove Orphaned Upload Temp Files
-      shell: bash
-      run: |
-        find /mnt/cross-instance-cache -maxdepth 1 -type f -name '*.tar.upload-*' -mmin +240 -print -delete
-        find /mnt/win-cache -maxdepth 1 -type f -name '*.tar.upload-*' -mmin +240 -print -delete

.github/workflows/clean-src-cache.yml

@@ -1,168 +1,29 @@
 name: Clean Source Cache
 
-# Description:
-# This workflow cleans up the source cache on the cross-instance cache volume
-# to free up space. It runs daily at midnight and clears files older than 15 days.
+description: |
+  This workflow cleans up the source cache on the cross-instance cache volume
+  to free up space. It runs daily at midnight and clears files older than 15 days.
 
 on:
   schedule:
     - cron: "0 0 * * *"
-  workflow_dispatch:
-
-permissions: {}
 
 jobs:
-  setup:
-    if: github.repository == 'electron/electron'
-    runs-on: ubuntu-slim
-    permissions:
-      contents: read
-    outputs:
-      build-image-sha: ${{ steps.build-image-sha.outputs.build-image-sha }}
-    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-    - name: Set Build Image SHA
-      id: build-image-sha
-      uses: ./.github/actions/build-image-sha
-
   clean-src-cache:
-    needs: setup
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
-    env:
-      DD_API_KEY: ${{ secrets.DD_API_KEY }}
+    runs-on: electron-arc-linux-amd64-32core
     container:
-      image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
+      image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
       options: --user root
       volumes:
         - /mnt/cross-instance-cache:/mnt/cross-instance-cache
         - /mnt/win-cache:/mnt/win-cache
     steps:
-    - name: Get Disk Space Before Cleanup
-      id: disk-before
-      shell: bash
-      run: |
-        echo "Disk space before cleanup:"
-        df -h /mnt/cross-instance-cache
-        df -h /mnt/win-cache
-        CROSS_FREE_BEFORE=$(df -k /mnt/cross-instance-cache | tail -1 | awk '{print $4}')
-        CROSS_TOTAL=$(df -k /mnt/cross-instance-cache | tail -1 | awk '{print $2}')
-        WIN_FREE_BEFORE=$(df -k /mnt/win-cache | tail -1 | awk '{print $4}')
-        WIN_TOTAL=$(df -k /mnt/win-cache | tail -1 | awk '{print $2}')
-        echo "cross_free_kb=$CROSS_FREE_BEFORE" >> $GITHUB_OUTPUT
-        echo "cross_total_kb=$CROSS_TOTAL" >> $GITHUB_OUTPUT
-        echo "win_free_kb=$WIN_FREE_BEFORE" >> $GITHUB_OUTPUT
-        echo "win_total_kb=$WIN_TOTAL" >> $GITHUB_OUTPUT
-
     - name: Cleanup Source Cache
       shell: bash
       run: |
+        df -h /mnt/cross-instance-cache
         find /mnt/cross-instance-cache -type f -mtime +15 -delete
-        find /mnt/win-cache -type f -mtime +15 -delete
-
-    - name: Get Disk Space After Cleanup
-      id: disk-after
-      shell: bash
-      run: |
-        echo "Disk space after cleanup:"
         df -h /mnt/cross-instance-cache
         df -h /mnt/win-cache
-        CROSS_FREE_AFTER=$(df -k /mnt/cross-instance-cache | tail -1 | awk '{print $4}')
-        WIN_FREE_AFTER=$(df -k /mnt/win-cache | tail -1 | awk '{print $4}')
-        echo "cross_free_kb=$CROSS_FREE_AFTER" >> $GITHUB_OUTPUT
-        echo "win_free_kb=$WIN_FREE_AFTER" >> $GITHUB_OUTPUT
-
-    - name: Log Disk Space to Datadog
-      if: ${{ env.DD_API_KEY != '' }}
-      shell: bash
-      env:
-        CROSS_FREE_BEFORE: ${{ steps.disk-before.outputs.cross_free_kb }}
-        CROSS_FREE_AFTER: ${{ steps.disk-after.outputs.cross_free_kb }}
-        CROSS_TOTAL: ${{ steps.disk-before.outputs.cross_total_kb }}
-        WIN_FREE_BEFORE: ${{ steps.disk-before.outputs.win_free_kb }}
-        WIN_FREE_AFTER: ${{ steps.disk-after.outputs.win_free_kb }}
-        WIN_TOTAL: ${{ steps.disk-before.outputs.win_total_kb }}
-      run: |
-        TIMESTAMP=$(date +%s)
-
-        CROSS_FREE_BEFORE_GB=$(awk "BEGIN {printf \"%.2f\", $CROSS_FREE_BEFORE / 1024 / 1024}")
-        CROSS_FREE_AFTER_GB=$(awk "BEGIN {printf \"%.2f\", $CROSS_FREE_AFTER / 1024 / 1024}")
-        CROSS_FREED_GB=$(awk "BEGIN {printf \"%.2f\", ($CROSS_FREE_AFTER - $CROSS_FREE_BEFORE) / 1024 / 1024}")
-        CROSS_TOTAL_GB=$(awk "BEGIN {printf \"%.2f\", $CROSS_TOTAL / 1024 / 1024}")
-
-        WIN_FREE_BEFORE_GB=$(awk "BEGIN {printf \"%.2f\", $WIN_FREE_BEFORE / 1024 / 1024}")
-        WIN_FREE_AFTER_GB=$(awk "BEGIN {printf \"%.2f\", $WIN_FREE_AFTER / 1024 / 1024}")
-        WIN_FREED_GB=$(awk "BEGIN {printf \"%.2f\", ($WIN_FREE_AFTER - $WIN_FREE_BEFORE) / 1024 / 1024}")
-        WIN_TOTAL_GB=$(awk "BEGIN {printf \"%.2f\", $WIN_TOTAL / 1024 / 1024}")
-
-        echo "cross-instance-cache: free before=${CROSS_FREE_BEFORE_GB}GB, after=${CROSS_FREE_AFTER_GB}GB, freed=${CROSS_FREED_GB}GB, total=${CROSS_TOTAL_GB}GB"
-        echo "win-cache: free before=${WIN_FREE_BEFORE_GB}GB, after=${WIN_FREE_AFTER_GB}GB, freed=${WIN_FREED_GB}GB, total=${WIN_TOTAL_GB}GB"
-
-        curl -s -X POST "https://api.datadoghq.com/api/v2/series" \
-          -H "Content-Type: application/json" \
-          -H "DD-API-KEY: ${DD_API_KEY}" \
-          -d @- << EOF
-        {
-          "series": [
-            {
-              "metric": "electron.src_cache.disk.free_space_before_cleanup_gb",
-              "points": [{"timestamp": ${TIMESTAMP}, "value": ${CROSS_FREE_BEFORE_GB}}],
-              "type": 3,
-              "unit": "gigabyte",
-              "tags": ["volume:cross-instance-cache", "platform:linux"]
-            },
-            {
-              "metric": "electron.src_cache.disk.free_space_after_cleanup_gb",
-              "points": [{"timestamp": ${TIMESTAMP}, "value": ${CROSS_FREE_AFTER_GB}}],
-              "type": 3,
-              "unit": "gigabyte",
-              "tags": ["volume:cross-instance-cache", "platform:linux"]
-            },
-            {
-              "metric": "electron.src_cache.disk.space_freed_gb",
-              "points": [{"timestamp": ${TIMESTAMP}, "value": ${CROSS_FREED_GB}}],
-              "type": 3,
-              "unit": "gigabyte",
-              "tags": ["volume:cross-instance-cache", "platform:linux"]
-            },
-            {
-              "metric": "electron.src_cache.disk.total_space_gb",
-              "points": [{"timestamp": ${TIMESTAMP}, "value": ${CROSS_TOTAL_GB}}],
-              "type": 3,
-              "unit": "gigabyte",
-              "tags": ["volume:cross-instance-cache", "platform:linux"]
-            },
-            {
-              "metric": "electron.src_cache.disk.free_space_before_cleanup_gb",
-              "points": [{"timestamp": ${TIMESTAMP}, "value": ${WIN_FREE_BEFORE_GB}}],
-              "type": 3,
-              "unit": "gigabyte",
-              "tags": ["volume:win-cache", "platform:linux"]
-            },
-            {
-              "metric": "electron.src_cache.disk.free_space_after_cleanup_gb",
-              "points": [{"timestamp": ${TIMESTAMP}, "value": ${WIN_FREE_AFTER_GB}}],
-              "type": 3,
-              "unit": "gigabyte",
-              "tags": ["volume:win-cache", "platform:linux"]
-            },
-            {
-              "metric": "electron.src_cache.disk.space_freed_gb",
-              "points": [{"timestamp": ${TIMESTAMP}, "value": ${WIN_FREED_GB}}],
-              "type": 3,
-              "unit": "gigabyte",
-              "tags": ["volume:win-cache", "platform:linux"]
-            },
-            {
-              "metric": "electron.src_cache.disk.total_space_gb",
-              "points": [{"timestamp": ${TIMESTAMP}, "value": ${WIN_TOTAL_GB}}],
-              "type": 3,
-              "unit": "gigabyte",
-              "tags": ["volume:win-cache", "platform:linux"]
-            }
-          ]
-        }
-        EOF
-
-        echo "Disk space metrics logged to Datadog"
+        find /mnt/win-cache -type f -mtime +15 -delete
+        df -h /mnt/win-cache

.github/workflows/issue-commented.yml

@@ -1,4 +1,4 @@
-name: Issue / Pull Request Commented
+name: Issue Commented
 
 on:
   issue_comment:
@@ -8,81 +8,19 @@ on:
 permissions: {}
 
 jobs:
-  blocked-issue-commented:
+  issue-commented:
     name: Remove blocked/{need-info,need-repro} on comment
-    if: ${{ !github.event.issue.pull_request && (contains(github.event.issue.labels.*.name, 'blocked/need-repro') || contains(github.event.issue.labels.*.name, 'blocked/need-info ❌')) && github.event.comment.user.type != 'Bot' }}
-    runs-on: ubuntu-slim
+    if: ${{ (contains(github.event.issue.labels.*.name, 'blocked/need-repro') || contains(github.event.issue.labels.*.name, 'blocked/need-info ❌')) && !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), github.event.comment.author_association) && github.event.comment.user.type != 'Bot' }}
+    runs-on: ubuntu-latest
     steps:
-      - name: Get author association
-        id: get-author-association
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: &get-author-association |
-          AUTHOR_ASSOCIATION=$(gh api /repos/electron/electron/issues/comments/${{ github.event.comment.id }} --jq '.author_association')
-          echo "author_association=$AUTHOR_ASSOCIATION" >> "$GITHUB_OUTPUT"
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
-        if: ${{ !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), steps.get-author-association.outputs.author_association) }}
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
       - name: Remove label
-        if: ${{ !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), steps.get-author-association.outputs.author_association) }}
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
           ISSUE_URL: ${{ github.event.issue.html_url }}
         run: |
           gh issue edit $ISSUE_URL --remove-label 'blocked/need-repro','blocked/need-info ❌'
-  
-  pr-reviewer-requested:
-    name: Maintainer requested reviewer on PR
-    if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '/request-review') && github.event.comment.user.type != 'Bot' }}
-    runs-on: ubuntu-slim
-    steps:
-      - name: Get author association
-        id: get-author-association
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: *get-author-association
-      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
-        if: ${{ contains(fromJSON('["MEMBER", "OWNER"]'), steps.get-author-association.outputs.author_association) }}
-        id: generate-token
-        with:
-          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
-      - name: Request reviewer
-        if: ${{ contains(fromJSON('["MEMBER", "OWNER"]'), steps.get-author-association.outputs.author_association) }}
-        env:
-          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
-          PR_URL: ${{ github.event.issue.html_url }}
-          COMMENT_BODY: ${{ github.event.comment.body }}
-        run: |
-          RAW=$(echo "$COMMENT_BODY" | head -n 1 | sed 's|/request-review\s*||' | xargs)
-
-          if [ -z "$RAW" ]; then
-            echo "::warning::No username provided. Usage: /request-review <username>[,<username>,...]"
-            exit 0
-          fi
-
-          IFS=',' read -ra USERS <<< "$RAW"
-          for USER in "${USERS[@]}"; do
-            NAME=$(echo "$USER" | sed 's/@//g' | xargs)
-            if [ -z "$NAME" ]; then
-              continue
-            fi
-
-            # Strip "electron/" prefix if present to get the bare name
-            BARE_NAME=$(echo "$NAME" | sed 's|^electron/||')
-
-            # If the original name contained "electron/" or looks like a team slug, treat as team
-            if [ "$NAME" != "$BARE_NAME" ]; then
-              gh pr edit $PR_URL --add-reviewer "electron/$BARE_NAME"
-            else
-              if ! gh api /orgs/electron/public_members/$BARE_NAME --silent > /dev/null 2>&1; then
-                echo "::warning::$BARE_NAME is not a public member of the electron organization."
-                continue
-              fi
-
-              gh pr edit $PR_URL --add-reviewer "$BARE_NAME"
-            fi
-          done

.github/workflows/issue-labeled.yml

@@ -4,24 +4,23 @@ on:
   issues:
     types: [labeled]
 
-permissions: {}
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
 
 jobs:
   issue-labeled-with-status:
     name: status/{confirmed,reviewed} label added
     if: github.event.label.name == 'status/confirmed' || github.event.label.name == 'status/reviewed'
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
       - name: Set status
-        uses: dsanders11/project-actions/edit-item@4b06452b0128cf601dac14399aa668a8eed2d684 # v2.0.1
+        uses: dsanders11/project-actions/edit-item@9c80cd31f58599941c64f74636bea95ba5d46090 # v1.5.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
           project-number: 90
@@ -32,17 +31,15 @@ jobs:
     name: blocked/* label added
     if: startsWith(github.event.label.name, 'blocked/')
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
       - name: Set status
-        uses: dsanders11/project-actions/edit-item@4b06452b0128cf601dac14399aa668a8eed2d684 # v2.0.1
+        uses: dsanders11/project-actions/edit-item@9c80cd31f58599941c64f74636bea95ba5d46090 # v1.5.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
           project-number: 90
@@ -61,22 +58,21 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_REPO: electron/electron
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
         run: |
           set -eo pipefail
-          COMMENT_COUNT=$(gh issue view "$ISSUE_NUMBER" --comments --json comments | jq '[ .comments[] | select(.author.login == "electron-issue-triage" or .authorAssociation == "OWNER" or .authorAssociation == "MEMBER") | select(.body | startswith("<!-- blocked/need-repro -->")) ] | length')
+          COMMENT_COUNT=$(gh issue view ${{ github.event.issue.number }} --comments --json comments | jq '[ .comments[] | select(.author.login == "electron-issue-triage" or .authorAssociation == "OWNER" or .authorAssociation == "MEMBER") | select(.body | startswith("<!-- blocked/need-repro -->")) ] | length')
           if [[ $COMMENT_COUNT -eq 0 ]]; then
             echo "SHOULD_COMMENT=1" >> "$GITHUB_OUTPUT"
           fi
       - name: Generate GitHub App token
         if: ${{ steps.check-for-comment.outputs.SHOULD_COMMENT }}
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
       - name: Create comment
         if: ${{ steps.check-for-comment.outputs.SHOULD_COMMENT }}
-        uses: actions-cool/issues-helper@200c78641dbf33838311e5a1e0c31bbdb92d7cf0 # v3.8.0
+        uses: actions-cool/issues-helper@a610082f8ac0cf03e357eb8dd0d5e2ba075e017e # v3.6.0
         with:
           actions: 'create-comment'
           token: ${{ steps.generate-token.outputs.token }}

.github/workflows/issue-opened.yml

@@ -11,16 +11,15 @@ jobs:
   add-to-issue-triage:
     if: ${{ contains(github.event.issue.labels.*.name, 'bug :beetle:') }}
     runs-on: ubuntu-latest
-    permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
       - name: Add to Issue Triage
-        uses: dsanders11/project-actions/add-item@4b06452b0128cf601dac14399aa668a8eed2d684 # v2.0.1
+        uses: dsanders11/project-actions/add-item@9c80cd31f58599941c64f74636bea95ba5d46090 # v1.5.1
         with:
           field: Reporter
           field-value: ${{ github.event.issue.user.login }}
@@ -29,37 +28,25 @@ jobs:
   set-labels:
     if: ${{ contains(github.event.issue.labels.*.name, 'bug :beetle:') }}
     runs-on: ubuntu-latest
-    permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
-      - name: Sparse checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          sparse-checkout: |
-            .
-            .github
-            .yarn
-      - run: yarn workspaces focus @electron/gha-workflows
+      - run: npm install @electron/fiddle-core@1.3.3 mdast-util-from-markdown@2.0.0 unist-util-select@5.1.0 semver@7.6.0
       - name: Add labels
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         id: add-labels
         env:
           ISSUE_BODY: ${{ github.event.issue.body }}
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           script: |
-            const { chdir } = require('node:process');
-            chdir('${{ github.workspace }}/.github/workflows');
-
-            const { ElectronVersions } = require('@electron/fiddle-core');
-            const { fromMarkdown } = require('mdast-util-from-markdown');
-            const { select } = require('unist-util-select');
-            const semver = require('semver');
+            const { fromMarkdown } = await import('${{ github.workspace }}/node_modules/mdast-util-from-markdown/index.js');
+            const { select } = await import('${{ github.workspace }}/node_modules/unist-util-select/index.js');
+            const semver = await import('${{ github.workspace }}/node_modules/semver/index.js');
 
             const [ owner, repo ] = '${{ github.repository }}'.split('/');
             const issue_number = ${{ github.event.issue.number }};
@@ -73,8 +60,6 @@ jobs:
               // It's possible for multiple versions to be listed -
               // for now check for comma or space separated version.
               const versions = electronVersion.split(/, | /);
-              let hasSupportedVersion = false;
-
               for (const version of versions) {
                 const major = semver.coerce(version, { loose: true })?.major;
                 if (major) {
@@ -90,19 +75,19 @@ jobs:
                     labelExists = true;
                   } catch {}
 
