build: add v8_toolchain to darwin/x64

* build: add Linux GHA test step

* Switch to medium AKS runners

* Add missing BUILD_TYPE to restore-artifact

* Fix untar to current dir

* Remove known hosts logic

* Add missing Node.js headers step

* Fix for active SSH sessions

* Fix storing artifacts

* Build on x64 for test

.github/actions/checkout/action.yml

@@ -0,0 +1,154 @@
+name: 'Checkout'
+description: 'Checks out Electron and stores it in the AKS Cache'
+inputs:
+  generate-sas-token:
+    description: 'Whether to generate and persist a SAS token for the item in the cache'
+    required: false
+    default: 'false'
+runs:
+  using: "composite"
+  steps:
+  - name: Set GIT_CACHE_PATH to make gclient to use the cache
+    shell: bash
+    run: |
+      echo "GIT_CACHE_PATH=$(pwd)/git-cache" >> $GITHUB_ENV
+  - name: Install Dependencies
+    shell: bash
+    run: |
+      cd src/electron
+      node script/yarn install
+  - name: Get Depot Tools
+    shell: bash
+    run: |
+      git clone --depth=1 https://chromium.googlesource.com/chromium/tools/depot_tools.git
+
+      sed -i '/ninjalog_uploader_wrapper.py/d' ./depot_tools/autoninja
+      # Remove swift-format dep from cipd on macOS until we send a patch upstream.
+      cd depot_tools
+      git apply --3way ../src/electron/.github/workflows/config/gclient.diff
+
+      # Ensure depot_tools does not update.
+      test -d depot_tools && cd depot_tools
+      touch .disable_auto_update
+  - name: Add Depot Tools to PATH
+    shell: bash
+    run: echo "$(pwd)/depot_tools" >> $GITHUB_PATH
+  - name: Generate DEPS Hash
+    shell: bash
+    run: |
+      node src/electron/script/generate-deps-hash.js && cat src/electron/.depshash-target
+      echo "DEPSHASH=v1-src-cache-$(shasum src/electron/.depshash | cut -f1 -d' ')" >> $GITHUB_ENV
+  - name: Generate SAS Key
+    if: ${{ inputs.generate-sas-token == 'true' }}
+    shell: bash
+    run: |
+      curl --unix-socket /var/run/sas/sas.sock --fail "http://foo/$DEPSHASH.tar" > sas-token
+  - name: Save SAS Key
+    if: ${{ inputs.generate-sas-token == 'true' }}
+    uses: actions/cache/save@v4
+    with:
+      path: |
+        sas-token
+      key: sas-key-${{ github.run_number }}-${{ github.run_attempt }}
+  - name: Check If Cache Exists
+    id: check-cache
+    shell: bash
+    run: |
+      cache_path=/mnt/cross-instance-cache/$DEPSHASH.tar
+      echo "Using cache key: $DEPSHASH"
+      echo "Checking for cache in: $cache_path"
+      if [ ! -f "$cache_path" ]; then
+        echo "cache_exists=false" >> $GITHUB_OUTPUT
+        echo "Cache Does Not Exist for $DEPSHASH"
+      else
+        echo "cache_exists=true" >> $GITHUB_OUTPUT
+        echo "Cache Already Exists for $DEPSHASH, Skipping.."
+      fi
+  - name: Gclient Sync
+    if: steps.check-cache.outputs.cache_exists == 'false'
+    shell: bash
+    run: |
+      gclient config \
+        --name "src/electron" \
+        --unmanaged \
+        ${GCLIENT_EXTRA_ARGS} \
+        "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"
+
+      ELECTRON_USE_THREE_WAY_MERGE_FOR_PATCHES=1 gclient sync --with_branch_heads --with_tags -vvvvv
+      if [ "${{ inputs.is-release }}" != "true" ]; then
+        # Re-export all the patches to check if there were changes.
+        python3 src/electron/script/export_all_patches.py src/electron/patches/config.json
+        cd src/electron
+        git update-index --refresh || true
+        if ! git diff-index --quiet HEAD --; then
+          # There are changes to the patches. Make a git commit with the updated patches
+          git add patches
+          GIT_COMMITTER_NAME="PatchUp" GIT_COMMITTER_EMAIL="73610968+patchup[bot]@users.noreply.github.com" git commit -m "chore: update patches" --author="PatchUp <73610968+patchup[bot]@users.noreply.github.com>"
+          # Export it
+          mkdir -p ../../patches
+          git format-patch -1 --stdout --keep-subject --no-stat --full-index > ../../patches/update-patches.patch
+          if (node ./script/push-patch.js 2> /dev/null > /dev/null); then
+            echo
+            echo "======================================================================"
+            echo "Changes to the patches when applying, we have auto-pushed the diff to the current branch"
+            echo "A new CI job will kick off shortly"
+            echo "======================================================================"
+            exit 1
+          else
+            echo
+            echo "======================================================================"
+            echo "There were changes to the patches when applying."
+            echo "Check the CI artifacts for a patch you can apply to fix it."
+            echo "======================================================================"
+            exit 1
+          fi
+        fi
+      fi
+
+  # delete all .git directories under src/ except for
+  # third_party/angle/ and third_party/dawn/ because of build time generation of files
+  # gen/angle/commit.h depends on third_party/angle/.git/HEAD
+  # https://chromium-review.googlesource.com/c/angle/angle/+/2074924
+  # and dawn/common/Version_autogen.h depends on  third_party/dawn/.git/HEAD
+  # https://dawn-review.googlesource.com/c/dawn/+/83901
+  # TODO: maybe better to always leave out */.git/HEAD file for all targets ?
+  - name: Delete .git directories under src to free space
+    if: steps.check-cache.outputs.cache_exists == 'false'
+    shell: bash
+    run: |
+      cd src
+      ( find . -type d -name ".git" -not -path "./third_party/angle/*" -not -path "./third_party/dawn/*" -not -path "./electron/*" ) | xargs rm -rf
+  - name: Minimize Cache Size for Upload
+    if: steps.check-cache.outputs.cache_exists == 'false'
+    shell: bash
+    run: |
+      rm -rf src/android_webview
+      rm -rf src/ios/chrome
+      rm -rf src/third_party/blink/web_tests
+      rm -rf src/third_party/blink/perf_tests
+      rm -rf src/chrome/test/data/xr/webvr_info
+      rm -rf src/third_party/angle/third_party/VK-GL-CTS/src
+      rm -rf src/third_party/swift-toolchain
+      rm -rf src/third_party/swiftshader/tests/regres/testlists
+      rm -rf src/electron
+  - name: Compress Src Directory
+    if: steps.check-cache.outputs.cache_exists == 'false'
+    shell: bash
+    run: |
+      echo "Uncompressed src size: $(du -sh src | cut -f1 -d' ')"
+      tar -cf $DEPSHASH.tar src
+      echo "Compressed src to $(du -sh $DEPSHASH.tar | cut -f1 -d' ')"
+      cp ./$DEPSHASH.tar /mnt/cross-instance-cache/
+  - name: Persist Src Cache
+    if: steps.check-cache.outputs.cache_exists == 'false'
+    shell: bash
+    run: |
+      final_cache_path=/mnt/cross-instance-cache/$DEPSHASH.tar
+      echo "Using cache key: $DEPSHASH"
+      echo "Checking path: $final_cache_path"
+      if [ ! -f "$final_cache_path" ]; then
+        echo "Cache key not found"
+        exit 1
+      else
+        echo "Cache key persisted in $final_cache_path"
+      fi

.github/workflows/config/release/arm64/evm.mas.json

@@ -1,26 +0,0 @@
-{
-  "root": "/Users/runner/work/electron/electron/",
-  "remotes": {
-    "electron": {
-      "origin": "https://github.com/electron/electron.git"
-    }
-  },
-  "gen": {
-    "args": [
-      "import(\"//electron/build/args/release.gn\")",
-      "use_remoteexec = true",
-      "target_cpu = \"arm64\"",
-      "is_mas_build = true"
-    ],
-    "out": "Default"
-  },
-  "env": {
-    "CHROMIUM_BUILDTOOLS_PATH": "/Users/runner/work/electron/electron/src/buildtools",
-    "GIT_CACHE_PATH": "/Users/runner/work/electron/electron/.git-cache"
-  },
-  "$schema": "file:///home/builduser/.electron_build_tools/evm-config.schema.json",
-  "configValidationLevel": "strict",
-  "reclient": "remote_exec",
-  "goma": "none",
-  "preserveXcode": 5
-}

.github/workflows/config/release/x64/evm.mas.json

@@ -1,26 +0,0 @@
-{
-  "root": "/Users/runner/work/electron/electron/",
-  "remotes": {
-    "electron": {
-      "origin": "https://github.com/electron/electron.git"
-    }
-  },
-  "gen": {
-    "args": [
-      "import(\"//electron/build/args/release.gn\")",
-      "use_remoteexec = true",
-      "target_cpu = \"x64\"",
-      "is_mas_build = true"
-    ],
-    "out": "Default"
-  },
-  "env": {
-    "CHROMIUM_BUILDTOOLS_PATH": "/Users/runner/work/electron/electron/src/buildtools",
-    "GIT_CACHE_PATH": "/Users/runner/work/electron/electron/.git-cache"
-  },
-  "$schema": "file:///home/builduser/.electron_build_tools/evm-config.schema.json",
-  "configValidationLevel": "strict",
-  "reclient": "remote_exec",
-  "goma": "none",
-  "preserveXcode": 5
-}

.github/workflows/config/testing/arm64/evm.mas.json

@@ -1,25 +0,0 @@
-{
-  "root": "/Users/runner/work/electron/electron/",
-  "remotes": {
-    "electron": {
-      "origin": "https://github.com/electron/electron.git"
-    }
-  },
-  "gen": {
-    "args": [
-      "import(\"//electron/build/args/testing.gn\")",
-      "use_remoteexec = true",
-      "is_mas_build = true"
-    ],
-    "out": "Default"
-  },
-  "env": {
-    "CHROMIUM_BUILDTOOLS_PATH": "/Users/runner/work/electron/electron/src/buildtools",
-    "GIT_CACHE_PATH": "/Users/runner/work/electron/electron/.git-cache"
-  },
-  "$schema": "file:///home/builduser/.electron_build_tools/evm-config.schema.json",
-  "configValidationLevel": "strict",
-  "reclient": "remote_exec",
-  "goma": "none",
-  "preserveXcode": 5
-}

.github/workflows/config/testing/x64/evm.mas.json

@@ -1,26 +0,0 @@
-{
-  "root": "/Users/runner/work/electron/electron/",
-  "remotes": {
-    "electron": {
-      "origin": "https://github.com/electron/electron.git"
-    }
-  },
-  "gen": {
-    "args": [
-      "import(\"//electron/build/args/testing.gn\")",
-      "use_remoteexec = true",
-      "target_cpu = \"x64\"",
-      "is_mas_build = true"
-    ],
-    "out": "Default"
-  },
-  "env": {
-    "CHROMIUM_BUILDTOOLS_PATH": "/Users/runner/work/electron/electron/src/buildtools",
-    "GIT_CACHE_PATH": "/Users/runner/work/electron/electron/.git-cache"
-  },
-  "$schema": "file:///home/builduser/.electron_build_tools/evm-config.schema.json",
-  "configValidationLevel": "strict",
-  "reclient": "remote_exec",
-  "goma": "none",
-  "preserveXcode": 5
-}

