ci: use hermetic mac SDK for the release ffmpeg build (#50755 )

* ci: use hermetic mac SDK for the release ffmpeg build gn gen out/ffmpeg runs as a raw gn invocation, so it never receives the mac_sdk_path arg that e build injects for out/Default. On macOS runners that means out/Default builds against the hermetic build-tools SDK while out/ffmpeg falls through to the runner's system Xcode SDK. Reuse the value e build already wrote so both builds share the same sysroot. Co-authored-by: Samuel Attard <sattard@anthropic.com> * ci: copy hermetic SDK symlink into out/ffmpeg and rewrite path mac_sdk_path must live under root_build_dir, so pointing out/ffmpeg at //out/Default/... doesn't work. Copy the xcode_links symlink tree into out/ffmpeg and rewrite the path. Gate on Darwin so Windows/Linux don't run the sed/cp at all. Co-authored-by: Samuel Attard <sattard@anthropic.com> --------- Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com> Co-authored-by: Samuel Attard <sattard@anthropic.com>
fix: enforce size constraints on window creation on Windows and Linux (#50753 )
2026-04-10 03:01:51 -04:00 · 2026-04-06 21:35:50 -04:00 · 2026-04-06 18:40:05 -05:00 · 2026-04-06 22:39:35 +00:00 · 2026-04-06 17:27:35 -04:00 · 2026-04-06 16:02:11 -04:00
580 changed files with 11429 additions and 5737 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -11,7 +11,6 @@ Contributors guide: https://github.com/electron/electron/blob/main/CONTRIBUTING.
 <!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->

 - [ ] PR description included
- [ ] I have built and tested this PR
 - [ ] `npm test` passes
 - [ ] tests are [changed or added](https://github.com/electron/electron/blob/main/docs/development/testing.md)
 - [ ] relevant API documentation, tutorials, and examples are updated and follow the [documentation style guide](https://github.com/electron/electron/blob/main/docs/development/style-guide.md)
--- a/.github/actions/build-electron/action.yml
+++ b/.github/actions/build-electron/action.yml
@@ -26,9 +26,6 @@ inputs:
  is-asan:
    description: 'The ASan Linux build'
    required: false
-  upload-out-gen-artifacts:
-    description: 'Whether to upload the out/${dir}/gen artifacts'
-    required: false
 runs:
  using: "composite"
  steps:
@@ -98,7 +95,7 @@ runs:
        # Upload build stats to Datadog
        if ($env:DD_API_KEY) {
          try {
-            npx node electron\script\build-stats.mjs out\Default\siso.exe.INFO --upload-stats
+            npx node electron\script\build-stats.mjs out\Default\siso.exe.INFO --upload-stats ; $LASTEXITCODE = 0
          } catch {
            Write-Host "Build stats upload failed, continuing..."
          }
@@ -128,6 +125,9 @@ runs:
        fi
        sed $SEDOPTION '/.*builtins-pgo/d' out/Default/mksnapshot_args
        sed $SEDOPTION '/--turbo-profiling-input/d' out/Default/mksnapshot_args
+        sed $SEDOPTION '/--reorder-builtins/d' out/Default/mksnapshot_args
+        sed $SEDOPTION '/--warn-about-builtin-profile-data/d' out/Default/mksnapshot_args
+        sed $SEDOPTION '/--abort-on-bad-builtin-profile-data/d' out/Default/mksnapshot_args

        if [ "${{ inputs.target-platform }}" = "win" ]; then
          cd out/Default
@@ -205,7 +205,17 @@ runs:
      if: ${{ inputs.is-release == 'true' }}
      run: |
        cd src
-        gn gen out/ffmpeg --args="import(\"//electron/build/args/ffmpeg.gn\") use_remoteexec=true use_siso=true $GN_EXTRA_ARGS"
+        # Reuse the hermetic mac_sdk_path that `e build` wrote for out/Default so
+        # out/ffmpeg builds against the same SDK instead of the runner's system Xcode.
+        # The path has to live under root_build_dir, so copy the symlink tree and
+        # rewrite Default -> ffmpeg.
+        MAC_SDK_ARG=""
+        if [ "$(uname)" = "Darwin" ]; then
+          mkdir -p out/ffmpeg
+          cp -a out/Default/xcode_links out/ffmpeg/
+          MAC_SDK_ARG=$(sed -n 's|^\(mac_sdk_path = "//out/\)Default/|\1ffmpeg/|p' out/Default/args.gn)
+        fi
+        gn gen out/ffmpeg --args="import(\"//electron/build/args/ffmpeg.gn\") use_remoteexec=true use_siso=true $MAC_SDK_ARG $GN_EXTRA_ARGS"
        e build --target electron:electron_ffmpeg_zip -C ../../out/ffmpeg
    - name: Remove Clang problem matcher
      shell: bash
@@ -274,18 +284,12 @@ runs:
      run: ./src/electron/script/actions/move-artifacts.sh
    - name: Upload Generated Artifacts ${{ inputs.step-suffix }}
      if: always() && !cancelled()
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
      with:
        name: generated_artifacts_${{ env.ARTIFACT_KEY }}
        path: ./generated_artifacts_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}
    - name: Upload Src Artifacts ${{ inputs.step-suffix }}
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
      with:
        name: src_artifacts_${{ env.ARTIFACT_KEY }}
        path: ./src_artifacts_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}
-    - name: Upload Out Gen Artifacts ${{ inputs.step-suffix }}
-      if: ${{ inputs.upload-out-gen-artifacts == 'true' }}
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
-      with:
-        name: out_gen_artifacts_${{ env.ARTIFACT_KEY }}
-        path: ./src/out/Default/gen
--- a/.github/actions/checkout/action.yml
+++ b/.github/actions/checkout/action.yml
@@ -28,7 +28,7 @@ runs:
    shell: bash
    run: |
      node src/electron/script/generate-deps-hash.js
-      DEPSHASH="v1-src-cache-$(cat src/electron/.depshash)"
+      DEPSHASH="v2-src-cache-$(cat src/electron/.depshash)"
      echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
      echo "CACHE_FILE=$DEPSHASH.tar" >> $GITHUB_ENV
      if [ "${{ inputs.target-platform }}" = "win" ]; then
@@ -43,7 +43,7 @@ runs:
      curl --unix-socket /var/run/sas/sas.sock --fail "http://foo/$CACHE_FILE?platform=${{ inputs.target-platform }}&getAccountName=true" > sas-token
  - name: Save SAS Key
    if: ${{ inputs.generate-sas-token == 'true' }}
-    uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+    uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
    with:
      path: sas-token
      key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-${{ github.run_attempt }}
@@ -109,7 +109,7 @@ runs:
        echo "target_os=['$TARGET_OS']" >> ./.gclient
      fi

-      ELECTRON_USE_THREE_WAY_MERGE_FOR_PATCHES=1 e d gclient sync --with_branch_heads --with_tags -vv
+      ELECTRON_DEPOT_TOOLS_WIN_TOOLCHAIN=0 DEPOT_TOOLS_WIN_TOOLCHAIN=0 ELECTRON_USE_THREE_WAY_MERGE_FOR_PATCHES=1 e d gclient sync --with_branch_heads --with_tags
      if [[ "${{ inputs.is-release }}" != "true" ]]; then
        # Re-export all the patches to check if there were changes.
        python3 src/electron/script/export_all_patches.py src/electron/patches/config.json
@@ -187,21 +187,35 @@ runs:
    shell: bash
    run: |
      echo "Uncompressed src size: $(du -sh src | cut -f1 -d' ')"
-      tar -cf $CACHE_FILE src
+      # Named .tar but zstd-compressed; the sas-sidecar's filename allowlist
+      # only permits .tar/.tgz so we keep the extension and decode on restore.
+      tar -cf - src | zstd -T0 --long=30 -f -o $CACHE_FILE
      echo "Compressed src to $(du -sh $CACHE_FILE | cut -f1 -d' ')"
-      cp ./$CACHE_FILE $CACHE_DRIVE/
  - name: Persist Src Cache
    if: ${{ steps.check-cache.outputs.cache_exists == 'false' && inputs.use-cache == 'true' }}
    shell: bash
    run: |
      final_cache_path=$CACHE_DRIVE/$CACHE_FILE
+      # Upload to a run-unique temp name first so concurrent readers never
+      # observe a partially-written file, and an interrupted copy can't leave
+      # a truncated file at the final path. Orphaned temp files get swept by
+      # the clean-orphaned-cache-uploads workflow.
+      tmp_cache_path=$final_cache_path.upload-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}
+      echo "Uploading to temp path: $tmp_cache_path"
+      cp ./$CACHE_FILE $tmp_cache_path
+
      echo "Using cache key: $DEPSHASH"
-      echo "Checking path: $final_cache_path"
+      if [ -f "$final_cache_path" ]; then
+        echo "Cache already persisted at $final_cache_path by a concurrent run; discarding ours"
+        rm -f $tmp_cache_path
+      else
+        mv -f $tmp_cache_path $final_cache_path
+        echo "Cache key persisted in $final_cache_path"
+      fi
+
      if [ ! -f "$final_cache_path" ]; then
        echo "Cache key not found"
        exit 1
-      else
-        echo "Cache key persisted in $final_cache_path"
      fi
  - name: Wait for active SSH sessions
    shell: bash
--- a/.github/actions/cipd-install/action.yml
+++ b/.github/actions/cipd-install/action.yml
@@ -22,30 +22,50 @@ runs:
  steps:
    - name: Delete wrong ${{ inputs.dependency }}
      shell: bash
+      env:
+        CIPD_ROOT_PREFIX: ${{ inputs.cipd-root-prefix-path }}
+        INSTALLATION_DIR: ${{ inputs.installation-dir }}
      run : |
-        rm -rf ${{ inputs.cipd-root-prefix-path }}${{ inputs.installation-dir }}
+        rm -rf "${CIPD_ROOT_PREFIX}${INSTALLATION_DIR}"
    - name: Create ensure file for ${{ inputs.dependency }}
      if: ${{ inputs.dependency-version == '' }}
      shell: bash
+      env:
+        PACKAGE: ${{ inputs.package }}
+        DEPS_FILE: ${{ inputs.deps-file }}
+        INSTALLATION_DIR: ${{ inputs.installation-dir }}
+        DEPENDENCY: ${{ inputs.dependency }}
      run: |
-        echo '${{ inputs.package }}' `e d gclient getdep --deps-file=${{ inputs.deps-file }} -r '${{ inputs.installation-dir }}:${{ inputs.package }}'` > ${{ inputs.dependency }}_ensure_file
-        cat ${{ inputs.dependency }}_ensure_file
+        echo "$PACKAGE" $(e d gclient getdep --deps-file="$DEPS_FILE" -r "${INSTALLATION_DIR}:${PACKAGE}") > "${DEPENDENCY}_ensure_file"
+        cat "${DEPENDENCY}_ensure_file"

    - name: Create ensure file for ${{ inputs.dependency }} from dependency-version
      if: ${{ inputs.dependency-version != '' }}
      shell: bash
+      env:
+        PACKAGE: ${{ inputs.package }}
+        DEPENDENCY_VERSION: ${{ inputs.dependency-version }}
+        DEPENDENCY: ${{ inputs.dependency }}
      run: |
-        echo '${{ inputs.package }} ${{ inputs.dependency-version }}'  > ${{ inputs.dependency }}_ensure_file
-        cat ${{ inputs.dependency }}_ensure_file
+        echo "$PACKAGE $DEPENDENCY_VERSION" > "${DEPENDENCY}_ensure_file"
+        cat "${DEPENDENCY}_ensure_file"
    - name: CIPD installation of ${{ inputs.dependency }} (macOS)
      if: ${{ inputs.target-platform != 'win' }}
      shell: bash
+      env:
+        CIPD_ROOT_PREFIX: ${{ inputs.cipd-root-prefix-path }}
+        INSTALLATION_DIR: ${{ inputs.installation-dir }}
+        DEPENDENCY: ${{ inputs.dependency }}
      run: |
-        echo "ensuring ${{ inputs.dependency }}"
-        e d cipd ensure --root ${{ inputs.cipd-root-prefix-path }}${{ inputs.installation-dir }} -ensure-file ${{ inputs.dependency }}_ensure_file
+        echo "ensuring $DEPENDENCY"
+        e d cipd ensure --root "${CIPD_ROOT_PREFIX}${INSTALLATION_DIR}" -ensure-file "${DEPENDENCY}_ensure_file"
    - name: CIPD installation of ${{ inputs.dependency }} (Windows)
      if: ${{ inputs.target-platform == 'win' }}
      shell: powershell
+      env:
+        CIPD_ROOT_PREFIX: ${{ inputs.cipd-root-prefix-path }}
+        INSTALLATION_DIR: ${{ inputs.installation-dir }}
+        DEPENDENCY: ${{ inputs.dependency }}
      run: |
-        echo "ensuring ${{ inputs.dependency }} on Windows"
-        e d cipd ensure --root ${{ inputs.cipd-root-prefix-path }}${{ inputs.installation-dir }} -ensure-file ${{ inputs.dependency }}_ensure_file
+        echo "ensuring $env:DEPENDENCY on Windows"
+        e d cipd ensure --root "$env:CIPD_ROOT_PREFIX$env:INSTALLATION_DIR" -ensure-file "$($env:DEPENDENCY)_ensure_file"
--- a/.github/actions/fix-sync/action.yml
+++ b/.github/actions/fix-sync/action.yml
@@ -27,6 +27,7 @@ runs:
        python3 src/tools/clang/scripts/update.py
        # Refs https://chromium-review.googlesource.com/c/chromium/src/+/6667681
        python3 src/tools/clang/scripts/update.py --package objdump
+        python3 src/tools/clang/scripts/update.py --package clang-tidy
    - name: Fix esbuild
      if: ${{ inputs.target-platform != 'linux' }}
      uses: ./src/electron/.github/actions/cipd-install
--- a/.github/actions/install-build-tools/action.yml
+++ b/.github/actions/install-build-tools/action.yml
@@ -15,7 +15,7 @@ runs:
        git config --global core.preloadindex true
        git config --global core.longpaths true
      fi
-      export BUILD_TOOLS_SHA=4430e4a505e0f4fa2a41b707a10a36f780bbdd26
+      export BUILD_TOOLS_SHA=a0cc95a1884a631559bcca0c948465b725d9295a
      npm i -g @electron/build-tools
      # Update depot_tools to ensure python
      e d update_depot_tools
--- a/.github/actions/install-dependencies/action.yml
+++ b/.github/actions/install-dependencies/action.yml
@@ -7,7 +7,7 @@ runs:
    shell: bash
    id: yarn-cache-dir-path
    run: echo "dir=$(node src/electron/script/yarn.js config get cacheFolder)" >> $GITHUB_OUTPUT
-  - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+  - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
    id: yarn-cache
    with:
      path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
--- a/.github/actions/restore-cache-aks/action.yml
+++ b/.github/actions/restore-cache-aks/action.yml
@@ -31,7 +31,7 @@ runs:
      fi

      mkdir temp-cache
-      tar -xf $cache_path -C temp-cache
+      zstd -d --long=30 -c $cache_path | tar -xf - -C temp-cache
      echo "Unzipped cache is $(du -sh temp-cache/src | cut -f1)"

      if [ -d "temp-cache/src" ]; then
--- a/.github/actions/restore-cache-azcopy/action.yml
+++ b/.github/actions/restore-cache-azcopy/action.yml
@@ -8,14 +8,14 @@ runs:
  steps:
  - name: Obtain SAS Key
    continue-on-error: true
-    uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+    uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
    with:
      path: sas-token
      key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-1
      enableCrossOsArchive: true
  - name: Obtain SAS Key
    continue-on-error: true
-    uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+    uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
    with:
      path: sas-token
      key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-${{ github.run_attempt }}
@@ -24,7 +24,7 @@ runs:
    # The cache will always exist here as a result of the checkout job
    # Either it was uploaded to Azure in the checkout job for this commit
    # or it was uploaded in the checkout job for a previous commit.
-    uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+    uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
    with:
      timeout_minutes: 30
      max_attempts: 3
@@ -61,9 +61,9 @@ runs:
        echo "Cache is empty - exiting"
        exit 1
      fi
-      
+
      mkdir temp-cache
-      tar -xf $DEPSHASH.tar -C temp-cache
+      zstd -d --long=30 -c $DEPSHASH.tar | tar -xf - -C temp-cache
      echo "Unzipped cache is $(du -sh temp-cache/src | cut -f1)"

      if [ -d "temp-cache/src" ]; then
@@ -85,23 +85,21 @@ runs:

  - name: Unzip and Ensure Src Cache (Windows)
    if: ${{ inputs.target-platform == 'win' }}
-    shell: powershell
+    shell: bash
    run: |
-      $src_cache = "$env:DEPSHASH.tar"
-      $cache_size = $(Get-Item $src_cache).length
-      Write-Host "Downloaded cache is $cache_size"
-      if ($cache_size -eq 0) {
-        Write-Host "Cache is empty - exiting"
+      echo "Downloaded cache is $(du -sh $DEPSHASH.tar | cut -f1)"
+      if [ `du $DEPSHASH.tar | cut -f1` = "0" ]; then
+        echo "Cache is empty - exiting"
        exit 1
-      }
+      fi

-      $TEMP_DIR=New-Item -ItemType Directory -Path temp-cache
-      $TEMP_DIR_PATH = $TEMP_DIR.FullName
-      C:\ProgramData\Chocolatey\bin\7z.exe -y -snld20 x $src_cache -o"$TEMP_DIR_PATH"
+      mkdir temp-cache
+      zstd -d --long=30 -c $DEPSHASH.tar | tar -xf - -C temp-cache
+      rm -f $DEPSHASH.tar

  - name: Move Src Cache (Windows)
    if: ${{ inputs.target-platform == 'win' }}
-    uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+    uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
    with:
      timeout_minutes: 30
      max_attempts: 3
@@ -112,9 +110,6 @@ runs:
          Write-Host "Relocating Cache"
          Remove-Item -Recurse -Force src
          Move-Item temp-cache\src src
-
-          Write-Host "Deleting zip file"
-          Remove-Item -Force $src_cache
        }
        if (-Not (Test-Path "src\third_party\blink")) {
          Write-Host "Cache was not correctly restored - exiting"
--- a/.github/actions/set-chromium-cookie/action.yml
+++ b/.github/actions/set-chromium-cookie/action.yml
@@ -7,7 +7,7 @@ runs:
    if: ${{ runner.os != 'Windows' }}
    shell: bash
    run: |
-      if [[ -z "${{ env.CHROMIUM_GIT_COOKIE }}" ]]; then
+      if [[ -z "$CHROMIUM_GIT_COOKIE" ]]; then
        echo "CHROMIUM_GIT_COOKIE is not set - cannot authenticate."
        exit 0
      fi
@@ -18,9 +18,7 @@ runs:

      git config --global http.cookiefile ~/.gitcookies

-      tr , \\t <<\__END__ >>~/.gitcookies
-      ${{ env.CHROMIUM_GIT_COOKIE }}
-      __END__
+      echo "$CHROMIUM_GIT_COOKIE" | tr , \\t >>~/.gitcookies
      eval 'set -o history' 2>/dev/null || unsetopt HIST_IGNORE_SPACE 2>/dev/null

      RESPONSE=$(curl -s -b ~/.gitcookies https://chromium-review.googlesource.com/a/accounts/self)
@@ -42,7 +40,7 @@ runs:
      )

      git config --global http.cookiefile "%USERPROFILE%\.gitcookies"
-      powershell -noprofile -nologo -command Write-Output "${{ env.CHROMIUM_GIT_COOKIE_WINDOWS_STRING }}" >>"%USERPROFILE%\.gitcookies"
+      powershell -noprofile -nologo -command Write-Output $env:CHROMIUM_GIT_COOKIE_WINDOWS_STRING >>"%USERPROFILE%\.gitcookies"

      curl -s -b "%USERPROFILE%\.gitcookies" https://chromium-review.googlesource.com/a/accounts/self > response.txt