-                  const electronVersions = await ElectronVersions.create(undefined, { ignoreCache: true });
-                  const validVersions = [...electronVersions.supportedMajors, ...electronVersions.prereleaseMajors];
+                  if (labelExists) {
+                    // Check if it's an unsupported major
+                    const { ElectronVersions } = await import('${{ github.workspace }}/node_modules/@electron/fiddle-core/dist/index.js');
+                    const versions = await ElectronVersions.create(undefined, { ignoreCache: true });
 
-                  if (validVersions.includes(major)) {
-                    hasSupportedVersion = true;
-                    if (labelExists) {
+                    const validVersions = [...versions.supportedMajors, ...versions.prereleaseMajors];
+                    if (validVersions.includes(major)) {
                       labels.push(versionLabel);
                     }
                   }
                 }
               }
-
-              if (!hasSupportedVersion) {
+              if (labels.length === 0) {
                 core.setOutput('unsupportedMajor', true);
                 labels.push('blocked/need-info ❌');
               }
@@ -146,7 +131,7 @@ jobs:
             }
       - name: Create unsupported major comment
         if: ${{ steps.add-labels.outputs.unsupportedMajor }}
-        uses: actions-cool/issues-helper@200c78641dbf33838311e5a1e0c31bbdb92d7cf0 # v3.8.0
+        uses: actions-cool/issues-helper@a610082f8ac0cf03e357eb8dd0d5e2ba075e017e # v3.6.0
         with:
           actions: 'create-comment'
           token: ${{ steps.generate-token.outputs.token }}

.github/workflows/issue-transferred.yml

@@ -10,17 +10,16 @@ jobs:
   issue-transferred:
     name: Issue Transferred
     runs-on: ubuntu-latest
-    permissions: {}
     if: ${{ !github.event.changes.new_repository.private }}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
       - name: Remove from issue triage
-        uses: dsanders11/project-actions/delete-item@4b06452b0128cf601dac14399aa668a8eed2d684 # v2.0.1
+        uses: dsanders11/project-actions/delete-item@9c80cd31f58599941c64f74636bea95ba5d46090 # v1.5.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
           project-number: 90

.github/workflows/issue-unlabeled.yml

@@ -4,36 +4,33 @@ on:
   issues:
     types: [unlabeled]
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   issue-unlabeled-blocked:
     name: All blocked/* labels removed
     if: startsWith(github.event.label.name, 'blocked/') && github.event.issue.state == 'open'
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       - name: Check for any blocked labels
         id: check-for-blocked-labels
-        env:
-          LABELS_JSON: ${{ toJSON(github.event.issue.labels.*.name) }}
         run: |
           set -eo pipefail
-          BLOCKED_LABEL_COUNT=$(echo "$LABELS_JSON" | jq '[ .[] | select(startswith("blocked/")) ] | length')
+          BLOCKED_LABEL_COUNT=$(echo '${{ toJSON(github.event.issue.labels.*.name) }}' | jq '[ .[] | select(startswith("blocked/")) ] | length')
           if [[ $BLOCKED_LABEL_COUNT -eq 0 ]]; then
             echo "NOT_BLOCKED=1" >> "$GITHUB_OUTPUT"
           fi
       - name: Generate GitHub App token
         if: ${{ steps.check-for-blocked-labels.outputs.NOT_BLOCKED }}
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
       - name: Set status
         if: ${{ steps.check-for-blocked-labels.outputs.NOT_BLOCKED }}
-        uses: dsanders11/project-actions/edit-item@4b06452b0128cf601dac14399aa668a8eed2d684 # v2.0.1
+        uses: dsanders11/project-actions/edit-item@9c80cd31f58599941c64f74636bea95ba5d46090 # v1.5.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
           project-number: 90

.github/workflows/linux-publish.yml

@@ -6,8 +6,7 @@ on:
       build-image-sha:
         type: string
         description: 'SHA for electron/build image'
-        default: ''
-        required: false
+        default: '424eedbf277ad9749ffa9219068aa72ed4a5e373'
       upload-to-storage:
         description: 'Uploads to Azure storage'
         required: false
@@ -18,31 +17,11 @@ on:
         type: boolean
         default: false
 
-permissions: {}
-
 jobs:
-  setup:
-    if: github.repository == 'electron/electron'
-    runs-on: ubuntu-slim
-    permissions:
-      contents: read
-    outputs:
-      build-image-sha: ${{ steps.build-image-sha.outputs.build-image-sha }}
-    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-    - name: Set Build Image SHA
-      id: build-image-sha
-      uses: ./.github/actions/build-image-sha
-      with:
-        override: ${{ inputs.build-image-sha }}
-
   checkout-linux:
-    needs: setup
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-32core
     container:
-      image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
+      image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root
       volumes:
         - /mnt/cross-instance-cache:/mnt/cross-instance-cache
@@ -52,7 +31,7 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
@@ -60,61 +39,49 @@ jobs:
       uses: ./src/electron/.github/actions/checkout
 
   publish-x64:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
-    needs: [setup, checkout-linux]
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    needs: checkout-linux
     with:
       environment: production-release
-      build-runs-on: electron-arc-centralus-linux-amd64-32core
-      build-container: '{"image":"ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-runs-on: electron-arc-linux-amd64-32core
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: x64
       is-release: true
       gn-build-type: release
       generate-symbols: true
+      strip-binaries: true
       upload-to-storage: ${{ inputs.upload-to-storage }}
     secrets: inherit
 
   publish-arm:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
-    needs: [setup, checkout-linux]
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    needs: checkout-linux
     with:
       environment: production-release
-      build-runs-on: electron-arc-centralus-linux-amd64-32core
-      build-container: '{"image":"ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-runs-on: electron-arc-linux-amd64-32core
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: arm
       is-release: true
       gn-build-type: release
       generate-symbols: true
+      strip-binaries: true
       upload-to-storage: ${{ inputs.upload-to-storage }}
     secrets: inherit
 
   publish-arm64:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
-    needs: [setup, checkout-linux]
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    needs: checkout-linux
     with:
       environment: production-release
-      build-runs-on: electron-arc-centralus-linux-amd64-32core
-      build-container: '{"image":"ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-runs-on: electron-arc-linux-amd64-32core
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: arm64
       is-release: true
       gn-build-type: release
       generate-symbols: true
+      strip-binaries: true
       upload-to-storage: ${{ inputs.upload-to-storage }}
     secrets: inherit

.github/workflows/macos-disk-cleanup.yml

@@ -1,105 +0,0 @@
-name: macOS Disk Space Cleanup
-
-# Description:
-# This workflow runs the disk space reclaimer on macOS runners every night
-# and logs disk space metrics to Datadog for monitoring.
-
-on:
-  schedule:
-    - cron: "0 0 * * *"
-  workflow_dispatch:
-
-permissions: {}
-
-jobs:
-  macos-disk-cleanup:
-    if: github.repository == 'electron/electron'
-    strategy:
-      fail-fast: false
-      matrix:
-        runner:
-          - macos-15
-          - macos-15-large
-          - macos-15-xlarge
-    runs-on: ${{ matrix.runner }}
-    permissions:
-      contents: read
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          sparse-checkout: |
-            .github/actions/free-space-macos
-          sparse-checkout-cone-mode: false
-
-      - name: Get Disk Space Before Cleanup
-        id: disk-before
-        shell: bash
-        run: |
-          echo "Disk space before cleanup:"
-          df -h /
-          FREE_SPACE_BEFORE=$(df -k / | tail -1 | awk '{print $4}')
-          echo "free_kb=$FREE_SPACE_BEFORE" >> $GITHUB_OUTPUT
-
-      - name: Free Space on macOS
-        uses: ./.github/actions/free-space-macos
-
-      - name: Get Disk Space After Cleanup
-        id: disk-after
-        shell: bash
-        run: |
-          echo "Disk space after cleanup:"
-          df -h /
-          FREE_SPACE_AFTER=$(df -k / | tail -1 | awk '{print $4}')
-          echo "free_kb=$FREE_SPACE_AFTER" >> $GITHUB_OUTPUT
-
-      - name: Log Disk Space to Datadog
-        if: ${{ env.DD_API_KEY != '' }}
-        shell: bash
-        env:
-          DD_API_KEY: ${{ secrets.DD_API_KEY }}
-          FREE_BEFORE: ${{ steps.disk-before.outputs.free_kb }}
-          FREE_AFTER: ${{ steps.disk-after.outputs.free_kb }}
-          MATRIX_RUNNER: ${{ matrix.runner }}
-        run: |
-          TIMESTAMP=$(date +%s)
-          FREE_BEFORE_GB=$(echo "scale=2; $FREE_BEFORE / 1024 / 1024" | bc)
-          FREE_AFTER_GB=$(echo "scale=2; $FREE_AFTER / 1024 / 1024" | bc)
-          SPACE_FREED_GB=$(echo "scale=2; ($FREE_AFTER - $FREE_BEFORE) / 1024 / 1024" | bc)
-
-          echo "Free space before: ${FREE_BEFORE_GB}GB"
-          echo "Free space after: ${FREE_AFTER_GB}GB"
-          echo "Space freed: ${SPACE_FREED_GB}GB"
-
-          curl -s -X POST "https://api.datadoghq.com/api/v2/series" \
-            -H "Content-Type: application/json" \
-            -H "DD-API-KEY: ${DD_API_KEY}" \
-            -d @- << EOF
-          {
-            "series": [
-              {
-                "metric": "electron.macos.disk.free_space_before_cleanup_gb",
-                "points": [{"timestamp": ${TIMESTAMP}, "value": ${FREE_BEFORE_GB}}],
-                "type": 3,
-                "unit": "gigabyte",
-                "tags": ["runner:${MATRIX_RUNNER}", "platform:macos"]
-              },
-              {
-                "metric": "electron.macos.disk.free_space_after_cleanup_gb",
-                "points": [{"timestamp": ${TIMESTAMP}, "value": ${FREE_AFTER_GB}}],
-                "type": 3,
-                "unit": "gigabyte",
-                "tags": ["runner:${MATRIX_RUNNER}", "platform:macos"]
-              },
-              {
-                "metric": "electron.macos.disk.space_freed_gb",
-                "points": [{"timestamp": ${TIMESTAMP}, "value": ${SPACE_FREED_GB}}],
-                "type": 3,
-                "unit": "gigabyte",
-                "tags": ["runner:${MATRIX_RUNNER}", "platform:macos"]
-              }
-            ]
-          }
-          EOF
-
-          echo "Disk space metrics logged to Datadog"

.github/workflows/macos-publish.yml

@@ -6,8 +6,8 @@ on:
       build-image-sha:
         type: string
         description: 'SHA for electron/build image'
-        default: ''
-        required: false
+        default: '424eedbf277ad9749ffa9219068aa72ed4a5e373'
+        required: true
       upload-to-storage:
         description: 'Uploads to Azure storage'
         required: false
@@ -18,31 +18,11 @@ on:
         type: boolean
         default: false
 
-permissions: {}
-
 jobs:
-  setup:
-    if: github.repository == 'electron/electron'
-    runs-on: ubuntu-slim
-    permissions:
-      contents: read
-    outputs:
-      build-image-sha: ${{ steps.build-image-sha.outputs.build-image-sha }}
-    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-    - name: Set Build Image SHA
-      id: build-image-sha
-      uses: ./.github/actions/build-image-sha
-      with:
-        override: ${{ inputs.build-image-sha }}
-
   checkout-macos:
-    needs: setup
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-32core
     container:
-      image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
+      image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root
       volumes:
         - /mnt/cross-instance-cache:/mnt/cross-instance-cache
@@ -52,7 +32,7 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
@@ -63,16 +43,11 @@ jobs:
         target-platform: macos
 
   publish-x64-darwin:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
     needs: checkout-macos
     with:
       environment: production-release
-      build-runs-on: macos-15-xlarge
+      build-runs-on: macos-14-xlarge
       target-platform: macos
       target-arch: x64
       target-variant: darwin
@@ -83,16 +58,11 @@ jobs:
     secrets: inherit
 
   publish-x64-mas:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
     needs: checkout-macos
     with:
       environment: production-release
-      build-runs-on: macos-15-xlarge
+      build-runs-on: macos-14-xlarge
       target-platform: macos
       target-arch: x64
       target-variant: mas
@@ -103,16 +73,11 @@ jobs:
     secrets: inherit
 
   publish-arm64-darwin:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
     needs: checkout-macos
     with:
       environment: production-release
-      build-runs-on: macos-15-xlarge
+      build-runs-on: macos-14-xlarge
       target-platform: macos
       target-arch: arm64
       target-variant: darwin
@@ -123,16 +88,11 @@ jobs:
     secrets: inherit
 
   publish-arm64-mas:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
     needs: checkout-macos
     with:
       environment: production-release
-      build-runs-on: macos-15-xlarge
+      build-runs-on: macos-14-xlarge
       target-platform: macos
       target-arch: arm64
       target-variant: mas

.github/workflows/non-maintainer-dependency-change.yml

@@ -1,46 +1,30 @@
-name: Check for Disallowed Non-Maintainer Change
+name: Check for Non-Maintainer Dependency Change
 
 on:
   pull_request_target:
     paths:
       - 'yarn.lock'
       - 'spec/yarn.lock'
-      - '.github/workflows/**'
-      - '.github/actions/**'
-      - '.yarn/**'
-      - '.yarnrc.yml'
 
-# SECURITY: This workflow uses pull_request_target and has access to secrets.
-# Do NOT checkout or run code from the PR head. All code execution must use
-# the base branch only. Adding a ref to PR head would expose secrets to
-# untrusted code.
 permissions: {}
 
 jobs:
   check-for-non-maintainer-dependency-change:
-    name: Check for disallowed non-maintainer change
-    if: ${{ github.event.pull_request.user.type != 'Bot' && !github.event.pull_request.draft }}
+    name: Check for non-maintainer dependency change
+    if: ${{ !contains(fromJSON('["MEMBER", "OWNER"]'), github.event.pull_request.author_association) && github.event.pull_request.user.type != 'Bot' && !github.event.pull_request.draft }}
     permissions:
       contents: read
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - name: Get author association
-        id: get-author-association
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          AUTHOR_ASSOCIATION=$(gh api /repos/electron/electron/pulls/${{ github.event.pull_request.number }} --jq '.author_association')
-          echo "author_association=$AUTHOR_ASSOCIATION" >> "$GITHUB_OUTPUT"
       - name: Check for existing review
         id: check-for-review
-        if: ${{ !contains(fromJSON('["MEMBER", "OWNER"]'), steps.get-author-association.outputs.author_association) }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_URL: ${{ github.event.pull_request.html_url }}
         run: |
           set -eo pipefail
-          REVIEW_COUNT=$(gh pr view $PR_URL --json reviews | jq '[ .reviews[] | select(.author.login == "github-actions") | select(.body | startswith("<!-- disallowed-non-maintainer-change -->")) ] | length')
+          REVIEW_COUNT=$(gh pr view $PR_URL --json reviews | jq '[ .reviews[] | select(.author.login == "github-actions") | select(.body | startswith("<!-- no-dependency-change -->")) ] | length')
           if [[ $REVIEW_COUNT -eq 0 ]]; then
             echo "SHOULD_REVIEW=1" >> "$GITHUB_OUTPUT"
           fi
@@ -49,23 +33,5 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_URL: ${{ github.event.pull_request.html_url }}
-          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
         run: |
-          cat <<'REVIEW_EOF' | sed "s/%AUTHOR%/$PR_AUTHOR/g" | gh pr review $PR_URL -r --body-file=-
-          <!-- disallowed-non-maintainer-change -->
-
-          Hello @%AUTHOR%! It looks like this pull request touches one of our dependency or CI files, and per [our contribution policy](https://github.com/electron/electron/blob/main/CONTRIBUTING.md#dependencies-upgrades-policy) we do not accept these types of changes in PRs.
-
-          To move this PR forward, please:
-
-          1. Revert the dependency/CI file changes from your branch. (e.g. `yarn.lock`, `.yarn/`, `.yarnrc.yml`, `.github/workflows/`, `.github/actions/`)
-          2. Ensure your branch [allows maintainer commits](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork) so a maintainer can push the necessary dependency changes on your behalf.
-          3. Leave a comment letting reviewers know the dependency change is still needed.
-
-          <details>
-          <summary>For maintainers</summary>
-
-          To land this PR, push a verified commit to the contributor's branch with the required dependency/CI changes, then dismiss this review.
-
-          </details>
-          REVIEW_EOF
+          printf "<!-- no-dependency-change -->\n\nHello @${{ github.event.pull_request.user.login }}! It looks like this pull request touches one of our dependency files, and per [our contribution policy](https://github.com/electron/electron/blob/main/CONTRIBUTING.md#dependencies-upgrades-policy) we do not accept these types of changes in PRs." | gh pr review $PR_URL -r --body-file=-

