build: lint commits on Chromium roller branches (#49655 )

* build: lint commits on Chromium roller branches Assisted-By: Claude Opus 4.5 * chore: add ability to skip linting CLs by adding #nolint * chore: only exit with non-zero exit code in CI
docs: note required windows in 'new-window-for-tab' event (#49851 )
2026-02-19 03:14:51 -05:00 · 2026-02-18 20:45:44 -08:00 · 2026-02-18 19:30:43 -08:00 · 2026-02-18 14:14:00 -08:00 · 2026-02-18 15:00:30 -05:00 · 2026-02-18 14:22:25 -05:00
506 changed files with 12171 additions and 4755 deletions
--- a/.claude/skills/electron-chromium-upgrade/SKILL.md
+++ b/.claude/skills/electron-chromium-upgrade/SKILL.md
@@ -7,14 +7,13 @@ description: Guide for performing Chromium version upgrades in the Electron proj

 ## Summary

-Run `e sync --3` repeatedly, fixing patch conflicts as they arise, until it succeeds. Then run `e patches all` and commit changes atomically.
+Run `e sync --3` repeatedly, fixing patch conflicts as they arise, until it succeeds. Then export patches and commit changes atomically.

 ## Success Criteria

 Phase One is complete when:
 - `e sync --3` exits with code 0 (no patch failures)
- `e patches all` has been run to export all changes
- All changes are committed per the commit guidelines below
+- All changes are committed per the commit guidelines

 Do not stop until these criteria are met.

@@ -30,12 +29,18 @@ The `roller/chromium/main` branch is created by automation to update Electron's
 - `patches/`: Patch files organized by target
 - `docs/development/patches.md`: Patch system documentation

+## Pre-flight Checks
+
+Run these once at the start of each upgrade session:
+
+1. **Clear rerere cache** (if enabled): `git rerere clear` in both the electron and `..` repos. Stale recorded resolutions from a prior attempt can silently apply wrong merges.
+2. **Ensure pre-commit hooks are installed**: Check that `.git/hooks/pre-commit` exists. If not, run `yarn husky` to install it. The hook runs `lint-staged` which handles clang-format for C++ files.
+
 ## Workflow

-1. Delete the `.git/rr-cache` in both the `electron` and `..` folder to ensure no accidental rerere replays occur from before this upgrade phase attempt started
-2. Run `e sync --3` (the `--3` flag enables 3-way merge, always required)
-3. If succeeds → skip to step 6
-4. If patch fails:
+1. Run `e sync --3` (the `--3` flag enables 3-way merge, always required)
+2. If succeeds → skip to step 5
+3. If patch fails:
   - Identify target repo and patch from error output
   - Analyze failure (see references/patch-analysis.md)
   - Fix conflict in target repo's working directory
@@ -43,10 +48,8 @@ The `roller/chromium/main` branch is created by automation to update Electron's
   - Repeat until all patches for that repo apply
   - IMPORTANT: Once `git am --continue` succeeds you MUST run `e patches {target}` to export fixes
   - Return to step 1
-5. When `e sync --3` succeeds, run `e patches all`
-6. **Read `references/phase-one-commit-guidelines.md` NOW**, then commit changes following those instructions exactly.
-
-Before committing any Phase One changes, you MUST read `references/phase-one-commit-guidelines.md` and follow its instructions exactly.
+4. When `e sync --3` succeeds, run `e patches all`
+5. **Read `references/phase-one-commit-guidelines.md` NOW**, then commit changes following those instructions exactly.

 ## Commands Reference

@@ -56,6 +59,7 @@ Before committing any Phase One changes, you MUST read `references/phase-one-com
 | `git am --continue` | Continue after resolving conflict (run in target repo) |
 | `e patches {target}` | Export commits from target repo to patch files |
 | `e patches all` | Export all patches from all targets |
+| `e patches {target} --commit-updates` | Export patches and auto-commit trivial changes |
 | `e patches --list-targets` | List targets and config paths |

 ## Patch System Mental Model
@@ -81,24 +85,20 @@ Fix existing patches 99% of the time rather than creating new ones.
 2. **Never change TODO assignees**: `TODO(name)` must retain original name
 3. **Update descriptions**: If upstream changed (e.g., `DCHECK` → `CHECK_IS_TEST`), update patch commit message to reflect current state

-## Final Deliverable
-
-After Phase One, write a summary of every change: what was fixed, why, reasoning, and Chromium CL links.
-
 # Electron Chromium Upgrade: Phase Two

 ## Summary

-Run `e build -k 999` repeatedly, fixing build issues as they arise, until it succeeds. Then run `e start --version` to validate Electron launches and commit changes atomically.
+Run `e build -k 999 -- --quiet` repeatedly, fixing build issues as they arise, until it succeeds. Then run `e start --version` to validate Electron launches and commit changes atomically.