--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -0,0 +1,122 @@
+# Copilot Instructions for Electron
+
+## Build System
+
+Electron uses `@electron/build-tools` (`e` CLI). Install with `npm i -g @electron/build-tools`.
+
+```bash
+e sync              # Fetch sources and apply patches
+e build             # Build Electron (GN + Ninja)
+e build -k 999      # Build, continuing through errors
+e start             # Run built Electron
+e start --version   # Verify Electron launches
+e test              # Run full test suite
+e debug             # Run in debugger (lldb on macOS, gdb on Linux)
+```
+
+### Linting
+
+```bash
+npm run lint              # Run all linters (JS, C++, Python, GN, docs)
+npm run lint:js           # JavaScript/TypeScript only
+npm run lint:clang-format # C++ formatting only
+npm run lint:cpp          # C++ linting only
+npm run lint:docs         # Documentation only
+```
+
+### Running a Single Test
+
+```bash
+npm run test -- -g "pattern"   # Run tests matching a regex pattern
+# Example: npm run test -- -g "ipc"
+```
+
+### Running a Single Node.js Test
+
+```bash
+node script/node-spec-runner.js parallel/test-crypto-keygen
+```
+
+## Architecture
+
+Electron embeds Chromium (rendering) and Node.js (backend) to enable desktop apps with web technologies. The parent directory (`../`) is the Chromium source tree.
+
+### Process Model
+
+Electron has two primary process types, mirroring Chromium:
+
+- **Main process** (`shell/browser/` + `lib/browser/`): Controls app lifecycle, creates windows, system APIs
+- **Renderer process** (`shell/renderer/` + `lib/renderer/`): Runs web content in BrowserWindows
+
+### Native ↔ JavaScript Bridge
+
+Each API is implemented as a C++/JS pair:
+
+- C++ side: `shell/browser/api/electron_api_{name}.cc/.h` — uses `gin::Wrappable` and `ObjectTemplateBuilder`
+- JS side: `lib/browser/api/{name}.ts` — exports the module, registered in `lib/browser/api/module-list.ts`
+- Binding: `NODE_LINKED_BINDING_CONTEXT_AWARE(electron_browser_{name}, Initialize)` in C++ and registered in `shell/common/node_bindings.cc`
+- Type declaration: `typings/internal-ambient.d.ts` maps `process._linkedBinding('electron_browser_{name}')`
+
+### Patches System
+
+Electron patches upstream dependencies (Chromium, Node.js, V8, etc.) rather than forking them. Patches live in `patches/` organized by target, with `patches/config.json` mapping directories to repos.
+
+```text
+patches/{target}/*.patch  →  [e sync]   →  target repo commits
+                          ←  [e patches] ←
+```
+
+Key rules:
+
+- Fix existing patches rather than creating new ones
+- Preserve original authorship in TODO comments — never change `TODO(name)` assignees
+- Each patch commit message must explain why the patch exists
+- After modifying patches, run `e patches {target}` to export
+
+When working on the `roller/chromium/main` branch for Chromium upgrades, use `e sync --3` for 3-way merge conflict resolution.
+
+## Conventions
+
+### File Naming
+
+- JS/TS files: kebab-case (`file-name.ts`)
+- C++ files: snake_case with `electron_api_` prefix (`electron_api_safe_storage.cc`)
+- Test files: `api-{module-name}-spec.ts` in `spec/`
+- Source file lists are maintained in `filenames.gni` (with platform-specific sections)
+
+### JavaScript/TypeScript
+
+- Semicolons required (`"semi": ["error", "always"]`)
+- `const` and `let` only (no `var`)
+- Arrow functions preferred
+- Import order enforced: `@electron/internal` → `@electron` → `electron` → external → builtin → relative
+- API naming: `PascalCase` for classes (`BrowserWindow`), `camelCase` for module APIs (`globalShortcut`)
+- Prefer getters/setters over jQuery-style `.text([text])` patterns
+
+### C++
+
+- Follows Chromium coding style, enforced by `clang-format` and `clang-tidy`
+- Uses Chromium abstractions (`base::`, `content::`, etc.)
+- Header guards: `#ifndef ELECTRON_SHELL_BROWSER_API_ELECTRON_API_{NAME}_H_`
+- Platform-specific files: `_mac.mm`, `_win.cc`, `_linux.cc`
+
+### Testing
+
+- Framework: Mocha + Chai + Sinon
+- Test helpers in `spec/lib/` (e.g., `spec-helpers.ts`, `window-helpers.ts`)
+- Use `defer()` from spec-helpers for cleanup, `closeAllWindows()` for window teardown
+- Tests import from `electron/main` or `electron/renderer`
+
+### Documentation
+
+- API docs in `docs/api/` as Markdown, parsed by `@electron/docs-parser` to generate `electron.d.ts`
+- API history tracked via YAML blocks in HTML comments within doc files
+- Docs must pass `npm run lint:docs`
+
+### Build Configuration
+
+- `BUILD.gn`: Main GN build config
+- `buildflags/buildflags.gni`: Feature flags (PDF viewer, extensions, spellchecker)
+- `build/args/`: Build argument profiles (`testing.gn`, `release.gn`, `all.gn`)
+- `DEPS`: Dependency versions and checkout paths
+- `chromium_src/`: Chromium source file overrides (compiled instead of originals)
--- a/.github/problem-matchers/markdownlint.json
+++ b/.github/problem-matchers/markdownlint.json
@@ -0,0 +1,16 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "markdownlint",
+      "pattern": [
+        {
+          "regexp": "^(.+):(\\d+):(\\d+)\\s+(.*)$",
+          "file": 1,
+          "line": 2,
+          "column": 3,
+          "message": 4
+        }
+      ]
+    }
+  ]
+}
--- a/.github/workflows/apply-patches.yml
+++ b/.github/workflows/apply-patches.yml
@@ -71,3 +71,11 @@ jobs:
      uses: ./src/electron/.github/actions/checkout
      with:
        target-platform: linux
+    - name: Upload Patch Conflict Fix
+      if: ${{ failure() }}
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      with:
+        name: update-patches
+        path: patches/update-patches.patch
+        if-no-files-found: ignore
+        archive: false
--- a/.github/workflows/archaeologist-dig.yml
+++ b/.github/workflows/archaeologist-dig.yml
@@ -13,25 +13,29 @@ jobs:
      contents: read
    steps:
      - name: Checkout Electron
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
      - name: Setup Node.js/npm
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
        with:
          node-version: 24.12.x
      - name: Setting Up Dig Site
+        env:
+          CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
-          echo "remote: ${{ github.event.pull_request.head.repo.clone_url }}"
-          echo "sha ${{ github.event.pull_request.head.sha }}"
-          echo "base ref ${{ github.event.pull_request.base.ref }}"
-          git clone https://github.com/electron/electron.git electron          
+          echo "remote: $CLONE_URL"
+          echo "sha $HEAD_SHA"
+          echo "base ref $BASE_REF"
+          git clone https://github.com/electron/electron.git electron
          cd electron
          mkdir -p artifacts
-          git remote add fork ${{ github.event.pull_request.head.repo.clone_url }} && git fetch fork
-          git checkout  ${{ github.event.pull_request.head.sha }}
-          git merge-base origin/${{ github.event.pull_request.base.ref }} HEAD > .dig-old
-          echo  ${{ github.event.pull_request.head.sha }} > .dig-new
+          git remote add fork "$CLONE_URL" && git fetch fork
+          git checkout "$HEAD_SHA"
+          git merge-base "origin/$BASE_REF" HEAD > .dig-old
+          echo "$HEAD_SHA" > .dig-new
          cp .dig-old artifacts

      - name: Generating Types for SHA in .dig-new
--- a/.github/workflows/audit-branch-ci.yml
+++ b/.github/workflows/audit-branch-ci.yml
@@ -11,17 +11,16 @@ permissions: {}
 jobs:
  audit_branch_ci:
    name: Audit CI on Branches
-    if: github.repository == 'electron/electron'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Setup Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version: 22.17.x
      - name: Sparse checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          sparse-checkout: |
            .
--- a/.github/workflows/branch-created.yml
+++ b/.github/workflows/branch-created.yml
@@ -14,7 +14,7 @@ permissions: {}
 jobs:
  release-branch-created:
    name: Release Branch Created
-    if: ${{ github.repository == 'electron/electron' && (github.event_name == 'workflow_dispatch' || (github.event.ref_type == 'branch' && endsWith(github.event.ref, '-x-y') && !startsWith(github.event.ref, 'roller'))) }}
+    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.ref_type == 'branch' && endsWith(github.event.ref, '-x-y') && !startsWith(github.event.ref, 'roller')) }}
    permissions:
      contents: read
      pull-requests: write
@@ -68,7 +68,7 @@ jobs:
          done
      - name: Generate GitHub App token
        if: ${{ steps.check-major-version.outputs.MAJOR }}
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
        id: generate-token
        with:
          creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}
--- a/.github/workflows/build-git-cache.yml
+++ b/.github/workflows/build-git-cache.yml
@@ -10,7 +10,6 @@ permissions: {}

 jobs:
  build-git-cache-linux:
-    if: github.repository == 'electron/electron'
    runs-on: electron-arc-centralus-linux-amd64-32core
    permissions:
      contents: read
@@ -24,7 +23,7 @@ jobs:
      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -34,7 +33,6 @@ jobs:
        target-platform: linux

  build-git-cache-windows:
-    if: github.repository == 'electron/electron'
    runs-on: electron-arc-centralus-linux-amd64-32core
    permissions:
      contents: read
@@ -49,7 +47,7 @@ jobs:
      TARGET_OS: 'win'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -59,7 +57,6 @@ jobs:
        target-platform: win

  build-git-cache-macos:
-    if: github.repository == 'electron/electron'
    runs-on: electron-arc-centralus-linux-amd64-32core
    permissions:
      contents: read
@@ -75,7 +72,7 @@ jobs:
      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -47,7 +47,6 @@ permissions: {}

 jobs:
  setup:
-    if: github.repository == 'electron/electron'
    runs-on: ubuntu-latest
    permissions:
      contents: read
@@ -58,7 +57,7 @@ jobs:
        build-image-sha: ${{ steps.set-output.outputs.build-image-sha }}
        docs-only: ${{ steps.set-output.outputs.docs-only }}
    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        ref: ${{ github.event.pull_request.head.sha }}
    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
@@ -125,7 +124,7 @@ jobs:
      build-image-sha: ${{ needs.setup.outputs.build-image-sha }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -157,7 +156,7 @@ jobs:
      build-image-sha: ${{ needs.setup.outputs.build-image-sha}}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -189,7 +188,7 @@ jobs:
      build-image-sha: ${{ needs.setup.outputs.build-image-sha}}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -284,15 +283,13 @@ jobs:
      contents: read
      issues: read
      pull-requests: read
-    uses: ./.github/workflows/pipeline-electron-build-and-tidy-and-test-and-nan.yml
+    uses: ./.github/workflows/pipeline-electron-build-and-test-and-nan.yml
    needs: checkout-linux
    if: ${{ needs.setup.outputs.src == 'true' }}
    with:
      build-runs-on: electron-arc-centralus-linux-amd64-32core
-      clang-tidy-runs-on: electron-arc-centralus-linux-amd64-8core
      test-runs-on: electron-arc-centralus-linux-amd64-4core
      build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
-      clang-tidy-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
      test-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
      target-platform: linux
      target-arch: x64
@@ -429,8 +426,35 @@ jobs:
    permissions:
      contents: read
    needs: [docs-only, macos-x64, macos-arm64, linux-x64, linux-x64-asan, linux-arm, linux-arm64, windows-x64, windows-x86, windows-arm64]
-    if: always() && github.repository == 'electron/electron' && !contains(needs.*.result, 'failure')
+    if: always() && !contains(needs.*.result, 'failure')
    steps: 
    - name: GitHub Actions Jobs Done
      run: |
        echo "All GitHub Actions Jobs are done"
+
+  check-signed-commits:
+    name: Check signed commits in green PR
+    needs: gha-done
+    if: ${{ contains(github.event.pull_request.labels.*.name, 'needs-signed-commits')}}
+    runs-on: ubuntu-slim
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Check signed commits in PR
+        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
+        with:
+          comment: |
+            ⚠️ This PR contains unsigned commits. This repository enforces [commit signatures](https://docs.github.com/en/authentication/managing-commit-signature-verification) 
+            for all incoming PRs. To get your PR merged, please sign those commits 
+            (`git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}`) and force push them to this branch 
+            (`git push --force-with-lease`)
+
+            For more information on signing commits, see GitHub's documentation on [Telling Git about your signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key).
+
+      - name: Remove needs-signed-commits label
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          gh pr edit $PR_URL --remove-label needs-signed-commits
--- a/.github/workflows/clean-orphaned-cache-uploads.yml
+++ b/.github/workflows/clean-orphaned-cache-uploads.yml
@@ -0,0 +1,32 @@
+name: Clean Orphaned Cache Uploads
+
+# Description:
+# Sweeps orphaned in-flight upload temp files left on the src-cache volumes
+# by checkout/action.yml when its cp-to-share step dies before the rename.
+# A successful upload finishes in minutes, so anything older than 4h is dead.
+
+on:
+  schedule:
+    - cron: "0 */4 * * *"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  clean-orphaned-uploads:
+    if: github.repository == 'electron/electron'
+    runs-on: electron-arc-centralus-linux-amd64-32core
+    permissions:
+      contents: read
+    container:
+      image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
+      options: --user root
+      volumes:
+        - /mnt/cross-instance-cache:/mnt/cross-instance-cache
+        - /mnt/win-cache:/mnt/win-cache
+    steps:
+    - name: Remove Orphaned Upload Temp Files
+      shell: bash
+      run: |
+        find /mnt/cross-instance-cache -maxdepth 1 -type f -name '*.tar.upload-*' -mmin +240 -print -delete
+        find /mnt/win-cache -maxdepth 1 -type f -name '*.tar.upload-*' -mmin +240 -print -delete
--- a/.github/workflows/clean-src-cache.yml
+++ b/.github/workflows/clean-src-cache.yml
@@ -12,7 +12,6 @@ permissions: {}

 jobs:
  clean-src-cache:
-    if: github.repository == 'electron/electron'
    runs-on: electron-arc-centralus-linux-amd64-32core
    permissions:
      contents: read
--- a/.github/workflows/issue-commented.yml
+++ b/.github/workflows/issue-commented.yml
@@ -21,7 +21,7 @@ jobs:
          AUTHOR_ASSOCIATION=$(gh api /repos/electron/electron/issues/comments/${{ github.event.comment.id }} --jq '.author_association')
          echo "author_association=$AUTHOR_ASSOCIATION" >> "$GITHUB_OUTPUT"
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
        if: ${{ !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), steps.get-author-association.outputs.author_association) }}
        id: generate-token
        with:
--- a/.github/workflows/issue-labeled.yml
+++ b/.github/workflows/issue-labeled.yml
@@ -15,7 +15,7 @@ jobs:
      contents: read
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -36,7 +36,7 @@ jobs:
      contents: read
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -61,15 +61,16 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: electron/electron
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |
          set -eo pipefail
-          COMMENT_COUNT=$(gh issue view ${{ github.event.issue.number }} --comments --json comments | jq '[ .comments[] | select(.author.login == "electron-issue-triage" or .authorAssociation == "OWNER" or .authorAssociation == "MEMBER") | select(.body | startswith("<!-- blocked/need-repro -->")) ] | length')
+          COMMENT_COUNT=$(gh issue view "$ISSUE_NUMBER" --comments --json comments | jq '[ .comments[] | select(.author.login == "electron-issue-triage" or .authorAssociation == "OWNER" or .authorAssociation == "MEMBER") | select(.body | startswith("<!-- blocked/need-repro -->")) ] | length')
          if [[ $COMMENT_COUNT -eq 0 ]]; then
            echo "SHOULD_COMMENT=1" >> "$GITHUB_OUTPUT"
          fi
      - name: Generate GitHub App token
        if: ${{ steps.check-for-comment.outputs.SHOULD_COMMENT }}
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
--- a/.github/workflows/issue-opened.yml
+++ b/.github/workflows/issue-opened.yml
@@ -14,7 +14,7 @@ jobs:
    permissions: {}
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -32,13 +32,13 @@ jobs:
    permissions: {}
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
          org: electron
      - name: Sparse checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          sparse-checkout: |
            .
--- a/.github/workflows/issue-transferred.yml
+++ b/.github/workflows/issue-transferred.yml
@@ -14,7 +14,7 @@ jobs:
    if: ${{ !github.event.changes.new_repository.private }}
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
--- a/.github/workflows/issue-unlabeled.yml
+++ b/.github/workflows/issue-unlabeled.yml
@@ -16,15 +16,17 @@ jobs:
    steps:
      - name: Check for any blocked labels
        id: check-for-blocked-labels
+        env:
+          LABELS_JSON: ${{ toJSON(github.event.issue.labels.*.name) }}
        run: |
          set -eo pipefail
-          BLOCKED_LABEL_COUNT=$(echo '${{ toJSON(github.event.issue.labels.*.name) }}' | jq '[ .[] | select(startswith("blocked/")) ] | length')
+          BLOCKED_LABEL_COUNT=$(echo "$LABELS_JSON" | jq '[ .[] | select(startswith("blocked/")) ] | length')
          if [[ $BLOCKED_LABEL_COUNT -eq 0 ]]; then
            echo "NOT_BLOCKED=1" >> "$GITHUB_OUTPUT"
          fi
      - name: Generate GitHub App token
        if: ${{ steps.check-for-blocked-labels.outputs.NOT_BLOCKED }}
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
--- a/.github/workflows/linux-publish.yml
+++ b/.github/workflows/linux-publish.yml
@@ -21,7 +21,6 @@ permissions: {}

 jobs:
  checkout-linux:
-    if: github.repository == 'electron/electron'
    runs-on: electron-arc-centralus-linux-amd64-32core
    permissions:
      contents: read
@@ -36,7 +35,7 @@ jobs:
      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -46,6 +45,7 @@ jobs:
  publish-x64:
    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
      attestations: write
      contents: read
      id-token: write
@@ -65,6 +65,7 @@ jobs:
  publish-arm:
    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
      attestations: write
      contents: read
      id-token: write
@@ -84,6 +85,7 @@ jobs:
  publish-arm64:
    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
      attestations: write
      contents: read
      id-token: write
--- a/.github/workflows/macos-disk-cleanup.yml
+++ b/.github/workflows/macos-disk-cleanup.yml
@@ -13,7 +13,6 @@ permissions: {}

 jobs:
  macos-disk-cleanup:
-    if: github.repository == 'electron/electron'
    strategy:
      fail-fast: false
      matrix:
@@ -26,7 +25,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          sparse-checkout: |
            .github/actions/free-space-macos
--- a/.github/workflows/macos-publish.yml
+++ b/.github/workflows/macos-publish.yml
@@ -22,7 +22,6 @@ permissions: {}

 jobs:
  checkout-macos:
-    if: github.repository == 'electron/electron'
    runs-on: electron-arc-centralus-linux-amd64-32core
    permissions:
      contents: read
@@ -37,7 +36,7 @@ jobs:
      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -50,6 +49,7 @@ jobs:
  publish-x64-darwin:
    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
      attestations: write
      contents: read
      id-token: write
@@ -69,6 +69,7 @@ jobs:
  publish-x64-mas:
    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
      attestations: write
      contents: read
      id-token: write
@@ -88,6 +89,7 @@ jobs:
  publish-arm64-darwin:
    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
      attestations: write
      contents: read
      id-token: write
@@ -107,6 +109,7 @@ jobs:
  publish-arm64-mas:
    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
      attestations: write
      contents: read
      id-token: write
--- a/.github/workflows/non-maintainer-dependency-change.yml
+++ b/.github/workflows/non-maintainer-dependency-change.yml
@@ -10,6 +10,10 @@ on:
      - '.yarn/**'
      - '.yarnrc.yml'