.github/workflows/package.json

@@ -1,13 +0,0 @@
-{
-  "name": "@electron/gha-workflows",
-  "version": "0.0.0-development",
-  "private": true,
-  "type": "module",
-  "dependencies": {
-    "@actions/cache": "^4.0.3",
-    "@electron/fiddle-core": "^2.0.1",
-    "mdast-util-from-markdown": "^2.0.0",
-    "semver": "^7.7.2",
-    "unist-util-select": "^5.1.0"
-  }
-}

.github/workflows/pipeline-electron-build-and-test-and-nan.yml

@@ -55,8 +55,6 @@ on:
         type: boolean
         default: false
 
-permissions: {}
-
 concurrency:
   group: electron-build-and-test-and-nan-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
@@ -64,8 +62,6 @@ concurrency:
 jobs:
   build:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
-    permissions:
-      contents: read
     with:
       build-runs-on: ${{ inputs.build-runs-on }}
       build-container: ${{ inputs.build-container }}
@@ -78,10 +74,6 @@ jobs:
     secrets: inherit
   test:
     uses: ./.github/workflows/pipeline-segment-electron-test.yml
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
     needs: build
     with:
       target-arch: ${{ inputs.target-arch }}
@@ -91,8 +83,6 @@ jobs:
     secrets: inherit
   nn-test:
     uses: ./.github/workflows/pipeline-segment-node-nan-test.yml
-    permissions:
-      contents: read
     needs: build
     with:
       target-arch: ${{ inputs.target-arch }}

.github/workflows/pipeline-electron-build-and-test.yml

@@ -54,23 +54,19 @@ on:
         required: false
         type: boolean
         default: false
-      enable-ssh:
-        description: 'Enable SSH debugging'
-        required: false
-        type: boolean
-        default: false
 
 concurrency:
   group: electron-build-and-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
 
-permissions: {}
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read  
 
 jobs:
   build:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
-    permissions:
-      contents: read
     with:
       build-runs-on: ${{ inputs.build-runs-on }}
       build-container: ${{ inputs.build-container }}
@@ -80,21 +76,15 @@ jobs:
       gn-build-type: ${{ inputs.gn-build-type }}
       generate-symbols: ${{ inputs.generate-symbols }}
       upload-to-storage: ${{ inputs.upload-to-storage }}
-      is-asan: ${{ inputs.is-asan }}
-      enable-ssh: ${{ inputs.enable-ssh }}
+      is-asan: ${{ inputs.is-asan}}
     secrets: inherit
   test:
     uses: ./.github/workflows/pipeline-segment-electron-test.yml
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
     needs: build
     with:
       target-arch: ${{ inputs.target-arch }}
       target-platform: ${{ inputs.target-platform }}
       test-runs-on: ${{ inputs.test-runs-on }}
       test-container: ${{ inputs.test-container }}
-      is-asan: ${{ inputs.is-asan }}
-      enable-ssh: ${{ inputs.enable-ssh }}
+      is-asan: ${{ inputs.is-asan}}
     secrets: inherit

.github/workflows/pipeline-electron-build-and-tidy-and-test-and-nan.yml

@@ -1,139 +0,0 @@
-name: Electron Build & Clang Tidy & Test (+ Node + NaN) Pipeline
-
-on:
-  workflow_call:
-    inputs:
-      target-platform:
-        type: string
-        description: 'Platform to run on, can be macos, win or linux.'
-        required: true
-      target-arch:
-        type: string
-        description: 'Arch to build for, can be x64, arm64 or arm'
-        required: true
-      build-runs-on:
-        type: string
-        description: 'What host to run the build'
-        required: true
-      clang-tidy-runs-on:
-        type: string
-        description: 'What host to run clang-tidy on'
-        required: true
-      test-runs-on:
-        type: string
-        description: 'What host to run the tests on'
-        required: true
-      build-container:
-        type: string
-        description: 'JSON container information for aks runs-on'
-        required: false
-        default: '{"image":null}'
-      clang-tidy-container:
-        type: string
-        description: 'JSON container information to run clang-tidy on'
-        required: false
-        default: '{"image":null}'
-      test-container:
-        type: string
-        description: 'JSON container information for testing'
-        required: false
-        default: '{"image":null}'
-      is-release:
-        description: 'Whether this build job is a release job'
-        required: true
-        type: boolean
-        default: false
-      gn-build-type:
-        description: 'The gn build type - testing or release'
-        required: true
-        type: string
-        default: testing
-      generate-symbols: 
-        description: 'Whether or not to generate symbols'
-        required: true
-        type: boolean
-        default: false
-      upload-to-storage: 
-        description: 'Whether or not to upload build artifacts to external storage'
-        required: true
-        type: string
-        default: '0'
-      is-asan: 
-        description: 'Building the Address Sanitizer (ASan) Linux build'
-        required: false
-        type: boolean
-        default: false
-
-permissions: {}
-
-concurrency:
-  group: electron-build-and-test-and-nan-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
-  cancel-in-progress: ${{ github.ref_protected != true }}
-
-jobs:
-  build:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
-    permissions:
-      contents: read
-    with:
-      build-runs-on: ${{ inputs.build-runs-on }}
-      build-container: ${{ inputs.build-container }}
-      target-platform: ${{ inputs.target-platform }}
-      target-arch: ${{ inputs.target-arch }}
-      is-release: ${{ inputs.is-release }}
-      gn-build-type: ${{ inputs.gn-build-type }}
-      generate-symbols: ${{ inputs.generate-symbols }}
-      upload-to-storage: ${{ inputs.upload-to-storage }}
-      upload-out-gen-artifacts: true
-    secrets: inherit
-  clang-tidy:
-    uses: ./.github/workflows/pipeline-segment-electron-clang-tidy.yml
-    permissions:
-      contents: read
-    needs: build
-    with:
-      clang-tidy-runs-on: ${{ inputs.clang-tidy-runs-on }}
-      clang-tidy-container: ${{ inputs.clang-tidy-container }}
-      target-platform: ${{ inputs.target-platform }}
-      target-arch: ${{ inputs.target-arch }}
-    secrets: inherit
-  test:
-    uses: ./.github/workflows/pipeline-segment-electron-test.yml
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
-    needs: build
-    with:
-      target-arch: ${{ inputs.target-arch }}
-      target-platform: ${{ inputs.target-platform }}
-      test-runs-on: ${{ inputs.test-runs-on }}
-      test-container: ${{ inputs.test-container }}
-    secrets: inherit
-  test-wayland:
-    uses: ./.github/workflows/pipeline-segment-electron-test.yml
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
-    needs: build
-    if: ${{ inputs.target-platform == 'linux' && inputs.target-arch == 'x64' && !inputs.is-asan }}
-    with:
-      target-arch: ${{ inputs.target-arch }}
-      target-platform: ${{ inputs.target-platform }}
-      test-runs-on: ${{ inputs.test-runs-on }}
-      test-container: ${{ inputs.test-container }}
-      display-server: wayland
-    secrets: inherit
-  nn-test:
-    uses: ./.github/workflows/pipeline-segment-node-nan-test.yml
-    permissions:
-      contents: read
-    needs: build
-    with:
-      target-arch: ${{ inputs.target-arch }}
-      target-platform: ${{ inputs.target-platform }}
-      test-runs-on: ${{ inputs.test-runs-on }}
-      test-container: ${{ inputs.test-container }}
-      gn-build-type: ${{ inputs.gn-build-type }}
-    secrets: inherit

.github/workflows/pipeline-electron-build-and-tidy-and-test.yml

@@ -1,121 +0,0 @@
-name: Electron Build & Clang Tidy & Test Pipeline
-
-on:
-  workflow_call:
-    inputs:
-      target-platform:
-        type: string
-        description: 'Platform to run on, can be macos, win or linux'
-        required: true
-      target-arch:
-        type: string
-        description: 'Arch to build for, can be x64, arm64 or arm'
-        required: true
-      build-runs-on:
-        type: string
-        description: 'What host to run the build'
-        required: true
-      clang-tidy-runs-on:
-        type: string
-        description: 'What host to run clang-tidy on'
-        required: true
-      test-runs-on:
-        type: string
-        description: 'What host to run the tests on'
-        required: true
-      build-container:
-        type: string
-        description: 'JSON container information for aks runs-on'
-        required: false
-        default: '{"image":null}'
-      clang-tidy-container:
-        type: string
-        description: 'JSON container information to run clang-tidy on'
-        required: false
-        default: '{"image":null}'
-      test-container:
-        type: string
-        description: 'JSON container information for testing'
-        required: false
-        default: '{"image":null}'
-      is-release:
-        description: 'Whether this build job is a release job'
-        required: true
-        type: boolean
-        default: false
-      gn-build-type:
-        description: 'The gn build type - testing or release'
-        required: true
-        type: string
-        default: testing
-      generate-symbols: 
-        description: 'Whether or not to generate symbols'
-        required: true
-        type: boolean
-        default: false
-      upload-to-storage: 
-        description: 'Whether or not to upload build artifacts to external storage'
-        required: true
-        type: string
-        default: '0'
-      is-asan: 
-        description: 'Building the Address Sanitizer (ASan) Linux build'
-        required: false
-        type: boolean
-        default: false
-      enable-ssh:
-        description: 'Enable SSH debugging'
-        required: false
-        type: boolean
-        default: false
-
-concurrency:
-  group: electron-build-and-tidy-and-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
-  cancel-in-progress: ${{ github.ref_protected != true }}
-
-permissions: {}
-
-jobs:
-  build:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
-    permissions:
-      contents: read
-    with:
-      build-runs-on: ${{ inputs.build-runs-on }}
-      build-container: ${{ inputs.build-container }}
-      target-platform: ${{ inputs.target-platform }}
-      target-arch: ${{ inputs.target-arch }}
-      is-release: ${{ inputs.is-release }}
-      gn-build-type: ${{ inputs.gn-build-type }}
-      generate-symbols: ${{ inputs.generate-symbols }}
-      upload-to-storage: ${{ inputs.upload-to-storage }}
-      is-asan: ${{ inputs.is-asan }}
-      enable-ssh: ${{ inputs.enable-ssh }}
-      upload-out-gen-artifacts: true
-    secrets: inherit
-  clang-tidy:
-    uses: ./.github/workflows/pipeline-segment-electron-clang-tidy.yml
-    permissions:
-      contents: read
-    needs: build
-    with:
-      clang-tidy-runs-on: ${{ inputs.clang-tidy-runs-on }}
-      clang-tidy-container: ${{ inputs.clang-tidy-container }}
-      target-platform: ${{ inputs.target-platform }}
-      target-arch: ${{ inputs.target-arch }}
-    secrets: inherit
-  test:
-    uses: ./.github/workflows/pipeline-segment-electron-test.yml
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
-    needs: build
-    with:
-      target-arch: ${{ inputs.target-arch }}
-      target-platform: ${{ inputs.target-platform }}
-      test-runs-on: ${{ inputs.test-runs-on }}
-      test-container: ${{ inputs.test-container }}
-      is-asan: ${{ inputs.is-asan }}
-      enable-ssh: ${{ inputs.enable-ssh }}
-    secrets: inherit

.github/workflows/pipeline-electron-docs-only.yml

@@ -8,42 +8,19 @@ on:
         description: 'Container to run the docs-only ts compile in'
         type: string
 
-permissions: {}
-
 concurrency:
   group: electron-docs-only-${{ github.ref }}
   cancel-in-progress: true
 
-env:  
-  GCLIENT_EXTRA_ARGS: --custom-var=checkout_arm=True --custom-var=checkout_arm64=True
-
 jobs:
   docs-only:
     name: Docs Only Compile
-    runs-on: electron-arc-centralus-linux-amd64-4core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-4core
     timeout-minutes: 20
     container: ${{ fromJSON(inputs.container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        path: src/electron
-        fetch-depth: 0
-        ref: ${{ github.event.pull_request.head.sha }}
-    - name: Generate DEPS Hash
-      run: |
-        node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
-        echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
-        echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
-    - name: Restore src cache via AKS
-      uses: ./src/electron/.github/actions/restore-cache-aks
-      with:
-        target-platform: linux
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
@@ -54,12 +31,12 @@ jobs:
       shell: bash
       run: |
         cd src/electron
-        node script/yarn.js create-typescript-definitions
-        node script/yarn.js tsc -p tsconfig.default_app.json --noEmit
+        node script/yarn create-typescript-definitions
+        node script/yarn tsc -p tsconfig.default_app.json --noEmit
         for f in build/webpack/*.js
         do
             out="${f:29}"
             if [ "$out" != "base.js" ]; then
-            node script/yarn.js webpack --config $f --output-filename=$out --output-path=./.tmp --env mode=development
+            node script/yarn webpack --config $f --output-filename=$out --output-path=./.tmp --env mode=development
             fi
         done

.github/workflows/pipeline-electron-lint.yml

@@ -8,8 +8,6 @@ on:
         description: 'Container to run lint in'
         type: string
 
-permissions: {}
-
 concurrency:
   group: electron-lint-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
@@ -20,14 +18,12 @@ env:
 jobs:
   lint:
     name: Lint
-    runs-on: electron-arc-centralus-linux-amd64-4core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-4core
     timeout-minutes: 20
     container: ${{ fromJSON(inputs.container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
@@ -46,11 +42,7 @@ jobs:
       shell: bash
       run: |
         chromium_revision="$(grep -A1 chromium_version src/electron/DEPS | tr -d '\n' | cut -d\' -f4)"
-        if [[ ! "$chromium_revision" =~ ^[a-zA-Z0-9._-]+$ ]]; then
-          echo "::error::Invalid chromium_revision: $chromium_revision"
-          exit 1
-        fi
-        gn_version="$(curl -sL "https://raw.githubusercontent.com/chromium/chromium/refs/tags/${chromium_revision}/DEPS" | grep gn_version | head -n1 | cut -d\' -f4)"
+        gn_version="$(curl -sL "https://chromium.googlesource.com/chromium/src/+/${chromium_revision}/DEPS?format=TEXT" | base64 -d | grep gn_version | head -n1 | cut -d\' -f4)"
 
         cipd ensure -ensure-file - -root . <<-CIPD
         \$ServiceURL https://chrome-infra-packages.appspot.com/
@@ -64,19 +56,11 @@ jobs:
       shell: bash
       run: |
         chromium_revision="$(grep -A1 chromium_version src/electron/DEPS | tr -d '\n' | cut -d\' -f4)"
-        if [[ ! "$chromium_revision" =~ ^[a-zA-Z0-9._-]+$ ]]; then
-          echo "::error::Invalid chromium_revision: $chromium_revision"
-          exit 1
-        fi
 
         mkdir -p src/buildtools
-        curl -sL "https://raw.githubusercontent.com/chromium/chromium/refs/tags/${chromium_revision}/buildtools/DEPS" > src/buildtools/DEPS
+        curl -sL "https://chromium.googlesource.com/chromium/src/+/${chromium_revision}/buildtools/DEPS?format=TEXT" | base64 -d > src/buildtools/DEPS
 
         gclient sync --spec="solutions=[{'name':'src/buildtools','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':True},'managed':False}]"
-    - name: Add problem matchers
-      shell: bash
-      run: |
-        echo "::add-matcher::src/electron/.github/problem-matchers/markdownlint.json"
     - name: Run Lint
       shell: bash
       run: |
@@ -87,15 +71,11 @@ jobs:
         # but then we would lint its contents (at least gn format), and it doesn't pass it.
 
         cd src/electron
-        node script/yarn.js install --immutable
-        node script/yarn.js lint
+        node script/yarn install --frozen-lockfile
+        node script/yarn lint
     - name: Run Script Typechecker
       shell: bash
       run: |
         cd src/electron
-        node script/yarn.js tsc -p tsconfig.script.json
-    - name: Check GHA Workflows
-      shell: bash
-      run: |
-        cd src/electron
-        node script/copy-pipeline-segment-publish.js --check
+        node script/yarn tsc -p tsconfig.script.json
+    