.github/workflows/linux-build.yml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   build:
-    uses: electron/electron/.github/workflows/linux-pipeline.yml@main
+    uses: ./.github/workflows/linux-pipeline.yml
     with:
       is-release: false
       gn-config: //electron/build/args/testing.gn

.github/workflows/linux-pipeline.yml

@@ -1,4 +1,4 @@
-name: Pipeline Linux
+name: Linux Pipeline
 
 on:
   workflow_call:
@@ -34,54 +34,81 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
-  AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
-  AZURE_STORAGE_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }}
   ELECTRON_ARTIFACTS_BLOB_STORAGE: ${{ secrets.ELECTRON_ARTIFACTS_BLOB_STORAGE }}
   ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
   ELECTRON_GITHUB_TOKEN: ${{ secrets.ELECTRON_GITHUB_TOKEN }}
   GN_CONFIG: ${{ inputs.gn-config }}
   # Disable pre-compiled headers to reduce out size - only useful for rebuilds
   GN_BUILDFLAG_ARGS: 'enable_precompiled_headers = false'
-  GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
-  CHECK_DIST_MANIFEST: '1'
+  GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
+  # Only disable this in the Asan build
+  CHECK_DIST_MANIFEST: true
   IS_GHA_RELEASE: true
   ELECTRON_OUT_DIR: Default
 
 jobs:
   checkout:
-    runs-on: LargeLinuxRunner
+    runs-on: aks-linux-large
+    container:
+      image: ghcr.io/electron/build:latest
+      options: --user root
+      volumes:
+        - /mnt/cross-instance-cache:/mnt/cross-instance-cache
     steps:
     - name: Checkout Electron
       uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
       with:
         path: src/electron
-    - name: Set GIT_CACHE_PATH to make gclient to use the cache
+        fetch-depth: 0
+    - name: Checkout & Sync & Save
+      uses: ./src/electron/.github/actions/checkout
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        build-arch: [ x64 ] # arm64, arm 
+    env: 
+      TARGET_ARCH: ${{ matrix.build-arch }}
+    runs-on: aks-linux-large
+    container:
+      image: ghcr.io/electron/build:latest
+      options: --user root
+      volumes:
+        - /mnt/cross-instance-cache:/mnt/cross-instance-cache
+    needs: checkout
+    steps:
+    - name: Load Build Tools
       run: |
-        echo "GIT_CACHE_PATH=$(pwd)/git-cache" >> $GITHUB_ENV
-    - name: Setup Node.js/npm
-      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
+        export BUILD_TOOLS_SHA=ef894bc3cfa99d84a3b731252da0f83f500e4032
+        npm i -g @electron/build-tools
+        e auto-update disable
+        e init --root=$(pwd) --out=Default ${{ inputs.gn-build-type }} --import ${{ inputs.gn-build-type }} --target-cpu ${{ matrix.build-arch }}
+    - name: Checkout Electron
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
       with:
-        node-version: 20.11.x
-        cache: yarn
-        cache-dependency-path: src/electron/yarn.lock
+        path: src/electron
+        fetch-depth: 0
     - name: Install Dependencies
       run: |
         cd src/electron
         node script/yarn install
+    - name: Set GN_EXTRA_ARGS
+      run: |
+        if [ "${{ matrix.build-arch  }}" = "arm" ]; then
+          GN_EXTRA_ARGS='target_cpu="arm" build_tflite_with_xnnpack=false'
+        elif [ "${{ matrix.build-arch }}" = "arm64" ]; then
+          GN_EXTRA_ARGS='target_cpu="arm64" fatal_linker_warnings=false enable_linux_installer=false'
+        fi
+        echo "GN_EXTRA_ARGS=$GN_EXTRA_ARGS" >> $GITHUB_ENV
     - name: Get Depot Tools
       timeout-minutes: 5
       run: |
         git clone --depth=1 https://chromium.googlesource.com/chromium/tools/depot_tools.git
-        if [ "`uname`" == "Darwin" ]; then
-          # remove ninjalog_uploader_wrapper.py from autoninja since we don't use it and it causes problems
-          sed -i '' '/ninjalog_uploader_wrapper.py/d' ./depot_tools/autoninja
-        else
-          sed -i '/ninjalog_uploader_wrapper.py/d' ./depot_tools/autoninja
-          # Remove swift-format dep from cipd on macOS until we send a patch upstream.
-          cd depot_tools
-          git apply --3way ../src/electron/.github/workflows/config/gclient.diff
-        fi
+
+        sed -i '/ninjalog_uploader_wrapper.py/d' ./depot_tools/autoninja
+        cd depot_tools
+        git apply --3way ../src/electron/.github/workflows/config/gclient.diff
+
         # Ensure depot_tools does not update.
         test -d depot_tools && cd depot_tools
         touch .disable_auto_update
@@ -91,100 +118,388 @@ jobs:
       run: |
         node src/electron/script/generate-deps-hash.js && cat src/electron/.depshash-target
         echo "DEPSHASH=v1-src-cache-$(shasum src/electron/.depshash | cut -f1 -d' ')" >> $GITHUB_ENV
-    - name: Check If Cache Exists
-      id: check-cache
+    - name: Restore and Ensure Src Cache
       run: |
-        exists_json=$(az storage blob exists \
-          --account-name $AZURE_STORAGE_ACCOUNT \
-          --account-key $AZURE_STORAGE_KEY \
-          --container-name $AZURE_STORAGE_CONTAINER_NAME \
-          --name $DEPSHASH)
-
-        cache_exists=$(echo $exists_json | jq -r '.exists')
-        echo "cache_exists=$cache_exists" >> $GITHUB_OUTPUT
-
-        if (test "$cache_exists" = "true"); then
-          echo "Cache Exists for $DEPSHASH"
+        cache_path=/mnt/cross-instance-cache/$DEPSHASH.tar
+        echo "Using cache key: $DEPSHASH"
+        echo "Checking for cache in: $cache_path"
+        if [ ! -f "$cache_path" ]; then
+          echo "Cache Does Not Exist for $DEPSHASH - exiting"
+          exit 1
         else
-          echo "Cache Does Not Exist for $DEPSHASH"
+          echo "Found Cache for $DEPSHASH at $cache_path"
         fi
-    - name: Gclient Sync
-      if: steps.check-cache.outputs.cache_exists == 'false'
+
+        echo "Persisted cache is $(du -sh $cache_path | cut -f1)"
+        mkdir temp-cache
+        tar -xf $cache_path -C temp-cache
+        echo "Unzipped cache is $(du -sh temp-cache/src | cut -f1)"
+
+        if [ -d "temp-cache/src" ]; then
+          echo "Relocating Cache"
+          rm -rf src
+          mv temp-cache/src src
+        fi
+
+        if [ ! -d "src/third_party/blink" ]; then
+          echo "Cache was not correctly restored - exiting"
+          exit 1
+        fi
+
+        echo "Wiping Electron Directory"
+        rm -rf src/electron
+    - name: Checkout Electron
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+      with:
+        path: src/electron
+        fetch-depth: 0
+    - name: Run Electron Only Hooks
       run: |
-        gclient config \
-          --name "src/electron" \
-          --unmanaged \
-          ${GCLIENT_EXTRA_ARGS} \
-          "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"
+        echo "Running Electron Only Hooks"
+        gclient runhooks --spec="solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False},'managed':False}]"
+    - name: Regenerate DEPS Hash
+      run: |
+        (cd src/electron && git checkout .) && node src/electron/script/generate-deps-hash.js && cat src/electron/.depshash-target
+        echo "DEPSHASH=$(shasum src/electron/.depshash | cut -f1 -d' ')" >> $GITHUB_ENV
+    - name: Add CHROMIUM_BUILDTOOLS_PATH to env
+      run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
+    - name: Install build-tools & Setup RBE
+      run: |
+        echo "NUMBER_OF_NINJA_PROCESSES=300" >> $GITHUB_ENV
+        cd ~/.electron_build_tools
+        npx yarn --ignore-engines
 
-        ELECTRON_USE_THREE_WAY_MERGE_FOR_PATCHES=1 gclient sync --with_branch_heads --with_tags -vvvvv
-        if [ ${{ inputs.is-release != true }} ]; then
-          # Re-export all the patches to check if there were changes.
-          python3 src/electron/script/export_all_patches.py src/electron/patches/config.json
-          cd src/electron
-          git update-index --refresh || true
-          if ! git diff-index --quiet HEAD --; then
-            # There are changes to the patches. Make a git commit with the updated patches
-            git add patches
-            GIT_COMMITTER_NAME="PatchUp" GIT_COMMITTER_EMAIL="73610968+patchup[bot]@users.noreply.github.com" git commit -m "chore: update patches" --author="PatchUp <73610968+patchup[bot]@users.noreply.github.com>"
-            # Export it
-            mkdir -p ../../patches
-            git format-patch -1 --stdout --keep-subject --no-stat --full-index > ../../patches/update-patches.patch
-            if (node ./script/push-patch.js 2> /dev/null > /dev/null); then
-              echo
-              echo "======================================================================"
-              echo "Changes to the patches when applying, we have auto-pushed the diff to the current branch"
-              echo "A new CI job will kick off shortly"
-              echo "======================================================================"
-              exit 1
-            else
-              echo
-              echo "======================================================================"
-              echo "There were changes to the patches when applying."
-              echo "Check the CI artifacts for a patch you can apply to fix it."
-              echo "======================================================================"
-              exit 1
-            fi
-          fi
-        fi
+        # Pull down credential helper and print status
+        node -e "require('./src/utils/reclient.js').downloadAndPrepare({})"
+        HELPER=$(node -p "require('./src/utils/reclient.js').helperPath({})")
+        $HELPER login
 