+# SECURITY: This workflow uses pull_request_target and has access to secrets.
+# Do NOT checkout or run code from the PR head. All code execution must use
+# the base branch only. Adding a ref to PR head would expose secrets to
+# untrusted code.
 permissions: {}

 jobs:
@@ -45,5 +49,6 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
-          printf "<!-- disallowed-non-maintainer-change -->\n\nHello @${{ github.event.pull_request.user.login }}! It looks like this pull request touches one of our dependency or CI files, and per [our contribution policy](https://github.com/electron/electron/blob/main/CONTRIBUTING.md#dependencies-upgrades-policy) we do not accept these types of changes in PRs." | gh pr review $PR_URL -r --body-file=-
+          printf "<!-- disallowed-non-maintainer-change -->\n\nHello @${PR_AUTHOR}! It looks like this pull request touches one of our dependency or CI files, and per [our contribution policy](https://github.com/electron/electron/blob/main/CONTRIBUTING.md#dependencies-upgrades-policy) we do not accept these types of changes in PRs." | gh pr review $PR_URL -r --body-file=-
--- a/.github/workflows/pipeline-electron-build-and-tidy-and-test-and-nan.yml
+++ b/.github/workflows/pipeline-electron-build-and-tidy-and-test-and-nan.yml
@@ -1,124 +0,0 @@
-name: Electron Build & Clang Tidy & Test (+ Node + NaN) Pipeline
-
-on:
-  workflow_call:
-    inputs:
-      target-platform:
-        type: string
-        description: 'Platform to run on, can be macos, win or linux.'
-        required: true
-      target-arch:
-        type: string
-        description: 'Arch to build for, can be x64, arm64 or arm'
-        required: true
-      build-runs-on:
-        type: string
-        description: 'What host to run the build'
-        required: true
-      clang-tidy-runs-on:
-        type: string
-        description: 'What host to run clang-tidy on'
-        required: true
-      test-runs-on:
-        type: string
-        description: 'What host to run the tests on'
-        required: true
-      build-container:
-        type: string
-        description: 'JSON container information for aks runs-on'
-        required: false
-        default: '{"image":null}'
-      clang-tidy-container:
-        type: string
-        description: 'JSON container information to run clang-tidy on'
-        required: false
-        default: '{"image":null}'
-      test-container:
-        type: string
-        description: 'JSON container information for testing'
-        required: false
-        default: '{"image":null}'
-      is-release:
-        description: 'Whether this build job is a release job'
-        required: true
-        type: boolean
-        default: false
-      gn-build-type:
-        description: 'The gn build type - testing or release'
-        required: true
-        type: string
-        default: testing
-      generate-symbols: 
-        description: 'Whether or not to generate symbols'
-        required: true
-        type: boolean
-        default: false
-      upload-to-storage: 
-        description: 'Whether or not to upload build artifacts to external storage'
-        required: true
-        type: string
-        default: '0'
-      is-asan: 
-        description: 'Building the Address Sanitizer (ASan) Linux build'
-        required: false
-        type: boolean
-        default: false
-
-permissions: {}
-
-concurrency:
-  group: electron-build-and-test-and-nan-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
-  cancel-in-progress: ${{ github.ref_protected != true }}
-
-jobs:
-  build:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
-    permissions:
-      contents: read
-    with:
-      build-runs-on: ${{ inputs.build-runs-on }}
-      build-container: ${{ inputs.build-container }}
-      target-platform: ${{ inputs.target-platform }}
-      target-arch: ${{ inputs.target-arch }}
-      is-release: ${{ inputs.is-release }}
-      gn-build-type: ${{ inputs.gn-build-type }}
-      generate-symbols: ${{ inputs.generate-symbols }}
-      upload-to-storage: ${{ inputs.upload-to-storage }}
-      upload-out-gen-artifacts: true
-    secrets: inherit
-  clang-tidy:
-    uses: ./.github/workflows/pipeline-segment-electron-clang-tidy.yml
-    permissions:
-      contents: read
-    needs: build
-    with:
-      clang-tidy-runs-on: ${{ inputs.clang-tidy-runs-on }}
-      clang-tidy-container: ${{ inputs.clang-tidy-container }}
-      target-platform: ${{ inputs.target-platform }}
-      target-arch: ${{ inputs.target-arch }}
-    secrets: inherit
-  test:
-    uses: ./.github/workflows/pipeline-segment-electron-test.yml
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
-    needs: build
-    with:
-      target-arch: ${{ inputs.target-arch }}
-      target-platform: ${{ inputs.target-platform }}
-      test-runs-on: ${{ inputs.test-runs-on }}
-      test-container: ${{ inputs.test-container }}
-    secrets: inherit
-  nn-test:
-    uses: ./.github/workflows/pipeline-segment-node-nan-test.yml
-    permissions:
-      contents: read
-    needs: build
-    with:
-      target-arch: ${{ inputs.target-arch }}
-      target-platform: ${{ inputs.target-platform }}
-      test-runs-on: ${{ inputs.test-runs-on }}
-      test-container: ${{ inputs.test-container }}
-      gn-build-type: ${{ inputs.gn-build-type }}
-    secrets: inherit
--- a/.github/workflows/pipeline-electron-build-and-tidy-and-test.yml
+++ b/.github/workflows/pipeline-electron-build-and-tidy-and-test.yml
@@ -1,121 +0,0 @@
-name: Electron Build & Clang Tidy & Test Pipeline
-
-on:
-  workflow_call:
-    inputs:
-      target-platform:
-        type: string
-        description: 'Platform to run on, can be macos, win or linux'
-        required: true
-      target-arch:
-        type: string
-        description: 'Arch to build for, can be x64, arm64 or arm'
-        required: true
-      build-runs-on:
-        type: string
-        description: 'What host to run the build'
-        required: true
-      clang-tidy-runs-on:
-        type: string
-        description: 'What host to run clang-tidy on'
-        required: true
-      test-runs-on:
-        type: string
-        description: 'What host to run the tests on'
-        required: true
-      build-container:
-        type: string
-        description: 'JSON container information for aks runs-on'
-        required: false
-        default: '{"image":null}'
-      clang-tidy-container:
-        type: string
-        description: 'JSON container information to run clang-tidy on'
-        required: false
-        default: '{"image":null}'
-      test-container:
-        type: string
-        description: 'JSON container information for testing'
-        required: false
-        default: '{"image":null}'
-      is-release:
-        description: 'Whether this build job is a release job'
-        required: true
-        type: boolean
-        default: false
-      gn-build-type:
-        description: 'The gn build type - testing or release'
-        required: true
-        type: string
-        default: testing
-      generate-symbols: 
-        description: 'Whether or not to generate symbols'
-        required: true
-        type: boolean
-        default: false
-      upload-to-storage: 
-        description: 'Whether or not to upload build artifacts to external storage'
-        required: true
-        type: string
-        default: '0'
-      is-asan: 
-        description: 'Building the Address Sanitizer (ASan) Linux build'
-        required: false
-        type: boolean
-        default: false
-      enable-ssh:
-        description: 'Enable SSH debugging'
-        required: false
-        type: boolean
-        default: false
-
-concurrency:
-  group: electron-build-and-tidy-and-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
-  cancel-in-progress: ${{ github.ref_protected != true }}
-
-permissions: {}
-
-jobs:
-  build:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
-    permissions:
-      contents: read
-    with:
-      build-runs-on: ${{ inputs.build-runs-on }}
-      build-container: ${{ inputs.build-container }}
-      target-platform: ${{ inputs.target-platform }}
-      target-arch: ${{ inputs.target-arch }}
-      is-release: ${{ inputs.is-release }}
-      gn-build-type: ${{ inputs.gn-build-type }}
-      generate-symbols: ${{ inputs.generate-symbols }}
-      upload-to-storage: ${{ inputs.upload-to-storage }}
-      is-asan: ${{ inputs.is-asan }}
-      enable-ssh: ${{ inputs.enable-ssh }}
-      upload-out-gen-artifacts: true
-    secrets: inherit
-  clang-tidy:
-    uses: ./.github/workflows/pipeline-segment-electron-clang-tidy.yml
-    permissions:
-      contents: read
-    needs: build
-    with:
-      clang-tidy-runs-on: ${{ inputs.clang-tidy-runs-on }}
-      clang-tidy-container: ${{ inputs.clang-tidy-container }}
-      target-platform: ${{ inputs.target-platform }}
-      target-arch: ${{ inputs.target-arch }}
-    secrets: inherit
-  test:
-    uses: ./.github/workflows/pipeline-segment-electron-test.yml
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
-    needs: build
-    with:
-      target-arch: ${{ inputs.target-arch }}
-      target-platform: ${{ inputs.target-platform }}
-      test-runs-on: ${{ inputs.test-runs-on }}
-      test-container: ${{ inputs.test-container }}
-      is-asan: ${{ inputs.is-asan }}
-      enable-ssh: ${{ inputs.enable-ssh }}
-    secrets: inherit
--- a/.github/workflows/pipeline-electron-docs-only.yml
+++ b/.github/workflows/pipeline-electron-docs-only.yml
@@ -27,7 +27,7 @@ jobs:
    container: ${{ fromJSON(inputs.container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -35,7 +35,7 @@ jobs:
    - name: Generate DEPS Hash
      run: |
        node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
+        DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
        echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
        echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
    - name: Restore src cache via AKS
@@ -43,7 +43,7 @@ jobs:
      with:
        target-platform: linux
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
--- a/.github/workflows/pipeline-electron-lint.yml
+++ b/.github/workflows/pipeline-electron-lint.yml
@@ -27,7 +27,7 @@ jobs:
    container: ${{ fromJSON(inputs.container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -46,7 +46,11 @@ jobs:
      shell: bash
      run: |
        chromium_revision="$(grep -A1 chromium_version src/electron/DEPS | tr -d '\n' | cut -d\' -f4)"
-        gn_version="$(curl -sL "https://chromium.googlesource.com/chromium/src/+/${chromium_revision}/DEPS?format=TEXT" | base64 -d | grep gn_version | head -n1 | cut -d\' -f4)"
+        if [[ ! "$chromium_revision" =~ ^[a-zA-Z0-9._-]+$ ]]; then
+          echo "::error::Invalid chromium_revision: $chromium_revision"
+          exit 1
+        fi
+        gn_version="$(curl -sL "https://raw.githubusercontent.com/chromium/chromium/refs/tags/${chromium_revision}/DEPS" | grep gn_version | head -n1 | cut -d\' -f4)"

        cipd ensure -ensure-file - -root . <<-CIPD
        \$ServiceURL https://chrome-infra-packages.appspot.com/
@@ -60,14 +64,20 @@ jobs:
      shell: bash
      run: |
        chromium_revision="$(grep -A1 chromium_version src/electron/DEPS | tr -d '\n' | cut -d\' -f4)"
+        if [[ ! "$chromium_revision" =~ ^[a-zA-Z0-9._-]+$ ]]; then
+          echo "::error::Invalid chromium_revision: $chromium_revision"
+          exit 1
+        fi

        mkdir -p src/buildtools
-        curl -sL "https://chromium.googlesource.com/chromium/src/+/${chromium_revision}/buildtools/DEPS?format=TEXT" | base64 -d > src/buildtools/DEPS
+        curl -sL "https://raw.githubusercontent.com/chromium/chromium/refs/tags/${chromium_revision}/buildtools/DEPS" > src/buildtools/DEPS

        gclient sync --spec="solutions=[{'name':'src/buildtools','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':True},'managed':False}]"
-    - name: Add ESLint problem matcher
+    - name: Add problem matchers
      shell: bash
-      run: echo "::add-matcher::src/electron/.github/problem-matchers/eslint-stylish.json"
+      run: |
+        echo "::add-matcher::src/electron/.github/problem-matchers/eslint-stylish.json"
+        echo "::add-matcher::src/electron/.github/problem-matchers/markdownlint.json"
    - name: Run Lint
      shell: bash
      run: |
--- a/.github/workflows/pipeline-segment-electron-build.yml
+++ b/.github/workflows/pipeline-segment-electron-build.yml
@@ -53,11 +53,6 @@ on:
        required: false
        type: boolean
        default: false
-      upload-out-gen-artifacts:
-        description: 'Whether to upload the src/gen artifacts'
-        required: false
-        type: boolean
-        default: false
      enable-ssh:
        description: 'Enable SSH debugging'
        required: false
@@ -100,7 +95,7 @@ jobs:
      run: |
        mkdir src
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -124,7 +119,7 @@ jobs:
      run: df -h
    - name: Setup Node.js/npm
      if: ${{ inputs.target-platform == 'macos' }}
-      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
      with:
        node-version: 22.21.x
        cache: yarn
@@ -156,7 +151,7 @@ jobs:
    - name: Generate DEPS Hash
      run: |
        node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
+        DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
        echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
        echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
    - name: Restore src cache via AZCopy
@@ -168,7 +163,7 @@ jobs:
      if: ${{ inputs.target-platform == 'linux' }}
      uses: ./src/electron/.github/actions/restore-cache-aks
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -206,7 +201,6 @@ jobs:
        generate-symbols: '${{ inputs.generate-symbols }}'
        upload-to-storage: '${{ inputs.upload-to-storage }}'
        is-asan: '${{ inputs.is-asan }}'
-        upload-out-gen-artifacts: '${{ inputs.upload-out-gen-artifacts }}'
    - name: Set GN_EXTRA_ARGS for MAS Build
      if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' || inputs.target-variant == 'mas') }}
      run: |
--- a/.github/workflows/pipeline-segment-electron-clang-tidy.yml
+++ b/.github/workflows/pipeline-segment-electron-clang-tidy.yml
@@ -1,159 +0,0 @@
-name: Pipeline Segment - Electron Clang-Tidy
-
-on:
-  workflow_call:
-    inputs:
-      target-platform:
-        type: string
-        description: 'Platform to run on, can be macos, win or linux'
-        required: true
-      target-arch:
-        type: string
-        description: 'Arch to build for, can be x64, arm64 or arm'
-        required: true
-      clang-tidy-runs-on:
-        type: string
-        description: 'What host to run clang-tidy on'
-        required: true
-      clang-tidy-container:
-        type: string
-        description: 'JSON container information for aks runs-on'
-        required: false
-        default: '{"image":null}'
-
-permissions: {}
-
-concurrency:
-  group: electron-clang-tidy-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  GCLIENT_EXTRA_ARGS: ${{ inputs.target-platform == 'macos' && '--custom-var=checkout_mac=True --custom-var=host_os=mac' || (inputs.target-platform == 'linux' && '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True' || '--custom-var=checkout_win=True') }}
-  ELECTRON_OUT_DIR: Default
-
-jobs:
-  clang-tidy:
-    defaults:
-      run:
-        shell: bash
-    runs-on: ${{ inputs.clang-tidy-runs-on }}
-    permissions:
-      contents: read
-    container: ${{ fromJSON(inputs.clang-tidy-container) }}
-    env:
-      BUILD_TYPE: ${{ inputs.target-platform == 'macos' && 'darwin' || inputs.target-platform }}
-      TARGET_ARCH: ${{ inputs.target-arch }}
-      TARGET_PLATFORM: ${{ inputs.target-platform }}
-      ARTIFACT_KEY: ${{ inputs.target-platform == 'macos' && 'darwin' || inputs.target-platform }}_${{ inputs.target-arch }}
-    steps:
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        path: src/electron
-        fetch-depth: 0
-        ref: ${{ github.event.pull_request.head.sha }}
-    - name: Cleanup disk space on macOS
-      if: ${{ inputs.target-platform == 'macos' }}
-      shell: bash
-      run: |   
-        sudo mkdir -p $TMPDIR/del-target
-
-        tmpify() {
-          if [ -d "$1" ]; then
-            sudo mv "$1" $TMPDIR/del-target/$(echo $1|shasum -a 256|head -n1|cut -d " " -f1)
-          fi
-        }   
-        tmpify /Library/Developer/CoreSimulator
-        tmpify ~/Library/Developer/CoreSimulator
-        sudo rm -rf $TMPDIR/del-target
-    - name: Check disk space after freeing up space
-      if: ${{ inputs.target-platform == 'macos' }}
-      run: df -h
-    - name: Set Chromium Git Cookie
-      uses: ./src/electron/.github/actions/set-chromium-cookie
-    - name: Install Build Tools
-      uses: ./src/electron/.github/actions/install-build-tools
-    - name: Enable windows toolchain
-      if: ${{ inputs.target-platform == 'win' }}
-      run: |
-        echo "ELECTRON_DEPOT_TOOLS_WIN_TOOLCHAIN=1" >> $GITHUB_ENV
-    - name: Generate DEPS Hash
-      run: |
-        node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
-        echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
-        echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
-    - name: Restore src cache via AZCopy
-      if: ${{ inputs.target-platform == 'macos' }}
-      uses: ./src/electron/.github/actions/restore-cache-azcopy
-      with:
-        target-platform: ${{ inputs.target-platform }}      
-    - name: Restore src cache via AKS
-      if: ${{ inputs.target-platform == 'linux' || inputs.target-platform == 'win' }}
-      uses: ./src/electron/.github/actions/restore-cache-aks
-      with:
-        target-platform: ${{ inputs.target-platform }}
-    - name: Run Electron Only Hooks
-      run: |
-        echo "solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False},'managed':False}]" > tmpgclient
-        if [ "${{ inputs.target-platform }}" = "win" ]; then
-          echo "solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False,'install_sysroot':False,'checkout_win':True},'managed':False}]" > tmpgclient
-          echo "target_os=['win']" >> tmpgclient
-        fi
-        e d gclient runhooks --gclientfile=tmpgclient
-
-        # Fix VS Toolchain
-        if [ "${{ inputs.target-platform }}" = "win" ]; then
-          rm -rf src/third_party/depot_tools/win_toolchain/vs_files
-          e d python3 src/build/vs_toolchain.py update --force
-        fi
-    - name: Regenerate DEPS Hash
-      run: |
-        (cd src/electron && git checkout .) && node src/electron/script/generate-deps-hash.js
-        echo "DEPSHASH=$(cat src/electron/.depshash)" >> $GITHUB_ENV
-    - name: Add CHROMIUM_BUILDTOOLS_PATH to env
-      run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        path: src/electron
-        fetch-depth: 0
-        ref: ${{ github.event.pull_request.head.sha }}
-    - name: Install Dependencies
-      uses: ./src/electron/.github/actions/install-dependencies
-    - name: Default GN gen
-      run: |
-        cd src/electron
-        git pack-refs
-    - name: Download Out Gen Artifacts
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
-      with:
-        name: out_gen_artifacts_${{ env.ARTIFACT_KEY }}
-        path: ./src/out/${{ env.ELECTRON_OUT_DIR }}/gen
-    - name: Add Clang problem matcher
-      shell: bash
-      run: echo "::add-matcher::src/electron/.github/problem-matchers/clang.json"
-    - name: Run Clang-Tidy
-      run: |
-        e init -f --root=$(pwd) --out=${ELECTRON_OUT_DIR} testing --target-cpu ${TARGET_ARCH}
-
-        export GN_EXTRA_ARGS="target_cpu=\"${TARGET_ARCH}\""
-        if [ "${{ inputs.target-platform }}" = "win" ]; then
-          export GN_EXTRA_ARGS="$GN_EXTRA_ARGS use_v8_context_snapshot=true target_os=\"win\""
-        fi
-
-        e build --only-gen
-
-        cd src/electron
-        node script/yarn.js lint:clang-tidy --jobs 8 --out-dir ../out/${ELECTRON_OUT_DIR}
-    - name: Remove Clang problem matcher
-      shell: bash
-      run: echo "::remove-matcher owner=clang::"
-    - name: Wait for active SSH sessions
-      if: always() && !cancelled()
-      shell: bash
-      run: |
-        while [ -f /var/.ssh-lock ]
-        do
-          sleep 60
-        done
--- a/.github/workflows/pipeline-segment-electron-gn-check.yml
+++ b/.github/workflows/pipeline-segment-electron-gn-check.yml
@@ -48,7 +48,7 @@ jobs:
    container: ${{ fromJSON(inputs.check-container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -81,7 +81,7 @@ jobs:
    - name: Generate DEPS Hash
      run: |
        node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
+        DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
        echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
        echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
    - name: Restore src cache via AZCopy
@@ -115,7 +115,7 @@ jobs:
    - name: Add CHROMIUM_BUILDTOOLS_PATH to env
      run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
--- a/.github/workflows/pipeline-segment-electron-publish.yml
+++ b/.github/workflows/pipeline-segment-electron-publish.yml
@@ -56,11 +56,6 @@ on:
        required: false
        type: boolean
        default: false
-      upload-out-gen-artifacts:
-        description: Whether to upload the src/gen artifacts
-        required: false
-        type: boolean
-        default: false
      enable-ssh:
        description: Enable SSH debugging
        required: false
@@ -93,6 +88,7 @@ jobs:
        shell: bash
    runs-on: ${{ inputs.build-runs-on }}
    permissions:
+      artifact-metadata: write
      attestations: write
      contents: read
      id-token: write
@@ -106,7 +102,7 @@ jobs:
        run: |
          mkdir src
      - name: Checkout Electron
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          path: src/electron
          fetch-depth: 0
@@ -131,7 +127,7 @@ jobs:
        run: df -h
      - name: Setup Node.js/npm
        if: ${{ inputs.target-platform == 'macos' }}
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
        with:
          node-version: 22.21.x
          cache: yarn
@@ -164,7 +160,7 @@ jobs:
      - name: Generate DEPS Hash
        run: |
          node src/electron/script/generate-deps-hash.js
-          DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
+          DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
          echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
          echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
      - name: Restore src cache via AZCopy
@@ -176,7 +172,7 @@ jobs:
        if: ${{ inputs.target-platform == 'linux' }}
        uses: ./src/electron/.github/actions/restore-cache-aks
      - name: Checkout Electron
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          path: src/electron
          fetch-depth: 0
@@ -220,7 +216,6 @@ jobs:
          generate-symbols: ${{ inputs.generate-symbols }}
          upload-to-storage: ${{ inputs.upload-to-storage }}
          is-asan: ${{ inputs.is-asan }}
-          upload-out-gen-artifacts: ${{ inputs.upload-out-gen-artifacts }}
      - name: Set GN_EXTRA_ARGS for MAS Build
        if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' ||
          inputs.target-variant == 'mas') }}
--- a/.github/workflows/pipeline-segment-electron-test.yml
+++ b/.github/workflows/pipeline-segment-electron-test.yml
@@ -43,6 +43,8 @@ env:
  ELECTRON_OUT_DIR: Default
  ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
  ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }}
+  # @sentry/cli is only needed by release upload-symbols.py; skip the ~17MB CDN download on test jobs
+  SENTRYCLI_SKIP_DOWNLOAD: 1

 jobs:
  test:
@@ -72,7 +74,7 @@ jobs:
        cp $(which node) /mnt/runner-externals/node24/bin/
    - name: Setup Node.js/npm
      if: ${{ inputs.target-platform == 'win' }}
-      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
      with:
        node-version: 22.21.x
    - name: Add TCC permissions on macOS
@@ -119,7 +121,7 @@ jobs:
      if: ${{ inputs.target-platform == 'macos' }}
      run: sudo xcode-select --switch /Applications/Xcode_16.4.app
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -191,15 +193,25 @@ jobs:
      run: |
        cd src/out/Default
        unzip -:o dist.zip
-    #- name: Import & Trust Self-Signed Codesigning Cert on MacOS
-    #  if: ${{ inputs.target-platform == 'macos' && inputs.target-arch == 'x64' }}
-    #  run: |
-    #    sudo security authorizationdb write com.apple.trust-settings.admin allow
-    #    cd src/electron
-    #    ./script/codesign/generate-identity.sh
+    - name: Import & Trust Self-Signed Codesigning Cert on MacOS
+      if: ${{ inputs.target-platform == 'macos' }}
+      run: |
+        cd src/electron
+        ./script/codesign/generate-identity.sh
+    # Only sign on x64 — arm64 builds are already ad-hoc signed, and re-signing
+    # with an untrusted cert breaks macOS system integrations (e.g. dock bounce).
+    # Autoupdater tests sign their own fixture copies via signApp().
+    - name: Sign Electron.app for macOS tests
+      if: ${{ inputs.target-platform == 'macos' && inputs.target-arch == 'x64' }}
+      run: |
+        identity=$(src/electron/script/codesign/get-trusted-identity.sh)
+        if [ -n "$identity" ]; then
+          codesign -s "$identity" --deep --force src/out/Default/Electron.app
+        fi