.github/workflows/pipeline-segment-build-siso-windows.yml

@@ -1,98 +0,0 @@
-name: Pipeline Segment - Build Siso (Windows)
-
-# Builds a patched siso binary for Windows CI. Reads the siso revision from
-# the Chromium DEPS file at the pinned chromium_version, shallow-clones
-# chromium.googlesource.com/build at that revision, applies the patches under
-# .github/siso-patches/, cross-compiles siso.exe for windows/amd64, and
-# publishes it as the `siso-windows-amd64` artifact. The Windows build jobs
-# download it and use it via SISO_PATH. The built binary is cached keyed on
-# the siso revision + sha256 of the patch contents, so subsequent runs just
-# restore it.
-
-on:
-  workflow_call: {}
-
-permissions: {}
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      with:
-        fetch-depth: 1
-        ref: ${{ github.event.pull_request.head.sha }}
-        sparse-checkout: |
-          DEPS
-          .github/siso-patches
-    - name: Resolve siso revision from Chromium DEPS
-      id: resolve
-      run: |
-        set -euo pipefail
-        CHROMIUM_VERSION=$(python3 -c "import re; print(re.search(r\"'chromium_version':\s*\n\s*'([^']+)'\", open('DEPS').read()).group(1))")
-        if ! [[ "$CHROMIUM_VERSION" =~ ^[0-9]+(\.[0-9]+){1,3}$ ]]; then
-          echo "error: unexpected chromium_version format: $CHROMIUM_VERSION" >&2
-          exit 1
-        fi
-        curl -sfL "https://raw.githubusercontent.com/chromium/chromium/${CHROMIUM_VERSION}/DEPS" -o /tmp/chromium-DEPS
-        SISO_SHA=$(python3 -c "import re; print(re.search(r\"'siso_version':\s*'git_revision:([0-9a-f]+)'\", open('/tmp/chromium-DEPS').read()).group(1))")
-        if ! [[ "$SISO_SHA" =~ ^[0-9a-f]{40}$ ]]; then
-          echo "error: unexpected siso_version SHA: $SISO_SHA" >&2
-          exit 1
-        fi
-        PATCHES_HASH=$(find .github/siso-patches -type f -name '*.patch' | sort | xargs sha256sum | sha256sum | awk '{print $1}')
-        echo "siso-sha=${SISO_SHA}" >> "$GITHUB_OUTPUT"
-        echo "patches-hash=${PATCHES_HASH}" >> "$GITHUB_OUTPUT"
-        echo "Chromium ${CHROMIUM_VERSION} pins siso at ${SISO_SHA}"
-        echo "Patches hash: ${PATCHES_HASH}"
-    - name: Restore cached siso binary
-      id: cache-siso
-      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-      with:
-        path: siso-out/siso.exe
-        key: siso-windows-amd64-${{ steps.resolve.outputs.siso-sha }}-${{ steps.resolve.outputs.patches-hash }}
-    - name: Shallow clone chromium build repo at pinned revision
-      if: steps.cache-siso.outputs.cache-hit != 'true'
-      env:
-        SISO_SHA: ${{ steps.resolve.outputs.siso-sha }}
-      run: |
-        set -euo pipefail
-        mkdir chromium-build
-        cd chromium-build
-        git init -q
-        git remote add origin https://chromium.googlesource.com/build
-        git -c protocol.version=2 fetch --depth=1 origin "$SISO_SHA"
-        git checkout --detach FETCH_HEAD
-    - name: Apply in-tree siso patches
-      if: steps.cache-siso.outputs.cache-hit != 'true'
-      run: |
-        set -euo pipefail
-        cd chromium-build
-        git -c user.name=electron-ci -c user.email=ci@electronjs.org \
-          am --3way "${GITHUB_WORKSPACE}/.github/siso-patches"/*.patch
-    - name: Set up Go
-      if: steps.cache-siso.outputs.cache-hit != 'true'
-      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-      with:
-        go-version-file: chromium-build/siso/go.mod
-        cache: false
-    - name: Build siso (windows/amd64)
-      if: steps.cache-siso.outputs.cache-hit != 'true'
-      working-directory: chromium-build/siso
-      env:
-        CGO_ENABLED: '0'
-        GOOS: windows
-        GOARCH: amd64
-      run: |
-        mkdir -p "${GITHUB_WORKSPACE}/siso-out"
-        go build -trimpath -o "${GITHUB_WORKSPACE}/siso-out/siso.exe" .
-    - name: Upload siso artifact
-      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-      with:
-        name: siso-windows-amd64
-        path: siso-out/siso.exe
-        if-no-files-found: error
-        retention-days: 1

.github/workflows/pipeline-segment-electron-build.yml

@@ -48,23 +48,17 @@ on:
         required: true
         type: string
         default: '0'
+      strip-binaries: 
+        description: 'Strip the binaries before release (Linux only)'
+        required: false
+        type: boolean
+        default: false
       is-asan: 
         description: 'Building the Address Sanitizer (ASan) Linux build'
         required: false
         type: boolean
         default: false
-      upload-out-gen-artifacts:
-        description: 'Whether to upload the src/gen artifacts'
-        required: false
-        type: boolean
-        default: false
-      enable-ssh:
-        description: 'Enable SSH debugging'
-        required: false
-        type: boolean
-        default: false
 
-permissions: {}
 
 concurrency:
   group: electron-build-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.target-variant }}-${{ inputs.is-asan }}-${{ github.ref_protected == true && github.run_id || github.ref }}
@@ -73,13 +67,12 @@ concurrency:
 env:
   CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
   CHROMIUM_GIT_COOKIE_WINDOWS_STRING: ${{ secrets.CHROMIUM_GIT_COOKIE_WINDOWS_STRING }}
-  DD_API_KEY: ${{ secrets.DD_API_KEY }}
   ELECTRON_ARTIFACTS_BLOB_STORAGE: ${{ secrets.ELECTRON_ARTIFACTS_BLOB_STORAGE }}
   ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
   SUDOWOODO_EXCHANGE_URL: ${{ secrets.SUDOWOODO_EXCHANGE_URL }}
+  SUDOWOODO_EXCHANGE_TOKEN: ${{ secrets.SUDOWOODO_EXCHANGE_TOKEN }}
   GCLIENT_EXTRA_ARGS: ${{ inputs.target-platform == 'macos' && '--custom-var=checkout_mac=True --custom-var=host_os=mac' || inputs.target-platform == 'win' && '--custom-var=checkout_win=True' || '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True' }}
   ELECTRON_OUT_DIR: Default
-  ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }}
 
 jobs:
   build:
@@ -87,34 +80,20 @@ jobs:
       run:
         shell: bash
     runs-on: ${{ inputs.build-runs-on }}
-    permissions:
-      contents: read
     container: ${{ fromJSON(inputs.build-container) }}
     environment: ${{ inputs.environment }}
     env:
       TARGET_ARCH: ${{ inputs.target-arch }}
-      TARGET_PLATFORM: ${{ inputs.target-platform }}
     steps:
     - name: Create src dir
       run: |
         mkdir src
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
         ref: ${{ github.event.pull_request.head.sha }}
-    - name: Setup SSH Debugging
-      if: ${{ inputs.target-platform == 'macos' && (inputs.enable-ssh || env.ACTIONS_STEP_DEBUG == 'true') }}
-      uses: ./src/electron/.github/actions/ssh-debug
-      with:
-        tunnel: 'true'
-      env:
-        CLOUDFLARE_TUNNEL_CERT: ${{ secrets.CLOUDFLARE_TUNNEL_CERT }}
-        CLOUDFLARE_TUNNEL_HOSTNAME: ${{ vars.CLOUDFLARE_TUNNEL_HOSTNAME }}
-        CLOUDFLARE_USER_CA_CERT: ${{ secrets.CLOUDFLARE_USER_CA_CERT }}
-        AUTHORIZED_USERS: ${{ secrets.SSH_DEBUG_AUTHORIZED_USERS }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Free up space (macOS)
       if: ${{ inputs.target-platform == 'macos' }}
       uses: ./src/electron/.github/actions/free-space-macos
@@ -123,9 +102,9 @@ jobs:
       run: df -h
     - name: Setup Node.js/npm
       if: ${{ inputs.target-platform == 'macos' }}
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
+      uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a
       with:
-        node-version: 22.21.x
+        node-version: 20.11.x
         cache: yarn
         cache-dependency-path: src/electron/yarn.lock
     - name: Install Dependencies
@@ -155,7 +134,7 @@ jobs:
     - name: Generate DEPS Hash
       run: |
         node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
+        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
         echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
         echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
     - name: Restore src cache via AZCopy
@@ -167,7 +146,7 @@ jobs:
       if: ${{ inputs.target-platform == 'linux' }}
       uses: ./src/electron/.github/actions/restore-cache-aks
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
@@ -181,7 +160,7 @@ jobs:
         ELECTRON_DEPOT_TOOLS_DISABLE_LOG: true
     - name: Init Build Tools
       run: |
-        e init -f --root=$(pwd) --out=Default ${{ inputs.gn-build-type }} --import ${{ inputs.gn-build-type }} --target-cpu ${{ inputs.target-arch }} --remote-build siso
+        e init -f --root=$(pwd) --out=Default ${{ inputs.gn-build-type }} --import ${{ inputs.gn-build-type }} --target-cpu ${{ inputs.target-arch }}
     - name: Run Electron Only Hooks
       run: |
         e d gclient runhooks --spec="solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False},'managed':False}]"
@@ -191,25 +170,12 @@ jobs:
         echo "DEPSHASH=$(cat src/electron/.depshash)" >> $GITHUB_ENV
     - name: Add CHROMIUM_BUILDTOOLS_PATH to env
       run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
+    - name: Setup Number of Ninja Processes
+      run: |
+        echo "NUMBER_OF_NINJA_PROCESSES=${{ inputs.target-platform != 'macos' && '300' || '200' }}" >> $GITHUB_ENV
     - name: Free up space (macOS)
       if: ${{ inputs.target-platform == 'macos' }}
       uses: ./src/electron/.github/actions/free-space-macos
-    - name: Download custom siso binary (Windows)
-      if: ${{ inputs.target-platform == 'win' }}
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-      with:
-        name: siso-windows-amd64
-        path: ${{ runner.temp }}/siso
-    - name: Set SISO_PATH (Windows)
-      if: ${{ inputs.target-platform == 'win' }}
-      run: |
-        SISO_BIN="${RUNNER_TEMP}/siso/siso.exe"
-        if [ ! -f "$SISO_BIN" ]; then
-          echo "error: expected siso binary at $SISO_BIN" >&2
-          exit 1
-        fi
-        echo "SISO_PATH=$SISO_BIN" >> "$GITHUB_ENV"
-        echo "Using custom siso binary at $SISO_BIN"
     - name: Build Electron
       if: ${{ inputs.target-platform != 'macos' || (inputs.target-variant == 'all' || inputs.target-variant == 'darwin') }}
       uses: ./src/electron/.github/actions/build-electron
@@ -219,9 +185,9 @@ jobs:
         artifact-platform: ${{ inputs.target-platform == 'macos' && 'darwin' || inputs.target-platform }}
         is-release: '${{ inputs.is-release }}'
         generate-symbols: '${{ inputs.generate-symbols }}'
+        strip-binaries: '${{ inputs.strip-binaries }}'
         upload-to-storage: '${{ inputs.upload-to-storage }}'
         is-asan: '${{ inputs.is-asan }}'
-        upload-out-gen-artifacts: '${{ inputs.upload-out-gen-artifacts }}'
     - name: Set GN_EXTRA_ARGS for MAS Build
       if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' || inputs.target-variant == 'mas') }}
       run: |

.github/workflows/pipeline-segment-electron-clang-tidy.yml

@@ -1,178 +0,0 @@
-name: Pipeline Segment - Electron Clang-Tidy
-
-on:
-  workflow_call:
-    inputs:
-      target-platform:
-        type: string
-        description: 'Platform to run on, can be macos, win or linux'
-        required: true
-      target-arch:
-        type: string
-        description: 'Arch to build for, can be x64, arm64 or arm'
-        required: true
-      clang-tidy-runs-on:
-        type: string
-        description: 'What host to run clang-tidy on'
-        required: true
-      clang-tidy-container:
-        type: string
-        description: 'JSON container information for aks runs-on'
-        required: false
-        default: '{"image":null}'
-
-permissions: {}
-
-concurrency:
-  group: electron-clang-tidy-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  GCLIENT_EXTRA_ARGS: ${{ inputs.target-platform == 'macos' && '--custom-var=checkout_mac=True --custom-var=host_os=mac' || (inputs.target-platform == 'linux' && '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True' || '--custom-var=checkout_win=True') }}
-  ELECTRON_OUT_DIR: Default
-
-jobs:
-  clang-tidy:
-    defaults:
-      run:
-        shell: bash
-    runs-on: ${{ inputs.clang-tidy-runs-on }}
-    permissions:
-      contents: read
-    container: ${{ fromJSON(inputs.clang-tidy-container) }}
-    env:
-      BUILD_TYPE: ${{ inputs.target-platform == 'macos' && 'darwin' || inputs.target-platform }}
-      TARGET_ARCH: ${{ inputs.target-arch }}
-      TARGET_PLATFORM: ${{ inputs.target-platform }}
-      ARTIFACT_KEY: ${{ inputs.target-platform == 'macos' && 'darwin' || inputs.target-platform }}_${{ inputs.target-arch }}
-    steps:
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        path: src/electron
-        fetch-depth: 0
-        ref: ${{ github.event.pull_request.head.sha }}
-    - name: Cleanup disk space on macOS
-      if: ${{ inputs.target-platform == 'macos' }}
-      shell: bash
-      run: |   
-        sudo mkdir -p $TMPDIR/del-target
-
-        tmpify() {
-          if [ -d "$1" ]; then
-            sudo mv "$1" $TMPDIR/del-target/$(echo $1|shasum -a 256|head -n1|cut -d " " -f1)
-          fi
-        }   
-        tmpify /Library/Developer/CoreSimulator
-        tmpify ~/Library/Developer/CoreSimulator
-        sudo rm -rf $TMPDIR/del-target
-    - name: Check disk space after freeing up space
-      if: ${{ inputs.target-platform == 'macos' }}
-      run: df -h
-    - name: Set Chromium Git Cookie
-      uses: ./src/electron/.github/actions/set-chromium-cookie
-    - name: Install Build Tools
-      uses: ./src/electron/.github/actions/install-build-tools
-    - name: Enable windows toolchain
-      if: ${{ inputs.target-platform == 'win' }}
-      run: |
-        echo "ELECTRON_DEPOT_TOOLS_WIN_TOOLCHAIN=1" >> $GITHUB_ENV
-    - name: Generate DEPS Hash
-      run: |
-        node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
-        echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
-        echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
-    - name: Restore src cache via AZCopy
-      if: ${{ inputs.target-platform == 'macos' }}
-      uses: ./src/electron/.github/actions/restore-cache-azcopy
-      with:
-        target-platform: ${{ inputs.target-platform }}      
-    - name: Restore src cache via AKS
-      if: ${{ inputs.target-platform == 'linux' || inputs.target-platform == 'win' }}
-      uses: ./src/electron/.github/actions/restore-cache-aks
-      with:
-        target-platform: ${{ inputs.target-platform }}
-    - name: Run Electron Only Hooks
-      run: |
-        echo "solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False},'managed':False}]" > tmpgclient
-        if [ "${{ inputs.target-platform }}" = "win" ]; then
-          echo "solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False,'install_sysroot':False,'checkout_win':True},'managed':False}]" > tmpgclient
-          echo "target_os=['win']" >> tmpgclient
-        fi
-        e d gclient runhooks --gclientfile=tmpgclient
-
-        # Fix VS Toolchain
-        if [ "${{ inputs.target-platform }}" = "win" ]; then
-          rm -rf src/third_party/depot_tools/win_toolchain/vs_files
-          e d python3 src/build/vs_toolchain.py update --force
-        fi
-    - name: Regenerate DEPS Hash
-      run: |
-        (cd src/electron && git checkout .) && node src/electron/script/generate-deps-hash.js
-        echo "DEPSHASH=$(cat src/electron/.depshash)" >> $GITHUB_ENV
-    - name: Add CHROMIUM_BUILDTOOLS_PATH to env
-      run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        path: src/electron
-        fetch-depth: 0
-        ref: ${{ github.event.pull_request.head.sha }}
-    - name: Install Dependencies
-      uses: ./src/electron/.github/actions/install-dependencies
-    - name: Default GN gen
-      run: |
-        cd src/electron
-        git pack-refs
-    - name: Download Out Gen Artifacts
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
-      with:
-        name: out_gen_artifacts_${{ env.ARTIFACT_KEY }}
-        path: ./src/out/${{ env.ELECTRON_OUT_DIR }}/gen
-    - name: Add Clang problem matcher
-      shell: bash
-      run: echo "::add-matcher::src/electron/.github/problem-matchers/clang.json"
-    - name: Run Clang-Tidy
-      run: |
-        e init -f --root=$(pwd) --out=${ELECTRON_OUT_DIR} testing --target-cpu ${TARGET_ARCH} --remote-build none
-
-        # For macOS use_remoteexec=false will cause GN errors, so even though we're doing no remote build, set it
-        export GN_EXTRA_ARGS="use_remoteexec=true target_cpu=\"${TARGET_ARCH}\""
-        if [ "${{ inputs.target-platform }}" = "win" ]; then
-          export GN_EXTRA_ARGS="$GN_EXTRA_ARGS use_v8_context_snapshot=true target_os=\"win\""
-        fi
-
-        e build --only-gen
-
-        # Copy macOS framework headers so clang-tidy can find them via -F.
-        # This must happen after e build --only-gen since e init -f may
-        # recreate the output directory.
-        if [ "${{ inputs.target-platform }}" = "macos" ]; then
-          OUT=src/out/${ELECTRON_OUT_DIR}
-          SQRL=src/third_party/squirrel.mac
-
-          mkdir -p ${OUT}/{ReactiveObjC,Squirrel,Mantle}.framework/Headers
-
-          cp ${SQRL}/vendor/ReactiveObjC/ReactiveObjC/*.h ${OUT}/ReactiveObjC.framework/Headers/
-          cp ${SQRL}/vendor/ReactiveObjC/ReactiveObjC/extobjc/*.h ${OUT}/ReactiveObjC.framework/Headers/
-
-          cp ${SQRL}/Squirrel/*.h ${OUT}/Squirrel.framework/Headers/
-
-          cp ${SQRL}/vendor/Mantle/Mantle/include/*.h ${OUT}/Mantle.framework/Headers/
-          cp ${SQRL}/vendor/Mantle/Mantle/extobjc/include/*.h ${OUT}/Mantle.framework/Headers/
-        fi
-
-        cd src/electron
-        node script/yarn.js lint:clang-tidy --jobs 8 --out-dir ../out/${ELECTRON_OUT_DIR}
-    - name: Remove Clang problem matcher
-      shell: bash
-      run: echo "::remove-matcher owner=clang::"
-    - name: Wait for active SSH sessions
-      if: always() && !cancelled()
-      shell: bash
-      run: |
-        while [ -f /var/.ssh-lock ]
-        do
-          sleep 60
-        done