-    # delete all .git directories under src/ except for
-    # third_party/angle/ and third_party/dawn/ because of build time generation of files
-    # gen/angle/commit.h depends on third_party/angle/.git/HEAD
-    # https://chromium-review.googlesource.com/c/angle/angle/+/2074924
-    # and dawn/common/Version_autogen.h depends on  third_party/dawn/.git/HEAD
-    # https://dawn-review.googlesource.com/c/dawn/+/83901
-    # TODO: maybe better to always leave out */.git/HEAD file for all targets ?
-    - name: Delete .git directories under src to free space
-      if: steps.check-cache.outputs.cache_exists == 'false'
+        echo 'RBE_service='`node -e "console.log(require('./src/utils/reclient.js').serviceAddress)"` >> $GITHUB_ENV
+        echo 'RBE_experimental_credentials_helper='`node -e "console.log(require('./src/utils/reclient.js').helperPath({}))"` >> $GITHUB_ENV
+        echo 'RBE_experimental_credentials_helper_args=print' >> $GITHUB_ENV
+    - name: Build Electron
+      run: |
+        cd src/electron
+        # TODO(codebytere): remove this once we figure out why .git/packed-refs is initially missing
+        git pack-refs
+        cd ..
+
+        NINJA_SUMMARIZE_BUILD=1 e build -j $NUMBER_OF_NINJA_PROCESSES
+        cp out/Default/.ninja_log out/electron_ninja_log
+        node electron/script/check-symlinks.js
+    - name: Build Electron dist.zip
       run: |
         cd src
-        ( find . -type d -name ".git" -not -path "./third_party/angle/*" -not -path "./third_party/dawn/*" -not -path "./electron/*" ) | xargs rm -rf
-    - name: Minimize Cache Size for Upload
-      if: steps.check-cache.outputs.cache_exists == 'false'
+        e build electron:electron_dist_zip -j $NUMBER_OF_NINJA_PROCESSES
+        if [ "${{ env.CHECK_DIST_MANIFEST }}" = "true" ]; then
+          target_os=linux
+          target_cpu=${{ matrix.build-arch }}
+          electron/script/zip_manifests/check-zip-manifest.py out/Default/dist.zip electron/script/zip_manifests/dist_zip.$target_os.${{ matrix.build-arch }}.manifest
+        fi
+    - name: Build Mksnapshot
       run: |
-        rm -rf src/android_webview
-        rm -rf src/ios/chrome
-        rm -rf src/third_party/blink/web_tests
-        rm -rf src/third_party/blink/perf_tests
-        rm -rf src/chrome/test/data/xr/webvr_info
-        rm -rf src/third_party/angle/third_party/VK-GL-CTS/src
-        rm -rf src/third_party/swift-toolchain
-        rm -rf src/third_party/swiftshader/tests/regres/testlists
-        rm -rf src/electron
-    - name: Compress Src Directory
-      if: steps.check-cache.outputs.cache_exists == 'false'
+        cd src
+        e build electron:electron_mksnapshot -j $NUMBER_OF_NINJA_PROCESSES
+        gn desc out/Default v8:run_mksnapshot_default args > out/Default/mksnapshot_args
+
+        # Remove unused args from mksnapshot_args
+        SEDOPTION="-i"
+        sed $SEDOPTION '/.*builtins-pgo/d' out/Default/mksnapshot_args
+        sed $SEDOPTION '/--turbo-profiling-input/d' out/Default/mksnapshot_args
+        sed $SEDOPTION '/The gn arg use_goma=true .*/d' out/Default/mksnapshot_args
+
+        if [ "${{ matrix.build-arch }}" = "arm" ]; then
+          electron/script/strip-binaries.py --file $PWD/out/Default/clang_x86_v8_arm/mksnapshot
+          electron/script/strip-binaries.py --file $PWD/out/Default/clang_x86_v8_arm/v8_context_snapshot_generator
+        elif [ "${{ matrix.build-arch }}" = "arm64" ]; then
+          electron/script/strip-binaries.py --file $PWD/out/Default/clang_x64_v8_arm64/mksnapshot
+          electron/script/strip-binaries.py --file $PWD/out/Default/clang_x64_v8_arm64/v8_context_snapshot_generator
+        else
+          electron/script/strip-binaries.py --file $PWD/out/Default/mksnapshot
+          electron/script/strip-binaries.py --file $PWD/out/Default/v8_context_snapshot_generator
+        fi
+
+        e build electron:electron_mksnapshot_zip -j $NUMBER_OF_NINJA_PROCESSES
+        (cd out/Default; zip mksnapshot.zip mksnapshot_args gen/v8/embedded.S)
+    - name: Generate Cross-Arch Snapshot (arm/arm64)
+      if: ${{ matrix.build-arch == 'arm' || matrix.build-arch == 'arm64' }}
       run: |
-        echo "Uncompressed src size: $(du -sh src | cut -f1 -d' ')"
-        tar -cvf $DEPSHASH.tar src
-        echo "Compressed src to $(du -sh $DEPSHASH.tar | cut -f1 -d' ')"
-    - name: Upload Compressed Src Cache to Azure
-      if: steps.check-cache.outputs.cache_exists == 'false'
+        cd src
+        if [ "${{ matrix.build-arch }}" = "arm" ]; then
+          MKSNAPSHOT_PATH="clang_x86_v8_arm"
+        elif [ "${{ matrix.build-arch }}" = "arm64" ]; then
+          MKSNAPSHOT_PATH="clang_x64_v8_arm64"
+        fi
+
+        cp "out/Default/$MKSNAPSHOT_PATH/mksnapshot" out/Default
+        cp "out/Default/$MKSNAPSHOT_PATH/v8_context_snapshot_generator" out/Default
+        cp "out/Default/$MKSNAPSHOT_PATH/libffmpeg.so" out/Default
+
+        python3 electron/script/verify-mksnapshot.py --source-root "$PWD" --build-dir out/Default --create-snapshot-only
+        mkdir cross-arch-snapshots
+        cp out/Default-mksnapshot-test/*.bin cross-arch-snapshots
+        # Clean up so that ninja does not get confused
+        rm -f out/Default/libffmpeg.so
+    - name: Build Chromedriver
       run: |
-        az storage blob upload \
-          --account-name $AZURE_STORAGE_ACCOUNT \
-          --account-key $AZURE_STORAGE_KEY \
-          --container-name $AZURE_STORAGE_CONTAINER_NAME \
-          --file $DEPSHASH.tar \
-          --name $DEPSHASH \
-          --debug
+        cd src
+        e build electron:electron_chromedriver -j $NUMBER_OF_NINJA_PROCESSES
+        e build electron:electron_chromedriver_zip
+    - name: Build Node.js headers
+      run: |
+        cd src
+        e build electron:node_headers
+    - name: Generate & Zip Symbols
+      run: |
+        # Generate breakpad symbols on release builds
+        if [ "${{ inputs.generate-symbols }}" = "true" ]; then
+          e build electron:electron_symbols
+        fi
+        cd src
+        export BUILD_PATH="$(pwd)/out/Default"
+        e build electron:licenses
+        e build electron:electron_version_file
+        if [ "${{ inputs.is-release }}" = "true" ]; then
+          DELETE_DSYMS_AFTER_ZIP=1 electron/script/zip-symbols.py -b $BUILD_PATH
+        else
+          electron/script/zip-symbols.py -b $BUILD_PATH
+        fi
+    - name: Generate FFMpeg
+      if: ${{ inputs.is-release }}
+      run: |
+        cd src
+        gn gen out/ffmpeg --args="import(\"//electron/build/args/ffmpeg.gn\") use_remoteexec=true $GN_EXTRA_ARGS"
+        autoninja -C out/ffmpeg electron:electron_ffmpeg_zip -j $NUMBER_OF_NINJA_PROCESSES
+    - name: Generate Hunspell Dictionaries
+      if: ${{ inputs.is-release }}
+      run: |
+        cd src
+        autoninja -C out/Default electron:hunspell_dictionaries_zip -j $NUMBER_OF_NINJA_PROCESSES
+    - name: Generate Libcxx
+      if: ${{ inputs.is-release }}
+      run: |
+        cd src
+        autoninja -C out/Default electron:libcxx_headers_zip -j $NUMBER_OF_NINJA_PROCESSES
+        autoninja -C out/Default electron:libcxxabi_headers_zip -j $NUMBER_OF_NINJA_PROCESSES
+        autoninja -C out/Default electron:libcxx_objects_zip -j $NUMBER_OF_NINJA_PROCESSES
+    - name: Publish Electron Dist
+      if: ${{ inputs.is-release }}
+      run: |
+        rm -rf src/out/Default/obj
+        cd src/electron
+        if [ "${{ inputs.upload-to-storage }}" = "1" ]; then
+          echo 'Uploading Electron release distribution to Azure'
+          script/release/uploaders/upload.py --verbose --upload_to_storage
+        else
+          echo 'Uploading Electron release distribution to GitHub releases'
+          script/release/uploaders/upload.py --verbose
+        fi
+    - name: Move all Generated Artifacts to Upload Folder
+      run: ./src/electron/script/actions/move-artifacts.sh
+    - name: Upload Generated Artifacts
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
+      with:
+        name: generated_artifacts_linux_${{ matrix.build-arch }}
+        path: ./generated_artifacts_linux_${{ matrix.build-arch }}
+  test:
+    if: ${{ inputs.is-release == false }}
+    runs-on: aks-linux-medium
+    container:
+      image: ghcr.io/electron/build:latest
+      options: --user root
+    needs: build
+    strategy:
+      fail-fast: false
+      matrix:
+        build-arch: [ arm64 ] # x64, arm 
+    env:
+      TARGET_ARCH: ${{ matrix.build-arch }}
+    steps:
+    - name: Load Build Tools
+      run: |
+        export BUILD_TOOLS_SHA=ef894bc3cfa99d84a3b731252da0f83f500e4032
+        npm i -g @electron/build-tools
+        e auto-update disable
+        e init --root=$(pwd) --out=Default ${{ inputs.gn-build-type }}
+    - name: Checkout Electron
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+      with:
+        path: src/electron
+        fetch-depth: 0
+    - name: Install Dependencies
+      run: |
+        cd src/electron
+        node script/yarn install
+    - name: Get Depot Tools
+      timeout-minutes: 5
+      run: |
+        git clone --depth=1 https://chromium.googlesource.com/chromium/tools/depot_tools.git
+
+        sed -i '/ninjalog_uploader_wrapper.py/d' ./depot_tools/autoninja
+        cd depot_tools
+        git apply --3way ../src/electron/.github/workflows/config/gclient.diff
+
+        # Ensure depot_tools does not update.
+        test -d depot_tools && cd depot_tools
+        touch .disable_auto_update
+    - name: Add Depot Tools to PATH
+      run: echo "$(pwd)/depot_tools" >> $GITHUB_PATH
+    - name: Download Generated Artifacts
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
+      with:
+        name: generated_artifacts_linux_${{ matrix.build-arch }}
+        path: ./generated_artifacts_linux_${{ matrix.build-arch }}
+    - name: Restore Generated Artifacts
+      run: ./src/electron/script/actions/restore-artifacts.sh
+    - name: Unzip Dist, Mksnapshot & Chromedriver
+      run: |
+        cd src/out/Default
+        unzip -:o dist.zip
+        unzip -:o chromedriver.zip
+        unzip -:o mksnapshot.zip
+    - name: Setup for headless testing
+      run: sh -e /etc/init.d/xvfb start
+    - name: Run Electron Tests
+      env:
+        MOCHA_REPORTER: mocha-multi-reporters
+        ELECTRON_TEST_RESULTS_DIR: junit
+        MOCHA_MULTI_REPORTERS: mocha-junit-reporter, tap
+        ELECTRON_DISABLE_SECURITY_WARNINGS: 1
+        ELECTRON_SKIP_NATIVE_MODULE_TESTS: true
+      run: |
+        cd src/electron
+        node script/yarn test --runners=main --trace-uncaught --enable-logging
+    - name: Wait for active SSH sessions
+      if: always() && !cancelled()
+      run: |
+        while [ -f /var/.ssh-lock ]
+        do
+          sleep 60
+        done
+  node-tests:
+    name: Run Node.js Tests
+    if: ${{ inputs.is-release == false }}
+    runs-on: aks-linux-medium
+    needs: build
+    timeout-minutes: 20
+    env: 
+      TARGET_ARCH: x64
+    container:
+      image: ghcr.io/electron/build:latest
+      options: --user root
+    steps:
+    - name: Load Build Tools
+      run: |
+        export BUILD_TOOLS_SHA=ef894bc3cfa99d84a3b731252da0f83f500e4032
+        npm i -g @electron/build-tools
+        e auto-update disable
+        e init --root=$(pwd) --out=Default ${{ inputs.gn-build-type }}
+    - name: Checkout Electron
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+      with:
+        path: src/electron
+        fetch-depth: 0
+    - name: Install Dependencies
+      run: |
+        cd src/electron
+        node script/yarn install
+    - name: Get Depot Tools
+      timeout-minutes: 5
+      run: |
+        git clone --depth=1 https://chromium.googlesource.com/chromium/tools/depot_tools.git
+        sed -i '/ninjalog_uploader_wrapper.py/d' ./depot_tools/autoninja
+        cd depot_tools
+        git apply --3way ../src/electron/.github/workflows/config/gclient.diff
+        # Ensure depot_tools does not update.
+        test -d depot_tools && cd depot_tools
+        touch .disable_auto_update
+    - name: Add Depot Tools to PATH
+      run: echo "$(pwd)/depot_tools" >> $GITHUB_PATH
+    - name: Download Generated Artifacts
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
+      with:
+        name: generated_artifacts_linux_${{ env.TARGET_ARCH }}
+        path: ./generated_artifacts_linux_${{ env.TARGET_ARCH }}
+    - name: Restore Generated Artifacts
+      run: ./src/electron/script/actions/restore-artifacts.sh
+    - name: Unzip Dist
+      run: |
+        cd src/out/Default
+        unzip -:o dist.zip
+    - name: Setup Linux for Headless Testing
+      run: sh -e /etc/init.d/xvfb start
+    - name: Run Node.js Tests
+      run: |
+        cd src
+        node electron/script/node-spec-runner.js --default --jUnitDir=junit
+    - name: Wait for active SSH sessions
+      if: always() && !cancelled()
+      run: |
+        while [ -f /var/.ssh-lock ]
+        do
+          sleep 60
+        done
+  nan-tests:
+    name: Run Nan Tests
+    if: ${{ inputs.is-release == false }}
+    runs-on: aks-linux-medium
+    needs: build
+    timeout-minutes: 20
+    env: 
+      TARGET_ARCH: x64
+    container:
+      image: ghcr.io/electron/build:latest
+      options: --user root
+    steps:
+    - name: Load Build Tools
+      run: |
+        export BUILD_TOOLS_SHA=ef894bc3cfa99d84a3b731252da0f83f500e4032
+        npm i -g @electron/build-tools
+        e auto-update disable
+        e init --root=$(pwd) --out=Default ${{ inputs.gn-build-type }}
+    - name: Checkout Electron
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+      with:
+        path: src/electron
+        fetch-depth: 0
+    - name: Install Dependencies
+      run: |
+        cd src/electron
+        node script/yarn install
+    - name: Get Depot Tools
+      timeout-minutes: 5
+      run: |
+        git clone --depth=1 https://chromium.googlesource.com/chromium/tools/depot_tools.git
+        sed -i '/ninjalog_uploader_wrapper.py/d' ./depot_tools/autoninja
+        cd depot_tools
+        git apply --3way ../src/electron/.github/workflows/config/gclient.diff
+        # Ensure depot_tools does not update.
+        test -d depot_tools && cd depot_tools
+        touch .disable_auto_update
+    - name: Add Depot Tools to PATH
+      run: echo "$(pwd)/depot_tools" >> $GITHUB_PATH
+    - name: Download Generated Artifacts
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
+      with:
+        name: generated_artifacts_linux_${{ env.TARGET_ARCH }}
+        path: ./generated_artifacts_linux_${{ env.TARGET_ARCH }}
+    - name: Restore Generated Artifacts
+      run: ./src/electron/script/actions/restore-artifacts.sh
+    - name: Unzip Dist
+      run: |
+        cd src/out/Default
+        unzip -:o dist.zip
+    - name: Setup Linux for Headless Testing
+      run: sh -e /etc/init.d/xvfb start
+    - name: Run Node.js Tests
+      run: |
+        cd src
+        node electron/script/nan-spec-runner.js
+    - name: Wait for active SSH sessions
+      if: always() && !cancelled()
+      run: |
+        while [ -f /var/.ssh-lock ]
+        do
+          sleep 60
+        done
+