    - name: Run Electron Tests
      shell: bash
+      timeout-minutes: 40
      env:
        MOCHA_REPORTER: mocha-multi-reporters
        MOCHA_MULTI_REPORTERS: mocha-junit-reporter, tap
@@ -250,6 +262,19 @@ jobs:
            
          fi
        fi
+    - name: Take screenshot on timeout or cancellation
+      if: ${{ inputs.target-platform != 'linux' && (cancelled() || failure()) }}
+      shell: bash
+      run: |
+        screenshot_dir="src/electron/spec/artifacts"
+        mkdir -p "$screenshot_dir"
+        screenshot_file="$screenshot_dir/screenshot-timeout-$(date +%Y%m%d%H%M%S).png"
+        if [ "${{ inputs.target-platform }}" = "macos" ]; then
+          screencapture -x "$screenshot_file" || true
+        elif [ "${{ inputs.target-platform }}" = "win" ]; then
+          powershell -command "Add-Type -AssemblyName System.Windows.Forms; \$screen = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds; \$bitmap = New-Object System.Drawing.Bitmap(\$screen.Width, \$screen.Height); \$graphics = [System.Drawing.Graphics]::FromImage(\$bitmap); \$graphics.CopyFromScreen(\$screen.Location, [System.Drawing.Point]::Empty, \$screen.Size); \$bitmap.Save('$screenshot_file')" || true
+        fi
+
    - name: Upload Test results to Datadog
      env:
        DD_ENV: ci
@@ -265,8 +290,8 @@ jobs:
        fi
      if: always() && !cancelled()
    - name: Upload Test Artifacts
-      if: always() && !cancelled()
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
+      if: always()
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
      with:
        name: test_artifacts_${{ env.ARTIFACT_KEY }}_${{ matrix.shard }}
        path: src/electron/spec/artifacts
--- a/.github/workflows/pipeline-segment-node-nan-test.yml
+++ b/.github/workflows/pipeline-segment-node-nan-test.yml
@@ -36,6 +36,8 @@ env:
  CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
  ELECTRON_OUT_DIR: Default
  ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
+  # @sentry/cli is only needed by release upload-symbols.py; skip the ~17MB CDN download on test jobs
+  SENTRYCLI_SKIP_DOWNLOAD: 1

 jobs:
  node-tests:
@@ -50,7 +52,7 @@ jobs:
    container: ${{ fromJSON(inputs.test-container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -106,7 +108,7 @@ jobs:
    container: ${{ fromJSON(inputs.test-container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
--- a/.github/workflows/pull-request-labeled.yml
+++ b/.github/workflows/pull-request-labeled.yml
@@ -4,6 +4,10 @@ on:
  pull_request_target:
    types: [labeled]

+# SECURITY: This workflow uses pull_request_target and has access to secrets.
+# Do NOT checkout or run code from the PR head. All code execution must use
+# the base branch only. Adding a ref to PR head would expose secrets to
+# untrusted code.
 permissions: {}

 jobs:
@@ -32,7 +36,7 @@ jobs:
    permissions: {}
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
        id: generate-token
        with:
          creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}
@@ -44,35 +48,3 @@ jobs:
          project-number: 94
          field: Status
          field-value: ✅ Reviewed
-  pull-request-labeled-ai-pr:
-    name: ai-pr label added
-    if: github.event.label.name == 'ai-pr'
-    runs-on: ubuntu-latest
-    permissions: {}
-    steps:
-    - name: Generate GitHub App token
-      uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
-      id: generate-token
-      with:
-        creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
-    - name: Create comment
-      uses: actions-cool/issues-helper@e2ff99831a4f13625d35064e2b3dfe65c07a0396 # v3.7.5
-      with:
-        actions: 'create-comment'
-        token: ${{ steps.generate-token.outputs.token }}
-        issue-number: ${{ github.event.pull_request.number }}
-        body: |
-          <!-- ai-pr -->
-
-          *AI PR Detected*
-
-          Hello @${{ github.event.pull_request.user.login }}. Due to the high amount of AI spam PRs we receive, if a PR is detected to be majority AI-generated without disclosure and untested, we will automatically close the PR.
-
-          We welcome the use of AI tools, as long as the PR meets our quality standards and has clearly been built and tested. If you believe your PR was closed in error, we welcome you to resubmit. However, please read our [CONTRIBUTING.md](http://contributing.md/) carefully before reopening. Thanks for your contribution.
-    - name: Close the pull request
-      env:
-        GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
-        GH_REPO: electron/electron
-        PR_NUMBER: ${{ github.event.pull_request.number }}
-      run: |
-        gh pr close "$PR_NUMBER"
--- a/.github/workflows/pull-request-opened-synchronized.yml
+++ b/.github/workflows/pull-request-opened-synchronized.yml
@@ -0,0 +1,39 @@
+name: Pull Request Opened/Synchronized
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+
+# SECURITY: This workflow uses pull_request_target and has access to secrets.
+# Do NOT checkout or run code from the PR head. All code execution must use
+# the base branch only. Adding a ref to PR head would expose secrets to
+# untrusted code.
+permissions: {}
+
+jobs:
+  check-signed-commits:
+    name: Check signed commits in PR
+    if: ${{ !contains(github.event.pull_request.labels.*.name, 'needs-signed-commits')}}
+    runs-on: ubuntu-slim
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Check signed commits in PR
+        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
+        with:
+          comment: |
+            ⚠️ This PR contains unsigned commits. This repository enforces [commit signatures](https://docs.github.com/en/authentication/managing-commit-signature-verification) 
+            for all incoming PRs. To get your PR merged, please sign those commits 
+            (`git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}`) and force push them to this branch 
+            (`git push --force-with-lease`)
+
+            For more information on signing commits, see GitHub's documentation on [Telling Git about your signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key).
+
+      - name: Add needs-signed-commits label
+        if: ${{ failure() }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          gh pr edit $PR_URL --add-label needs-signed-commits
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -13,7 +13,6 @@ permissions: read-all
 jobs:
  analysis:
    name: Scorecards analysis
-    if: github.repository == 'electron/electron'
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
@@ -23,7 +22,7 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@@ -51,6 +50,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v3.29.5
+        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v3.29.5
        with:
          sarif_file: results.sarif
--- a/.github/workflows/stable-prep-items.yml
+++ b/.github/workflows/stable-prep-items.yml
@@ -10,12 +10,11 @@ permissions: {}
 jobs:
  check-stable-prep-items:
    name: Check Stable Prep Items
-    if: github.repository == 'electron/electron'
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
        id: generate-token
        with:
          creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -9,12 +9,11 @@ permissions: {}

 jobs:
  stale:
-    if: github.repository == 'electron/electron'
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -34,11 +33,11 @@ jobs:
  pending-repro:
    runs-on: ubuntu-latest
    permissions: {}
-    if: ${{ always() && github.repository == 'electron/electron' }}
+    if: ${{ always() }}
    needs: stale
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
--- a/.github/workflows/update-website-docs.yml
+++ b/.github/workflows/update-website-docs.yml
@@ -31,7 +31,7 @@ jobs:
            echo "isLatestRelease=false" >> $GITHUB_OUTPUT
          fi
      - name: Trigger website docs update
-        if: ${{ steps.check-if-latest-release.outputs.isLatestRelease }}
+        if: ${{ steps.check-if-latest-release.outputs.isLatestRelease == 'true' }}
        env:
          GH_REPO: electron/website
          GH_TOKEN: ${{ fromJSON(steps.secret-service.outputs.secrets).WEBSITE_DOCS_UPDATER_APP_TOKEN }}
--- a/.github/workflows/windows-publish.yml
+++ b/.github/workflows/windows-publish.yml
@@ -22,7 +22,6 @@ permissions: {}

 jobs:
  checkout-windows:
-    if: github.repository == 'electron/electron'
    runs-on: electron-arc-centralus-linux-amd64-32core
    permissions:
      contents: read
@@ -41,7 +40,7 @@ jobs:
      build-image-sha: ${{ inputs.build-image-sha }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
      with:
        path: src/electron
        fetch-depth: 0
@@ -54,6 +53,7 @@ jobs:
  publish-x64-win:
    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
      attestations: write
      contents: read
      id-token: write
@@ -72,6 +72,7 @@ jobs:
  publish-arm64-win:
    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
      attestations: write
      contents: read
      id-token: write
@@ -90,6 +91,7 @@ jobs:
  publish-x86-win:
    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
      attestations: write
      contents: read
      id-token: write
--- a/.gitignore
+++ b/.gitignore
@@ -42,6 +42,7 @@ spec/.hash

 # Generated native addon files
 /spec/fixtures/native-addon/echo/build/
+/spec/fixtures/native-addon/dialog-helper/build/

 # If someone runs tsc this is where stuff will end up
 ts-gen
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@@ -9,4 +9,8 @@ npmMinimalAgeGate: 10080
 npmPreapprovedPackages:
  - "@electron/*"

+httpProxy: "${HTTP_PROXY:-}"
+
+httpsProxy: "${HTTPS_PROXY:-}"
+
 yarnPath: .yarn/releases/yarn-4.12.0.cjs
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -127,6 +127,22 @@ patches/{target}/*.patch  →  [e sync --3]  →  target repo commits
 2. Create a git commit
 3. Run `e patches <target>` to export

+**Fixing patch conflicts on an existing PR:**
+
+If asked to fix a patch conflict on a branch that already has an open PR, check the PR's failed **Apply Patches** CI run for an `update-patches` artifact before running `e sync` locally. CI has already performed the 3-way merge and exported the resolved patch diff — applying it is much faster than a full local sync.
+
+```bash
+# Find the failed Apply Patches run for the PR and download the artifact
+gh run list --repo electron/electron --branch <pr-branch> --workflow "Apply Patches" --limit 1
+gh run download <run-id> --repo electron/electron --name update-patches
+
+# Apply the CI-generated fix, then push
+git am update-patches.patch
+git push
+```
+
+If no artifact exists (e.g. the 3-way merge itself failed), fall back to `e sync --3` and resolve manually.
+
 ## Testing

 **Test location:** `spec/` directory
@@ -155,6 +171,10 @@ e test                    # Run full test suite

 When working on the `roller/chromium/main` branch to upgrade Chromium activate the "Electron Chromium Upgrade" skill.

+## Pull Requests
+
+PR bodies must always include a `Notes:` section as the **last line** of the body. This is a consumer-facing release note for Electron app developers — describe the user-visible fix or change, not internal implementation details. Use `Notes: none` if there is no user-facing change.
+
 ## Code Style

 **C++:** Follows Chromium style, enforced by clang-format
--- a/6
+++ b/6
@@ -2,9 +2,9 @@ gclient_gn_args_from = 'src'

 vars = {
  'chromium_version':
-    '146.0.7650.0',
+    '146.0.7680.179',
  'node_version':
-    'v24.13.0',
+    'v24.14.0',
  'nan_version':
    '675cefebca42410733da8a454c8d9391fcebfbc2',
  'squirrel.mac_version':
@@ -12,7 +12,7 @@ vars = {
  'reactiveobjc_version':
    '74ab5baccc6f7202c8ac69a8d1e152c29dc1ea76',
  'mantle_version':
-    '2a8e2123a3931038179ee06105c9e6ec336b12ea',
+    '78d3966b3c331292ea29ec38661b25df0a245948',
  'engflow_reclient_configs_version':
    '955335c30a752e9ef7bff375baab5e0819b6c00d',

--- a/build/args/all.gn
+++ b/build/args/all.gn
@@ -51,9 +51,6 @@ is_cfi = false
 use_qt5 = false
 use_qt6 = false

-# Disables the builtins PGO for V8
-v8_builtins_profiling_log_file = ""
-
 # https://chromium.googlesource.com/chromium/src/+/main/docs/dangling_ptr.md
 # TODO(vertedinde): hunt down dangling pointers on Linux
 enable_dangling_raw_ptr_checks = false
--- a/build/fuses/fuses.json5
+++ b/build/fuses/fuses.json5
@@ -9,5 +9,6 @@
  "embedded_asar_integrity_validation": "0",
  "only_load_app_from_asar": "0",
  "load_browser_process_specific_v8_snapshot": "0",
-  "grant_file_protocol_extra_privileges": "1"
+  "grant_file_protocol_extra_privileges": "1",
+  "wasm_trap_handlers": "1"
 }
--- a/chromium_src/BUILD.gn
+++ b/chromium_src/BUILD.gn
@@ -245,6 +245,10 @@ static_library("chrome") {
      "//chrome/browser/ui/views/dark_mode_manager_linux.cc",
      "//chrome/browser/ui/views/dark_mode_manager_linux.h",
    ]
+    sources += [
+      "//chrome/browser/ui/views/frame/browser_frame_view_paint_utils_linux.cc",
+      "//chrome/browser/ui/views/frame/browser_frame_view_paint_utils_linux.h",
+    ]
    public_deps += [ "//components/dbus" ]
  }

--- a/default_app/main.ts
+++ b/default_app/main.ts
@@ -111,7 +111,10 @@ async function loadApplicationPackage (packagePath: string) {
        app.name = packageJson.name;
      }

-      app.setDesktopName(packageJson.desktopName || `${app.name}.desktop`);
+      // Set application's desktop name (Linux). These usually match the executable name,
+      // so use it as the default to ensure the app gets the correct icon in the taskbar and application switcher.
+      const desktopName = packageJson.desktopName || `${path.basename(process.execPath)}.desktop`;
+      app.setDesktopName(desktopName);

      // Set v8 flags, deliberately lazy load so that apps that do not use this
      // feature do not pay the price
@@ -253,7 +256,7 @@ async function startRepl () {
 if (option.file && !option.webdriver) {
  const file = option.file;
  // eslint-disable-next-line n/no-deprecated-api
-  const protocol = url.parse(file).protocol;
+  const protocol = URL.canParse(file) ? new URL(file).protocol : null;
  const extension = path.extname(file);
  if (protocol === 'http:' || protocol === 'https:' || protocol === 'file:' || protocol === 'chrome:') {
    await loadApplicationByURL(file);
--- a/default_app/styles.css
+++ b/default_app/styles.css
@@ -41,7 +41,7 @@ h4 {
  transform-origin: 50% 50%;
 }

-hero-icon.loop-3 {
+.hero-icon.loop-3 {
  transform: translate(79px, 21px);
  opacity: 1;
 }
--- a/docs/api/app.md
+++ b/docs/api/app.md
@@ -250,7 +250,9 @@ Returns:

 Emitted when the user clicks the native macOS new tab button. The new
 tab button is only visible if the current `BrowserWindow` has a
-`tabbingIdentifier`
+`tabbingIdentifier`.
+
+You must create a window in this handler in order for macOS tabbing to work as expected.

 ### Event: 'browser-window-blur'

@@ -633,7 +635,7 @@ Returns `string` - The current application directory.
 Returns `string` - A path to a special directory or file associated with `name`. On
 failure, an `Error` is thrown.

-If `app.getPath('logs')` is called without called `app.setAppLogsPath()` being called first, a default log directory will be created equivalent to calling `app.setAppLogsPath()` without a `path` parameter.
+If `app.getPath('logs')` is called without calling `app.setAppLogsPath()` being called first, a default log directory will be created equivalent to calling `app.setAppLogsPath()` without a `path` parameter.

 ### `app.getFileIcon(path[, options])`

@@ -648,7 +650,7 @@ Returns `Promise<NativeImage>` - fulfilled with the app's icon, which is a [Nati

 Fetches a path's associated icon.

-On _Windows_, there a 2 kinds of icons:
+On _Windows_, there are 2 kinds of icons:

 * Icons associated with certain file extensions, like `.mp3`, `.png`, etc.
 * Icons inside the file itself, like `.exe`, `.dll`, `.ico`.
@@ -764,7 +766,7 @@ app.getPreferredSystemLanguages() // ['fr-CA', 'en-US', 'zh-Hans-FI', 'es-419']

 Both the available languages and regions and the possible return values differ between the two operating systems.

-As can be seen with the example above, on Windows, it is possible that a preferred system language has no country code, and that one of the preferred system languages corresponds with the language used for the regional format. On macOS, the region serves more as a default country code: the user doesn't need to have Finnish as a preferred language to use Finland as the region,and the country code `FI` is used as the country code for preferred system languages that do not have associated countries in the language name.
+As can be seen with the example above, on Windows, it is possible that a preferred system language has no country code, and that one of the preferred system languages corresponds with the language used for the regional format. On macOS, the region serves more as a default country code: the user doesn't need to have Finnish as a preferred language to use Finland as the region, and the country code `FI` is used as the country code for preferred system languages that do not have associated countries in the language name.

 ### `app.addRecentDocument(path)` _macOS_ _Windows_

@@ -1122,6 +1124,19 @@ Updates the current activity if its type matches `type`, merging the entries fro

 Changes the [Application User Model ID][app-user-model-id] to `id`.

+### `app.setToastActivatorCLSID(id)` _Windows_
+
+* `id` string
+
+Changes the [Toast Activator CLSID][toast-activator-clsid] to `id`. If one is not set via this method, it will be randomly generated for the app.
+
+* The value must be a valid GUID/CLSID in one of the following forms:
+  * Canonical brace-wrapped: `{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}` (preferred)
+  * Canonical without braces: `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (braces will be added automatically)
+* Hex digits are case-insensitive.
+
+This method should be called early (before showing notifications) so the value is baked into the registration/shortcut. Supplying an empty string or an unparsable value throws and leaves the existing (or generated) CLSID unchanged. If this method is never called, a random CLSID is generated once per run and exposed via `app.toastActivatorCLSID`.
+
 ### `app.setActivationPolicy(policy)` _macOS_

 * `policy` string - Can be 'regular', 'accessory', or 'prohibited'.
@@ -1226,7 +1241,7 @@ Returns `boolean` - whether hardware acceleration is currently enabled.
 ### `app.disableDomainBlockingFor3DAPIs()`

 By default, Chromium disables 3D APIs (e.g. WebGL) until restart on a per
-domain basis if the GPU processes crashes too frequently. This function
+domain basis if the GPU process crashes too frequently. This function
 disables that behavior.