.github/workflows/pipeline-segment-electron-gn-check.yml

@@ -26,8 +26,6 @@ on:
         type: string
         default: testing
 
-permissions: {}
-
 concurrency:
   group: electron-gn-check-${{ inputs.target-platform }}-${{ github.ref }}
   cancel-in-progress: true
@@ -43,12 +41,10 @@ jobs:
       run:
         shell: bash
     runs-on: ${{ inputs.check-runs-on }}
-    permissions:
-      contents: read
     container: ${{ fromJSON(inputs.check-container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
@@ -81,7 +77,7 @@ jobs:
     - name: Generate DEPS Hash
       run: |
         node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
+        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
         echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
         echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
     - name: Restore src cache via AZCopy
@@ -115,7 +111,7 @@ jobs:
     - name: Add CHROMIUM_BUILDTOOLS_PATH to env
       run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
@@ -130,7 +126,7 @@ jobs:
       run: |
         for target_cpu in ${{ inputs.target-archs }}
         do
-          e init -f --root=$(pwd) --out=Default ${{ inputs.gn-build-type }} --import ${{ inputs.gn-build-type }} --target-cpu $target_cpu --remote-build none
+          e init -f --root=$(pwd) --out=Default ${{ inputs.gn-build-type }} --import ${{ inputs.gn-build-type }} --target-cpu $target_cpu
           cd src
           export GN_EXTRA_ARGS="target_cpu=\"$target_cpu\""
           if [ "${{ inputs.target-platform }}" = "linux" ]; then

.github/workflows/pipeline-segment-electron-publish.yml

@@ -1,258 +0,0 @@
-# AUTOGENERATED FILE - DO NOT EDIT MANUALLY
-# ONLY EDIT .github/workflows/pipeline-segment-electron-build.yml
-
-name: Pipeline Segment - Electron Build
-on:
-  workflow_call:
-    inputs:
-      environment:
-        description: using the production or testing environment
-        required: false
-        type: string
-      target-platform:
-        type: string
-        description: Platform to run on, can be macos, win or linux
-        required: true
-      target-arch:
-        type: string
-        description: Arch to build for, can be x64, arm64, ia32 or arm
-        required: true
-      target-variant:
-        type: string
-        description: Variant to build for, no effect on non-macOS target platforms. Can
-          be darwin, mas or all.
-        default: all
-      build-runs-on:
-        type: string
-        description: What host to run the build
-        required: true
-      build-container:
-        type: string
-        description: JSON container information for aks runs-on
-        required: false
-        default: '{"image":null}'
-      is-release:
-        description: Whether this build job is a release job
-        required: true
-        type: boolean
-        default: false
-      gn-build-type:
-        description: The gn build type - testing or release
-        required: true
-        type: string
-        default: testing
-      generate-symbols:
-        description: Whether or not to generate symbols
-        required: true
-        type: boolean
-        default: false
-      upload-to-storage:
-        description: Whether or not to upload build artifacts to external storage
-        required: true
-        type: string
-        default: "0"
-      is-asan:
-        description: Building the Address Sanitizer (ASan) Linux build
-        required: false
-        type: boolean
-        default: false
-      upload-out-gen-artifacts:
-        description: Whether to upload the src/gen artifacts
-        required: false
-        type: boolean
-        default: false
-      enable-ssh:
-        description: Enable SSH debugging
-        required: false
-        type: boolean
-        default: false
-permissions: {}
-concurrency:
-  group: electron-build-${{ inputs.target-platform }}-${{ inputs.target-arch
-    }}-${{ inputs.target-variant }}-${{ inputs.is-asan }}-${{
-    github.ref_protected == true && github.run_id || github.ref }}
-  cancel-in-progress: ${{ github.ref_protected != true }}
-env:
-  CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
-  CHROMIUM_GIT_COOKIE_WINDOWS_STRING: ${{ secrets.CHROMIUM_GIT_COOKIE_WINDOWS_STRING }}
-  DD_API_KEY: ${{ secrets.DD_API_KEY }}
-  ELECTRON_ARTIFACTS_BLOB_STORAGE: ${{ secrets.ELECTRON_ARTIFACTS_BLOB_STORAGE }}
-  ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
-  SUDOWOODO_EXCHANGE_URL: ${{ secrets.SUDOWOODO_EXCHANGE_URL }}
-  GCLIENT_EXTRA_ARGS: ${{ inputs.target-platform == 'macos' &&
-    '--custom-var=checkout_mac=True --custom-var=host_os=mac' ||
-    inputs.target-platform == 'win' && '--custom-var=checkout_win=True' ||
-    '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True' }}
-  ELECTRON_OUT_DIR: Default
-  ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }}
-jobs:
-  build:
-    defaults:
-      run:
-        shell: bash
-    runs-on: ${{ inputs.build-runs-on }}
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
-    container: ${{ fromJSON(inputs.build-container) }}
-    environment: ${{ inputs.environment }}
-    env:
-      TARGET_ARCH: ${{ inputs.target-arch }}
-      TARGET_PLATFORM: ${{ inputs.target-platform }}
-    steps:
-      - name: Create src dir
-        run: |
-          mkdir src
-      - name: Checkout Electron
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          path: src/electron
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Setup SSH Debugging
-        if: ${{ inputs.target-platform == 'macos' && (inputs.enable-ssh ||
-          env.ACTIONS_STEP_DEBUG == 'true') }}
-        uses: ./src/electron/.github/actions/ssh-debug
-        with:
-          tunnel: "true"
-        env:
-          CLOUDFLARE_TUNNEL_CERT: ${{ secrets.CLOUDFLARE_TUNNEL_CERT }}
-          CLOUDFLARE_TUNNEL_HOSTNAME: ${{ vars.CLOUDFLARE_TUNNEL_HOSTNAME }}
-          CLOUDFLARE_USER_CA_CERT: ${{ secrets.CLOUDFLARE_USER_CA_CERT }}
-          AUTHORIZED_USERS: ${{ secrets.SSH_DEBUG_AUTHORIZED_USERS }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Free up space (macOS)
-        if: ${{ inputs.target-platform == 'macos' }}
-        uses: ./src/electron/.github/actions/free-space-macos
-      - name: Check disk space after freeing up space
-        if: ${{ inputs.target-platform == 'macos' }}
-        run: df -h
-      - name: Setup Node.js/npm
-        if: ${{ inputs.target-platform == 'macos' }}
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
-        with:
-          node-version: 22.21.x
-          cache: yarn
-          cache-dependency-path: src/electron/yarn.lock
-      - name: Install Dependencies
-        uses: ./src/electron/.github/actions/install-dependencies
-      - name: Install AZCopy
-        if: ${{ inputs.target-platform == 'macos' }}
-        run: brew install azcopy
-      - name: Set GN_EXTRA_ARGS for Linux
-        if: ${{ inputs.target-platform == 'linux' }}
-        run: >
-          if [ "${{ inputs.target-arch  }}" = "arm" ]; then
-            if [ "${{ inputs.is-release  }}" = true ]; then
-              GN_EXTRA_ARGS='target_cpu="arm" build_tflite_with_xnnpack=false symbol_level=1'
-            else
-              GN_EXTRA_ARGS='target_cpu="arm" build_tflite_with_xnnpack=false'
-            fi
-          elif [ "${{ inputs.target-arch }}" = "arm64" ]; then
-            GN_EXTRA_ARGS='target_cpu="arm64" fatal_linker_warnings=false enable_linux_installer=false'
-          elif [ "${{ inputs.is-asan }}" = true ]; then
-            GN_EXTRA_ARGS='is_asan=true'
-          fi
-
-          echo "GN_EXTRA_ARGS=$GN_EXTRA_ARGS" >> $GITHUB_ENV
-      - name: Set Chromium Git Cookie
-        uses: ./src/electron/.github/actions/set-chromium-cookie
-      - name: Install Build Tools
-        uses: ./src/electron/.github/actions/install-build-tools
-      - name: Generate DEPS Hash
-        run: |
-          node src/electron/script/generate-deps-hash.js
-          DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
-          echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
-          echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
-      - name: Restore src cache via AZCopy
-        if: ${{ inputs.target-platform != 'linux' }}
-        uses: ./src/electron/.github/actions/restore-cache-azcopy
-        with:
-          target-platform: ${{ inputs.target-platform }}
-      - name: Restore src cache via AKS
-        if: ${{ inputs.target-platform == 'linux' }}
-        uses: ./src/electron/.github/actions/restore-cache-aks
-      - name: Checkout Electron
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          path: src/electron
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Fix Sync
-        if: ${{ inputs.target-platform != 'linux' }}
-        uses: ./src/electron/.github/actions/fix-sync
-        with:
-          target-platform: ${{ inputs.target-platform }}
-        env:
-          ELECTRON_DEPOT_TOOLS_DISABLE_LOG: true
-      - name: Init Build Tools
-        run: >
-          e init -f --root=$(pwd) --out=Default ${{ inputs.gn-build-type }}
-          --import ${{ inputs.gn-build-type }} --target-cpu ${{
-          inputs.target-arch }} --remote-build siso
-      - name: Run Electron Only Hooks
-        run: |
-          e d gclient runhooks --spec="solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False},'managed':False}]"
-      - name: Regenerate DEPS Hash
-        run: >
-          (cd src/electron && git checkout .) && node
-          src/electron/script/generate-deps-hash.js
-
-          echo "DEPSHASH=$(cat src/electron/.depshash)" >> $GITHUB_ENV
-      - name: Add CHROMIUM_BUILDTOOLS_PATH to env
-        run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
-      - name: Free up space (macOS)
-        if: ${{ inputs.target-platform == 'macos' }}
-        uses: ./src/electron/.github/actions/free-space-macos
-      - name: Download custom siso binary (Windows)
-        if: ${{ inputs.target-platform == 'win' }}
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
-        with:
-          name: siso-windows-amd64
-          path: ${{ runner.temp }}/siso
-      - name: Set SISO_PATH (Windows)
-        if: ${{ inputs.target-platform == 'win' }}
-        run: |
-          SISO_BIN="${RUNNER_TEMP}/siso/siso.exe"
-          if [ ! -f "$SISO_BIN" ]; then
-            echo "error: expected siso binary at $SISO_BIN" >&2
-            exit 1
-          fi
-          echo "SISO_PATH=$SISO_BIN" >> "$GITHUB_ENV"
-          echo "Using custom siso binary at $SISO_BIN"
-      - name: Build Electron
-        if: ${{ inputs.target-platform != 'macos' || (inputs.target-variant == 'all' ||
-          inputs.target-variant == 'darwin') }}
-        uses: ./src/electron/.github/actions/build-electron
-        with:
-          target-arch: ${{ inputs.target-arch }}
-          target-platform: ${{ inputs.target-platform }}
-          artifact-platform: ${{ inputs.target-platform == 'macos' && 'darwin' ||
-            inputs.target-platform }}
-          is-release: ${{ inputs.is-release }}
-          generate-symbols: ${{ inputs.generate-symbols }}
-          upload-to-storage: ${{ inputs.upload-to-storage }}
-          is-asan: ${{ inputs.is-asan }}
-          upload-out-gen-artifacts: ${{ inputs.upload-out-gen-artifacts }}
-      - name: Set GN_EXTRA_ARGS for MAS Build
-        if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' ||
-          inputs.target-variant == 'mas') }}
-        run: |
-          echo "MAS_BUILD=true" >> $GITHUB_ENV
-          GN_EXTRA_ARGS='is_mas_build=true'
-          echo "GN_EXTRA_ARGS=$GN_EXTRA_ARGS" >> $GITHUB_ENV
-      - name: Build Electron (MAS)
-        if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' ||
-          inputs.target-variant == 'mas') }}
-        uses: ./src/electron/.github/actions/build-electron
-        with:
-          target-arch: ${{ inputs.target-arch }}
-          target-platform: ${{ inputs.target-platform }}
-          artifact-platform: mas
-          is-release: ${{ inputs.is-release }}
-          generate-symbols: ${{ inputs.generate-symbols }}
-          upload-to-storage: ${{ inputs.upload-to-storage }}
-          step-suffix: (mas)

.github/workflows/pipeline-segment-electron-test-64k.yml

@@ -1,67 +0,0 @@
-name: Pipeline Segment - Electron Test on Linux ARM64 64k
-
-on:
-  workflow_call:
-    inputs:
-      test-runs-on:
-        type: string
-        description: 'What host to run the tests on'
-        required: true
-      test-container:
-        type: string
-        description: 'JSON container information for aks runs-on'
-        required: false
-        default: '{"image":null}'
-
-concurrency:
-  group: electron-test-linux-64k-${{ github.ref_protected == true && github.run_id || github.ref }}
-  cancel-in-progress: ${{ github.ref_protected != true }}
-
-permissions: {}
-
-env:
-  ELECTRON_OUT_DIR: Default
-
-jobs:
-  test-linux-arm64-64k:
-    env:
-      BUILD_TYPE: linux
-      TARGET_ARCH: arm64      
-    defaults:
-      run:
-        shell: bash
-    runs-on: ${{ inputs.test-runs-on }}
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
-    steps:
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        path: src/electron
-        fetch-depth: 0
-        ref: ${{ github.event.pull_request.head.sha }}
-    - name: Download Generated Artifacts
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
-      with:
-        name: generated_artifacts_linux_arm64
-        path: ./generated_artifacts_linux_arm64
-    - name: Restore Generated Artifacts
-      run: ./src/electron/script/actions/restore-artifacts.sh
-    - name: Unzip Dist
-      run: |
-        cd src/out/Default
-        unzip -:o dist.zip
-
-    - name: Run Electron Tests in QEMU 64k Container
-      shell: bash
-      env:
-        MOCHA_REPORTER: mocha-multi-reporters
-        MOCHA_MULTI_REPORTERS: mocha-junit-reporter, tap
-        ELECTRON_DISABLE_SECURITY_WARNINGS: 1
-        DISPLAY: ':99.0'
-      run: |
-        container=$(echo '${{ inputs.test-container }}' | jq -r '.image')
-        src/electron/script/run-qemu-64k.sh --container $container --testfiles "`pwd`/src"
-        

.github/workflows/pipeline-segment-electron-test.yml

@@ -25,31 +25,21 @@ on:
         required: false
         type: boolean
         default: false
-      enable-ssh:
-        description: 'Enable SSH debugging'
-        required: false
-        type: boolean
-        default: false
-      display-server:
-        description: 'Display backend for Linux tests: x11 or wayland'
-        required: false
-        type: string
-        default: x11
 
 concurrency:
-  group: electron-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.is-asan }}-${{ inputs.display-server }}-${{ github.ref_protected == true && github.run_id || github.ref }}
+  group: electron-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.is-asan }}-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
 