.github/workflows/linux-publish.yml

@@ -8,14 +8,14 @@ on:
         required: false
         default: '1'
         type: string
-      run-macos-publish:
+      run-linux-publish:
         description: 'Run the publish jobs vs just the build jobs'
         type: boolean
         default: false
 
 jobs:
   publish:
-    uses: electron/electron/.github/workflows/linux-pipeline.yml@main
+    uses: ./.github/workflows/linux-pipeline.yml
     with:
       is-release: true
       gn-config: //electron/build/args/release.gn

.github/workflows/macos-build.yml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   build:
-    uses: electron/electron/.github/workflows/macos-pipeline.yml@main
+    uses: ./.github/workflows/macos-pipeline.yml
     with:
       is-release: false
       gn-config: //electron/build/args/testing.gn

.github/workflows/macos-pipeline.yml

@@ -1,4 +1,4 @@
-name: Build MacOS
+name: MacOS Pipeline
 
 on:
   workflow_call:
@@ -34,161 +34,39 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
-  AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
-  AZURE_STORAGE_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }}
+  AZURE_AKS_CACHE_STORAGE_ACCOUNT: ${{ secrets.AZURE_AKS_CACHE_STORAGE_ACCOUNT }}
+  AZURE_AKS_CACHE_SHARE_NAME: ${{ secrets.AZURE_AKS_CACHE_SHARE_NAME }}
   ELECTRON_ARTIFACTS_BLOB_STORAGE: ${{ secrets.ELECTRON_ARTIFACTS_BLOB_STORAGE }}
   ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
   ELECTRON_GITHUB_TOKEN: ${{ secrets.ELECTRON_GITHUB_TOKEN }}
   GN_CONFIG: ${{ inputs.gn-config }}
   # Disable pre-compiled headers to reduce out size - only useful for rebuilds
-  GN_BUILDFLAG_ARGS: 'enable_precompiled_headers = false'
+  GN_BUILDFLAG_ARGS: 'enable_precompiled_headers=false'
   GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
-  CHECK_DIST_MANIFEST: '1'
+  # Only disable this in the Asan build
+  CHECK_DIST_MANIFEST: true
   IS_GHA_RELEASE: true
   ELECTRON_OUT_DIR: Default
 