 This method can only be called before app is ready.
@@ -1317,7 +1332,7 @@ Returns `boolean` - Whether the current desktop environment is Unity launcher.
 ### `app.getLoginItemSettings([options])` _macOS_ _Windows_

 * `options` Object (optional)
-  * `type` string (optional) _macOS_ - Can be one of `mainAppService`, `agentService`, `daemonService`, or `loginItemService`. Defaults to `mainAppService`. Only available on macOS 13 and up. See [app.setLoginItemSettings](app.md#appsetloginitemsettingssettings-macos-windows) for more information about each type.
+  * `type` string (optional) _macOS_ - Can be `mainAppService`, `agentService`, `daemonService`, or `loginItemService`. Defaults to `mainAppService`. Only available on macOS 13 and up. See [app.setLoginItemSettings](app.md#appsetloginitemsettingssettings-macos-windows) for more information about each type.
  * `serviceName` string (optional) _macOS_ - The name of the service. Required if `type` is non-default. Only available on macOS 13 and up.
  * `path` string (optional) _Windows_ - The executable path to compare against. Defaults to `process.execPath`.
  * `args` string[] (optional) _Windows_ - The command-line arguments to compare against. Defaults to an empty array.
@@ -1332,13 +1347,13 @@ Returns `Object`:
 * `wasOpenedAtLogin` boolean _macOS_ - `true` if the app was opened at login automatically.
 * `wasOpenedAsHidden` boolean _macOS_ _Deprecated_ - `true` if the app was opened as a hidden login item. This indicates that the app should not open any windows at startup. This setting is not available on [MAS builds][mas-builds] or on macOS 13 and up.
 * `restoreState` boolean _macOS_ _Deprecated_ - `true` if the app was opened as a login item that should restore the state from the previous session. This indicates that the app should restore the windows that were open the last time the app was closed. This setting is not available on [MAS builds][mas-builds] or on macOS 13 and up.
-* `status` string _macOS_ - can be one of `not-registered`, `enabled`, `requires-approval`, or `not-found`.
+* `status` string _macOS_ - can be `not-registered`, `enabled`, `requires-approval`, or `not-found`.
 * `executableWillLaunchAtLogin` boolean _Windows_ - `true` if app is set to open at login and its run key is not deactivated. This differs from `openAtLogin` as it ignores the `args` option, this property will be true if the given executable would be launched at login with **any** arguments.
 * `launchItems` Object[] _Windows_
  * `name` string _Windows_ - name value of a registry entry.
  * `path` string _Windows_ - The executable to an app that corresponds to a registry entry.
  * `args` string[] _Windows_ - the command-line arguments to pass to the executable.
-  * `scope` string _Windows_ - one of `user` or `machine`. Indicates whether the registry entry is under `HKEY_CURRENT USER` or `HKEY_LOCAL_MACHINE`.
+  * `scope` string _Windows_ - can be `user` or `machine`. Indicates whether the registry entry is under `HKEY_CURRENT USER` or `HKEY_LOCAL_MACHINE`.
  * `enabled` boolean _Windows_ - `true` if the app registry key is startup approved and therefore shows as `enabled` in Task Manager and Windows settings.

 ### `app.setLoginItemSettings(settings)` _macOS_ _Windows_
@@ -1704,8 +1719,13 @@ platforms) that allows you to perform actions on your app icon in the user's doc

 A `boolean` property that returns  `true` if the app is packaged, `false` otherwise. For many apps, this property can be used to distinguish development and production environments.

+### `app.toastActivatorCLSID` _Windows_ _Readonly_
+
+A `string` property that returns the app's [Toast Activator CLSID][toast-activator-clsid].
+
 [tasks]:https://learn.microsoft.com/en-us/windows/win32/shell/taskbar-extensions#tasks
 [app-user-model-id]: https://learn.microsoft.com/en-us/windows/win32/shell/appids
+[toast-activator-clsid]: https://learn.microsoft.com/en-us/windows/win32/properties/props-system-appusermodel-toastactivatorclsid
 [electron-forge]: https://www.electronforge.io/
 [electron-packager]: https://github.com/electron/packager
 [CFBundleURLTypes]: https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html#//apple_ref/doc/uid/TP40009249-102207-TPXREF115
--- a/docs/api/base-window.md
+++ b/docs/api/base-window.md
@@ -351,7 +351,11 @@ Emitted when the window has closed a sheet.

 #### Event: 'new-window-for-tab' _macOS_

-Emitted when the native new tab button is clicked.
+Emitted when the user clicks the native macOS new tab button. The new
+tab button is only visible if the current `BrowserWindow` has a
+`tabbingIdentifier`.
+
+You must create a window in this handler in order for macOS tabbing to work as expected.

 #### Event: 'system-context-menu' _Windows_ _Linux_

@@ -1049,7 +1053,7 @@ under this mode apps can choose to optimize their UI for tablets, such as
 enlarging the titlebar and hiding titlebar buttons.

 This API returns whether the window is in tablet mode, and the `resize` event
-can be be used to listen to changes to tablet mode.
+can be used to listen to changes to tablet mode.

 #### `win.getMediaSourceId()`

--- a/docs/api/browser-window.md
+++ b/docs/api/browser-window.md
@@ -435,7 +435,11 @@ Emitted when the window has closed a sheet.

 #### Event: 'new-window-for-tab' _macOS_

-Emitted when the native new tab button is clicked.
+Emitted when the user clicks the native macOS new tab button. The new
+tab button is only visible if the current `BrowserWindow` has a
+`tabbingIdentifier`.
+
+You must create a window in this handler in order for macOS tabbing to work as expected.

 #### Event: 'system-context-menu' _Windows_ _Linux_

@@ -1165,7 +1169,7 @@ under this mode apps can choose to optimize their UI for tablets, such as
 enlarging the titlebar and hiding titlebar buttons.

 This API returns whether the window is in tablet mode, and the `resize` event
-can be be used to listen to changes to tablet mode.
+can be used to listen to changes to tablet mode.

 #### `win.getMediaSourceId()`

--- a/docs/api/client-request.md
+++ b/docs/api/client-request.md
@@ -264,7 +264,7 @@ will not be allowed. The `finish` event is emitted just after the end operation.
 Cancels an ongoing HTTP transaction. If the request has already emitted the
 `close` event, the abort operation will have no effect. Otherwise an ongoing
 event will emit `abort` and `close` events. Additionally, if there is an ongoing
-response object,it will emit the `aborted` event.
+response object, it will emit the `aborted` event.

 #### `request.followRedirect()`

--- a/docs/api/clipboard.md
+++ b/docs/api/clipboard.md
@@ -1,11 +1,20 @@
 # clipboard

+<!--
+```YAML history
+deprecated:
+  - pr-url: https://github.com/electron/electron/pull/48877
+    description: "Using the `clipboard` API directly in the renderer process is deprecated."
+    breaking-changes-header: deprecated-clipboard-api-access-from-renderer-processes
+```
+-->
+
 > Perform copy and paste operations on the system clipboard.

 Process: [Main](../glossary.md#main-process), [Renderer](../glossary.md#renderer-process) _Deprecated_ (non-sandboxed only)

 > [!NOTE]
-> Using the `clipoard` API from the renderer process is deprecated.
+> Using the `clipboard` API from the renderer process is deprecated.

 > [!IMPORTANT]
 > If you want to call this API from a renderer process,
--- a/docs/api/command-line-switches.md
+++ b/docs/api/command-line-switches.md
@@ -172,7 +172,7 @@ Enables net log events to be saved and writes them to `path`.
 Sets the verbosity of logging when used together with `--enable-logging`.
 `N` should be one of [Chrome's LogSeverities][severities].

-Note that two complimentary logging mechanisms in Chromium -- `LOG()`
+Note that two complementary logging mechanisms in Chromium -- `LOG()`
 and `VLOG()` -- are controlled by different switches. `--log-level`
 controls `LOG()` messages, while `--v` and `--vmodule` control `VLOG()`
 messages. So you may want to use a combination of these three switches
@@ -354,6 +354,11 @@ Affects the default output directory of [v8.setHeapSnapshotNearHeapLimit](https:

 Disable exposition of [Navigator API][] on the global scope from Node.js.

+### `--experimental-transform-types`
+
+Enables the [transformation](https://nodejs.org/api/typescript.html#type-stripping)
+of TypeScript-only syntax into JavaScript code.
+
 ## Chromium Flags

 There isn't a documented list of all Chromium switches, but there are a few ways to find them.
@@ -370,6 +375,13 @@ Keep in mind that standalone switches can sometimes be split into individual fea

 Finally, you'll need to ensure that the version of Chromium in Electron matches the version of the browser you're using to cross-reference the switches.

+### Chromium features relevant to Electron apps
+
+* `AlwaysLogLOAFURL`: enables script attribution for
+  [`long-animation-frame`](https://developer.mozilla.org/en-US/docs/Web/API/Performance_API/Long_animation_frame_timing)
+  `PerformanceObserver` events for non-http(s), non-data, non-blob URLs (such as `file:` or custom
+  protocol URLs).
+
 [app]: app.md
 [append-switch]: command-line.md#commandlineappendswitchswitch-value
 [debugging-main-process]: ../tutorial/debugging-main-process.md
--- a/docs/api/content-tracing.md
+++ b/docs/api/content-tracing.md
@@ -33,6 +33,15 @@ The `contentTracing` module has the following methods:

 ### `contentTracing.getCategories()`

+<!--
+```YAML history
+changes:
+  - pr-url: https://github.com/electron/electron/pull/16583
+    description: "This method now returns a Promise instead of using a callback function."
+    breaking-changes-header: api-changed-callback-based-versions-of-promisified-apis
+```
+-->
+
 Returns `Promise<string[]>` - resolves with an array of category groups once all child processes have acknowledged the `getCategories` request

 Get a set of category groups. The category groups can change as new code paths
@@ -44,6 +53,17 @@ are reached. See also the

 ### `contentTracing.startRecording(options)`

+<!--
+```YAML history
+changes:
+  - pr-url: https://github.com/electron/electron/pull/13914
+    description: "The `options` parameter now accepts `TraceConfig` in addition to `TraceCategoriesAndOptions`."
+  - pr-url: https://github.com/electron/electron/pull/16584
+    description: "This function now returns a callback`Promise<void>`."
+    breaking-changes-header: api-changed-callback-based-versions-of-promisified-apis
+```
+-->
+
 * `options` ([TraceConfig](structures/trace-config.md) | [TraceCategoriesAndOptions](structures/trace-categories-and-options.md))

 Returns `Promise<void>` - resolved once all child processes have acknowledged the `startRecording` request.
@@ -58,6 +78,17 @@ only one trace operation can be in progress at a time.

 ### `contentTracing.stopRecording([resultFilePath])`

+<!--
+```YAML history
+changes:
+  - pr-url: https://github.com/electron/electron/pull/16584
+    description: "This method now returns a Promise instead of using a callback function."
+    breaking-changes-header: api-changed-callback-based-versions-of-promisified-apis
+  - pr-url: https://github.com/electron/electron/pull/18411
+    description: "The `resultFilePath` parameter is now optional."
+```
+-->
+
 * `resultFilePath` string (optional)

 Returns `Promise<string>` - resolves with a path to a file that contains the traced data once all child processes have acknowledged the `stopRecording` request
@@ -76,6 +107,15 @@ will be returned in the promise.

 ### `contentTracing.getTraceBufferUsage()`

+<!--
+```YAML history
+changes:
+  - pr-url: https://github.com/electron/electron/pull/16600
+    description: "This method now returns a Promise instead of using a callback function."
+    breaking-changes-header: api-changed-callback-based-versions-of-promisified-apis
+```
+-->
+
 Returns `Promise<Object>` - Resolves with an object containing the `value` and `percentage` of trace buffer maximum usage

 * `value` number
--- a/docs/api/corner-smoothing-css.md
+++ b/docs/api/corner-smoothing-css.md
@@ -49,7 +49,7 @@ Use the `system-ui` keyword to match the smoothness to the OS design language.
 | Value: | `60%` | `0%` |
 | Example: | ![A rectangle with round corners whose smoothness matches macOS](../images/corner-smoothing-example-60.svg) | ![A rectangle with round corners whose smoothness matches Windows and Linux](../images/corner-smoothing-example-0.svg) |

-### Controlling availibility
+### Controlling availability

 This CSS rule can be disabled using the Blink feature flag `ElectronCSSCornerSmoothing`.

--- a/docs/api/crash-reporter.md
+++ b/docs/api/crash-reporter.md
@@ -50,6 +50,22 @@ The `crashReporter` module has the following methods:

 ### `crashReporter.start(options)`

+<!--
+```YAML history
+changes:
+  - pr-url: https://github.com/electron/electron/pull/23062
+    description: "Added `rateLimit` and `compress` options."
+  - pr-url: https://github.com/electron/electron/pull/23265
+    description: "Deprecated calling this method in the renderer process."
+    breaking-changes-header: deprecated-crashreporter-methods-in-the-renderer-process
+  - pr-url: https://github.com/electron/electron/pull/25288
+    description: "Default value of `compress` option changed from `false` to `true`."
+    breaking-changes-header: default-changed-crashreporterstart-compress-true-
+  - pr-url: https://github.com/electron/electron/pull/28105
+    description: "The `submitURL` parameter is now optional when `uploadToServer` is `false`."
+```
+-->
+
 * `options` Object
  * `submitURL` string (optional) - URL that crash reports will be sent to as
    POST. Required unless `uploadToServer` is `false`.
@@ -111,6 +127,15 @@ by the crash reporter.

 ### `crashReporter.getLastCrashReport()`

+<!--
+```YAML history
+changes:
+  - pr-url: https://github.com/electron/electron/pull/23265
+    description: "Deprecated calling this method in the renderer process."
+    breaking-changes-header: deprecated-crashreporter-methods-in-the-renderer-process
+```
+-->
+
 Returns [`CrashReport | null`](structures/crash-report.md) - The date and ID of the
 last crash report. Only crash reports that have been uploaded will be returned;
 even if a crash report is present on disk it will not be returned until it is
@@ -121,6 +146,15 @@ uploaded. In the case that there are no uploaded reports, `null` is returned.

 ### `crashReporter.getUploadedReports()`

+<!--
+```YAML history
+changes:
+  - pr-url: https://github.com/electron/electron/pull/23265
+    description: "Deprecated calling this method in the renderer process."
+    breaking-changes-header: deprecated-crashreporter-methods-in-the-renderer-process
+```
+-->
+
 Returns [`CrashReport[]`](structures/crash-report.md):

 Returns all uploaded crash reports. Each report contains the date and uploaded
@@ -131,6 +165,15 @@ ID.

 ### `crashReporter.getUploadToServer()`

+<!--
+```YAML history
+changes:
+  - pr-url: https://github.com/electron/electron/pull/23265
+    description: "Deprecated calling this method in the renderer process."
+    breaking-changes-header: deprecated-crashreporter-methods-in-the-renderer-process
+```
+-->
+
 Returns `boolean` - Whether reports should be submitted to the server. Set through
 the `start` method or `setUploadToServer`.

@@ -139,6 +182,15 @@ the `start` method or `setUploadToServer`.

 ### `crashReporter.setUploadToServer(uploadToServer)`

+<!--
+```YAML history
+changes:
+  - pr-url: https://github.com/electron/electron/pull/23265
+    description: "Deprecated calling this method in the renderer process."
+    breaking-changes-header: deprecated-crashreporter-methods-in-the-renderer-process
+```
+-->
+
 * `uploadToServer` boolean - Whether reports should be submitted to the server.

 This would normally be controlled by user preferences. This has no effect if
--- a/docs/api/desktop-capturer.md
+++ b/docs/api/desktop-capturer.md
@@ -80,6 +80,17 @@ The `desktopCapturer` module has the following methods:

 ### `desktopCapturer.getSources(options)`

+<!--
+```YAML history
+added:
+  - pr-url: https://github.com/electron/electron/pull/2963
+changes:
+  - pr-url: https://github.com/electron/electron/pull/16427
+    description: "This method now returns a Promise instead of using a callback function."
+    breaking-changes-header: api-changed-callback-based-versions-of-promisified-apis
+```
+-->
+
 * `options` Object
  * `types` string[] - An array of strings that lists the types of desktop sources
    to be captured, available types can be `screen` and `window`.
@@ -94,18 +105,56 @@ The `desktopCapturer` module has the following methods:
 Returns `Promise<DesktopCapturerSource[]>` - Resolves with an array of [`DesktopCapturerSource`](structures/desktop-capturer-source.md) objects, each `DesktopCapturerSource` represents a screen or an individual window that can be captured.

 > [!NOTE]
-> Capturing the screen contents requires user consent on macOS 10.15 Catalina or higher,
-> which can detected by [`systemPreferences.getMediaAccessStatus`][].
+<!-- markdownlint-disable-next-line MD032 -->
+> * Capturing audio requires `NSAudioCaptureUsageDescription` Info.plist key on macOS 14.2 Sonoma and higher - [read more](#macos-versions-142-or-higher).
+> * Capturing the screen contents requires user consent on macOS 10.15 Catalina or higher, which can detected by [`systemPreferences.getMediaAccessStatus`][].

 [`navigator.mediaDevices.getUserMedia`]: https://developer.mozilla.org/en/docs/Web/API/MediaDevices/getUserMedia
 [`systemPreferences.getMediaAccessStatus`]: system-preferences.md#systempreferencesgetmediaaccessstatusmediatype-windows-macos

 ## Caveats

+### Linux
+
 `desktopCapturer.getSources(options)` only returns a single source on Linux when using Pipewire.

 PipeWire supports a single capture for both screens and windows. If you request the window and screen type, the selected source will be returned as a window capture.

-`navigator.mediaDevices.getUserMedia` does not work on macOS for audio capture due to a fundamental limitation whereby apps that want to access the system's audio require a [signed kernel extension](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html). Chromium, and by extension Electron, does not provide this.
+### macOS versions 14.2 or higher

-It is possible to circumvent this limitation by capturing system audio with another macOS app like Soundflower and passing it through a virtual audio input device. This virtual device can then be queried with `navigator.mediaDevices.getUserMedia`.
+`NSAudioCaptureUsageDescription` Info.plist key must be added in order for audio to be captured by
+`desktopCapturer`. If instead you are running Electron from another program like a terminal or IDE
+then that parent program must contain the Info.plist key.
+
+This is in order to facillitate use of Apple's new [CoreAudio Tap API](https://developer.apple.com/documentation/CoreAudio/capturing-system-audio-with-core-audio-taps#Configure-the-sample-code-project) by Chromium.
+
+> [!WARNING]
+> Failure of `desktopCapturer` to start an audio stream due to `NSAudioCaptureUsageDescription`
+> permission not present will still create a dead audio stream however no warnings or errors are
+> displayed.
+
+As of Electron `v39.0.0-beta.4`, Chromium [made Apple's new `CoreAudio Tap API` the default](https://source.chromium.org/chromium/chromium/src/+/ad17e8f8b93d5f34891b06085d373a668918255e)
+for desktop audio capture. There is no fallback to the older `Screen & System Audio Recording`
+permissions system even if [CoreAudio Tap API](https://developer.apple.com/documentation/CoreAudio/capturing-system-audio-with-core-audio-taps) stream creation fails.
+
+If you need to continue using `Screen & System Audio Recording` permissions for `desktopCapturer`
+on macOS versions 14.2 and later, you can apply a Chromium feature flag to force use of that older
+permissions system:
+
+```js
+// main.js (right beneath your require/import statments)
+app.commandLine.appendSwitch('disable-features', 'MacCatapLoopbackAudioForScreenShare')
+```
+
+### macOS versions 12.7.6 or lower
+
+`navigator.mediaDevices.getUserMedia` does not work on macOS versions 12.7.6 and prior for audio
+capture due to a fundamental limitation whereby apps that want to access the system's audio require
+a [signed kernel extension](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html).
+Chromium, and by extension Electron, does not provide this. Only in macOS 13 and onwards does Apple
+provide APIs to capture desktop audio without the need for a signed kernel extension.
+
+It is possible to circumvent this limitation by capturing system audio with another macOS app like
+[BlackHole](https://existential.audio/blackhole/) or [Soundflower](https://rogueamoeba.com/freebies/soundflower/)
+and passing it through a virtual audio input device. This virtual device can then be queried
+with `navigator.mediaDevices.getUserMedia`.
--- a/docs/api/dialog.md
+++ b/docs/api/dialog.md
@@ -18,6 +18,13 @@ The `dialog` module has the following methods:

 ### `dialog.showOpenDialogSync([window, ]options)`

+<!--
+```YAML history
+added:
+  - pr-url: https://github.com/electron/electron/pull/16973
+```
+-->
+
 * `window` [BaseWindow](base-window.md) (optional)
 * `options` Object
  * `title` string (optional)
@@ -30,7 +37,7 @@ The `dialog` module has the following methods:
    * `openFile` - Allow files to be selected.
    * `openDirectory` - Allow directories to be selected.
    * `multiSelections` - Allow multiple paths to be selected.
-    * `showHiddenFiles` - Show hidden files in dialog.
+    * `showHiddenFiles` _macOS_ _Windows_ _Deprecated_ - Show hidden files in dialog. Deprecated on Linux.
    * `createDirectory` _macOS_ - Allow creating new directories from dialog.
    * `promptToCreate` _Windows_ - Prompt for creation if the file path entered
      in the dialog does not exist. This does not actually create the file at
@@ -90,6 +97,15 @@ dialog.showOpenDialogSync(mainWindow, {