 Run Phase Two immediately after Phase One is complete.

 ## Success Criteria

 Phase Two is complete when:
- `e build -k 999` exits with code 0 (no build failures)
+- `e build -k 999 -- --quiet` exits with code 0 (no build failures)
 - `e start --version` has been run to check Electron launches
- All changes are committed per the commit guidelines below
+- All changes are committed per the commit guidelines

 Do not stop until these criteria are met. Do not delete code or features, never comment out code in order to take short cut. Make all existing code, logic and intention work.

@@ -112,8 +112,7 @@ The `roller/chromium/main` branch is created by automation to update Electron's

 ## Workflow

-1. Run `e build -k 999` (the `-k 999` flag is a flag to ninja to say "do not stop until you find that many errors" it is an attempt to get as much error
-  context as possible for each time we run build)
+1. Run `e build -k 999 -- --quiet` (the `--quiet` flag suppresses per-target status lines, showing only errors and the final result)
 2. If succeeds → skip to step 6
 3. If build fails:
    - Identify underlying file in "electron" from the compilation error message
@@ -126,27 +125,17 @@ The `roller/chromium/main` branch is created by automation to update Electron's
 4. **CRITICAL**: After ANY commit (especially patch commits), immediately run `git status` in the electron repo
    - Look for other modified `.patch` files that only have index/hunk header changes
    - These are dependent patches affected by your fix
-    - Commit them immediately with: `git commit -am "chore: update patch hunk headers"`
-    - This prevents losing track of necessary updates
+    - Commit them immediately with: `git commit -am "chore: update patches (trivial only)"`
 5. Return to step 1
 6. When `e build` succeeds, run `e start --version`
 7. Check if you have any pending changes in the Chromium repo by running `git status`
    - If you have changes follow the instructions below in "A. Patch Fixes" to correctly commit those modifications into the appropriate patch file

-Before committing any Phase Two changes, you MUST read `references/phase-two-commit-guidelines.md` and follow its instructions exactly.
-
-## Build Error Detection
-
-When monitoring `e build -k 999` output, filter for errors using this regex pattern:
-error:|FAILED:|fatal:|subcommand failed|build finished
-
-The build output is extremely verbose. Filtering is essential to catch errors quickly.
-
 ## Commands Reference

 | Command | Purpose |
 |---------|---------|
-| `e build -k 999` | Builds Electron and won't stop until either all targets attempted or 999 errors found |
+| `e build -k 999 -- --quiet` | Build Electron, continue on errors, suppress status lines |
 | `e build -t {target}.o` | Build just one specific target to verify a fix |
 | `e start --version` | Validate Electron launches after successful build |