 jobs:
   checkout:
-    runs-on: LargeLinuxRunner
+    runs-on: aks-linux-large
+    container:
+      image: ghcr.io/electron/build:latest
+      options: --user root
+      volumes:
+        - /mnt/cross-instance-cache:/mnt/cross-instance-cache
+        - /var/run/sas:/var/run/sas
     steps:
     - name: Checkout Electron
       uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
       with:
         path: src/electron
         fetch-depth: 0
-    - name: Set GIT_CACHE_PATH to make gclient to use the cache
-      run: |
-        echo "GIT_CACHE_PATH=$(pwd)/git-cache" >> $GITHUB_ENV
-    - name: Setup Node.js/npm
-      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
+    - name: Checkout & Sync & Save
+      uses: ./src/electron/.github/actions/checkout
       with:
-        node-version: 20.11.x
-        cache: yarn
-        cache-dependency-path: src/electron/yarn.lock
-    - name: Install Dependencies
-      run: |
-        cd src/electron
-        node script/yarn install
-    - name: Get Depot Tools
-      timeout-minutes: 5
-      run: |
-        git clone --depth=1 https://chromium.googlesource.com/chromium/tools/depot_tools.git
-        if [ "`uname`" == "Darwin" ]; then
-          # remove ninjalog_uploader_wrapper.py from autoninja since we don't use it and it causes problems
-          sed -i '' '/ninjalog_uploader_wrapper.py/d' ./depot_tools/autoninja
-        else
-          sed -i '/ninjalog_uploader_wrapper.py/d' ./depot_tools/autoninja
-          # Remove swift-format dep from cipd on macOS until we send a patch upstream.
-          cd depot_tools
-          git apply --3way ../src/electron/.github/workflows/config/gclient.diff
-        fi
-        # Ensure depot_tools does not update.
-        test -d depot_tools && cd depot_tools
-        touch .disable_auto_update
-    - name: Add Depot Tools to PATH
-      run: echo "$(pwd)/depot_tools" >> $GITHUB_PATH
-    - name: Generate DEPS Hash
-      run: |
-        node src/electron/script/generate-deps-hash.js && cat src/electron/.depshash-target
-        echo "DEPSHASH=v1-src-cache-$(shasum src/electron/.depshash | cut -f1 -d' ')" >> $GITHUB_ENV
-    - name: Check If Cache Exists
-      id: check-cache
-      run: |
-        exists_json=$(az storage blob exists \
-          --account-name $AZURE_STORAGE_ACCOUNT \
-          --account-key $AZURE_STORAGE_KEY \
-          --container-name $AZURE_STORAGE_CONTAINER_NAME \
-          --name $DEPSHASH)
-
-        cache_exists=$(echo $exists_json | jq -r '.exists')
-        echo "cache_exists=$cache_exists" >> $GITHUB_OUTPUT
-
-        if (test "$cache_exists" = "true"); then
-          echo "Cache Exists for $DEPSHASH"
-        else
-          echo "Cache Does Not Exist for $DEPSHASH"
-        fi
-    - name: Gclient Sync
-      if: steps.check-cache.outputs.cache_exists == 'false'
-      run: |
-        gclient config \
-          --name "src/electron" \
-          --unmanaged \
-          ${GCLIENT_EXTRA_ARGS} \
-          "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"
-
-        ELECTRON_USE_THREE_WAY_MERGE_FOR_PATCHES=1 gclient sync --with_branch_heads --with_tags -vvvvv
-        if [ ${{ inputs.is-release != true }}]; then
-          # Re-export all the patches to check if there were changes.
-          python3 src/electron/script/export_all_patches.py src/electron/patches/config.json
-          cd src/electron
-          git update-index --refresh || true
-          if ! git diff-index --quiet HEAD --; then
-            # There are changes to the patches. Make a git commit with the updated patches
-            git add patches
-            GIT_COMMITTER_NAME="PatchUp" GIT_COMMITTER_EMAIL="73610968+patchup[bot]@users.noreply.github.com" git commit -m "chore: update patches" --author="PatchUp <73610968+patchup[bot]@users.noreply.github.com>"
-            # Export it
-            mkdir -p ../../patches
-            git format-patch -1 --stdout --keep-subject --no-stat --full-index > ../../patches/update-patches.patch
-            if (node ./script/push-patch.js 2> /dev/null > /dev/null); then
-              echo
-              echo "======================================================================"
-              echo "Changes to the patches when applying, we have auto-pushed the diff to the current branch"
-              echo "A new CI job will kick off shortly"
-              echo "======================================================================"
-              exit 1
-            else
-              echo
-              echo "======================================================================"
-              echo "There were changes to the patches when applying."
-              echo "Check the CI artifacts for a patch you can apply to fix it."
-              echo "======================================================================"
-              exit 1
-            fi
-          fi
-        fi
-
-    # delete all .git directories under src/ except for
-    # third_party/angle/ and third_party/dawn/ because of build time generation of files
-    # gen/angle/commit.h depends on third_party/angle/.git/HEAD
-    # https://chromium-review.googlesource.com/c/angle/angle/+/2074924
-    # and dawn/common/Version_autogen.h depends on  third_party/dawn/.git/HEAD
-    # https://dawn-review.googlesource.com/c/dawn/+/83901
-    # TODO: maybe better to always leave out */.git/HEAD file for all targets ?
-    - name: Delete .git directories under src to free space
-      if: steps.check-cache.outputs.cache_exists == 'false'
-      run: |
-        cd src
-        ( find . -type d -name ".git" -not -path "./third_party/angle/*" -not -path "./third_party/dawn/*" -not -path "./electron/*" ) | xargs rm -rf
-    - name: Minimize Cache Size for Upload
-      if: steps.check-cache.outputs.cache_exists == 'false'
-      run: |
-        rm -rf src/android_webview
-        rm -rf src/ios/chrome
-        rm -rf src/third_party/blink/web_tests
-        rm -rf src/third_party/blink/perf_tests
-        rm -rf src/chrome/test/data/xr/webvr_info
-        rm -rf src/third_party/angle/third_party/VK-GL-CTS/src
-        rm -rf src/third_party/swift-toolchain
-        rm -rf src/third_party/swiftshader/tests/regres/testlists
-        rm -rf src/electron
-    - name: Compress Src Directory
-      if: steps.check-cache.outputs.cache_exists == 'false'
-      run: |
-        echo "Uncompressed src size: $(du -sh src | cut -f1 -d' ')"
-        tar -cvf $DEPSHASH.tar src
-        echo "Compressed src to $(du -sh $DEPSHASH.tar | cut -f1 -d' ')"
-    - name: Upload Compressed Src Cache to Azure
-      if: steps.check-cache.outputs.cache_exists == 'false'
-      run: |
-        az storage blob upload \
-          --account-name $AZURE_STORAGE_ACCOUNT \
-          --account-key $AZURE_STORAGE_KEY \
-          --container-name $AZURE_STORAGE_CONTAINER_NAME \
-          --file $DEPSHASH.tar \
-          --name $DEPSHASH \
-          --debug
+        generate-sas-token: 'true'
   build:
     strategy:
       fail-fast: false
@@ -198,14 +76,15 @@ jobs:
     # More runner information: https://github.com/actions/runner-images/blob/main/README.md#available-images
     runs-on: macos-14-xlarge
     needs: checkout
+    env:
+      TARGET_ARCH: ${{ matrix.build-arch }}
     steps:
     - name: Load Build Tools
       run: |
-        export BUILD_TOOLS_SHA=2bb63e2e7877491b52f972532b52adc979a6ec2f
+        export BUILD_TOOLS_SHA=ef894bc3cfa99d84a3b731252da0f83f500e4032
         npm i -g @electron/build-tools
         e auto-update disable
         e init --root=$(pwd) --out=Default ${{ inputs.gn-build-type }} --import ${{ inputs.gn-build-type }} --target-cpu ${{ matrix.build-arch }}
-        e use ${{ inputs.gn-build-type }}
     - name: Checkout Electron
       uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
       with:
@@ -221,24 +100,19 @@ jobs:
       run: |
         cd src/electron
         node script/yarn install
+        brew install azcopy
     - name: Load Target Arch & CPU
       run: |
-        echo "TARGET_ARCH=${{ matrix.build-arch }}" >> $GITHUB_ENV
         echo "target_cpu=${{ matrix.build-arch }}" >> $GITHUB_ENV
         echo "host_cpu=${{ matrix.build-arch }}" >> $GITHUB_ENV
     - name: Get Depot Tools
       timeout-minutes: 5
       run: |
         git clone --depth=1 https://chromium.googlesource.com/chromium/tools/depot_tools.git
-        if [ "`uname`" == "Darwin" ]; then
-          # remove ninjalog_uploader_wrapper.py from autoninja since we don't use it and it causes problems
-          sed -i '' '/ninjalog_uploader_wrapper.py/d' ./depot_tools/autoninja
-        else
-          sed -i '/ninjalog_uploader_wrapper.py/d' ./depot_tools/autoninja
-          # Remove swift-format dep from cipd on macOS until we send a patch upstream.
-          cd depot_tools
-          git apply --3way ../src/electron/.github/workflows/config/gclient.diff
-        fi
+
+        # remove ninjalog_uploader_wrapper.py from autoninja since we don't use it and it causes problems
+        sed -i '' '/ninjalog_uploader_wrapper.py/d' ./depot_tools/autoninja
+
         # Ensure depot_tools does not update.
         test -d depot_tools && cd depot_tools
         touch .disable_auto_update
@@ -247,8 +121,16 @@ jobs:
     - name: Generate DEPS Hash
       run: |
         node src/electron/script/generate-deps-hash.js && cat src/electron/.depshash-target
-        echo "DEPSHASH=v1-src-cache-$(shasum src/electron/.depshash | cut -f1 -d' ')" >> $GITHUB_ENV
-    - name: Download Src Cache
+        DEPSHASH=v1-src-cache-$(shasum src/electron/.depshash | cut -f1 -d' ')
+        echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
+        echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
+    - name: Obtain SAS Key
+      uses: actions/cache/restore@v4
+      with:
+        path: |
+          sas-token
+        key: sas-key-${{ github.run_number }}-${{ github.run_attempt }}
+    - name: Download Src Cache from AKS
       # The cache will always exist here as a result of the checkout job
       # Either it was uploaded to Azure in the checkout job for this commit
       # or it was uploaded in the checkout job for a previous commit.
@@ -258,17 +140,16 @@ jobs:
         max_attempts: 3
         retry_on: error
         command: |
-          az storage blob download \
-            --account-name $AZURE_STORAGE_ACCOUNT \
-            --account-key $AZURE_STORAGE_KEY \
-            --container-name $AZURE_STORAGE_CONTAINER_NAME \
-            --name $DEPSHASH \
-            --file $DEPSHASH.tar \
+          sas_token=$(cat sas-token)
+          azcopy copy \
+            "https://${{ env.AZURE_AKS_CACHE_STORAGE_ACCOUNT }}.file.core.windows.net/${{ env.AZURE_AKS_CACHE_SHARE_NAME }}/${{ env.CACHE_PATH }}?$sas_token" $DEPSHASH.tar
+    - name: Clean SAS Key
+      run: rm -f sas-token
     - name: Unzip and Ensure Src Cache
       run: |
         echo "Downloaded cache is $(du -sh $DEPSHASH.tar | cut -f1)"
         mkdir temp-cache
-        tar -xvf $DEPSHASH.tar -C temp-cache
+        tar -xf $DEPSHASH.tar -C temp-cache
         echo "Unzipped cache is $(du -sh temp-cache/src | cut -f1)"
 
         if [ -d "temp-cache/src" ]; then
@@ -294,7 +175,6 @@ jobs:
         fetch-depth: 0
     - name: Run Electron Only Hooks
       run: |
-        echo "Running Electron Only Hooks"
         gclient runhooks --spec="solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False},'managed':False}]"
     - name: Regenerate DEPS Hash
       run: |
@@ -337,7 +217,7 @@ jobs:
         cipd ensure --root src/buildtools/reclient -ensure-file gn_ensure_file
         python3 src/buildtools/reclient_cfgs/configure_reclient_cfgs.py --rbe_instance "projects/rbe-chrome-untrusted/instances/default_instance" --reproxy_cfg_template reproxy.cfg.template --rewrapper_cfg_project "" --skip_remoteexec_cfg_fetch
 