 ### `dialog.showOpenDialog([window, ]options)`

+<!--
+```YAML history
+changes:
+  - pr-url: https://github.com/electron/electron/pull/16973
+    description: "This method now returns a Promise instead of using a callback function."
+    breaking-changes-header: api-changed-callback-based-versions-of-promisified-apis
+```
+-->
+
 * `window` [BaseWindow](base-window.md) (optional)
 * `options` Object
  * `title` string (optional)
@@ -102,7 +118,7 @@ dialog.showOpenDialogSync(mainWindow, {
    * `openFile` - Allow files to be selected.
    * `openDirectory` - Allow directories to be selected.
    * `multiSelections` - Allow multiple paths to be selected.
-    * `showHiddenFiles` - Show hidden files in dialog.
+    * `showHiddenFiles` _macOS_ _Windows_ _Deprecated_ - Show hidden files in dialog. Deprecated on Linux.
    * `createDirectory` _macOS_ - Allow creating new directories from dialog.
    * `promptToCreate` _Windows_ - Prompt for creation if the file path entered
      in the dialog does not exist. This does not actually create the file at
@@ -171,6 +187,13 @@ dialog.showOpenDialog(mainWindow, {

 ### `dialog.showSaveDialogSync([window, ]options)`

+<!--
+```YAML history
+added:
+  - pr-url: https://github.com/electron/electron/pull/17054
+```
+-->
+
 * `window` [BaseWindow](base-window.md) (optional)
 * `options` Object
  * `title` string (optional) - The dialog title. Cannot be displayed on some _Linux_ desktop environments.
@@ -185,7 +208,7 @@ dialog.showOpenDialog(mainWindow, {
  * `showsTagField` boolean (optional) _macOS_ - Show the tags input box,
    defaults to `true`.
  * `properties` string[]&#32;(optional)
-    * `showHiddenFiles` - Show hidden files in dialog.
+    * `showHiddenFiles` _macOS_ _Windows_ _Deprecated_ - Show hidden files in dialog. Deprecated on Linux.
    * `createDirectory` _macOS_ - Allow creating new directories from dialog.
    * `treatPackageAsDirectory` _macOS_ - Treat packages, such as `.app` folders,
      as a directory instead of a file.
@@ -202,6 +225,15 @@ The `filters` specifies an array of file types that can be displayed, see

 ### `dialog.showSaveDialog([window, ]options)`

+<!--
+```YAML history
+changes:
+  - pr-url: https://github.com/electron/electron/pull/17054
+    description: "This method now returns a Promise instead of using a callback function."
+    breaking-changes-header: api-changed-callback-based-versions-of-promisified-apis
+```
+-->
+
 * `window` [BaseWindow](base-window.md) (optional)
 * `options` Object
  * `title` string (optional) - The dialog title. Cannot be displayed on some _Linux_ desktop environments.
@@ -215,7 +247,7 @@ The `filters` specifies an array of file types that can be displayed, see
    displayed in front of the filename text field.
  * `showsTagField` boolean (optional) _macOS_ - Show the tags input box, defaults to `true`.
  * `properties` string[]&#32;(optional)
-    * `showHiddenFiles` - Show hidden files in dialog.
+    * `showHiddenFiles` _macOS_ _Windows_ _Deprecated_ - Show hidden files in dialog. Deprecated on Linux.
    * `createDirectory` _macOS_ - Allow creating new directories from dialog.
    * `treatPackageAsDirectory` _macOS_ - Treat packages, such as `.app` folders,
      as a directory instead of a file.
@@ -240,6 +272,13 @@ The `filters` specifies an array of file types that can be displayed, see

 ### `dialog.showMessageBoxSync([window, ]options)`

+<!--
+```YAML history
+added:
+  - pr-url: https://github.com/electron/electron/pull/17298
+```
+-->
+
 * `window` [BaseWindow](base-window.md) (optional)
 * `options` Object
  * `message` string - Content of the message box.
@@ -283,6 +322,19 @@ If `window` is not shown dialog will not be attached to it. In such case it will

 ### `dialog.showMessageBox([window, ]options)`

+<!--
+```YAML history
+changes:
+  - pr-url: https://github.com/electron/electron/pull/17298
+    description: "This method now returns a Promise instead of using a callback function."
+    breaking-changes-header: api-changed-callback-based-versions-of-promisified-apis
+  - pr-url: https://github.com/electron/electron/pull/26102
+    description: "Added the `signal` option."
+  - pr-url: https://github.com/electron/electron/pull/30474
+    description: "Added the `textWidth` option."
+```
+-->
+
 * `window` [BaseWindow](base-window.md) (optional)
 * `options` Object
  * `message` string - Content of the message box.
@@ -344,11 +396,22 @@ Displays a modal dialog that shows an error message.

 This API can be called safely before the `ready` event the `app` module emits,
 it is usually used to report errors in early stage of startup. If called
-before the app `ready`event on Linux, the message will be emitted to stderr,
+before the app `ready` event on Linux, the message will be emitted to stderr,
 and no GUI dialog will appear.

 ### `dialog.showCertificateTrustDialog([window, ]options)` _macOS_ _Windows_

+<!--
+```YAML history
+added:
+  - pr-url: https://github.com/electron/electron/pull/9099
+changes:
+  - pr-url: https://github.com/electron/electron/pull/17181
+    description: "This method now returns a Promise instead of using a callback function."
+    breaking-changes-header: api-changed-callback-based-versions-of-promisified-apis
+```
+-->
+
 * `window` [BaseWindow](base-window.md) (optional)
 * `options` Object
  * `certificate` [Certificate](structures/certificate.md) - The certificate to trust/import.
--- a/docs/api/incoming-message.md
+++ b/docs/api/incoming-message.md
@@ -34,7 +34,7 @@ Returns:
 * `error` Error - Typically holds an error string identifying failure root cause.

 Emitted when an error was encountered while streaming response data events. For
-instance, if the server closes the underlying while the response is still
+instance, if the server closes the underlying connection while the response is still
 streaming, an `error` event will be emitted on the response object and a `close`
 event will subsequently follow on the request object.

--- a/docs/api/menu-item.md
+++ b/docs/api/menu-item.md
@@ -44,8 +44,8 @@ See [`Menu`](menu.md) for examples.
    menu items.
  * `registerAccelerator` boolean (optional) _Linux_ _Windows_ - If false, the accelerator won't be registered
    with the system, but it will still be displayed. Defaults to true.
-  * `sharingItem` SharingItem (optional) _macOS_ - The item to share when the `role` is `shareMenu`.
-  * `submenu` (MenuItemConstructorOptions[] | [Menu](menu.md)) (optional) - Should be specified
+  * `sharingItem` [SharingItem](structures/sharing-item.md) (optional) _macOS_ - The item to share when the `role` is `shareMenu`.
+  * `submenu` ([MenuItemConstructorOptions](#new-menuitemoptions)[] | [Menu](menu.md)) (optional) - Should be specified
    for `submenu` type menu items. If `submenu` is specified, the `type: 'submenu'` can be omitted.
    If the value is not a [`Menu`](menu.md) then it will be automatically converted to one using
    `Menu.buildFromTemplate`.
@@ -73,20 +73,23 @@ The following properties are available on instances of `MenuItem`:

 #### `menuItem.id`

-A `string` indicating the item's unique id. This property can be
-dynamically changed.
+A `string` indicating the item's unique id.
+
+This property can be dynamically changed.

 #### `menuItem.label`

 A `string` indicating the item's visible label.

+This property can be dynamically changed.
+
 #### `menuItem.click`

 A `Function` that is fired when the MenuItem receives a click event.
 It can be called with `menuItem.click(event, focusedWindow, focusedWebContents)`.

 * `event` [KeyboardEvent](structures/keyboard-event.md)
-* `focusedWindow` [BaseWindow](browser-window.md)
+* `focusedWindow` [BaseWindow](base-window.md)
 * `focusedWebContents` [WebContents](web-contents.md)

 #### `menuItem.submenu`
@@ -107,42 +110,48 @@ A `string` (optional) indicating the item's role, if set. Can be `undo`, `redo`,

 #### `menuItem.accelerator`

-An `Accelerator | null` indicating the item's accelerator, if set.
+An [`Accelerator | null`](../tutorial/keyboard-shortcuts.md#accelerators) indicating the item's accelerator, if set.

 #### `menuItem.userAccelerator` _Readonly_ _macOS_

-An `Accelerator | null` indicating the item's [user-assigned accelerator](https://developer.apple.com/documentation/appkit/nsmenuitem/1514850-userkeyequivalent?language=objc) for the menu item.
+An [`Accelerator | null`](../tutorial/keyboard-shortcuts.md#accelerators) indicating the item's [user-assigned accelerator](https://developer.apple.com/documentation/appkit/nsmenuitem/1514850-userkeyequivalent?language=objc) for the menu item.

 > [!NOTE]
 > This property is only initialized after the `MenuItem` has been added to a `Menu`. Either via `Menu.buildFromTemplate` or via `Menu.append()/insert()`.  Accessing before initialization will just return `null`.

 #### `menuItem.icon`

-A `NativeImage | string` (optional) indicating the
-item's icon, if set.
+A `NativeImage | string` (optional) indicating the item's icon, if set.
+
+This property can be dynamically changed.

 #### `menuItem.sublabel`

 A `string` indicating the item's sublabel.

+This property can be dynamically changed.
+
 #### `menuItem.toolTip` _macOS_

 A `string` indicating the item's hover text.

 #### `menuItem.enabled`

-A `boolean` indicating whether the item is enabled. This property can be
-dynamically changed.
+A `boolean` indicating whether the item is enabled.
+
+This property can be dynamically changed.

 #### `menuItem.visible`

-A `boolean` indicating whether the item is visible. This property can be
-dynamically changed.
+A `boolean` indicating whether the item is visible.
+
+This property can be dynamically changed.

 #### `menuItem.checked`

-A `boolean` indicating whether the item is checked. This property can be
-dynamically changed.
+A `boolean` indicating whether the item is checked.
+
+This property can be dynamically changed.

 A `checkbox` menu item will toggle the `checked` property on and off when
 selected.
@@ -161,7 +170,7 @@ This property can be dynamically changed.

 #### `menuItem.sharingItem` _macOS_

-A `SharingItem` indicating the item to share when the `role` is `shareMenu`.
+A [`SharingItem`](structures/sharing-item.md) indicating the item to share when the `role` is `shareMenu`.

 This property can be dynamically changed.

--- a/docs/api/menu.md
+++ b/docs/api/menu.md
@@ -39,7 +39,7 @@ indicate which letter should get a generated accelerator. For example, using
 opens the associated menu. The indicated character in the button label then gets an
 underline, and the `&` character is not displayed on the button label.

-In order to escape the `&` character in an item name, add a proceeding `&`. For example, `&&File` would result in `&File` displayed on the button label.
+In order to escape the `&` character in an item name, add a preceding `&`. For example, `&&File` would result in `&File` displayed on the button label.

 Passing `null` will suppress the default menu. On Windows and Linux,
 this has the additional effect of removing the menu bar from the window.
@@ -70,7 +70,7 @@ for more information on macOS' native actions.

 #### `Menu.buildFromTemplate(template)`

- `template` (MenuItemConstructorOptions | [MenuItem](menu-item.md))[]
+- `template` ([MenuItemConstructorOptions](menu-item.md#new-menuitemoptions) | [MenuItem](menu-item.md))[]

 Returns [`Menu`](menu.md)

@@ -123,7 +123,7 @@ Appends the `menuItem` to the menu.

 - `id` string

-Returns [`MenuItem | null`](menu-item.md) - the item with the specified `id`
+Returns `MenuItem | null` the item with the specified `id`

 #### `menu.insert(pos, menuItem)`

@@ -162,7 +162,7 @@ Emitted when a popup is closed either manually or with `menu.closePopup()`.

 #### `menu.items`

-A `MenuItem[]` array containing the menu's items.
+A [`MenuItem[]`](menu-item.md) array containing the menu's items.

 Each `Menu` consists of multiple [`MenuItem`](menu-item.md) instances and each `MenuItem`
 can nest a `Menu` into its `submenu` property.
--- a/docs/api/native-theme.md
+++ b/docs/api/native-theme.md
@@ -83,4 +83,8 @@ Currently, Windows high contrast is the only system setting that triggers forced

 ### `nativeTheme.prefersReducedTransparency` _Readonly_

-A `boolean` that indicates the whether the user has chosen via system accessibility settings to reduce transparency at the OS level.
+A `boolean` that indicates whether the user has chosen via system accessibility settings to reduce transparency at the OS level.
+
+### `nativeTheme.shouldDifferentiateWithoutColor` _macOS_ _Readonly_
+
+A `boolean` that indicates whether the user prefers UI that differentiates items using something other than color alone (e.g. shapes or labels). This maps to [NSWorkspace.accessibilityDisplayShouldDifferentiateWithoutColor](https://developer.apple.com/documentation/appkit/nsworkspace/accessibilitydisplayshoulddifferentiatewithoutcolor).
--- a/docs/api/notification.md
+++ b/docs/api/notification.md
@@ -42,11 +42,15 @@ Returns `boolean` - Whether or not desktop notifications are supported on the cu
  * `timeoutType` string (optional) _Linux_ _Windows_ - The timeout duration of the notification. Can be 'default' or 'never'.
  * `replyPlaceholder` string (optional) _macOS_ - The placeholder to write in the inline reply input field.
  * `sound` string (optional) _macOS_ - The name of the sound file to play when the notification is shown.
-  * `urgency` string (optional) _Linux_ - The urgency level of the notification. Can be 'normal', 'critical', or 'low'.
+  * `urgency` string (optional) _Linux_ _Windows_ - The urgency level of the notification. Can be 'normal', 'critical', or 'low'.
  * `actions` [NotificationAction[]](structures/notification-action.md) (optional) _macOS_ - Actions to add to the notification. Please read the available actions and limitations in the `NotificationAction` documentation.
  * `closeButtonText` string (optional) _macOS_ - A custom title for the close button of an alert. An empty string will cause the default localized text to be used.
  * `toastXml` string (optional) _Windows_ - A custom description of the Notification on Windows superseding all properties above. Provides full customization of design and behavior of the notification.

+> [!NOTE]
+> On Windows, `urgency` type 'critical' sorts the notification higher in Action Center (above default priority notifications), but does not prevent auto-dismissal. To prevent auto-dismissal, you should also set
+> `timeoutType` to 'never'.
+
 ### Instance Events

 Objects created with `new Notification` emit the following events:
@@ -67,6 +71,22 @@ Emitted when the notification is shown to the user. Note that this event can be
 multiple times as a notification can be shown multiple times through the
 `show()` method.

+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const n = new Notification({
+    title: 'Title!',
+    subtitle: 'Subtitle!',
+    body: 'Body!'
+  })
+
+  n.on('show', () => console.log('Notification shown!'))
+
+  n.show()
+})
+```
+
 #### Event: 'click'

 Returns:
@@ -75,11 +95,28 @@ Returns:

 Emitted when the notification is clicked by the user.

+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const n = new Notification({
+    title: 'Title!',
+    subtitle: 'Subtitle!',
+    body: 'Body!'
+  })
+
+  n.on('click', () => console.log('Notification clicked!'))
+
+  n.show()
+})
+```
+
 #### Event: 'close'

 Returns:

-* `event` Event
+* `details` Event\<\>
+  * `reason` _Windows_ string (optional) - The reason the notification was closed. This can be 'userCanceled', 'applicationHidden', or 'timedOut'.

 Emitted when the notification is closed by manual intervention from the user.

@@ -88,21 +125,85 @@ is closed.

 On Windows, the `close` event can be emitted in one of three ways: programmatic dismissal with `notification.close()`, by the user closing the notification, or via system timeout. If a notification is in the Action Center after the initial `close` event is emitted, a call to `notification.close()` will remove the notification from the action center but the `close` event will not be emitted again.

-#### Event: 'reply' _macOS_
+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const n = new Notification({
+    title: 'Title!',
+    subtitle: 'Subtitle!',
+    body: 'Body!'
+  })
+
+  n.on('close', () => console.log('Notification closed!'))
+
+  n.show()
+})
+```
+
+#### Event: 'reply' _macOS_ _Windows_

 Returns:

-* `event` Event
-* `reply` string - The string the user entered into the inline reply field.
+* `details` Event\<\>
+  * `reply` string - The string the user entered into the inline reply field.
+* `reply` string _Deprecated_

 Emitted when the user clicks the "Reply" button on a notification with `hasReply: true`.

-#### Event: 'action' _macOS_
+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const n = new Notification({
+    title: 'Send a Message',
+    body: 'Body Text',
+    hasReply: true,
+    replyPlaceholder: 'Message text...'
+  })
+
+  n.on('reply', (e, reply) => console.log(`User replied: ${reply}`))
+  n.on('click', () => console.log('Notification clicked'))
+
+  n.show()
+})
+```
+
+#### Event: 'action' _macOS_ _Windows_

 Returns:

-* `event` Event
-* `index` number - The index of the action that was activated.
+* `details` Event\<\>
+  * `actionIndex` number - The index of the action that was activated.
+  * `selectionIndex` number _Windows_ - The index of the selected item, if one was chosen. -1 if none was chosen.
+* `actionIndex` number _Deprecated_
+* `selectionIndex` number _Windows_ _Deprecated_
+
+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const items = ['One', 'Two', 'Three']
+  const n = new Notification({
+    title: 'Choose an Action!',
+    actions: [
+      { type: 'button', text: 'Action 1' },
+      { type: 'button', text: 'Action 2' },
+      { type: 'selection', text: 'Apply', items }
+    ]
+  })
+
+  n.on('click', () => console.log('Notification clicked'))
+  n.on('action', (e) => {
+    console.log(`User triggered action at index: ${e.actionIndex}`)
+    if (e.selectionIndex > -1) {
+      console.log(`User chose selection item '${items[e.selectionIndex]}'`)
+    }
+  })
+
+  n.show()
+})
+```

 #### Event: 'failed' _Windows_

@@ -113,6 +214,22 @@ Returns:

 Emitted when an error is encountered while creating and showing the native notification.

+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const n = new Notification({
+    title: 'Bad Action'
+  })
+
+  n.on('failed', (e, err) => {
+    console.log('Notification failed: ', err)
+  })
+
+  n.show()
+})
+```
+
 ### Instance Methods

 Objects created with the `new Notification()` constructor have the following instance methods:
@@ -126,12 +243,42 @@ call this method before the OS will display it.
 If the notification has been shown before, this method will dismiss the previously
 shown notification and create a new one with identical properties.

+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const n = new Notification({
+    title: 'Title!',
+    subtitle: 'Subtitle!',
+    body: 'Body!'
+  })
+
+  n.show()
+})
+```
+
 #### `notification.close()`

 Dismisses the notification.

 On Windows, calling `notification.close()` while the notification is visible on screen will dismiss the notification and remove it from the Action Center. If `notification.close()` is called after the notification is no longer visible on screen, calling `notification.close()` will try remove it from the Action Center.

+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const n = new Notification({
+    title: 'Title!',
+    subtitle: 'Subtitle!',
+    body: 'Body!'
+  })
+
+  n.show()
+
+  setTimeout(() => n.close(), 5000)
+})
+```
+
 ### Instance Properties

 #### `notification.title`
--- a/docs/api/process.md
+++ b/docs/api/process.md
@@ -99,13 +99,13 @@ property is used instead of the `--throw-deprecation` command line flag.

 A `boolean` that controls whether or not deprecations printed to `stderr` include
 their stack trace. Setting this to `true` will print stack traces for deprecations.
- This property is instead of the `--trace-deprecation` command line flag.
+ This property is used instead of the `--trace-deprecation` command line flag.

 ### `process.traceProcessWarnings`

 A `boolean` that controls whether or not process warnings printed to `stderr` include
 their stack trace. Setting this to `true` will print stack traces for process warnings
- (including deprecations). This property is instead of the `--trace-warnings` command
+ (including deprecations). This property is used instead of the `--trace-warnings` command
 line flag.