-permissions: {}
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read
 
 env:
   CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
   CHROMIUM_GIT_COOKIE_WINDOWS_STRING: ${{ secrets.CHROMIUM_GIT_COOKIE_WINDOWS_STRING }}
   ELECTRON_OUT_DIR: Default
   ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
-  ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }}
-  # @sentry/cli is only needed by release upload-symbols.py; skip the ~17MB CDN download on test jobs
-  SENTRYCLI_SKIP_DOWNLOAD: 1
 
 jobs:
   test:
@@ -57,16 +47,12 @@ jobs:
       run:
         shell: bash
     runs-on: ${{ inputs.test-runs-on }}
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
     container: ${{ fromJSON(inputs.test-container) }}
     strategy:
       fail-fast: false
       matrix:
         build-type: ${{ inputs.target-platform == 'macos' && fromJSON('["darwin","mas"]') || (inputs.target-platform == 'win' && fromJSON('["win"]') || fromJSON('["linux"]')) }}
-        shard: ${{ case(inputs.display-server == 'wayland', fromJSON('[1]'), inputs.target-platform == 'linux', fromJSON('[1, 2, 3]'), inputs.target-platform == 'macos' && inputs.target-arch == 'x64', fromJSON('[1, 2, 3]'), fromJSON('[1, 2]')) }}
+        shard: ${{ inputs.target-platform == 'linux' && fromJSON('[1, 2, 3]') || fromJSON('[1, 2]') }}
     env:
       BUILD_TYPE: ${{ matrix.build-type }}
       TARGET_ARCH: ${{ inputs.target-arch }}
@@ -76,16 +62,29 @@ jobs:
       if: ${{ inputs.target-arch == 'arm' && inputs.target-platform == 'linux' }}
       run: |
         cp $(which node) /mnt/runner-externals/node20/bin/
-        cp $(which node) /mnt/runner-externals/node24/bin/
+    - name: Install Git on Windows arm64 runners
+      if: ${{ inputs.target-arch == 'arm64' && inputs.target-platform == 'win' }}
+      shell: powershell
+      run: |
+        Set-ExecutionPolicy Bypass -Scope Process -Force
+        [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
+        iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
+        choco install -y --no-progress git.install --params "'/GitAndUnixToolsOnPath'"
+        choco install -y --no-progress git
+        choco install -y --no-progress python --version 3.11.9
+        choco install -y --no-progress visualstudio2022-workload-vctools --package-parameters "--add Microsoft.VisualStudio.Component.VC.Tools.ARM64"
+        echo "C:\Program Files\Git\cmd" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+        echo "C:\Program Files\Git\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+        echo "C:\Python311" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+        cp "C:\Python311\python.exe" "C:\Python311\python3.exe"
     - name: Setup Node.js/npm
       if: ${{ inputs.target-platform == 'win' }}
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
+      uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a
       with:
-        node-version: 22.21.x
+        node-version: 20.11.x
     - name: Add TCC permissions on macOS
       if: ${{ inputs.target-platform == 'macos' }}
       run: |
-        epochdate=$(($(date +'%s * 1000 + %-N / 1000000')))
         configure_user_tccdb () {
           local values=$1
           local dbPath="$HOME/Library/Application Support/com.apple.TCC/TCC.db"
@@ -101,17 +100,14 @@ jobs:
         }
 
         userValuesArray=(
+            "'kTCCServiceMicrophone','/usr/local/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
             "'kTCCServiceCamera','/usr/local/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
             "'kTCCServiceBluetoothAlways','/usr/local/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
-            "'kTCCServiceAppleEvents','/usr/local/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
-            "'kTCCServiceCamera','/opt/hca/hosted-compute-agent',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
-            "'kTCCServiceBluetoothAlways','/opt/hca/hosted-compute-agent',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
-            "'kTCCServiceScreenCapture','/bin/bash',1,2,3,1,NULL,NULL,NULL,'UNUSED',NULL,0,$epochdate"
         )
         for values in "${userValuesArray[@]}"; do
           # Sonoma and higher have a few extra values
           # Ref: https://github.com/actions/runner-images/blob/main/images/macos/scripts/build/configure-tccdb-macos.sh
-          if [ "$OSTYPE" = "darwin23" ] || [ "$OSTYPE" = "darwin24" ]; then
+          if [ "$OSTYPE" = "darwin23" ]; then
             configure_user_tccdb "$values,NULL,NULL,'UNUSED',${values##*,}"
             configure_sys_tccdb "$values,NULL,NULL,'UNUSED',${values##*,}"
           else
@@ -122,32 +118,12 @@ jobs:
     - name: Turn off the unexpectedly quit dialog on macOS
       if: ${{ inputs.target-platform == 'macos' }}
       run: defaults write com.apple.CrashReporter DialogType server
-    - name: Set xcode to 16.4
-      if: ${{ inputs.target-platform == 'macos' }}
-      run: sudo xcode-select --switch /Applications/Xcode_16.4.app
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
         ref: ${{ github.event.pull_request.head.sha }}
-    - name: Turn off screenshot nag on macOS
-      if: ${{ inputs.target-platform == 'macos' }}
-      run: |
-        defaults write ~/Library/Group\ Containers/group.com.apple.replayd/ScreenCaptureApprovals.plist "/bin/bash" -date "3024-09-23 12:00:00 +0000"
-        src/electron/script/actions/screencapture-nag-remover.sh -a $(which bash)
-        src/electron/script/actions/screencapture-nag-remover.sh -a /opt/hca/hosted-compute-agent
-    - name: Setup SSH Debugging
-      if: ${{ inputs.target-platform == 'macos' && (inputs.enable-ssh || env.ACTIONS_STEP_DEBUG == 'true') }}
-      uses: ./src/electron/.github/actions/ssh-debug
-      with:
-        tunnel: 'true'
-      env:
-        CLOUDFLARE_TUNNEL_CERT: ${{ secrets.CLOUDFLARE_TUNNEL_CERT }}
-        CLOUDFLARE_TUNNEL_HOSTNAME: ${{ vars.CLOUDFLARE_TUNNEL_HOSTNAME }}
-        CLOUDFLARE_USER_CA_CERT: ${{ secrets.CLOUDFLARE_USER_CA_CERT }}
-        AUTHORIZED_USERS: ${{ secrets.SSH_DEBUG_AUTHORIZED_USERS }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Install Dependencies
       uses: ./src/electron/.github/actions/install-dependencies
     - name: Set Chromium Git Cookie
@@ -158,10 +134,6 @@ jobs:
         git config --global core.filemode false
         git config --global core.autocrlf false
         git config --global branch.autosetuprebase always
-        git config --global core.fscache true
-        git config --global core.longpaths true
-        git config --global core.preloadindex true
-        git config --global core.longpaths true
         git clone --filter=tree:0 https://chromium.googlesource.com/chromium/tools/depot_tools.git
         # Ensure depot_tools does not update.
         test -d depot_tools && cd depot_tools
@@ -175,74 +147,57 @@ jobs:
         echo "DISABLE_CRASH_REPORTER_TESTS=true" >> $GITHUB_ENV
         echo "IS_ASAN=true" >> $GITHUB_ENV
     - name: Download Generated Artifacts
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
+      uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806
       with:
         name: generated_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./generated_artifacts_${{ matrix.build-type }}_${{ inputs.target-arch }}
     - name: Download Src Artifacts
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
+      uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806
       with:
         name: src_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./src_artifacts_${{ matrix.build-type }}_${{ inputs.target-arch }}
     - name: Restore Generated Artifacts
       run: ./src/electron/script/actions/restore-artifacts.sh
-    - name: Unzip Dist (win)
+    - name: Unzip Dist, Mksnapshot & Chromedriver (win)
       if: ${{ inputs.target-platform == 'win' }}
       shell: powershell
       run: |
         Set-ExecutionPolicy Bypass -Scope Process -Force
         cd src/out/Default
         Expand-Archive -Force dist.zip -DestinationPath ./
-    - name: Unzip Dist (unix)
+        Expand-Archive -Force chromedriver.zip -DestinationPath ./
+        Expand-Archive -Force mksnapshot.zip -DestinationPath ./
+    - name: Unzip Dist, Mksnapshot & Chromedriver (unix)
       if: ${{ inputs.target-platform != 'win' }}
       run: |
         cd src/out/Default
         unzip -:o dist.zip
+        unzip -:o chromedriver.zip
+        unzip -:o mksnapshot.zip
     - name: Import & Trust Self-Signed Codesigning Cert on MacOS
-      if: ${{ inputs.target-platform == 'macos' }}
+      if: ${{ inputs.target-platform == 'macos' && inputs.target-arch == 'x64' }}
       run: |
+        sudo security authorizationdb write com.apple.trust-settings.admin allow
         cd src/electron
         ./script/codesign/generate-identity.sh
-    # Sign with our self-signed cert so that macOS system integrations
-    # (UNNotifications, dock bounce, etc.) work in tests on both architectures.
-    # Autoupdater tests sign their own fixture copies via signApp().
-    - name: Sign Electron.app for macOS tests
-      if: ${{ inputs.target-platform == 'macos' }}
+    - name: Install Datadog CLI
       run: |
-        identity=$(src/electron/script/codesign/get-trusted-identity.sh)
-        if [ -n "$identity" ]; then
-          codesign -s "$identity" --deep --force src/out/Default/Electron.app
-        fi
-
+        cd src/electron
+        node script/yarn global add @datadog/datadog-ci
     - name: Run Electron Tests
       shell: bash
-      timeout-minutes: 60
       env:
         MOCHA_REPORTER: mocha-multi-reporters
         MOCHA_MULTI_REPORTERS: mocha-junit-reporter, tap
         ELECTRON_DISABLE_SECURITY_WARNINGS: 1
+        ELECTRON_SKIP_NATIVE_MODULE_TESTS: true
         DISPLAY: ':99.0'
         NPM_CONFIG_MSVS_VERSION: '2022'
       run: |
         cd src/electron
         export ELECTRON_TEST_RESULTS_DIR=`pwd`/junit
         # Get which tests are on this shard
-        tests_files=$(node script/split-tests ${{ matrix.shard }} ${{ case(inputs.display-server == 'wayland', 1, inputs.target-platform == 'linux', 3, inputs.target-platform == 'macos' && inputs.target-arch == 'x64', 3, 2) }})
-        if [ "${{ inputs.display-server }}" = "wayland" ]; then
-          allowlist_file=script/wayland-test-allowlist.txt
-          filtered_tests=""
-          for test_file in $tests_files; do
-            if grep -Fxq "$test_file" "$allowlist_file"; then
-              filtered_tests="$filtered_tests $test_file"
-            fi
-          done
-          tests_files="${filtered_tests# }"
-
-          if [ -z "$tests_files" ]; then
-            echo "No tests matched Wayland filter, skipping."
-            exit 0
-          fi
-        fi
+        tests_files=$(node script/split-tests ${{ matrix.shard }} ${{ inputs.target-platform == 'linux' && 3 || 2 }})
 
         # Run tests
         if [ "${{ inputs.target-platform }}" != "linux" ]; then
@@ -255,7 +210,7 @@ jobs:
               export ELECTRON_FORCE_TEST_SUITE_EXIT="true"
             fi
           fi
-          node script/yarn.js test --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
+          node script/yarn test --runners=main --trace-uncaught --enable-logging --files $tests_files
         else
           chown :builduser .. && chmod g+w ..
           chown -R :builduser . && chmod -R g+w .
@@ -272,33 +227,11 @@ jobs:
             export MOCHA_TIMEOUT=180000
             echo "Piping output to ASAN_SYMBOLIZE ($ASAN_SYMBOLIZE)"
             cd electron
-            runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --runners=main --trace-uncaught --enable-logging --files $tests_files | $ASAN_SYMBOLIZE
+            runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn test --runners=main --trace-uncaught --enable-logging --files $tests_files | $ASAN_SYMBOLIZE
           else
-            if [ "${{ inputs.target-arch }}" = "arm" ]; then
-              runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --skipYarnInstall --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
-            else 
-              if [ "${{ inputs.display-server }}" = "wayland" ]; then
-                runuser -u builduser -- script/actions/run-tests-wayland.sh script/yarn.js test --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
-              else
-                runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
-              fi
-            fi
-            
+            runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn test --runners=main --trace-uncaught --enable-logging --files $tests_files
           fi
         fi
-    - name: Take screenshot on timeout or cancellation
-      if: ${{ inputs.target-platform != 'linux' && (cancelled() || failure()) }}
-      shell: bash
-      run: |
-        screenshot_dir="src/electron/spec/artifacts"
-        mkdir -p "$screenshot_dir"
-        screenshot_file="$screenshot_dir/screenshot-timeout-$(date +%Y%m%d%H%M%S).png"
-        if [ "${{ inputs.target-platform }}" = "macos" ]; then
-          screencapture -x "$screenshot_file" || true
-        elif [ "${{ inputs.target-platform }}" = "win" ]; then
-          powershell -command "Add-Type -AssemblyName System.Windows.Forms; \$screen = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds; \$bitmap = New-Object System.Drawing.Bitmap(\$screen.Width, \$screen.Height); \$graphics = [System.Drawing.Graphics]::FromImage(\$bitmap); \$graphics.CopyFromScreen(\$screen.Location, [System.Drawing.Point]::Empty, \$screen.Size); \$bitmap.Save('$screenshot_file')" || true
-        fi
-
     - name: Upload Test results to Datadog
       env:
         DD_ENV: ci
@@ -308,16 +241,15 @@ jobs:
         DD_TAGS: "os.architecture:${{ inputs.target-arch }},os.family:${{ inputs.target-platform }},os.platform:${{ inputs.target-platform }},asan:${{ inputs.is-asan }}"
       run: |
         if ! [ -z $DD_API_KEY ] && [ -f src/electron/junit/test-results-main.xml ]; then
-          cd src/electron
-          export DATADOG_PATH=`node script/yarn.js bin datadog-ci`
-          $DATADOG_PATH junit upload junit/test-results-main.xml
-        fi
+          export DATADOG_PATH=`node src/electron/script/yarn global bin`
+          $DATADOG_PATH/datadog-ci junit upload src/electron/junit/test-results-main.xml
+        fi          
       if: always() && !cancelled()
     - name: Upload Test Artifacts
-      if: always()
-      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+      if: always() && !cancelled()
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1
       with:
-        name: ${{ inputs.target-platform == 'linux' && format('test_artifacts_{0}_{1}_{2}', env.ARTIFACT_KEY, inputs.display-server, matrix.shard) || format('test_artifacts_{0}_{1}', env.ARTIFACT_KEY, matrix.shard) }}
+        name: test_artifacts_${{ env.ARTIFACT_KEY }}_${{ matrix.shard }}
         path: src/electron/spec/artifacts
         if-no-files-found: ignore
     - name: Wait for active SSH sessions

.github/workflows/pipeline-segment-node-nan-test.yml

@@ -26,8 +26,6 @@ on:
         type: string
         default: testing
 
-permissions: {}
-
 concurrency:
   group: electron-node-nan-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
@@ -36,15 +34,11 @@ env:
   CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
   ELECTRON_OUT_DIR: Default
   ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
-  # @sentry/cli is only needed by release upload-symbols.py; skip the ~17MB CDN download on test jobs
-  SENTRYCLI_SKIP_DOWNLOAD: 1
 
 jobs:
   node-tests:
     name: Run Node.js Tests
-    runs-on: electron-arc-centralus-linux-amd64-8core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-8core
     timeout-minutes: 30
     env: 
       TARGET_ARCH: ${{ inputs.target-arch }}
@@ -52,7 +46,7 @@ jobs:
     container: ${{ fromJSON(inputs.test-container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
@@ -67,12 +61,12 @@ jobs:
     - name: Install Dependencies
       uses: ./src/electron/.github/actions/install-dependencies
     - name: Download Generated Artifacts
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
+      uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806
       with:
         name: generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
         path: ./generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
     - name: Download Src Artifacts
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
+      uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806
       with:
         name: src_artifacts_linux_${{ env.TARGET_ARCH }}
         path: ./src_artifacts_linux_${{ env.TARGET_ARCH }}
@@ -98,9 +92,7 @@ jobs:
         done
   nan-tests:
     name: Run Nan Tests
-    runs-on: electron-arc-centralus-linux-amd64-4core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-4core
     timeout-minutes: 30
     env: 
       TARGET_ARCH: ${{ inputs.target-arch }}
@@ -108,7 +100,7 @@ jobs:
     container: ${{ fromJSON(inputs.test-container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
@@ -123,12 +115,12 @@ jobs:
     - name: Install Dependencies
       uses: ./src/electron/.github/actions/install-dependencies
     - name: Download Generated Artifacts
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
+      uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806
       with:
         name: generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
         path: ./generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
     - name: Download Src Artifacts
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
+      uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806
       with:
         name: src_artifacts_linux_${{ env.TARGET_ARCH }}
         path: ./src_artifacts_linux_${{ env.TARGET_ARCH }}
@@ -140,16 +132,10 @@ jobs:
         unzip -:o dist.zip
     - name: Setup Linux for Headless Testing
       run: sh -e /etc/init.d/xvfb start
-    - name: Add Clang problem matcher
-      shell: bash
-      run: echo "::add-matcher::src/electron/.github/problem-matchers/clang.json"
     - name: Run Nan Tests
       run: |
         cd src
         node electron/script/nan-spec-runner.js
-    - name: Remove Clang problem matcher
-      shell: bash
-      run: echo "::remove-matcher owner=clang::"
     - name: Wait for active SSH sessions
       shell: bash
       if: always() && !cancelled()

.github/workflows/pr-template-check.yml

@@ -1,64 +0,0 @@
-name: PR Template Check
-
-on:
-  pull_request_target:
-    types: [opened, ready_for_review]
-
-# SECURITY: This workflow uses pull_request_target and has access to secrets.
-# Do NOT checkout or run code from the PR head. All code execution must use
-# the base branch only. Adding a ref to PR head would expose secrets to
-# untrusted code.
-permissions: {}
-
-jobs:
-  check-pr-template:
-    if: ${{ github.event.pull_request.head.repo.fork && !github.event.pull_request.draft && !startsWith(github.head_ref, 'roller/') }}
-    name: Check PR Template
-    runs-on: ubuntu-slim
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          sparse-checkout: .github/PULL_REQUEST_TEMPLATE.md
-          sparse-checkout-cone-mode: false
-      - name: Check for required sections
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          script: |
-            const fs = require('fs');
-            const template = fs.readFileSync('.github/PULL_REQUEST_TEMPLATE.md', 'utf8');
-            const requiredSections = [...template.matchAll(/^(#{1,4} .+)$/gm)].map(
-              (m) => m[1],
-            );
-            if (requiredSections.length === 0) {
-              console.log('No heading sections found in PR template');
-              return;
-            }
-            const body = context.payload.pull_request.body || '';
-            // Allow through if body contains a valid backport line
-            const backportRegex = /Backport of (?:#|https:\/\/github.com\/electron\/electron\/pull\/)\d+/i;
-            if (backportRegex.test(body)) {
-              console.log('Backport PR detected, skipping required section check.');
-              return;
-            }
-            const missingSections = requiredSections.filter(
-              (section) => !body.includes(section),
-            );
-            if (missingSections.length > 0) {
-              const list = missingSections.map((s) => `- \`${s}\``).join('\n');
-              await github.rest.issues.createComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.payload.pull_request.number,
-                body: `This PR was automatically closed because the PR template was not properly filled out. The following required sections are missing:\n\n${list}\n\nPlease update your PR description to include all required sections and reopen the PR.`,
-              });
-              await github.rest.pulls.update({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                pull_number: context.payload.pull_request.number,
-                state: 'closed',
-              });
-            }