-        if  [ "$TARGET_ARCH" == "arm64" ]; then
+        if  [ "${{ env.TARGET_ARCH }}" == "arm64" ]; then
           DSYM_SHA_FILE=src/tools/clang/dsymutil/bin/dsymutil.arm64.sha1
         else
           DSYM_SHA_FILE=src/tools/clang/dsymutil/bin/dsymutil.x64.sha1
@@ -454,6 +334,11 @@ jobs:
         # lipo off some huge binaries arm64 versions to save space
         strip_universal_deep $(xcode-select -p)/../SharedFrameworks
         # strip_arm_deep /System/Volumes/Data/Library/Developer/CommandLineTools/usr
+    - name: Set GN_EXTRA_ARGS for x64 Build
+      if: ${{ env.TARGET_ARCH == 'x64' }}
+      run: |
+        GN_APPENDED_ARGS="$GN_EXTRA_ARGS v8_snapshot_toolchain=\"//build/toolchain/mac:clang_x64\""
+        echo "GN_EXTRA_ARGS=$GN_APPENDED_ARGS" >> $GITHUB_ENV
     - name: Build Electron (darwin)
       run: |
         cd src/electron
@@ -470,7 +355,7 @@ jobs:
       run: |
         cd src
         e build electron:electron_dist_zip -j $NUMBER_OF_NINJA_PROCESSES
-        if [ "$CHECK_DIST_MANIFEST" == "1" ]; then
+        if [ "${{ env.CHECK_DIST_MANIFEST }}" == "true" ]; then
           target_os=mac
           electron/script/zip_manifests/check-zip-manifest.py out/Default/dist.zip electron/script/zip_manifests/dist_zip.$target_os.${{ env.TARGET_ARCH }}.manifest
         fi
@@ -495,29 +380,24 @@ jobs:
     - name: Generate & Zip Symbols (darwin)
       run: |
         # Generate breakpad symbols on release builds
-        if [ ${{ inputs.generate-symbols }} ]; then
+        if [ "${{ inputs.generate-symbols }}" == "true" ]; then
           e build electron:electron_symbols
         fi
         cd src
         export BUILD_PATH="$(pwd)/out/Default"
         e build electron:licenses
         e build electron:electron_version_file
-        if [ ${{ inputs.is-release }} ]; then
+        if [ "${{ inputs.is-release }}" == "true" ]; then
           DELETE_DSYMS_AFTER_ZIP=1 electron/script/zip-symbols.py -b $BUILD_PATH
         else
           electron/script/zip-symbols.py -b $BUILD_PATH
         fi
-    - name: Generate FFMpeg
+    - name: Generate FFMpeg (darwin)
       if: ${{ inputs.is-release }}
       run: |
         cd src
         gn gen out/ffmpeg --args="import(\"//electron/build/args/ffmpeg.gn\") use_remoteexec=true $GN_EXTRA_ARGS"
         autoninja -C out/ffmpeg electron:electron_ffmpeg_zip -j $NUMBER_OF_NINJA_PROCESSES
-    - name: Generate Hunspell Dictionaries
-      if: ${{ inputs.is-release }}
-      run: |
-        cd src
-        autoninja -C out/Default electron:hunspell_dictionaries_zip -j $NUMBER_OF_NINJA_PROCESSES
     - name: Generate TypeScript Definitions
       if: ${{ inputs.is-release }}
       run: |
@@ -529,7 +409,7 @@ jobs:
       run: |
         rm -rf src/out/Default/obj
         cd src/electron
-        if [ ${{ inputs.upload-to-storage == '1' }} ]; then
+        if [ "${{ inputs.upload-to-storage }}" == "1" ]; then
           echo 'Uploading Electron release distribution to Azure'
           script/release/uploaders/upload.py --verbose --upload_to_storage
         else
@@ -545,31 +425,11 @@ jobs:
       with:
         name: generated_artifacts_darwin_${{ env.TARGET_ARCH }}
         path: ./generated_artifacts_darwin_${{ env.TARGET_ARCH }}
-    - name: Persist Build Artifacts
-      uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
-      with:
-        path: |
-          src/out/Default/gen/node_headers
-          src/out/Default/overlapped-checker
-          src/electron
-          src/third_party/electron_node
-          src/third_party/nan
-          src/cross-arch-snapshots
-          src/third_party/llvm-build
-          src/build/linux
-          src/buildtools/mac
-          src/buildtools/third_party/libc++
-          src/buildtools/third_party/libc++abi
-          src/third_party/libc++
-          src/third_party/libc++abi
-          src/out/Default/obj/buildtools/third_party
-          src/v8/tools/builtins-pgo
-        key: ${{ runner.os }}-build-artifacts-darwin-${{ env.TARGET_ARCH }}-${{ github.sha }}
-    - name: Create MAS Config
+    - name: Set GN_EXTRA_ARGS for MAS Build
       run: |
-        mv src/electron/.github/workflows/config/${{ inputs.gn-build-type }}/${{ matrix.build-arch }}/evm.mas.json $HOME/.electron_build_tools/configs/evm.mas.json
         echo "MAS_BUILD=true" >> $GITHUB_ENV
-        e use mas
+        GN_EXTRA_ARGS='is_mas_build=true'
+        echo "GN_EXTRA_ARGS=$GN_EXTRA_ARGS" >> $GITHUB_ENV
     - name: Build Electron (mas)
       run: |
         rm -rf "src/out/Default/Electron Framework.framework"
@@ -589,7 +449,7 @@ jobs:
       run: |
         cd src
         e build electron:electron_dist_zip -j $NUMBER_OF_NINJA_PROCESSES
-        if [ "$CHECK_DIST_MANIFEST" == "1" ]; then
+        if [ "${{ env.CHECK_DIST_MANIFEST }}" == "true" ]; then
           target_os=mac_mas
           electron/script/zip_manifests/check-zip-manifest.py out/Default/dist.zip electron/script/zip_manifests/dist_zip.$target_os.${{ env.TARGET_ARCH }}.manifest
         fi
@@ -616,25 +476,31 @@ jobs:
         e build electron:node_headers
     - name: Generate & Zip Symbols (mas)
       run: |
-        if [ ${{ inputs.generate-symbols }} ]; then
+        if [ "${{ inputs.generate-symbols }}" == "true" ]; then
           e build electron:electron_symbols
         fi
         cd src
         export BUILD_PATH="$(pwd)/out/Default"
         e build electron:licenses
         e build electron:electron_version_file
-        if [ ${{ inputs.is-release }}]; then
+        if [ "${{ inputs.is-release }}" == "true" ]; then
           DELETE_DSYMS_AFTER_ZIP=1 electron/script/zip-symbols.py -b $BUILD_PATH
         else
           electron/script/zip-symbols.py -b $BUILD_PATH
         fi
+    - name: Generate FFMpeg (mas)
+      if: ${{ inputs.is-release }}
+      run: |
+        cd src
+        gn gen out/ffmpeg --args="import(\"//electron/build/args/ffmpeg.gn\") use_remoteexec=true $GN_EXTRA_ARGS"
+        autoninja -C out/ffmpeg electron:electron_ffmpeg_zip -j $NUMBER_OF_NINJA_PROCESSES
     # TODO(vertedinde): These uploads currently point to a different Azure bucket & GitHub Repo
     - name: Publish Electron Dist
       if: ${{ inputs.is-release }}
       run: |
         rm -rf src/out/Default/obj
         cd src/electron
-        if [ ${{ inputs.upload-to-storage == '1' }} ]; then
+        if [ "${{ inputs.upload-to-storage }}" == "1" ]; then
           echo 'Uploading Electron release distribution to Azure'
           script/release/uploaders/upload.py --verbose --upload_to_storage
         else
@@ -648,29 +514,8 @@ jobs:
       with:
         name: generated_artifacts_mas_${{ env.TARGET_ARCH }}
         path: ./generated_artifacts_mas_${{ env.TARGET_ARCH }}
-    - name: Persist Build Artifacts
-      uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
-      with:
-        path: |
-          src/out/Default/gen/node_headers
-          src/out/Default/overlapped-checker
-          src/out/Default/ffmpeg
-          src/out/Default/hunspell_dictionaries
-          src/electron
-          src/third_party/electron_node
-          src/third_party/nan
-          src/cross-arch-snapshots
-          src/third_party/llvm-build
-          src/build/linux
-          src/buildtools/mac
-          src/buildtools/third_party/libc++
-          src/buildtools/third_party/libc++abi
-          src/third_party/libc++
-          src/third_party/libc++abi
-          src/out/Default/obj/buildtools/third_party
-          src/v8/tools/builtins-pgo
-        key: ${{ runner.os }}-build-artifacts-mas-${{ env.TARGET_ARCH }}-${{ github.sha }}
   test:
+    name: Run Electron Tests
     if: ${{ inputs.is-release == false }}
     runs-on: macos-14-xlarge
     needs: build
@@ -678,26 +523,22 @@ jobs:
       fail-fast: false
       matrix:
         build-type: [ darwin, mas ]
+        target-arch: [ x64, arm64 ]
     env:
       BUILD_TYPE: ${{ matrix.build-type }}
+      TARGET_ARCH: ${{ matrix.target-arch }}
     steps:
     - name: Load Build Tools
       run: |
-        export BUILD_TOOLS_SHA=2bb63e2e7877491b52f972532b52adc979a6ec2f
+        export BUILD_TOOLS_SHA=ef894bc3cfa99d84a3b731252da0f83f500e4032
         npm i -g @electron/build-tools
         e auto-update disable
-        e init --root=$(pwd) --out=Default ${{ inputs.gn-build-type }}
+        e init --root=$(pwd) --out=Default ${{ inputs.gn-build-type }} --import ${{ inputs.gn-build-type }} --target-cpu ${{ matrix.target-arch }}
     - name: Checkout Electron
       uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
       with:
         path: src/electron
         fetch-depth: 0
-    - name: Setup Node.js/npm
-      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
-      with:
-        node-version: 20.11.x
-        cache: yarn
-        cache-dependency-path: src/electron/yarn.lock
     - name: Install Dependencies
       run: |
         cd src/electron
@@ -723,28 +564,8 @@ jobs:
     - name: Download Generated Artifacts
       uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
       with:
-        name: generated_artifacts_${{ matrix.build-type }}
-        path: ./generated_artifacts_${{ matrix.build-type }}
-    - name: Restore Persisted Build Artifacts
-      uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
-      with:
-        path: |
-          src/out/Default/gen/node_headers
-          src/out/Default/overlapped-checker
-          src/electron
-          src/third_party/electron_node
-          src/third_party/nan
-          src/cross-arch-snapshots
-          src/third_party/llvm-build
-          src/build/linux
-          src/buildtools/mac
-          src/buildtools/third_party/libc++
-          src/buildtools/third_party/libc++abi
-          src/third_party/libc++
-          src/third_party/libc++abi
-          src/out/Default/obj/buildtools/third_party
-          src/v8/tools/builtins-pgo
-        key: ${{ runner.os }}-build-artifacts-${{ matrix.build-type }}-${{ github.sha }}
+        name: generated_artifacts_${{ matrix.build-type }}_${{ matrix.target-arch }}
+        path: ./generated_artifacts_${{ matrix.build-type }}_${{ matrix.target-arch }}
     - name: Restore Generated Artifacts
       run: ./src/electron/script/actions/restore-artifacts.sh
     - name: Unzip Dist, Mksnapshot & Chromedriver
@@ -753,11 +574,11 @@ jobs:
         unzip -:o dist.zip
         unzip -:o chromedriver.zip
         unzip -:o mksnapshot.zip
-    - name: Import & Trust Self-Signed Codesigning Cert on MacOS
-      run: |
-        sudo security authorizationdb write com.apple.trust-settings.admin allow
-        cd src/electron
-        ./script/codesign/generate-identity.sh
+    # - name: Import & Trust Self-Signed Codesigning Cert on MacOS
+    #   run: |
+    #     sudo security authorizationdb write com.apple.trust-settings.admin allow
+    #     cd src/electron
+    #     ./script/codesign/generate-identity.sh
     - name: Run Electron Tests
       env:
         MOCHA_REPORTER: mocha-multi-reporters
@@ -768,3 +589,11 @@ jobs:
       run: |
         cd src/electron
         node script/yarn test --runners=main --trace-uncaught --enable-logging
+    - name: Verify mksnapshot
+      run: |
+        cd src
+        python3 electron/script/verify-mksnapshot.py --source-root "$PWD" --build-dir out/Default
+    - name: Verify ChromeDriver
+      run: |
+        cd src
+        python3 electron/script/verify-chromedriver.py --source-root "$PWD" --build-dir out/Default

.github/workflows/macos-publish.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   publish:
-    uses: electron/electron/.github/workflows/macos-pipeline.yml@main
+    uses: ./.github/workflows/macos-pipeline.yml
     with:
       is-release: true
       gn-config: //electron/build/args/release.gn

docs/tutorial/electron-timelines.md

@@ -9,10 +9,11 @@ check out our [Electron Versioning](./electron-versioning.md) doc.
 