 ### `process.type` _Readonly_
--- a/docs/api/protocol.md
+++ b/docs/api/protocol.md
@@ -56,6 +56,15 @@ app.whenReady().then(() => {
 })
 ```

+## Protocol names
+
+[RFC 3986](https://www.rfc-editor.org/rfc/rfc3986#section-3.1) defines what a valid
+protocol name is:
+
+> Scheme names consist of a sequence of characters beginning with a letter and followed
+> by any combination of letters, digits, plus ("+"), period ("."), or hyphen ("-").
+> Although schemes are case-insensitive, the canonical form is lowercase […].
+
 ## Methods

 The `protocol` module has the following methods:
--- a/docs/api/screen.md
+++ b/docs/api/screen.md
@@ -110,6 +110,8 @@ Returns [`Point`](structures/point.md)

 The current absolute position of the mouse pointer.

+Not supported on Wayland (Linux).
+
 > [!NOTE]
 > The return value is a DIP point, not a screen physical point.

--- a/docs/api/session.md
+++ b/docs/api/session.md
@@ -1216,7 +1216,7 @@ function createWindow () {

  mainWindow.webContents.session.setBluetoothPairingHandler((details, callback) => {
    bluetoothPinCallback = callback
-    // Send a IPC message to the renderer to prompt the user to confirm the pairing.
+    // Send an IPC message to the renderer to prompt the user to confirm the pairing.
    // Note that this will require logic in the renderer to handle this message and
    // display a prompt to the user.
    mainWindow.webContents.send('bluetooth-pairing-request', details)
@@ -1264,7 +1264,7 @@ session.defaultSession.allowNTLMCredentialsForDomains('*')

 Overrides the `userAgent` and `acceptLanguages` for this session.

-The `acceptLanguages` must a comma separated ordered list of language codes, for
+The `acceptLanguages` must be a comma separated ordered list of language codes, for
 example `"en-US,fr,de,ko,zh-CN,ja"`.

 This doesn't affect existing `WebContents`, and each `WebContents` can use
--- a/docs/api/shared-texture.md
+++ b/docs/api/shared-texture.md
@@ -1,6 +1,6 @@
 # sharedTexture

-> Import shared textures into Electron and converts platform specific handles into [`VideoFrame`](https://developer.mozilla.org/en-US/docs/Web/API/VideoFrame). Supports all Web rendering systems, and can be transferred across Electron processes. Read [here](https://github.com/electron/electron/blob/main/shell/common/api/shared_texture/README.md) for more information.
+> Import shared textures into Electron and converts platform specific handles into [`VideoFrame`](https://developer.mozilla.org/en-US/docs/Web/API/VideoFrame). Supports all Web rendering systems, and can be transferred across Electron processes. Read [here](../../shell/common/api/shared_texture/README.md) for more information.

 Process: [Main](../glossary.md#main-process), [Renderer](../glossary.md#renderer-process)

@@ -21,7 +21,7 @@ Imports the shared texture from the given options.
 > [!NOTE]
 > This method is only available in the main process.

-Returns [`SharedTextureImported`](structures/shared-texture-imported.md) - The imported shared texture.
+Returns `SharedTextureImported` - The imported shared texture.

 ### `sharedTexture.sendSharedTexture(options, ...args)` _Experimental_

--- a/docs/api/structures/custom-scheme.md
+++ b/docs/api/structures/custom-scheme.md
@@ -11,3 +11,5 @@
  * `stream` boolean (optional) - Default false.
  * `codeCache` boolean (optional) - Enable V8 code cache for the scheme, only
    works when `standard` is also set to true. Default false.
+  * `allowExtensions` boolean (optional) - Allow Chrome extensions to be used
+    on pages served over this protocol. Default false.
--- a/docs/api/structures/display.md
+++ b/docs/api/structures/display.md
@@ -7,7 +7,7 @@
 * `depthPerComponent` number - The number of bits per color component.
 * `detected` boolean - `true` if the display is detected by the system.
 * `displayFrequency` number - The display refresh rate.
-* `id` number - Unique identifier associated with the display. A value of of -1 means the display is invalid or the correct `id` is not yet known, and a value of -10 means the display is a virtual display assigned to a unified desktop.
+* `id` number - Unique identifier associated with the display. A value of -1 means the display is invalid or the correct `id` is not yet known, and a value of -10 means the display is a virtual display assigned to a unified desktop.
 * `internal` boolean - `true` for an internal display and `false` for an external display.
 * `label` string - User-friendly label, determined by the platform.
 * `maximumCursorSize` [Size](size.md) - Maximum cursor size in native pixels.
--- a/docs/api/structures/notification-action.md
+++ b/docs/api/structures/notification-action.md
@@ -1,13 +1,15 @@
 # NotificationAction Object

-* `type` string - The type of action, can be `button`.
+* `type` string - The type of action, can be `button` or `selection`. `selection` is only supported on Windows.
 * `text` string (optional) - The label for the given action.
+* `items` string[] (optional) _Windows_ - The list of items for the `selection` action `type`.

 ## Platform / Action Support

 | Action Type | Platform Support | Usage of `text` | Default `text` | Limitations |
 |-------------|------------------|-----------------|----------------|-------------|
-| `button`    | macOS            | Used as the label for the button | "Show" (or a localized string by system default if first of such `button`, otherwise empty) | Only the first one is used. If multiple are provided, those beyond the first will be listed as additional actions (displayed when mouse active over the action button). Any such action also is incompatible with `hasReply` and will be ignored if `hasReply` is `true`. |
+| `button`    | macOS, Windows   | Used as the label for the button | "Show" on macOS (localized) if first `button`, otherwise empty; Windows uses provided `text` | macOS: Only the first one is used as primary; others shown as additional actions (hover). Incompatible with `hasReply` (beyond first ignored). |
+| `selection` | Windows          | Used as the label for the submit button for the selection menu | "Select" | Requires an `items` array property specifying option labels. Emits the `action` event with `(index, selectedIndex)` where `selectedIndex` is the chosen option (>= 0). Ignored on platforms that do not support selection actions. |

 ### Button support on macOS

@@ -15,6 +17,37 @@ In order for extra notification buttons to work on macOS your app must meet the
 following criteria.

 * App is signed
-* App has it's `NSUserNotificationAlertStyle` set to `alert` in the `Info.plist`.
+* App has its `NSUserNotificationAlertStyle` set to `alert` in the `Info.plist`.

 If either of these requirements are not met the button won't appear.
+
+### Selection support on Windows
+
+To add a selection (combo box) style action, include an action with `type: 'selection'`, a `text` label for the submit button, and an `items` array of strings:
+
+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const items = ['One', 'Two', 'Three']
+  const n = new Notification({
+    title: 'Choose an option',
+    actions: [{
+      type: 'selection',
+      text: 'Apply',
+      items
+    }]
+  })
+
+  n.on('action', (e) => {
+    console.log(`User triggered action at index: ${e.actionIndex}`)
+    if (e.selectionIndex > 0) {
+      console.log(`User chose selection item '${items[e.selectionIndex]}'`)
+    }
+  })
+
+  n.show()
+})
+```
+
+When the user activates the selection action, the notification's `action` event will be emitted with two parameters: `actionIndex` (the action's index in the `actions` array) and `selectedIndex` (the zero-based index of the chosen item, or `-1` if unavailable). On non-Windows platforms selection actions are ignored.
--- a/docs/api/structures/shared-texture-handle.md
+++ b/docs/api/structures/shared-texture-handle.md
@@ -1,6 +1,6 @@
 # SharedTextureHandle Object

-* `ntHandle` Buffer (optional) _Windows_ - NT HANDLE holds the shared texture. Note that this NT HANDLE is local to current process.
+* `ntHandle` Buffer (optional) _Windows_ - NT HANDLE holds the shared texture. Note that this NT HANDLE is local to current process.  Output textures of `rgba`, `bgra`, `rgbaf16` formats don't have a keyed mutex on the texture handle, but `nv12` format texture handles do have a keyed mutex.
 * `ioSurface` Buffer (optional) _macOS_ - IOSurfaceRef holds the shared texture. Note that this IOSurface is local to current process (not global).
 * `nativePixmap` Object (optional) _Linux_ - Structure contains planes of shared texture.
  * `planes` Object[] _Linux_ - Each plane's info of the shared texture.
--- a/docs/api/structures/shared-texture-import-texture-info.md
+++ b/docs/api/structures/shared-texture-import-texture-info.md
@@ -5,7 +5,6 @@
  * `rgba` - 32bpp RGBA (byte-order), 1 plane.
  * `rgbaf16` - Half float RGBA, 1 plane.
  * `nv12` - 12bpp with Y plane followed by a 2x2 interleaved UV plane.
-  * `p010le` - 4:2:0 10-bit YUV (little-endian), Y plane followed by a 2x2 interleaved UV plane.
 * `colorSpace` [ColorSpace](color-space.md) (optional) - The color space of the texture.
 * `codedSize` [Size](size.md) - The full dimensions of the shared texture.
 * `visibleRect` [Rectangle](rectangle.md) (optional) - A subsection of [0, 0, codedSize.width, codedSize.height]. In common cases, it is the full section area.
--- a/docs/api/structures/web-preferences.md
+++ b/docs/api/structures/web-preferences.md
@@ -40,7 +40,7 @@
 * `javascript` boolean (optional) - Enables JavaScript support. Default is `true`.
 * `webSecurity` boolean (optional) - When `false`, it will disable the
  same-origin policy (usually using testing websites by people), and set
-  `allowRunningInsecureContent` to `true` if this options has not been set
+  `allowRunningInsecureContent` to `true` if this option has not been set
  by user. Default is `true`.
 * `allowRunningInsecureContent` boolean (optional) - Allow an https page to run
  JavaScript, CSS or plugins from http URLs. Default is `false`.
@@ -94,7 +94,6 @@
    The actual output pixel format and color space of the texture should refer to [`OffscreenSharedTexture`](../structures/offscreen-shared-texture.md) object in the `paint` event.
    * `argb` - The requested output texture format is 8-bit unorm RGBA, with SRGB SDR color space.
    * `rgbaf16` - The requested output texture format is 16-bit float RGBA, with scRGB HDR color space.
-  * `deviceScaleFactor` number (optional) _Experimental_ - The device scale factor of the offscreen rendering output. If not set, will use primary display's scale factor as default.
 * `contextIsolation` boolean (optional) - Whether to run Electron APIs and
  the specified `preload` script in a separate JavaScript context. Defaults
  to `true`. The context that the `preload` script runs in will only have
--- a/docs/api/view.md
+++ b/docs/api/view.md
@@ -62,17 +62,9 @@ it becomes the topmost view.

 If the view passed as a parameter is not a child of this view, this method is a no-op.

-#### `view.setBounds(bounds[, options])`
+#### `view.setBounds(bounds)`

 * `bounds` [Rectangle](structures/rectangle.md) - New bounds of the View.
-* `options` Object (optional) - Options for setting the bounds.
-  * `animate` boolean | Object (optional) - If true, the bounds change will be animated. If an object is passed, it can contain the following properties:
-    * `duration` Integer (optional) - Duration of the animation in milliseconds. Default is `250`.
-    * `easing` string (optional) - Easing function for the animation. Default is `linear`.
-      * `linear`
-      * `ease-in`
-      * `ease-out`
-      * `ease-in-out`

 #### `view.getBounds()`

--- a/docs/api/web-contents.md
+++ b/docs/api/web-contents.md
@@ -383,7 +383,7 @@ Emitted after a server side redirect occurs during navigation.  For example a 30
 redirect.

 This event cannot be prevented, if you want to prevent redirects you should
-checkout out the `will-redirect` event above.
+check out the `will-redirect` event above.

 #### Event: 'did-navigate'

@@ -933,7 +933,7 @@ copying data between CPU and GPU memory, with Chromium's hardware acceleration s
 Only a limited number of textures can exist at the same time, so it's important that you call `texture.release()` as soon as you're done with the texture.
 By managing the texture lifecycle by yourself, you can safely pass the `texture.textureInfo` to other processes through IPC.

-More details can be found in the [offscreen rendering tutorial](../tutorial/offscreen-rendering.md). To learn about how to handle the texture in native code, refer to [offscreen rendering's code documentation.](https://github.com/electron/electron/blob/main/shell/browser/osr/README.md).
+More details can be found in the [offscreen rendering tutorial](../tutorial/offscreen-rendering.md). To learn about how to handle the texture in native code, refer to [offscreen rendering's code documentation.](../../shell/browser/osr/README.md).

 ```js
 const { BrowserWindow } = require('electron')
@@ -1465,7 +1465,7 @@ Ignore application menu shortcuts while this web contents is focused.
  without a recognized 'action' value will result in a console error and have
  the same effect as returning `{action: 'deny'}`.

-Called before creating a window a new window is requested by the renderer, e.g.
+Called before creating a window when a new window is requested by the renderer, e.g.
 by `window.open()`, a link with `target="_blank"`, shift+clicking on a link, or
 submitting a form with `<form target="_blank">`. See
 [`window.open()`](window-open.md) for more details and how to use this in
@@ -1485,6 +1485,11 @@ mainWindow.webContents.setWindowOpenHandler((details) => {
      const browserView = new BrowserView(options)
      mainWindow.addBrowserView(browserView)
      browserView.setBounds({ x: 0, y: 0, width: 640, height: 480 })
+      // For `background-tab` disposition (e.g., when middle-clicking or ctrl/cmd-clicking a link),
+      // `options.webContents` is undefined because its creation can be deferred. So load the URL manually.
+      if (details.disposition === 'background-tab') {
+        browserView.webContents.loadURL(details.url)
+      }
      return browserView.webContents
    }
  }
@@ -1748,11 +1753,12 @@ Returns `Promise<PrinterInfo[]>` - Resolves with a [`PrinterInfo[]`](structures/
  * `footer` string (optional) - string to be printed as page footer.
  * `pageSize` string | Size (optional) - Specify page size of the printed document. Can be `A0`, `A1`, `A2`, `A3`,
  `A4`, `A5`, `A6`, `Legal`, `Letter`, `Tabloid` or an Object containing `height` and `width`.
+  * `usePrinterDefaultPageSize` boolean (optional) - Whether to use a given printer's default page size. Default is `false`. Cannot be combined with `pageSize`. When `deviceName` is provided, uses the default page size of that specific printer. When `deviceName` is not provided, uses the default page size of the system's default printer. If the printer's default page size cannot be retrieved, falls back to A4 (210mm x 297mm).
 * `callback` Function (optional)
  * `success` boolean - Indicates success of the print call.
  * `failureReason` string - Error description called back if the print fails.

-When a custom `pageSize` is passed, Chromium attempts to validate platform specific minimum values for `width_microns` and `height_microns`. Width and height must both be minimum 353 microns but may be higher on some operating systems.
+When a custom `pageSize` is passed, Chromium attempts to validate platform specific minimum values for `width_microns` and `height_microns`. Width and height must both be minimum 353 microns but may be higher on some operating systems. If a valid `pageSize` is not passed and `usePrinterDefaultPageSize` is `false`, an error will be thrown.

 Prints window's web page. When `silent` is set to `true`, Electron will pick
 the system's default printer if `deviceName` is empty and the default settings for printing.
@@ -2234,6 +2240,16 @@ Returns `string` - The identifier of a WebContents stream. This identifier can b
 with `navigator.mediaDevices.getUserMedia` using a `chromeMediaSource` of `tab`.
 The identifier is restricted to the web contents that it is registered to and is only valid for 10 seconds.

+#### `contents.getOrCreateDevToolsTargetId()`
+
+Returns `string` - The Chrome DevTools Protocol
+[TargetID](https://chromedevtools.github.io/devtools-protocol/tot/Target/#type-TargetID)
+associated with this WebContents. This is the reverse of
+[`webContents.fromDevToolsTargetId()`](#webcontentsfromdevtoolstargetidtargetid).
+
+> [!NOTE]
+> This method creates a new DevTools agent for this WebContents if one does not already exist.
+
 #### `contents.getOSProcessId()`

 Returns `Integer` - The operating system `pid` of the associated renderer
@@ -2369,7 +2385,7 @@ instance that might own this `WebContents`.

 #### `contents.devToolsWebContents` _Readonly_

-A `WebContents | null` property that represents the of DevTools `WebContents` associated with a given `WebContents`.
+A `WebContents | null` property that represents the DevTools `WebContents` associated with a given `WebContents`.

 > [!NOTE]
 > Users should never store this object because it may become `null`
--- a/docs/api/webview-tag.md
+++ b/docs/api/webview-tag.md
@@ -588,6 +588,7 @@ Stops any `findInPage` request for the `webview` with the provided `action`.
  * `footer` string (optional) - string to be printed as page footer.
  * `pageSize` string | Size (optional) - Specify page size of the printed document. Can be `A3`,
  `A4`, `A5`, `Legal`, `Letter`, `Tabloid` or an Object containing `height` in microns.
+  * `usePrinterDefaultPageSize` boolean (optional) - Whether to use the system's default page size. Default is `false`. Cannot be combined with `pageSize`. When `deviceName` is provided, uses the default page size of that specific printer. When `deviceName` is not provided, uses the default page size of the system's default printer. If the printer's default page size cannot be retrieved, falls back to A4 (210mm x 297mm).

 Returns `Promise<void>`

--- a/docs/breaking-changes.md
+++ b/docs/breaking-changes.md
@@ -12,16 +12,6 @@ This document uses the following convention to categorize breaking changes:
 * **Deprecated:** An API was marked as deprecated. The API will continue to function, but will emit a deprecation warning, and will be removed in a future release.
 * **Removed:** An API or feature was removed, and is no longer supported by Electron.

-## Planned Breaking API Changes (42.0)
-
-### Behavior Changed: Offscreen rendering will use `1.0` as default device scale factor.
-
-Previously, OSR used the primary display's device scale factor for rendering, which made the output frame size vary across users.
-Developers had to manually calculate the correct size using `screen.getPrimaryDisplay().scaleFactor`. We now provide an optional property
-`webPreferences.offscreen.deviceScaleFactor` to specify a custom value when creating an OSR window. At first, if the property is not set, it defaults
-to the primary display's scale factor (preserving the old behavior). Starting from Electron 42, the default will change to a constant value of `1.0`
-for more consistent output sizes.
-
 ## Planned Breaking API Changes (41.0)

 ### Behavior Changed: PDFs no longer create a separate WebContents
@@ -51,6 +41,12 @@ your preload script and expose it using the [contextBridge](https://www.electron
 Debug symbols for MacOS (dSYM) now use xz compression in order to handle larger file sizes. `dsym.zip` files are now
 `dsym.tar.xz` files. End users using debug symbols may need to update their zip utilities.