.github/workflows/pr-triage-automation.yml

@@ -1,56 +0,0 @@
-name: PR Triage Automation
-
-on:
-  pull_request_target:
-    types: [synchronize, review_requested]
-  issue_comment:
-    types: [created]
-
-# SECURITY: This workflow uses pull_request_target and has access to secrets.
-# Do NOT checkout or run code from the PR head. All code execution must use
-# the base branch only. Adding a ref to PR head would expose secrets to
-# untrusted code.
-permissions: {}
-
-jobs:
-  set-needs-review:
-    name: Set status to Needs Review
-    if: >-
-      (github.event_name == 'pull_request_target'
-        && github.event.pull_request.state == 'open'
-        && github.event.pull_request.draft != true
-        && !contains(github.event.pull_request.labels.*.name, 'wip ⚒')
-        && (github.event.action == 'synchronize' || github.event.action == 'review_requested'))
-      || (github.event_name == 'issue_comment'
-          && github.event.issue.pull_request
-          && github.event.issue.state == 'open'
-          && !contains(github.event.issue.labels.*.name, 'wip ⚒')
-          && github.event.comment.user.login == github.event.issue.user.login)
-    runs-on: ubuntu-slim
-    permissions:
-      contents: read
-    steps:
-      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
-        id: generate-token
-        with:
-          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
-          org: electron
-      - name: Get project item status
-        uses: dsanders11/project-actions/get-item@4b06452b0128cf601dac14399aa668a8eed2d684 # v2.0.1
-        id: get-item
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-          project-number: 118
-          fail-if-item-not-found: false
-      - name: Set status to Needs Review
-        if: >-
-          (steps.get-item.outputs.field-status == '🛑 Needs Submitter Response'
-          || steps.get-item.outputs.field-status == '🟡 WIP')
-        uses: dsanders11/project-actions/edit-item@4b06452b0128cf601dac14399aa668a8eed2d684 # v2.0.1
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-          project-number: 118
-          field: Status
-          field-value: 🌀 Needs Review
-          fail-if-item-not-found: false

.github/workflows/pull-request-labeled.yml

@@ -4,10 +4,6 @@ on:
   pull_request_target:
     types: [labeled]
 
-# SECURITY: This workflow uses pull_request_target and has access to secrets.
-# Do NOT checkout or run code from the PR head. All code execution must use
-# the base branch only. Adding a ref to PR head would expose secrets to
-# untrusted code.
 permissions: {}
 
 jobs:
@@ -15,68 +11,31 @@ jobs:
     name: backport/requested label added
     if: github.event.label.name == 'backport/requested 🗳'
     runs-on: ubuntu-latest
-    permissions: {}
     steps:
       - name: Trigger Slack workflow
-        uses: slackapi/slack-github-action@03ea5433c137af7c0495bc0cad1af10403fc800c # v3.0.2
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
         with:
           webhook: ${{ secrets.BACKPORT_REQUESTED_SLACK_WEBHOOK_URL }} 
           webhook-type: webhook-trigger
           payload: |
             {
-              "base_ref": ${{ toJSON(github.event.pull_request.base.ref) }},
-              "title": ${{ toJSON(github.event.pull_request.title) }},
-              "url": ${{ toJSON(github.event.pull_request.html_url) }},
-              "user": ${{ toJSON(github.event.pull_request.user.login) }}
+              "url": "${{ github.event.pull_request.html_url }}"
             }
   pull-request-labeled-deprecation-review-complete:
     name: deprecation-review/complete label added
     if: github.event.label.name == 'deprecation-review/complete ✅'
     runs-on: ubuntu-latest
-    permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}
           org: electron
       - name: Set status
-        uses: dsanders11/project-actions/edit-item@4b06452b0128cf601dac14399aa668a8eed2d684 # v2.0.1
+        uses: dsanders11/project-actions/edit-item@9c80cd31f58599941c64f74636bea95ba5d46090 # v1.5.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
           project-number: 94
           field: Status
           field-value: ✅ Reviewed
-  pull-request-labeled-ai-pr:
-    name: ai-pr label added
-    if: github.event.label.name == 'ai-pr' && github.event.pull_request.state != 'closed'
-    runs-on: ubuntu-latest
-    permissions: {}
-    steps:
-    - name: Generate GitHub App token
-      uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
-      id: generate-token
-      with:
-        creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
-    - name: Create comment
-      uses: actions-cool/issues-helper@200c78641dbf33838311e5a1e0c31bbdb92d7cf0 # v3.8.0
-      with:
-        actions: 'create-comment'
-        token: ${{ steps.generate-token.outputs.token }}
-        issue-number: ${{ github.event.pull_request.number }}
-        body: |
-          <!-- ai-pr -->
-
-          *AI PR Detected*
-
-          Hello @${{ github.event.pull_request.user.login }}. Due to the high amount of AI spam PRs we receive, if a PR is detected to be majority AI-generated without disclosure and untested, we will automatically close the PR.
-
-          We welcome the use of AI tools, as long as the PR meets our quality standards and has clearly been built and tested. If you believe your PR was closed in error, we welcome you to resubmit. However, please read our [CONTRIBUTING.md](https://github.com/electron/electron/blob/main/CONTRIBUTING.md) and [AI Tool Policy](https://github.com/electron/governance/blob/main/policy/ai.md) carefully before reopening. Thanks for your contribution.
-    - name: Close the pull request
-      env:
-        GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
-        GH_REPO: electron/electron
-        PR_NUMBER: ${{ github.event.pull_request.number }}
-      run: |
-        gh pr close "$PR_NUMBER"

.github/workflows/pull-request-opened-synchronized.yml

@@ -1,46 +0,0 @@
-name: Pull Request Opened/Synchronized
-
-on:
-  pull_request_target:
-    types: [opened, synchronize]
-
-# SECURITY: This workflow uses pull_request_target and has access to secrets.
-# Do NOT checkout or run code from the PR head. All code execution must use
-# the base branch only. Adding a ref to PR head would expose secrets to
-# untrusted code.
-permissions: {}
-
-jobs:
-  check-signed-commits:
-    name: Check signed commits in PR
-    runs-on: ubuntu-slim
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Check signed commits in PR
-        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
-        with:
-          comment: |
-            ⚠️ This PR contains unsigned commits. This repository enforces [commit signatures](https://docs.github.com/en/authentication/managing-commit-signature-verification)
-            for all incoming PRs. To get your PR merged, please sign those commits
-            (`git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}`) and force push them to this branch
-            (`git push --force-with-lease`)
-
-            For more information on signing commits, see GitHub's documentation on [Telling Git about your signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key).
-
-      - name: Add needs-signed-commits label
-        if: ${{ failure() }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_URL: ${{ github.event.pull_request.html_url }}
-        run: |
-          gh pr edit $PR_URL --add-label needs-signed-commits
-
-      - name: Remove needs-signed-commits label
-        if: ${{ success() && contains(github.event.pull_request.labels.*.name, 'needs-signed-commits') }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_URL: ${{ github.event.pull_request.html_url }}
-        run: |
-          gh pr edit $PR_URL --remove-label needs-signed-commits

.github/workflows/rerun-apply-patches.yml

@@ -1,72 +0,0 @@
-name: Rerun PR Apply Patches
-
-on:
-  push:
-    branches:
-      - main
-      - '[1-9][0-9]-x-y'
-    paths:
-      - 'DEPS'
-      - 'patches/**'
-      - '.github/siso-patches/**'
-
-permissions: {}
-
-jobs:
-  rerun-apply-patches:
-    runs-on: ubuntu-latest
-    permissions:
-      actions: write
-      checks: read
-      contents: read
-      pull-requests: read
-    steps:
-      - name: Find PRs and Rerun Apply Patches
-        env:
-          GH_REPO: ${{ github.repository }}
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          BRANCH="${GITHUB_REF#refs/heads/}"
-
-          # Find all open PRs targeting this branch
-          PRS=$(gh pr list --base "$BRANCH" --state open --limit 250 --json number)
-
-          echo "$PRS" | jq -c '.[]' | while read -r pr; do
-            PR_NUMBER=$(echo "$pr" | jq -r '.number')
-            echo "Processing PR #${PR_NUMBER}"
-
-            # Find the Apply Patches workflow check for this PR
-            CHECK=$(gh pr view "$PR_NUMBER" --json statusCheckRollup --jq '[.statusCheckRollup[] | select(.workflowName == "Apply Patches" and .name == "apply-patches")] | first')
-
-            if [ -z "$CHECK" ] || [ "$CHECK" = "null" ]; then
-              echo "  No Apply Patches workflow found for PR #${PR_NUMBER}"
-              continue
-            fi
-
-            CONCLUSION=$(echo "$CHECK" | jq -r '.conclusion')
-            if [ "$CONCLUSION" = "SKIPPED" ]; then
-              echo "  apply-patches job was skipped for PR #${PR_NUMBER} (no patches)"
-              continue
-            fi
-
-            LINK=$(echo "$CHECK" | jq -r '.detailsUrl')
-
-            # Extract the run ID from the link (format: .../runs/RUN_ID/job/JOB_ID)
-            RUN_ID=$(echo "$LINK" | grep -oE 'runs/[0-9]+' | cut -d'/' -f2)
-
-            if [ -z "$RUN_ID" ]; then
-              echo "  Could not extract run ID from link: ${LINK}"
-              continue
-            fi
-
-            # Check if the workflow is currently in progress
-            RUN_STATUS=$(gh run view "$RUN_ID" --json status --jq '.status')
-
-            if [ "$RUN_STATUS" = "in_progress" ] || [ "$RUN_STATUS" = "queued" ] || [ "$RUN_STATUS" = "waiting" ]; then
-              echo "  Workflow run ${RUN_ID} is ${RUN_STATUS}, cancelling..."
-              gh run cancel "$RUN_ID" --force
-              gh run watch "$RUN_ID"
-            fi
-
-            gh run rerun "$RUN_ID"
-          done

.github/workflows/scorecards.yml

@@ -13,7 +13,6 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecards analysis
-    if: github.repository == 'electron/electron'
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload the results to code-scanning dashboard.
@@ -23,13 +22,13 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
       # This is a pre-submit / pre-release.
       - name: "Run analysis"
-        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -43,7 +42,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: SARIF file
           path: results.sarif
@@ -51,6 +50,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v3.29.5
+        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
         with:
           sarif_file: results.sarif

.github/workflows/semantic.yml

@@ -7,7 +7,8 @@ on:
       - edited
       - synchronize
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   main:
@@ -18,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: semantic-pull-request
-        uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+        uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/stable-prep-items.yml

@@ -10,12 +10,10 @@ permissions: {}
 jobs:
   check-stable-prep-items:
     name: Check Stable Prep Items
-    if: github.repository == 'electron/electron'
     runs-on: ubuntu-latest
-    permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}
@@ -29,7 +27,7 @@ jobs:
           PROJECT_NUMBER=$(gh project list --owner electron --format json | jq -r '.projects | map(select(.title | test("^[0-9]+-x-y$"))) | max_by(.number) | .number')
           echo "PROJECT_NUMBER=$PROJECT_NUMBER" >> "$GITHUB_OUTPUT"
       - name: Update Completed Stable Prep Items
-        uses: dsanders11/project-actions/completed-by@4b06452b0128cf601dac14399aa668a8eed2d684 # v2.0.1
+        uses: dsanders11/project-actions/completed-by@9c80cd31f58599941c64f74636bea95ba5d46090 # v1.5.1
         with:
           field: Prep Status
           field-value: ✅ Complete

.github/workflows/stale.yml

@@ -9,16 +9,14 @@ permissions: {}
 
 jobs:
   stale:
-    if: github.repository == 'electron/electron'
     runs-on: ubuntu-latest
-    permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # tag: v10.2.0
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # tag: v9.1.0
         with:
           repo-token: ${{ steps.generate-token.outputs.token }}
           days-before-stale: 90
@@ -29,20 +27,19 @@ jobs:
             This issue has been automatically marked as stale. **If this issue is still affecting you, please leave any comment** (for example, "bump"), and we'll keep it open. If you have any new additional information—in particular, if this is still reproducible in the [latest version of Electron](https://www.electronjs.org/releases/stable) or in the [beta](https://www.electronjs.org/releases/beta)—please include it with your comment!
           close-issue-message: >
             This issue has been closed due to inactivity, and will not be monitored.  If this is a bug and you can reproduce this issue on a [supported version of Electron](https://www.electronjs.org/docs/latest/tutorial/electron-timelines#timeline) please open a new issue and include instructions for reproducing the issue.
-          exempt-issue-labels: "discussion,security \U0001F512,enhancement :sparkles:,status/confirmed,stale-exempt,upgrade-follow-up,tracking-upstream"
+          exempt-issue-labels: "discussion,security \U0001F512,enhancement :sparkles:,status/confirmed,stale-exempt"
           only-pr-labels: not-a-real-label
   pending-repro:
     runs-on: ubuntu-latest
-    permissions: {}
-    if: ${{ always() && github.repository == 'electron/electron' }}
+    if: ${{ always() }}
     needs: stale
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@5f70a3726af01b612f29aac96d05aa524389c9e9 # v2.1.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # tag: v10.2.0
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # tag: v9.1.0
         with:
           repo-token: ${{ steps.generate-token.outputs.token }}
           days-before-stale: -1

.github/workflows/update-website-docs.yml

@@ -1,39 +0,0 @@
-name: Update Website Docs
-
-on:
-  release:
-    types: [published]
-
-permissions: {}
-
-jobs:
-  update-website-docs:
-    name: Update Website Docs
-    runs-on: ubuntu-latest
-    environment: website-docs-updater
-    permissions:
-      contents: read
-      id-token: write # needed for secret-service-action
-    steps:
-      - name: Get GitHub App token
-        id: secret-service
-        uses: electron/secret-service-action@3476425e8b30555aac15b1b7096938e254b0e155 # v1.0.0
-      - name: Check if this release is the latest
-        id: check-if-latest-release
-        env:
-          GH_REPO: electron/electron
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          LATEST_RELEASE_TAG="$(gh release view --json tagName --jq '.tagName')"
-          if [ "$LATEST_RELEASE_TAG" = "${GITHUB_REF#refs/tags/}" ]; then
-            echo "isLatestRelease=true" >> $GITHUB_OUTPUT
-          else
-            echo "isLatestRelease=false" >> $GITHUB_OUTPUT
-          fi
-      - name: Trigger website docs update
-        if: ${{ steps.check-if-latest-release.outputs.isLatestRelease == 'true' }}
-        env:
-          GH_REPO: electron/website
-          GH_TOKEN: ${{ fromJSON(steps.secret-service.outputs.secrets).WEBSITE_DOCS_UPDATER_APP_TOKEN }}
-        run: |
-          gh workflow run update-docs.yml -f sha=$GITHUB_SHA

.github/workflows/windows-publish.yml

@@ -6,8 +6,8 @@ on:
       build-image-sha:
         type: string
         description: 'SHA for electron/build image'
-        default: ''
-        required: false
+        default: '424eedbf277ad9749ffa9219068aa72ed4a5e373'
+        required: true
       upload-to-storage:
         description: 'Uploads to Azure storage'
         required: false
@@ -18,31 +18,11 @@ on:
         type: boolean
         default: false
 
-permissions: {}
-
 jobs:
-  setup:
-    if: github.repository == 'electron/electron'
-    runs-on: ubuntu-slim
-    permissions:
-      contents: read
-    outputs:
-      build-image-sha: ${{ steps.build-image-sha.outputs.build-image-sha }}
-    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-    - name: Set Build Image SHA
-      id: build-image-sha
-      uses: ./.github/actions/build-image-sha
-      with:
-        override: ${{ inputs.build-image-sha }}
-
   checkout-windows:
-    needs: setup
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-32core
     container:
-      image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
+      image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root --device /dev/fuse --cap-add SYS_ADMIN
       volumes:
         - /mnt/win-cache:/mnt/win-cache
@@ -52,9 +32,11 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_win=True'
       TARGET_OS: 'win'
       ELECTRON_DEPOT_TOOLS_WIN_TOOLCHAIN: '1'
+    outputs:
+      build-image-sha: ${{ inputs.build-image-sha }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
@@ -64,25 +46,12 @@ jobs:
         generate-sas-token: 'true'
         target-platform: win
 