@@ -163,28 +152,21 @@ When the error is in a file that Electron patches (check with `grep -l "filename
    git add <modified-file>
    git commit --fixup=<original-patch-commit-hash>
    GIT_SEQUENCE_EDITOR=: git rebase --autosquash --autostash -i <commit>^
-3. Export the updated patch: e patches chromium
-4. Commit the updated patch file in the electron repo following the `references/phase-one-commit-guidelines.md`, then commit changes following those instructions exactly. **READ THESE GUIDELINES BEFORE COMMITTING THESE CHANGES**
+    ```
+3. Export the updated patch: `e patches chromium`
+4. Commit the updated patch file following `references/phase-one-commit-guidelines.md`.

 To find the original patch commit to fixup: `git log --oneline | grep -i "keyword from patch name"`

 The base commit for rebase is the Chromium commit before patches were applied. Find it by checking the `refs/patches/upstream-head` ref.

-B. Electron Code Fixes (for files in shell/, electron/, etc.)
+### B. Electron Code Fixes (for files in shell/, electron/, etc.)

 When the error is in Electron's own source code:

 1. Edit files directly in the electron repo
 2. Commit directly (no patch export needed)

-Dependent Patch Updates
-
-IMPORTANT: When you modify a patch, other patches that apply to the same file may have their hunk headers invalidated. After committing a patch fix:
-
-1. Run git status in the electron repo
-2. Look for other modified .patch files with just index/hunk header changes
-3. Commit these with: git commit -m "chore: update patch hunk headers"
-
 # Critical: Read Before Committing

 - Before ANY Phase One commits: Read `references/phase-one-commit-guidelines.md`
@@ -196,4 +178,4 @@ This skill has additional reference files in `references/`:
 - phase-one-commit-guidelines.md - Commit format for Phase One
 - phase-two-commit-guidelines.md - Commit format for Phase Two

-Read these when referenced in the workflow steps.
+Read these when referenced in the workflow steps.
--- a/.claude/skills/electron-chromium-upgrade/references/patch-analysis.md
+++ b/.claude/skills/electron-chromium-upgrade/references/patch-analysis.md
@@ -17,6 +17,56 @@
   Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/{CL_NUMBER}
   ```

+## Critical: Resolve by Intent, Not by Mechanical Merge
+
+When resolving a patch conflict, do NOT blindly preserve the patch's old code. Instead:
+
+1. **Understand the upstream CL's full scope** — not just the conflicting hunk.
+   Run `git show <commit> --stat` and read diffs for all affected files.
+   Upstream may have removed structs, members, or methods that the patch
+   references in other hunks or files.
+
+2. **Re-read the patch commit message** to understand its *intent* — what
+   behavior does it need to preserve or add?
+
+3. **Implement the intent against the new upstream code.** If the patch's
+   purpose is "add a feature flag guard", add only the guard — don't also
+   restore old code inside the guard that upstream separately removed.
+
+### Lesson: Upstream Removals Break Patch References
+
+- **Trigger:** Patch conflict involves an upstream refactor (not just context drift)
+- **Strategy:** After identifying the upstream CL, check its full diff for
+  removed types, members, and methods. If the patch's old code references
+  something removed, the resolution must use the new upstream mechanism.
+- **Evidence:** An upstream CL removed a `HeadlessModeWindow` struct from a
+  header, but the conflict was only in a `.mm` file. Mechanically keeping the
+  patch's old line (`headless_mode_window_ = ...`) produced code referencing
+  a nonexistent type — caught only on review, not at patch-apply time.
+
+### Lesson: Separate Patch Purpose from Patch Implementation
+
+- **Trigger:** Conflict between "upstream simplified code" vs "patch has older code"
+- **Strategy:** Identify the *minimal* change the patch needs. If the patch
+  wraps code in a conditional, only add the conditional — don't restore old
+  code that was inside the conditional but was separately cleaned up upstream.
+- **Evidence:** An occlusion patch needed only a feature flag check, but the
+  old patch also contained a version check that upstream intentionally removed.
+  Mechanically preserving the old patch code re-added the removed check.
+
+### Lesson: Finish the Adaptation at Conflict Time
+
+- **Trigger:** A patch conflict involves an upstream API removal or replacement
+- **Strategy:** When resolving the conflict, fully adapt the patch to use the
+  new API in the same commit. Don't remove the old code and leave behind stale
+  references that will "be fixed in Phase Two." Each patch fix commit should be
+  a complete resolution.
+- **Evidence:** A safestorage patch conflicted because Chromium removed Keychain V1.
+  The conflict was resolved by removing V1 hunks, but the remaining code still
+  called V1 methods (`FindGenericPassword` with 3 args, `ItemDelete` with
+  `SecKeychainItemRef`). These should have been adapted to V2 APIs in the same
+  commit, not deferred.
+
 ## Common Failure Patterns

 | Pattern | Cause | Solution |
--- a/.claude/skills/electron-chromium-upgrade/references/phase-one-commit-guidelines.md
+++ b/.claude/skills/electron-chromium-upgrade/references/phase-one-commit-guidelines.md
@@ -4,19 +4,65 @@ Only follow these instructions if there are uncommitted changes to `patches/` af

 Ignore other instructions about making commit messages, our guidelines are CRITICALLY IMPORTANT and must be followed.