+### Deprecated: `showHiddenFiles` in Dialogs on Linux
+
+This property will still be honored on macOS and Windows, but support on Linux
+will be removed in Electron 42. GTK intends for this to be a user choice rather
+than an app choice and has removed the API to do this programmatically.
+
 ## Planned Breaking API Changes (39.0)

 ### Deprecated: `--host-rules` command line switch
@@ -76,6 +72,22 @@ webContents.setWindowOpenHandler((details) => {
 })
 ```

+### Behavior Changed: `NSAudioCaptureUsageDescription` should be included in your app's Info.plist file to use `desktopCapturer` (🍏 macOS ≥14.2)
+
+Per [Chromium update](https://source.chromium.org/chromium/chromium/src/+/ad17e8f8b93d5f34891b06085d373a668918255e) which enables Apple's newer [CoreAudio Tap API](https://developer.apple.com/documentation/CoreAudio/capturing-system-audio-with-core-audio-taps#Configure-the-sample-code-project) by default, you now must have `NSAudioCaptureUsageDescription` defined in your `Info.plist` to use `desktopCapturer`.
+
+Electron's `desktopCapturer` will create a dead audio stream if the new permission is absent however no errors or warnings will occur. This is partially a side-effect of Chromium not falling back to the older `Screen & System Audio Recording` permissions system if the new system fails.
+
+To restore previous behavior:
+
+```js
+// main.js (right beneath your require/import statments)
+app.commandLine.appendSwitch(
+  'disable-features',
+  'MacCatapLoopbackAudioForScreenShare'
+)
+```
+
 ### Behavior Changed: shared texture OSR `paint` event data structure

 When using shared texture offscreen rendering feature, the `paint` event now emits a more structured object.
@@ -94,7 +106,7 @@ Users can force XWayland by passing `--ozone-platform=x11`.
 ### Removed: `ORIGINAL_XDG_CURRENT_DESKTOP` environment variable

 Previously, Electron changed the value of `XDG_CURRENT_DESKTOP` internally to `Unity`, and stored the original name of the desktop session
-in a separate variable. `XDG_CURRENT_DESKTOP` is no longer overriden and now reflects the actual desktop environment.
+in a separate variable. `XDG_CURRENT_DESKTOP` is no longer overridden and now reflects the actual desktop environment.

 ### Removed: macOS 11 support

@@ -175,7 +187,7 @@ window is not currently visible.

 `app.commandLine` was only meant to handle chromium switches (which aren't case-sensitive) and switches passed via `app.commandLine` will not be passed down to any of the child processes.

-If you were using `app.commandLine` to control the behavior of the  main process, you should do this via `process.argv`.
+If you were using `app.commandLine` to control the behavior of the main process, you should do this via `process.argv`.

 ### Deprecated: `NativeImage.getBitmap()`

@@ -205,7 +217,7 @@ from upstream Chromium.
 ### Deprecated: `null` value for `session` property in `ProtocolResponse`

 Previously, setting the ProtocolResponse.session property to `null`
-Would create a random independent session. This is no longer supported.
+would create a random independent session. This is no longer supported.

 Using single-purpose sessions here is discouraged due to overhead costs;
 however, old code that needs to preserve this behavior can emulate it by
@@ -216,7 +228,7 @@ and then using it in `ProtocolResponse.session`.

 When calling `Session.clearStorageData(options)`, the `options.quota`
 property is deprecated. Since the `syncable` type was removed, there
-is only type left -- `'temporary'` -- so specifying it is unnecessary.
+is only one type left -- `'temporary'` -- so specifying it is unnecessary.

 ### Deprecated: Extension methods and events on `session`

@@ -545,7 +557,7 @@ more information.

 ### Removed: The `--disable-color-correct-rendering` switch

-This switch was never formally documented but it's removal is being noted here regardless. Chromium itself now has better support for color spaces so this flag should not be needed.
+This switch was never formally documented but its removal is being noted here regardless. Chromium itself now has better support for color spaces so this flag should not be needed.

 ### Behavior Changed: `BrowserView.setAutoResize` behavior on macOS

@@ -1236,7 +1248,7 @@ more details.

 ### API Changed: `webContents.printToPDF()`

-`webContents.printToPDF()` has been modified to conform to [`Page.printToPDF`](https://chromedevtools.github.io/devtools-protocol/tot/Page/#method-printToPDF) in the Chrome DevTools Protocol. This has been changes in order to
+`webContents.printToPDF()` has been modified to conform to [`Page.printToPDF`](https://chromedevtools.github.io/devtools-protocol/tot/Page/#method-printToPDF) in the Chrome DevTools Protocol. This has been changed in order to
 address changes upstream that made our previous implementation untenable and rife with bugs.

 **Arguments Changed**
--- a/docs/development/build-instructions-gn.md
+++ b/docs/development/build-instructions-gn.md
@@ -41,7 +41,7 @@ e init --root=~/electron --bootstrap testing
 ```

 The `--bootstrap` flag also runs `e sync` (synchronizes source code branches from
-[`DEPS`](https://github.com/electron/electron/blob/main/DEPS) using
+[`DEPS`](../../DEPS) using
 [`gclient`](https://chromium.googlesource.com/chromium/tools/depot_tools.git/+/HEAD/README.gclient.md))
 and `e build` (compiles the Electron binary into the `${root}/src/out` folder).

@@ -63,7 +63,7 @@ Some quick tips on building once your checkout is set up:
 * **Updating your checkout:** Run git commands such as `git checkout <branch>` and `git pull` from `${root}/src/electron`.
  Whenever you update your commit `HEAD`, make sure to `e sync` before `e build` to sync dependencies
  such as Chromium and Node.js. This is especially relevant because the Chromium version in
-  [`DEPS`](https://github.com/electron/electron/blob/main/DEPS) changes frequently.
+  [`DEPS`](../../DEPS) changes frequently.
 * **Rebuilding:** When making changes to code in `${root}/src/electron/` in a local branch, you only need to re-run `e build`.
 * **Adding patches:** When contributing changes in `${root}/src/` outside of `${root}/src/electron/`, you need to do so
  via Electron's [patch system](./patches.md). The `e patches` command can export all relevant patches to
@@ -98,7 +98,7 @@ Project configurations can be found in the `.gn` and `.gni` files in the `electr

 The following `gn` files contain the main rules for building Electron:

-* [`BUILD.gn`](https://github.com/electron/electron/blob/main/BUILD.gn) defines how Electron itself
+* [`BUILD.gn`](../../BUILD.gn) defines how Electron itself
  is built and includes the default configurations for linking with Chromium.
 * [`build/args/{testing,release,all}.gn`](https://github.com/electron/electron/tree/main/build/args)
  contain the default build arguments for building Electron.
--- a/docs/development/build-instructions-macos.md
+++ b/docs/development/build-instructions-macos.md
@@ -40,7 +40,7 @@ If you are on arm64 architecture, the build script may be pointing to the wrong

 ### Certificates fail to verify

-installing [`certifi`](https://pypi.org/project/certifi/) will fix the following error:
+Installing [`certifi`](https://pypi.org/project/certifi/) will fix the following error:

 ```sh
 ________ running 'python3 src/tools/clang/scripts/update.py' in '/Users/<user>/electron'
--- a/docs/development/creating-api.md
+++ b/docs/development/creating-api.md
@@ -6,7 +6,7 @@ This is not a comprehensive end-all guide to creating an Electron Browser API, r

 ## Add your files to Electron's project configuration

-Electron uses [GN](https://gn.googlesource.com/gn) as a meta build system to generate files for its compiler, [Ninja](https://ninja-build.org/). This means that in order to tell Electron to compile your code, we have to add your API's code and header file names into [`filenames.gni`](https://github.com/electron/electron/blob/main/filenames.gni).
+Electron uses [GN](https://gn.googlesource.com/gn) as a meta build system to generate files for its compiler, [Ninja](https://ninja-build.org/). This means that in order to tell Electron to compile your code, we have to add your API's code and header file names into [`filenames.gni`](../../filenames.gni).

 You will need to append your API file names alphabetically into the appropriate files like so:

@@ -127,7 +127,7 @@ void Initialize(v8::Local<v8::Object> exports,

 ## Link your Electron API with Node

-In the [`typings/internal-ambient.d.ts`](https://github.com/electron/electron/blob/main/typings/internal-ambient.d.ts) file, we need to append a new property onto the `Process` interface like so:
+In the [`typings/internal-ambient.d.ts`](../../typings/internal-ambient.d.ts) file, we need to append a new property onto the `Process` interface like so:

 ```ts title='typings/internal-ambient.d.ts' @ts-nocheck
 interface Process {
@@ -141,7 +141,7 @@ At the very bottom of your `api_name.cc` file:
 NODE_LINKED_BINDING_CONTEXT_AWARE(electron_browser_{api_name},Initialize)
 ```

-In your [`shell/common/node_bindings.cc`](https://github.com/electron/electron/blob/main/shell/common/node_bindings.cc) file, add your node binding name to Electron's built-in modules.
+In your [`shell/common/node_bindings.cc`](../../shell/common/node_bindings.cc) file, add your node binding name to Electron's built-in modules.

 ```cpp title='shell/common/node_bindings.cc'
 #define ELECTRON_BROWSER_MODULES(V)      \
@@ -159,7 +159,7 @@ We will need to create a new TypeScript file in the path that follows:

 `"lib/browser/api/{electron_browser_{api_name}}.ts"`

-An example of the contents of this file can be found [here](https://github.com/electron/electron/blob/main/lib/browser/api/native-theme.ts).
+An example of the contents of this file can be found [here](../../lib/browser/api/native-theme.ts).

 ### Expose your module to TypeScript

--- a/docs/development/debugging-on-windows.md
+++ b/docs/development/debugging-on-windows.md
@@ -28,7 +28,7 @@ with breakpoints inside Electron's source code.
  format.

 * **ProcMon**: The [free SysInternals tool][sys-internals] allows you to inspect
-  a processes parameters, file handles, and registry operations.
+  a process's parameters, file handles, and registry operations.

 ## Attaching to and Debugging Electron

--- a/docs/development/patches.md
+++ b/docs/development/patches.md
@@ -79,7 +79,7 @@ $ ../../electron/script/git-import-patches ../../electron/patches/node
 $ ../../electron/script/git-export-patches -o ../../electron/patches/node
 ```

-Note that `git-import-patches` will mark the commit that was `HEAD` when it was run as `refs/patches/upstream-head`. This lets you keep track of which commits are from Electron patches (those that come after `refs/patches/upstream-head`) and which commits are in upstream (those before `refs/patches/upstream-head`).
+Note that `git-import-patches` will mark the commit that was `HEAD` when it was run as `refs/patches/upstream-head` (and a checkout-specific `refs/patches/upstream-head-<hash>` so that gclient worktrees sharing a `.git/refs` directory don't clobber each other). This lets you keep track of which commits are from Electron patches (those that come after `refs/patches/upstream-head`) and which commits are in upstream (those before `refs/patches/upstream-head`).

 #### Resolving conflicts

--- a/docs/development/pull-requests.md
+++ b/docs/development/pull-requests.md
@@ -21,24 +21,33 @@

 ### Step 1: Fork

-Fork the project [on GitHub](https://github.com/electron/electron) and clone your fork
-locally.
-
-```sh
-$ git clone git@github.com:username/electron.git
-$ cd electron
-$ git remote add upstream https://github.com/electron/electron.git
-$ git fetch upstream
-```
+Fork Electron's [GitHub repository](https://github.com/electron/electron).

 ### Step 2: Build

-Build steps and dependencies differ slightly depending on your operating system.
-See these detailed guides on building Electron locally:
+We recommend using [`@electron/build-tools`](https://github.com/electron/build-tools) to build
+Electron itself.

-* [Building on macOS](build-instructions-macos.md)
-* [Building on Linux](build-instructions-linux.md)
-* [Building on Windows](build-instructions-windows.md)
+```sh
+# Install build-tools package globally:
+npm install -g @electron/build-tools
+# Run the init script where you want to clone the project and point it to your fork:
+e init --fork my-org/electron --bootstrap testing
+```
+
+This will create a new `electron` folder in your working directory and initialize the project.
+Once the build completes, navigate to `electron/src/electron`, where your fork is actually cloned.
+
+> [!IMPORTANT]
+> Your Electron project has a complex folder structure with nested repositories.
+> See the [Build Instructions](./build-instructions-gn.md) docs for detailed Build Tools
+> usage instructions (e.g. how to sync dependencies or how to recompile the binary)
+> and platform-specific notices.
+
+There, you should have two `remote` URLs in git:
+
+* `origin` will point to `electron/electron`
+* `fork` will point to your fork (`my-org/electron`)

 Once you've built the project locally, you're ready to start making changes!

@@ -48,7 +57,7 @@ To keep your development environment organized, create local branches to
 hold your work. These should be branched directly off of the `main` branch.

 ```sh
-$ git checkout -b my-branch -t upstream/main
+git checkout -b my-branch
 ```

 ## Making Changes
@@ -60,7 +69,7 @@ changes to either the C/C++ code in the `shell/` folder,
 the JavaScript code in the `lib/` folder, the documentation in `docs/api/`
 or tests in the `spec/` folder.

-Please be sure to run `npm run lint` from time to time on any code changes
+Please be sure to run `yarn lint` from time to time on any code changes
 to ensure that they follow the project's code style.

 See [coding style](coding-style.md) for
@@ -75,8 +84,8 @@ across multiple commits. There is no limit to the number of commits in a
 pull request.

 ```sh
-$ git add my/changed/files
-$ git commit
+git add my/changed/files
+git commit
 ```

 Note that multiple commits get squashed when they are landed.
@@ -138,8 +147,8 @@ Once you have committed your changes, it is a good idea to use `git rebase`
 (not `git merge`) to synchronize your work with the main repository.

 ```sh
-$ git fetch upstream
-$ git rebase upstream/main
+git fetch origin
+git rebase origin/main
 ```

 This ensures that your working branch has the latest changes from `electron/electron`
@@ -156,7 +165,7 @@ Before submitting your changes in a pull request, always run the full
 test suite. To run the tests:

 ```sh
-$ npm run test
+yarn test
 ```

 Make sure the linter does not report any issues and that all tests pass.
@@ -165,7 +174,7 @@ Please do not submit patches that fail either check.
 If you are updating tests and want to run a single spec to check it:

 ```sh
-$ npm run test -match=menu
+yarn test -match=menu
 ```

 The above would only run spec modules matching `menu`, which is useful for
@@ -179,13 +188,13 @@ begin the process of opening a pull request by pushing your working branch
 to your fork on GitHub.

 ```sh
-$ git push origin my-branch
+git push fork my-branch
 ```

 ### Step 9: Opening the Pull Request

 From within GitHub, opening a new pull request will present you with a template
-that should be filled out. It can be found [here](https://github.com/electron/electron/blob/main/.github/PULL_REQUEST_TEMPLATE.md).
+that should be filled out. It can be found [here](../../.github/PULL_REQUEST_TEMPLATE.md).

 If you do not adequately complete this template, your PR may be delayed in being merged as maintainers
 seek more information or clarify ambiguities.
@@ -203,9 +212,9 @@ branch, add a new commit with those changes, and push those to your fork.
 GitHub will automatically update the pull request.

 ```sh
-$ git add my/changed/files
-$ git commit
-$ git push origin my-branch
+git add my/changed/files
+git commit
+git push fork my-branch
 ```

 There are a number of more advanced mechanisms for managing commits using
@@ -213,13 +222,12 @@ There are a number of more advanced mechanisms for managing commits using

 Feel free to post a comment in the pull request to ping reviewers if you are
 awaiting an answer on something. If you encounter words or acronyms that
-seem unfamiliar, refer to this
-[glossary](https://sites.google.com/a/chromium.org/dev/glossary).
+seem unfamiliar, refer to the
+[Chromium glossary](https://sites.google.com/a/chromium.org/dev/glossary).

 #### Approval and Request Changes Workflow

-All pull requests require approval from a
-[Code Owner](https://github.com/electron/electron/blob/main/.github/CODEOWNERS)
+All pull requests require approval from a [Code Owner](../../.github/CODEOWNERS)
 of the area you modified in order to land. Whenever a maintainer reviews a pull
 request they may request changes. These may be small, such as fixing a typo, or
 may involve substantive changes. Such requests are intended to be helpful, but
--- a/docs/development/source-code-directory-structure.md
+++ b/docs/development/source-code-directory-structure.md
@@ -10,11 +10,11 @@ to understand the source code better.
 ## Project structure

 Electron is a complex project containing multiple upstream dependencies, which are tracked in source
-control via the [`DEPS`](https://github.com/electron/electron/blob/main/DEPS) file. When
+control via the [`DEPS`](../../DEPS) file. When
 [initializing a local Electron checkout](./build-instructions-gn.md), Electron's source code is just one
 of many nested folders within the project root.

-The project contains a single `src` folder that corresponds a specific git checkout of
+The project contains a single `src` folder that corresponds to a specific git checkout of
 [Chromium's `src` folder](https://source.chromium.org/chromium/chromium/src). In addition, Electron's
 repository code is contained in `src/electron` (with its own nested git repository), and other
 Electron-specific third-party dependencies (e.g. [nan](https://github.com/nodejs/nan) or
--- a/docs/development/testing.md
+++ b/docs/development/testing.md
@@ -17,7 +17,7 @@ style, run `npm run lint`, which will run a variety of linting checks
 against your changes depending on which areas of the code they touch.

 Many of these checks are included as precommit hooks, so it's likely
-you error would be caught at commit time.
+your error would be caught at commit time.

 ## Unit Tests

--- a/docs/glossary.md
+++ b/docs/glossary.md
@@ -14,7 +14,7 @@ dependency tree from `node_modules`).

 ### ASAR integrity

-ASAR integrity is an security feature that validates the contents of your app's
+ASAR integrity is a security feature that validates the contents of your app's
 ASAR archives at runtime. When enabled, your Electron app will verify the
 header hash of its ASAR archive on runtime. If no hash is present or if there is a mismatch in the
 hashes, the app will forcefully terminate.
@@ -137,9 +137,9 @@ See also: [code signing](#code-signing)

 ### OSR

-OSR (offscreen rendering) can be used for loading heavy page in
+OSR (offscreen rendering) can be used for loading a heavy page in
 background and then displaying it after (it will be much faster).
-It allows you to render page without showing it on screen.
+It allows you to render a page without showing it on screen.

 For more information, read the [Offscreen Rendering][] tutorial.

--- a/docs/tutorial/asar-archives.md
+++ b/docs/tutorial/asar-archives.md
@@ -6,7 +6,7 @@ hide_title: false
 ---

 After creating an [application distribution](application-distribution.md), the
-app's source code are usually bundled into an [ASAR archive](https://github.com/electron/asar),
+app's source code is usually bundled into an [ASAR archive](https://github.com/electron/asar),
 which is a simple extensive archive format designed for Electron apps. By bundling the app
 we can mitigate issues around long path names on Windows, speed up `require` and conceal your source
 code from cursory inspection.
@@ -134,7 +134,7 @@ underlying system calls, Electron will extract the needed file into a
 temporary file and pass the path of the temporary file to the APIs to make them
 work. This adds a little overhead for those APIs.

-APIs that requires extra unpacking are:
+APIs that require extra unpacking are:

 * `child_process.execFile`
 * `child_process.execFileSync`
--- a/docs/tutorial/asar-integrity.md
+++ b/docs/tutorial/asar-integrity.md
@@ -15,6 +15,14 @@ Currently, ASAR integrity checking is supported on:
 * macOS as of `electron>=16.0.0`
 * Windows as of `electron>=30.0.0`

+> [!NOTE]
+> ASAR integrity is fully supported in Mac App Store (MAS) builds and is recommended
+> as a best practice. While MAS-installed applications have their `Resources/` folder
+> protected by the system (owned by root), ASAR integrity still provides an additional
+> layer of security. It is especially important if you use Electron's MAS build but
+> distribute your app through channels other than the Mac App Store (such as direct
+> download), since those installations won't have the system-level read-only protections.
+
 In order to enable ASAR integrity checking, you also need to ensure that your `app.asar` file
 was generated by a version of the `@electron/asar` npm package that supports ASAR integrity.

@@ -24,7 +32,7 @@ All versions of `@electron/asar` support ASAR integrity.
 ## How it works

 Each ASAR archive contains a JSON string header. The header format includes an `integrity` object
-that contain a hex encoded hash of the entire archive as well as an array of hex encoded hashes for each
+that contains a hex encoded hash of the entire archive as well as an array of hex encoded hashes for each
 block of `blockSize` bytes.

 ```json
--- a/docs/tutorial/automated-testing.md
+++ b/docs/tutorial/automated-testing.md
@@ -203,7 +203,7 @@ test('launch app', async () => {
 })
 ```

-After that, you will access to an instance of Playwright's `ElectronApp` class. This
+After that, you will have access to an instance of Playwright's `ElectronApp` class. This
 is a powerful class that has access to main process modules for example:

 ```js {5-10} @ts-nocheck
@@ -237,7 +237,7 @@ test('save screenshot', async () => {
 })
 ```

-Putting all this together using the Playwright test-runner, let's create a `example.spec.js`
+Putting all this together using the Playwright test-runner, let's create an `example.spec.js`
 test file with a single test and assertion:

 ```js title='example.spec.js' @ts-nocheck
@@ -377,7 +377,7 @@ class TestDriver {
 module.exports = { TestDriver }
 ```

-In your app code, can then write a simple handler to receive RPC calls:
+In your app code, you can then write a simple handler to receive RPC calls:

 ```js title='main.js'
 const METHODS = {
--- a/docs/tutorial/code-signing.md
+++ b/docs/tutorial/code-signing.md
@@ -17,7 +17,7 @@ run them, users need to go through multiple advanced and manual steps.

 If you are building an Electron app that you intend to package and distribute,
 it should be code signed. The Electron ecosystem tooling makes codesigning your
-apps straightforward - this documentation explains how sign your apps on both
+apps straightforward - this documentation explains how to sign your apps on both
 Windows and macOS.

 ## Signing & notarizing macOS builds
@@ -210,7 +210,7 @@ const msiCreator = new MSICreator({
 const supportBinaries = await msiCreator.create()

 // 🆕 Step 2a: optionally sign support binaries if you
-// sign you binaries as part of of your packaging script
+// sign your binaries as part of your packaging script
 for (const binary of supportBinaries) {
  // Binaries are the new stub executable and optionally
  // the Squirrel auto updater.
--- a/docs/tutorial/custom-title-bar.md
+++ b/docs/tutorial/custom-title-bar.md
@@ -110,7 +110,7 @@ const win = new BrowserWindow({
 #### Show and hide the traffic lights programmatically _macOS_

 You can also show and hide the traffic lights programmatically from the main process.
-The `win.setWindowButtonVisibility` forces traffic lights to be show or hidden depending
+The `win.setWindowButtonVisibility` forces traffic lights to be shown or hidden depending
 on the value of its boolean parameter.

 ```js title='main.js'
--- a/Show More
+++ b/Show More