-  # Build the patched siso binary in parallel with checkout-windows; the
-  # publish-*-win jobs consume it via SISO_PATH.
-  build-siso-windows:
-    needs: setup
-    uses: ./.github/workflows/pipeline-segment-build-siso-windows.yml
-    permissions:
-      contents: read
-
   publish-x64-win:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
-    needs: [checkout-windows, build-siso-windows]
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    needs: checkout-windows
     with:
       environment: production-release
-      build-runs-on: electron-arc-centralus-windows-amd64-16core
+      build-runs-on: electron-arc-windows-amd64-16core
       target-platform: win
       target-arch: x64
       is-release: true
@@ -92,16 +61,11 @@ jobs:
     secrets: inherit
 
   publish-arm64-win:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
-    needs: [checkout-windows, build-siso-windows]
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    needs: checkout-windows
     with:
       environment: production-release
-      build-runs-on: electron-arc-centralus-windows-amd64-16core
+      build-runs-on: electron-arc-windows-amd64-16core
       target-platform: win
       target-arch: arm64
       is-release: true
@@ -111,16 +75,11 @@ jobs:
     secrets: inherit
 
   publish-x86-win:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
-    needs: [checkout-windows, build-siso-windows]
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    needs: checkout-windows
     with:
       environment: production-release
-      build-runs-on: electron-arc-centralus-windows-amd64-16core
+      build-runs-on: electron-arc-windows-amd64-16core
       target-platform: win
       target-arch: x86
       is-release: true

.gitignore

@@ -42,7 +42,6 @@ spec/.hash
 
 # Generated native addon files
 /spec/fixtures/native-addon/echo/build/
-/spec/fixtures/native-addon/dialog-helper/build/
 
 # If someone runs tsc this is where stuff will end up
 ts-gen
@@ -54,5 +53,3 @@ ts-gen
 patches/mtime-cache.json
 
 spec/fixtures/logo.png
-
-.yarn/install-state.gz

.husky/pre-commit

@@ -1 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
 npm run precommit

.husky/pre-push

@@ -1 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
 npm run prepack

.markdownlint-cli2.jsonc

@@ -1,7 +1,6 @@
 {
   "config": {
     "extends": "@electron/lint-roller/configs/markdownlint.json",
-    "descriptive-link-text": false,
     "link-image-style": {
       "autolink": false,
       "shortcut": false
@@ -21,14 +20,12 @@
         "ul",
         "unknown",
         "Tabs",
-        "TabItem",
-        "DocCardList",
-        "kbd"
+        "TabItem"
       ]
     },
     "no-newline-in-links": true
   },
   "customRules": [
-    "./node_modules/@electron/lint-roller/markdownlint-rules/index.mjs"
+    "@electron/lint-roller/markdownlint-rules/"
   ]
 }

.nvmrc

@@ -1 +1 @@
-22
+20

.oxfmtrc.json

@@ -1,47 +0,0 @@
-{
-  "$schema": "./node_modules/oxfmt/configuration_schema.json",
-  "printWidth": 120,
-  "tabWidth": 2,
-  "singleQuote": true,
-  "trailingComma": "none",
-  "sortImports": {
-    "newlinesBetween": true,
-    "groups": [
-      "electron-internal",
-      "electron-scoped",
-      "electron",
-      "external",
-      "builtin",
-      ["sibling", "parent"],
-      "index",
-      "type",
-      "unknown"
-    ],
-    "customGroups": [
-      {
-        "groupName": "electron-internal",
-        "elementNamePattern": ["@electron/internal", "@electron/internal/**"]
-      },
-      {
-        "groupName": "electron-scoped",
-        "elementNamePattern": ["@electron/**"]
-      },
-      {
-        "groupName": "electron",
-        "elementNamePattern": ["electron", "electron/**"]
-      }
-    ]
-  },
-  "ignorePatterns": [
-    "node_modules",
-    "out",
-    "ts-gen",
-    "spec/node_modules",
-    "spec/fixtures/native-addon",
-    ".github/workflows/node_modules",
-    "docs/fiddles",
-    "shell/browser/resources/win/resource.h",
-    "shell/common/node_includes.h",
-    "spec/fixtures/pages/jquery-3.6.0.min.js"
-  ]
-}

.oxlintrc.json

@@ -1,329 +0,0 @@
-{
-  "$schema": "./node_modules/oxlint/configuration_schema.json",
-  "plugins": [
-    "typescript",
-    "import",
-    "node",
-    "promise",
-    "unicorn"
-  ],
-  "jsPlugins": [
-    {
-      "name": "no-only-tests",
-      "specifier": "./script/lint-plugins/no-only-tests.mjs"
-    }
-  ],
-  "categories": {
-    "correctness": "off"
-  },
-  "options": {
-    "typeAware": false
-  },
-  "env": {
-    "builtin": true,
-    "browser": true
-  },
-  "ignorePatterns": [
-    ".github/workflows/node_modules",
-    "spec/node_modules",
-    "spec/fixtures/native-addon",
-    "shell/browser/resources/win/resource.h",
-    "shell/common/node_includes.h",
-    "spec/fixtures/pages/jquery-3.6.0.min.js"
-  ],
-  "rules": {
-    "no-var": "error",
-    "accessor-pairs": [
-      "error",
-      {
-        "setWithoutGet": true,
-        "enforceForClassMembers": true
-      }
-    ],
-    "array-callback-return": [
-      "error",
-      {
-        "allowImplicit": false,
-        "checkForEach": false
-      }
-    ],
-    "constructor-super": "error",
-    "curly": [
-      "error",
-      "multi-line"
-    ],
-    "default-case-last": "error",
-    "eqeqeq": [
-      "error",
-      "always",
-      {
-        "null": "ignore"
-      }
-    ],
-    "new-cap": [
-      "error",
-      {
-        "newIsCap": true,
-        "capIsNew": false,
-        "properties": true
-      }
-    ],
-    "no-array-constructor": "error",
-    "no-async-promise-executor": "error",
-    "no-caller": "error",
-    "no-case-declarations": "error",
-    "no-class-assign": "error",
-    "no-compare-neg-zero": "error",
-    "no-cond-assign": "error",
-    "no-const-assign": "error",
-    "no-constant-condition": [
-      "error",
-      {
-        "checkLoops": false
-      }
-    ],
-    "no-control-regex": "error",
-    "no-debugger": "error",
-    "no-delete-var": "error",
-    "no-dupe-class-members": "error",
-    "no-dupe-keys": "error",
-    "no-duplicate-case": "error",
-    "no-useless-backreference": "error",
-    "no-empty": [
-      "error",
-      {
-        "allowEmptyCatch": true
-      }
-    ],
-    "no-empty-character-class": "error",
-    "no-empty-pattern": "error",
-    "no-eval": "error",
-    "no-ex-assign": "error",
-    "no-extend-native": "error",
-    "no-extra-bind": "error",
-    "no-extra-boolean-cast": "error",
-    "no-fallthrough": "error",
-    "no-func-assign": "error",
-    "no-global-assign": "error",
-    "no-import-assign": "error",
-    "no-invalid-regexp": "error",
-    "no-irregular-whitespace": "error",
-    "no-iterator": "error",
-    "no-labels": [
-      "error",
-      {
-        "allowLoop": false,
-        "allowSwitch": false
-      }
-    ],
-    "no-lone-blocks": "error",
-    "no-loss-of-precision": "error",
-    "no-misleading-character-class": "error",
-    "no-prototype-builtins": "error",
-    "no-useless-catch": "error",
-    "no-useless-constructor": "error",
-    "no-use-before-define": [
-      "error",
-      {
-        "functions": false,
-        "classes": false,
-        "variables": false
-      }
-    ],
-    "no-multi-str": "error",
-    "no-new": "error",
-    "no-new-func": "error",
-    "no-new-wrappers": "error",
-    "no-obj-calls": "error",
-    "no-proto": "error",
-    "no-redeclare": [
-      "error"
-    ],
-    "no-regex-spaces": "error",
-    "no-return-assign": [
-      "error",
-      "except-parens"
-    ],
-    "no-self-assign": [
-      "error",
-      {
-        "props": true
-      }
-    ],
-    "no-self-compare": "error",
-    "no-sequences": "error",
-    "no-shadow-restricted-names": "error",
-    "no-sparse-arrays": "error",
-    "no-template-curly-in-string": "error",
-    "no-this-before-super": "error",
-    "no-throw-literal": "error",
-    "no-unexpected-multiline": "error",
-    "no-unmodified-loop-condition": "error",
-    "no-unneeded-ternary": [
-      "error",
-      {
-        "defaultAssignment": false
-      }
-    ],
-    "no-unreachable": "error",
-    "no-unsafe-finally": "error",
-    "no-unsafe-negation": "error",
-    "no-unused-vars": [
-      "error",
-      {
-        "vars": "all",
-        "args": "after-used",
-        "argsIgnorePattern": "^_",
-        "ignoreRestSiblings": true
-      }
-    ],
-    "no-useless-call": "error",
-    "no-useless-computed-key": "error",
-    "no-useless-escape": "error",
-    "no-useless-rename": "error",
-    "no-useless-return": "error",
-    "no-void": "error",
-    "no-with": "error",
-    "prefer-const": [
-      "error",
-      {
-        "destructuring": "all"
-      }
-    ],
-    "prefer-promise-reject-errors": "error",
-    "symbol-description": "error",
-    "unicode-bom": [
-      "error",
-      "never"
-    ],
-    "use-isnan": [
-      "error",
-      {
-        "enforceForSwitchCase": true,
-        "enforceForIndexOf": true
-      }
-    ],
-    "valid-typeof": [
-      "error",
-      {
-        "requireStringLiterals": true
-      }
-    ],
-    "yoda": [
-      "error",
-      "never"
-    ],
-    "import/export": "error",
-    "import/first": "error",
-    "import/no-absolute-path": [
-      "error",
-      {
-        "esmodule": true,
-        "commonjs": true,
-        "amd": false
-      }
-    ],
-    "import/no-duplicates": "error",
-    "import/no-named-default": "error",
-    "import/no-webpack-loader-syntax": "error",
-    "promise/param-names": "error",
-    "guard-for-in": "error",
-    "node/handle-callback-err": [
-      "error",
-      "^(err|error)$"
-    ],
-    "node/no-exports-assign": "error",
-    "node/no-new-require": "error",
-    "node/no-path-concat": "error"
-  },
-  "overrides": [
-    {
-      "files": ["**/*.ts", "**/*.tsx", "**/*.mts", "**/*.cts"],
-      "rules": {
-        "no-use-before-define": "off"
-      }
-    },
-    {
-      "files": ["lib/browser/**", "lib/utility/**"],
-      "rules": {
-        "no-restricted-imports": [
-          "error",
-          {
-            "paths": ["electron", "electron/renderer"],
-            "patterns": [
-              "./*",
-              "../*",
-              "@electron/internal/isolated_renderer/*",
-              "@electron/internal/renderer/*",
-              "@electron/internal/sandboxed_worker/*",
-              "@electron/internal/worker/*"
-            ]
-          }
-        ]
-      }
-    },
-    {
-      "files": [
-        "lib/renderer/**",
-        "lib/worker/**",
-        "lib/preload_realm/**",
-        "lib/sandboxed_renderer/**",
-        "lib/isolated_renderer/**"
-      ],
-      "rules": {
-        "no-restricted-imports": [
-          "error",
-          {
-            "paths": ["electron", "electron/main"],
-            "patterns": ["./*", "../*", "@electron/internal/browser/*"]
-          }
-        ]
-      }
-    },
-    {
-      "files": ["lib/common/**"],
-      "rules": {
-        "no-restricted-imports": [
-          "error",
-          {
-            "paths": ["electron", "electron/main", "electron/renderer"],
-            "patterns": [
-              "./*",
-              "../*",
-              "@electron/internal/browser/*",
-              "@electron/internal/isolated_renderer/*",
-              "@electron/internal/renderer/*",
-              "@electron/internal/sandboxed_worker/*",
-              "@electron/internal/worker/*"
-            ]
-          }
-        ]
-      }
-    },
-    {
-      "files": [
-        "build/**",
-        "script/**",
-        "docs/**",
-        "default_app/**",
-        "spec/**"
-      ],
-      "rules": {
-        "unicorn/prefer-node-protocol": "error"
-      }
-    },
-    {
-      "files": ["spec/**/*.ts", "spec/**/*.js", "spec/**/*.mjs"],
-      "rules": {
-        "no-only-tests/no-only-tests": "error"
-      }
-    },
-    {
-      "files": ["**/*.d.ts"],
-      "rules": {
-        "no-useless-constructor": "off",
-        "no-unused-vars": "off"
-      }
-    }
-  ]
-}

.remarkrc

@@ -0,0 +1,6 @@
+{
+  "plugins": [
+    ["remark-lint-code-block-style", "fenced"],
+    ["remark-lint-fenced-code-flag"]
+  ]
+}

.yarn/README.md

@@ -1,82 +0,0 @@
-# Vendored Yarn release
-
-This directory holds the Yarn release used by this repo (`yarnPath` in
-`.yarnrc.yml`). The release file is checked in so every contributor and CI job
-runs the exact same Yarn, and so we can carry small local patches when needed.
-
-`releases/yarn-4.12.0.cjs` currently carries one such patch, described below.
-If you bump the Yarn version, read the **Upgrading Yarn** section first.
-
-## Patch: use `JsZipImpl` for the node-modules link step
-
-### What changed
-
-Two call sites in `releases/yarn-4.12.0.cjs` are modified so the
-`node-modules` linker (and the `pnpm`-loose linker) construct their read-only
-`ZipOpenFS` with `customZipImplementation: ST` — Yarn's pure-JS `JsZipImpl` —
-instead of falling through to the default WASM-backed `LibZipImpl`:
-
-```text
-new $f({maxOpenFiles:80,readOnlyArchives:!0})
-  → new $f({maxOpenFiles:80,readOnlyArchives:!0,customZipImplementation:ST})
-```
-
-A comment block at the top of the `.cjs` file marks the file as patched and
-points back here.
-
-### Why
-
-On the `linux-arm` CI test shards we run a 32-bit `arm32v7` container. During
-`yarn install`'s **Link step**, Yarn opens up to 80 cache zips concurrently.
-With `LibZipImpl`, each open zip is `readFileSync`'d into a Node `Buffer`
-**and copied again into the WASM linear memory**, and every file read does a
-WASM `_malloc(size)` for the entry. The WASM heap has to grow as a single
-contiguous region of the 32-bit address space; once enough zips are resident,
-the `_malloc` for a large entry — most often `typescript/lib/typescript.js`
-(~9 MB inside a ~22 MB zip) — fails.
-
-Yarn's cross-FS `copyFilePromise` swallows the underlying error and re-throws
-a generic one, so CI shows:
-
-```text
-YN0001: While persisting .../typescript-patch-...zip/node_modules/typescript/
-  EINVAL: invalid argument, copyfile '/node_modules/typescript/lib/typescript.js' -> '...'
-```
-
-The unmasked form (occasionally seen on `pdfjs-dist`) is the WASM-heap failure
-string `Couldn't allocate enough memory`. This started failing ~1-in-3
-`linux-arm / test` shards at **Install Dependencies** on 2026-04-13, after
-[#50692](https://github.com/electron/electron/pull/50692) grew the cache enough
-to push the 32-bit process over the edge nondeterministically — e.g.
-[run 24739817558](https://github.com/electron/electron/actions/runs/24739817558/job/72380803746).
-
-`JsZipImpl` avoids the problem entirely: it opens the zip by file descriptor,
-reads only the central directory into memory, and `readSync`s individual
-entries into ordinary Node `Buffer`s — **no WASM heap involved**. It is
-read-only and path-based, which is exactly how the linker uses these archives.
-
-There is no `.yarnrc.yml` setting or environment variable to select the zip
-implementation (verified against the bundle), so editing the vendored release
-is the only way to switch it short of re-implementing the linker in a plugin.
-
-Upstream references:
-[yarnpkg/berry#3972](https://github.com/yarnpkg/berry/issues/3972),
-[yarnpkg/berry#6722](https://github.com/yarnpkg/berry/issues/6722),
-[yarnpkg/berry#6550](https://github.com/yarnpkg/berry/issues/6550).
-
-### Upgrading Yarn
-
-When bumping `releases/yarn-*.cjs`:
-
-1. Check whether upstream now defaults `readOnlyArchives` opens to `JsZipImpl`,
-   or exposes a config knob for the zip implementation. If so, drop this patch.
-2. Otherwise, re-apply: search the new bundle for
-   `maxOpenFiles:80,readOnlyArchives:!0` (the surrounding minified identifiers
-   will differ) and add `,customZipImplementation:<JsZipImpl symbol>` — that
-   symbol is whatever the new bundle exports as `JsZipImpl` from
-   `@yarnpkg/libzip`.
-3. Re-add the header comment pointing back to this README.
-4. Verify with
-   `rm -rf node_modules spec/node_modules && node script/yarn.js install --immutable --mode=skip-build`
-   and confirm `node_modules/typescript/lib/typescript.js` is byte-identical to
-   an unpatched install.

.yarnrc.yml

@@ -1,16 +0,0 @@
-enableScripts: false
-
-nmHoistingLimits: workspaces
-
-nodeLinker: node-modules
-
-npmMinimalAgeGate: 10080
-
-npmPreapprovedPackages:
-  - "@electron/*"
-
-httpProxy: "${HTTP_PROXY:-}"
-
-httpsProxy: "${HTTPS_PROXY:-}"
-
-yarnPath: .yarn/releases/yarn-4.12.0.cjs