-## Atomic Commits
+## Each Commit Must Be Complete

-For each fix made to a patch, create a separate commit:
+When resolving a patch conflict, fully adapt the patch to the new upstream code in the same commit. If the upstream change removes an API the patch uses, update the patch to use the replacement API now — don't leave stale references knowing they'll need fixing later. The goal is that each commit represents a finished resolution, not a partial one that defers known work to a future phase.
+
+## Commit Message Style
+
+**Titles** follow the 60/80-character guideline: simple changes fit within 60 characters, otherwise the limit is 80 characters.
+
+Always include a `Co-Authored-By` trailer identifying the AI model that assisted (e.g., `Co-Authored-By: <AI model attribution>`).
+
+### Patch conflict fixes
+
+Use `fix(patch):` prefix. The title should name the upstream change, not your response to it:

 ```
-fix(patch-conflict): {concise title}
-
-{Brief explanation, 1-2 paragraphs max}
+fix(patch): {topic headline}

 Ref: {Chromium CL link}
+
+Co-Authored-By: <AI model attribution>
 ```

-IMPORTANT: Ensure that any changes made to patch content as a result of a change in Chromium is committed individually. Each change should have it's own commit message and it's own REF.
+Only add a description body if it provides clarity beyond the title. For straightforward context drift or simple API renames, the title + Ref is sufficient.
+
+Examples:
+- `fix(patch): constant moved to header`
+- `fix(patch): headless mode refactor upstream`
+- `fix(patch): V1 Keychain removal`
+
+### Upstreamed patch removal
+
+When patches are no longer needed (applied cleanly with "already applied" or confirmed upstreamed), group ALL removals into a single commit:
+
+```
+chore: remove upstreamed patch
+```
+
+or (if multiple):
+
+```
+chore: remove upstreamed patches
+```
+
+If the patch file did NOT contain a `Reviewed-on: https://chromium-review.googlesource.com/c/chromium/...` link, add a `Ref:` in the commit. If it did (i.e. cherry-picks), no `Ref:` is needed.
+
+### Trivial patch updates
+
+After all fix commits, stage remaining trivial changes (index, line numbers, context only):
+
+```bash
+git add patches
+git commit -m "chore: update patches (trivial only)"
+```
+
+**Conflict resolution can produce trivial results.** A `git am` conflict doesn't always mean the patch content changed — context drift alone can cause a conflict. After resolving and exporting, inspect the patch diff: if only index hashes, line numbers, and context lines changed (not the patch's own `+`/`-` lines), it's trivial and belongs here, not in a `fix(patch):` commit.
+
+## Atomic Commits
+
+Each patch conflict fix gets its own commit with its own Ref.

 IMPORTANT: Try really hard to find the CL reference per the instructions below. Each change you made should in theory have been in response to a change made in Chromium that you identified or can identify. Try for a while to identify and include the ref in the commit message. Do not give up easily.

@@ -30,23 +76,27 @@ Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/XXXXXXX

 If no CL found after searching: `Ref: Unable to locate CL`

-## Final Cleanup
+## Example Commits

-After all fix commits, stage remaining changes:
-
-```bash
-git add patches
-git commit -m "chore: update patch hunk headers"
-```
-
-## Example Commit
+### Patch conflict fix (simple — title is sufficient)

 ```
-fix(patch-conflict): update web_contents_impl.cc context for navigation refactor
+fix(patch): constant moved to header

-The upstream navigation code was refactored to use NavigationRequest directly
-instead of going through NavigationController. Updated surrounding context
-to match new code structure.
+Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7536483

-Ref: https://chromium-review.googlesource.com/c/chromium/src/+/1234567
-```
+Co-Authored-By: <AI model attribution>
+```
+
+### Patch conflict fix (complex — description adds value)
+
+```
+fix(patch): V1 Keychain removal
+
+Upstream deleted the V1 Keychain API. Removed V1 hunks and adapted
+keychain_password_mac.mm to use KeychainV2 APIs.
+
+Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7540447
+
+Co-Authored-By: <AI model attribution>
+```
--- a/.claude/skills/electron-chromium-upgrade/references/phase-two-commit-guidelines.md
+++ b/.claude/skills/electron-chromium-upgrade/references/phase-two-commit-guidelines.md
@@ -4,41 +4,37 @@ Only follow these instructions if there are uncommitted changes in the Electron

 Ignore other instructions about making commit messages, our guidelines are CRITICALLY IMPORTANT and must be followed.

+## Commit Message Style
+
+**Titles** follow the 60/80-character guideline: simple changes fit within 60 characters, otherwise the limit is 80 characters. Exception: upstream Chromium CL titles are used verbatim even if longer.
+
+Always include a `Co-Authored-By` trailer identifying the AI model that assisted (e.g., `Co-Authored-By: <AI model attribution>`).
+
 ## Two Commit Types

 ### For Electron Source Changes (shell/, electron/, etc.)