 | Electron | Alpha | Beta | Stable | EOL | Chrome | Node | Supported |
 | ------- | ----- | ------- | ------ | ------ | ---- | ---- | ---- |
-| 31.0.0 |  2024-Apr-18 | 2024-May-15 | 2024-Jun-11 | 2025-Jan-07 | M126 | TBD | ✅ |
+| 32.0.0 |  2024-Jun-14 | 2024-Jul-24 | 2024-Aug-20 | 2025-Mar-04 | M128 | TBD | ✅ |
+| 31.0.0 |  2024-Apr-18 | 2024-May-15 | 2024-Jun-11 | 2025-Jan-07 | M126 | v20.14 | ✅ |
 | 30.0.0 |  2024-Feb-22 | 2024-Mar-20 | 2024-Apr-16 | 2024-Oct-15 | M124 | v20.11 | ✅ |
 | 29.0.0 |  2023-Dec-07 | 2024-Jan-24 | 2024-Feb-20 | 2024-Aug-20 | M122 | v20.9 | ✅ |
-| 28.0.0 |  2023-Oct-11 | 2023-Nov-06 | 2023-Dec-05 | 2024-Jun-11 | M120 | v18.18 | ✅ |
+| 28.0.0 |  2023-Oct-11 | 2023-Nov-06 | 2023-Dec-05 | 2024-Jun-11 | M120 | v18.18 | 🚫 |
 | 27.0.0 |  2023-Aug-17 | 2023-Sep-13 | 2023-Oct-10 | 2024-Apr-16 | M118 | v18.17 | 🚫 |
 | 26.0.0 | 2023-Jun-01 | 2023-Jun-27 | 2023-Aug-15 | 2024-Feb-20 | M116 | v18.16 | 🚫 |
 | 25.0.0 | 2023-Apr-10 | 2023-May-02 | 2023-May-30 | 2023-Dec-05 | M114 | v18.15 | 🚫 |

docs/tutorial/mac-app-store-submission-guide.md

@@ -20,7 +20,7 @@ You also have to register an Apple Developer account and join the
 
 Electron apps can be distributed through Mac App Store or outside it. Each way
 requires different ways of signing and testing. This guide focuses on
-distribution via Mac App Store, but will also mention other methods.
+distribution via Mac App Store.
 
 The following steps describe how to get the certificates from Apple, how to sign
 Electron apps, and how to test them.
@@ -104,26 +104,15 @@ the App Sandbox. The standard darwin build of Electron will fail to launch
 when run under App Sandbox.
 
 When signing the app with `@electron/osx-sign`, it will automatically add the
-necessary entitlements to your app's entitlements, but if you are using custom
-entitlements, you must ensure App Sandbox capacity is added:
+necessary entitlements to your app's entitlements.
 
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-  <dict>
-    <key>com.apple.security.app-sandbox</key>
-    <true/>
-  </dict>
-</plist>
-```
-
-#### Extra steps without `electron-osx-sign`
+<details>
+<summary>Extra steps without `electron-osx-sign`</summary>
 
 If you are signing your app without using `@electron/osx-sign`, you must ensure
 the app bundle's entitlements have at least following keys:
 
-```xml
+```xml title='entitlements.plist'
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
@@ -174,6 +163,7 @@ When using `@electron/osx-sign` the `ElectronTeamID` key will be added
 automatically by extracting the Team ID from the certificate's name. You may
 need to manually add this key if `@electron/osx-sign` could not find the correct
 Team ID.
+</details>
 
 ### Sign apps for development
 
@@ -181,8 +171,14 @@ To sign an app that can run on your development machine, you must sign it with
 the "Apple Development" certificate and pass the provisioning profile to
 `@electron/osx-sign`.
 
-```bash
-electron-osx-sign YourApp.app --identity='Apple Development' --provisioning-profile=/path/to/yourapp.provisionprofile
+```js @ts-nocheck
+const { signAsync } = require('@electron/osx-sign')
+
+signAsync({
+  app: '/path/to/your.app',
+  identity: 'Apple Development',
+  provisioningProfile: '/path/to/your.provisionprofile'
+})
 ```
 
 If you are signing without `@electron/osx-sign`, you must place the provisioning
@@ -198,30 +194,16 @@ To sign an app that will be submitted to Mac App Store, you must sign it with
 the "Apple Distribution" certificate. Note that apps signed with this
 certificate will not run anywhere, unless it is downloaded from Mac App Store.
 
-```bash
-electron-osx-sign YourApp.app --identity='Apple Distribution'
+```js @ts-nocheck
+const { signAsync } = require('@electron/osx-sign')
+
+signAsync({
+  app: 'path/to/your.app',
+  identity: 'Apple Distribution'
+})
 ```
 
-### Sign apps for distribution outside the Mac App Store
-
-If you don't plan to submit the app to Mac App Store, you can sign it the
-"Developer ID Application" certificate. In this way there is no requirement on
-App Sandbox, and you should use the normal darwin build of Electron if you don't
-use App Sandbox.
-
-```bash
-electron-osx-sign YourApp.app --identity='Developer ID Application' --no-gatekeeper-assess
-```
-
-By passing `--no-gatekeeper-assess`, `@electron/osx-sign` will skip the macOS
-GateKeeper check as your app usually has not been notarized yet by this step.
-
-<!-- TODO(zcbenz): Add a chapter about App Notarization -->
-This guide does not cover [App Notarization][app-notarization], but you might
-want to do it otherwise Apple may prevent users from using your app outside Mac
-App Store.
-
-## Submit Apps to the Mac App Store
+## Submit apps to the Mac App Store
 
 After signing the app with the "Apple Distribution" certificate, you can
 continue to submit it to Mac App Store.
@@ -263,10 +245,43 @@ more information.
 
 ### Additional entitlements
 
+Every app running under the App Sandbox will run under a limited set of permissions,
+which limits potential damage from malicious code.
 Depending on which Electron APIs your app uses, you may need to add additional
 entitlements to your app's entitlements file. Otherwise, the App Sandbox may
 prevent you from using them.
 
+Entitlements are specified using a file with format like
+property list (`.plist`) or XML. You must provide an entitlement file for the
+application bundle itself and a child entitlement file which basically describes
+an inheritance of properties, specified for all other enclosing executable files
+like binaries, frameworks (`.framework`), and dynamically linked libraries (`.dylib`).
+
+A full list of entitlements is available in the [App Sandbox][app-sandboxing]
+documentation, but below are a few entitlements you might need for your
+MAS app.
+
+With `@electron/osx-sign`, you can set custom entitlements per file as such:
+
+```js @ts-nocheck
+const { signAsync } = require('@electron/osx-sign')
+
+function getEntitlementsForFile (filePath) {
+  if (filePath.startsWith('my-path-1')) {
+    return './my-path-1.plist'
+  } else {
+    return './alternate.plist'
+  }
+}
+
+signAsync({
+  optionsForFile: (filePath) => ({
+    // Ensure you return the right entitlements path here based on the file being signed.
+    entitlements: getEntitlementsForFile(filePath)
+  })
+})
+```
+
 #### Network access
 
 Enable outgoing network connections to allow your app to connect to a server:
@@ -342,12 +357,11 @@ Electron uses following cryptographic algorithms:
 
 [developer-program]: https://developer.apple.com/support/compare-memberships/
 [@electron/osx-sign]: https://github.com/electron/osx-sign
-[app-sandboxing]: https://developer.apple.com/app-sandboxing/
-[app-notarization]: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution
-[submitting-your-app]: https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistributionGuide/SubmittingYourApp/SubmittingYourApp.html
-[create-record]: https://help.apple.com/app-store-connect/#/dev2cd126805
+[app-sandboxing]: https://developer.apple.com/documentation/security/app_sandbox
+[submitting-your-app]: https://help.apple.com/xcode/mac/current/#/dev067853c94
+[create-record]: https://developer.apple.com/help/app-store-connect/create-an-app-record/add-a-new-app
 [apple-transporter]: https://help.apple.com/itc/transporteruserguide/en.lproj/static.html
-[submit-for-review]: https://developer.apple.com/library/ios/documentation/LanguagesUtilities/Conceptual/iTunesConnect_Guide/Chapters/SubmittingTheApp.html
+[submit-for-review]: https://developer.apple.com/help/app-store-connect/manage-submissions-to-app-review/submit-for-review
 [export-compliance]: https://help.apple.com/app-store-connect/#/devc3f64248f
 [user-selected]: https://developer.apple.com/library/mac/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple_ref/doc/uid/TP40011195-CH4-SW6
 [network-access]: https://developer.apple.com/library/ios/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple_ref/doc/uid/TP40011195-CH4-SW9

docs/tutorial/security.md

@@ -246,7 +246,7 @@ and prevent the use of Node primitives `contextIsolation` **must** also be used.
 :::info
 For more information on what `contextIsolation` is and how to enable it please
 see our dedicated [Context Isolation](context-isolation.md) document.
-:::info
+:::
 
 ### 4. Enable process sandboxing
 
@@ -259,7 +259,7 @@ content in an unsandboxed process, including the main process, is not advised.
 :::info
 For more information on what Process Sandboxing is and how to enable it please
 see our dedicated [Process Sandboxing](sandbox.md) document.
-:::info
+:::
 
 ### 5. Handle session permission requests from remote content
 

docs/tutorial/web-embeds.md

@@ -23,8 +23,8 @@ and only allow the capabilities you want to support.
 [we do not recommend you to use WebViews](../api/webview-tag.md#warning),
 as this tag undergoes dramatic architectural changes that may affect stability
 of your application. Consider switching to alternatives, like `iframe` and
-Electron's `BrowserView`, or an architecture that avoids embedded content
-by design.
+Electron's [`WebContentsView`](../api/web-contents-view.md), or an architecture
+that avoids embedded content by design.
 
 [WebViews](../api/webview-tag.md) are based on Chromium's WebViews and are not
 explicitly supported by Electron. We do not guarantee that the WebView API will

lib/node/init.ts

@@ -3,8 +3,11 @@ import { wrapFsWithAsar } from './asar-fs-wrapper';
 wrapFsWithAsar(require('fs'));
 
 // See ElectronRendererClient::DidCreateScriptContext.
-if ((globalThis as any).blinkFetch) {
-  globalThis.fetch = (globalThis as any).blinkFetch;
+if ((globalThis as any).blinkfetch) {
+  const keys = ['fetch', 'Response', 'FormData', 'Request', 'Headers'];
+  for (const key of keys) {
+    (globalThis as any)[key] = (globalThis as any)[`blink${key}`];
+  }
 }
 
 // Hook child_process.fork.

script/actions/move-artifacts.sh

@@ -1,34 +1,76 @@
-#!/bin/sh
+#!/bin/bash
 
-set -eo pipefail
-
-if [ -z "$MAS_BUILD" ]; then
-  BUILD_TYPE="darwin"
+if [ "`uname`" == "Darwin" ]; then
+  if [ -z "$MAS_BUILD" ]; then
+    BUILD_TYPE="darwin"
+  else
+    BUILD_TYPE="mas"
+  fi
+elif [ "`uname`" == "Linux" ]; then
+  BUILD_TYPE="linux"
 else
-  BUILD_TYPE="mas"
+  echo "Unsupported platform"
+  exit 1
 fi
 
-echo Creating generated_artifacts_${BUILD_TYPE}_${TARGET_ARCH}...
-rm -rf generated_artifacts_${BUILD_TYPE}_${TARGET_ARCH}
-mkdir generated_artifacts_${BUILD_TYPE}_${TARGET_ARCH}
+GENERATED_ARTIFACTS="generated_artifacts_${BUILD_TYPE}_${TARGET_ARCH}"
+
+echo Creating $GENERATED_ARTIFACTS...
+rm -rf $GENERATED_ARTIFACTS
+mkdir $GENERATED_ARTIFACTS
 
 mv_if_exist() {
   if [ -f "$1" ] || [ -d "$1" ]; then
     echo Storing $1
-    mv $1 generated_artifacts_${BUILD_TYPE}_${TARGET_ARCH}
-  else
-    echo Skipping $1 - It is not present on disk
-  fi
-}
-cp_if_exist() {
-  if [ -f "$1" ] || [ -d "$1" ]; then
-    echo Storing $1
-    cp $1 generated_artifacts_${BUILD_TYPE}_${TARGET_ARCH}
+    mv $1 $GENERATED_ARTIFACTS
   else
     echo Skipping $1 - It is not present on disk
   fi
 }
 
+cp_if_exist() {
+  if [ -f "$1" ] || [ -d "$1" ]; then
+    echo Storing $1
+    cp $1 $GENERATED_ARTIFACTS
+  else
+    echo Skipping $1 - It is not present on disk
+  fi
+}
+
+tar_src_dirs_if_exist() {
+  mkdir build_artifacts
+
+  for dir in \
+    src/out/Default/gen/node_headers \
+    src/out/Default/overlapped-checker \
+    src/out/Default/ffmpeg \
+    src/out/Default/hunspell_dictionaries \
+    src/electron \
+    src/third_party/electron_node \
+    src/third_party/nan \
+    src/cross-arch-snapshots \
+    src/third_party/llvm-build \
+    src/build/linux \
+    src/buildtools/mac \
+    src/buildtools/third_party/libc++ \
+    src/buildtools/third_party/libc++abi \
+    src/third_party/libc++ \
+    src/third_party/libc++abi \
+    src/out/Default/obj/buildtools/third_party \
+    src/v8/tools/builtins-pgo
+  do
+    if [ -d "$dir" ]; then
+      mkdir -p build_artifacts/$(dirname $dir)
+      cp -r $dir/ build_artifacts/$dir
+    fi      
+  done
+
+  tar -C build_artifacts -cf build_artifacts.tar ./
+
+  mv_if_exist build_artifacts.tar
+}
+
+# Generated Artifacts
 mv_if_exist src/out/Default/dist.zip
 mv_if_exist src/out/Default/gen/node_headers.tar.gz
 mv_if_exist src/out/Default/symbols.zip
@@ -39,3 +81,5 @@ mv_if_exist src/out/Default/hunspell_dictionaries.zip
 mv_if_exist src/cross-arch-snapshots
 cp_if_exist src/out/electron_ninja_log
 cp_if_exist src/out/Default/.ninja_log
+
+tar_src_dirs_if_exist

script/actions/restore-artifacts.sh

@@ -1,17 +1,42 @@
 #!/bin/bash
 
-set -eo pipefail
+if [ "`uname`" == "Darwin" ]; then
+  if [ -z "$MAS_BUILD" ]; then
+    BUILD_TYPE="darwin"
+  else
+    BUILD_TYPE="mas"
+  fi
+elif [ "`uname`" == "Linux" ]; then
+  BUILD_TYPE="linux"
+else
+  echo "Unsupported platform"
+  exit 1
+fi
+
+GENERATED_ARTIFACTS="generated_artifacts_${BUILD_TYPE}_${TARGET_ARCH}"
 
 mv_if_exist() {
-  if [ -f "generated_artifacts_${BUILD_TYPE}_${TARGET_ARCH}/$1" ] || [ -d "generated_artifacts_${BUILD_TYPE}_${TARGET_ARCH}/$1" ]; then
+  if [ -f "${GENERATED_ARTIFACTS}/$1" ] || [ -d "${GENERATED_ARTIFACTS}/$1" ]; then
     echo Restoring $1 to $2
     mkdir -p $2
-    mv generated_artifacts_${BUILD_TYPE_${TARGET_ARCH}}/$1 $2
+    mv $GENERATED_ARTIFACTS/$1 $2
   else
     echo Skipping $1 - It is not present on disk
   fi
 }
 
+untar_if_exist() {
+  if [ -f "${GENERATED_ARTIFACTS}/$1" ] || [ -d "${GENERATED_ARTIFACTS}/$1" ]; then
+    echo Restoring $1 to current directory
+    tar -xf ${GENERATED_ARTIFACTS}/$1
+  else
+    echo Skipping $1 - It is not present on disk
+  fi
+}
+
+echo Restoring artifacts from $GENERATED_ARTIFACTS
+
+# Restore generated artifacts
 mv_if_exist dist.zip src/out/Default
 mv_if_exist node_headers.tar.gz src/out/Default/gen
 mv_if_exist symbols.zip src/out/Default
@@ -19,4 +44,7 @@ mv_if_exist mksnapshot.zip src/out/Default
 mv_if_exist chromedriver.zip src/out/Default
 mv_if_exist ffmpeg.zip src/out/ffmpeg
 mv_if_exist hunspell_dictionaries.zip src/out/Default
-mv_if_exist cross-arch-snapshots src
+mv_if_exist cross-arch-snapshots src
+
+# Restore build artifacts
+untar_if_exist build_artifacts.tar

script/generate-deps-hash.js

@@ -36,12 +36,10 @@ addAllFiles(path.resolve(__dirname, '../patches'));
 // Create Hash
 const hasher = crypto.createHash('SHA256');
 const addToHashAndLog = (s) => {
-  console.log('Hashing:', s);
   return hasher.update(s);
 };
 addToHashAndLog(`HASH_VERSION:${HASH_VERSIONS[process.platform] || FALLBACK_HASH_VERSION}`);
 for (const file of filesToHash) {
-  console.log('Hashing Content:', file, crypto.createHash('SHA256').update(fs.readFileSync(file)).digest('hex'));
   hasher.update(fs.readFileSync(file));
 }
 

script/nan-spec-runner.js

@@ -90,16 +90,16 @@ async function main () {
     env.LDFLAGS = ldflags;
   }
 
-  const { status: buildStatus } = cp.spawnSync(NPX_CMD, ['node-gyp', 'rebuild', '--verbose', '--directory', 'test', '-j', 'max'], {
+  const { status: buildStatus, signal } = cp.spawnSync(NPX_CMD, ['node-gyp', 'rebuild', '--verbose', '--directory', 'test', '-j', 'max'], {
     env,
     cwd: NAN_DIR,
     stdio: 'inherit',
     shell: process.platform === 'win32'
   });
 
-  if (buildStatus !== 0) {
+  if (buildStatus !== 0 || signal != null) {
     console.error('Failed to build nan test modules');
-    return process.exit(buildStatus);
+    return process.exit(buildStatus !== 0 ? buildStatus : signal);
   }
 
   const { status: installStatus } = cp.spawnSync(NPX_CMD, [`yarn@${YARN_VERSION}`, 'install'], {
@@ -108,9 +108,10 @@ async function main () {
     stdio: 'inherit',
     shell: process.platform === 'win32'
   });
-  if (installStatus !== 0) {
+
+  if (installStatus !== 0 || signal != null) {
     console.error('Failed to install nan node_modules');
-    return process.exit(installStatus);
+    return process.exit(installStatus !== 0 ? installStatus : signal);
   }
 
   const onlyTests = args.only && args.only.split(',');

script/node-disabled-tests.json

@@ -4,6 +4,7 @@
   "parallel/test-bootstrap-modules",
   "parallel/test-child-process-fork-exec-path",
   "parallel/test-code-cache",
+  "parallel/test-cluster-primary-error",
   "parallel/test-crypto-aes-wrap",
   "parallel/test-crypto-authenticated-stream",
   "parallel/test-crypto-des3-wrap",

script/release/ci-release-build.js

@@ -33,6 +33,7 @@ const circleCIPublishIndividualArches = {
 };
 
 const ghActionsPublishWorkflows = [
+  'linux-publish',
   'macos-publish'
 ];
 

shell/browser/hid/electron_hid_delegate.cc

@@ -46,8 +46,8 @@ class ElectronHidDelegate::ContextObservation
   ContextObservation(ElectronHidDelegate* parent,
                      content::BrowserContext* browser_context)
       : parent_(parent), browser_context_(browser_context) {
-    auto* chooser_context = GetChooserContext(browser_context_);
-    device_observation_.Observe(chooser_context);
+    if (auto* chooser_context = GetChooserContext(browser_context_))
+      device_observation_.Observe(chooser_context);
   }
 
   ContextObservation(ContextObservation&) = delete;

shell/browser/usb/electron_usb_delegate.cc

@@ -94,7 +94,8 @@ class ElectronUsbDelegate::ContextObservation
                      content::BrowserContext* browser_context)
       : parent_(parent), browser_context_(browser_context) {
     auto* chooser_context = GetChooserContext(browser_context_);
-    device_observation_.Observe(chooser_context);
+    if (chooser_context)
+      device_observation_.Observe(chooser_context);
   }
   ContextObservation(ContextObservation&) = delete;
   ContextObservation& operator=(ContextObservation&) = delete;

shell/renderer/electron_renderer_client.cc

@@ -110,19 +110,25 @@ void ElectronRendererClient::DidCreateScriptContext(
       base::BindRepeating(&ElectronRendererClient::UndeferLoad,
                           base::Unretained(this), render_frame));
 
-  v8::Local<v8::Object> global = renderer_context->Global();
-  v8::MaybeLocal<v8::Value> fetch =
-      global->Get(renderer_context, gin::StringToV8(env->isolate(), "fetch"));
-
   // We need to use the Blink implementation of fetch in the renderer process
   // Node.js deletes the global fetch function when their fetch implementation
   // is disabled, so we need to save and re-add it after the Node.js environment
   // is loaded. See corresponding change in node/init.ts.
-  if (!fetch.IsEmpty()) {
-    global
-        ->Set(renderer_context, gin::StringToV8(env->isolate(), "blinkFetch"),
-              fetch.ToLocalChecked())
-        .Check();
+  v8::Isolate* isolate = env->isolate();
+  v8::Local<v8::Object> global = renderer_context->Global();
+
+  std::vector<std::string> keys = {"fetch", "Response", "FormData", "Request",
+                                   "Headers"};
+  for (const auto& key : keys) {
+    v8::MaybeLocal<v8::Value> value =
+        global->Get(renderer_context, gin::StringToV8(isolate, key.c_str()));
+    if (!value.IsEmpty()) {
+      std::string blink_key = "blink" + key;
+      global
+          ->Set(renderer_context, gin::StringToV8(isolate, blink_key.c_str()),
+                value.ToLocalChecked())
+          .Check();
+    }
   }
 
   // If we have disabled the site instance overrides we should prevent loading