 ```
-{CL-Number}: {concise description of API change}
-
-{Brief explanation of what upstream changed and how Electron was adapted}
+{CL-Number}: {upstream CL's original title}

 Ref: {Chromium CL link}
+
+Co-Authored-By: <AI model attribution>
 ```

-IMPORTANT: Ensure that any change made to electron as a result of a change in Chromium is committed individually. Each change should have it's own commit message and it's own REF. Logically grouped into commits that make sense rather than one giant commit.
+Use the **upstream CL's original commit title** — do not paraphrase or rewrite it. To find it: `git log -1 --format=%s <chromium-commit-hash>`.

-IMPORTANT: Try really hard to find the CL reference per the instructions below. Each change you made should in theory have been in response to a change made in Chromium that you identified or can identify. Try for a while to identify and include the ref in the commit message. Do not give up easily.
+Only add a description body if it provides clarity beyond what the title already says (e.g., when Electron's adaptation is non-obvious). For simple renames, method additions, or straightforward API updates, the title + Ref link is sufficient.

-You may include multiple "Ref" links if required.
+Each change should have its own commit and its own Ref. Logically group into commits that make sense rather than one giant commit. You may include multiple "Ref" links if required.

-For a CL link in the format `https://chromium-review.googlesource.com/c/chromium/src/+/2958369` the "CL-Number" is `2958369`
+For a CL link in the format `https://chromium-review.googlesource.com/c/chromium/src/+/2958369` the "CL-Number" is `2958369`.
+
+IMPORTANT: Try really hard to find the CL reference. Each change you made should in theory have been in response to a change in Chromium. Do not give up easily.

 ### For Patch Updates (patches/chromium/*.patch)

-Use the same fixup workflow as Phase One:
-1. Fix in Chromium source tree
-2. Fixup commit + rebase
-3. Export with `e patches chromium`
-4. Commit the patch file:
-
-```
-fix(patch-update): {concise description}
-
-{Brief explanation}
-
-Ref: {Chromium CL link}
-```
+Use the same fixup workflow as Phase One and follow `references/phase-one-commit-guidelines.md` for the commit message format (`fix(patch):` prefix, topic style).

 ## Dependent Patch Header Updates

@@ -46,37 +42,43 @@ After any patch modification, check for other affected patches:

 ```bash
 git status
-# If other .patch files show as modified with only hunk header changes:
+# If other .patch files show as modified with only index, line number, and context changes:
 git add patches/
-git commit -m "chore: update patch hunk headers"
+git commit -m "chore: update patches (trivial only)"
 ```

 ## Finding CL References

 Use git log or git blame on Chromium source files. Look for:

+```
 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/XXXXXXX
+```

-If no CL found after searching: Ref: Unable to locate CL
+If no CL found after searching: `Ref: Unable to locate CL`

 ## Example Commits

-### Electron Source Fix
+### Electron Source Fix (simple — title is self-explanatory)

-fix: update GetPlugins to GetPluginsAsync for API change
+```
+7535923: Rename ozone buildflags

-The upstream Chromium API changed:
- Old: GetPlugins(callback) - took a callback
- New: GetPluginsAsync(callback) - async version takes a callback
+Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7535923

-Ref: https://chromium-review.googlesource.com/c/chromium/src/+/1234567
+Co-Authored-By: <AI model attribution>
+```

-### Patch Fix
+### Electron Source Fix (complex — description adds value)

-fix(patch-conflict): update picture-in-picture for gesture handling refactor
+```
+7534194: Convert some functions in ui::Clipboard to async

-Upstream added new gesture handling code that accesses live caption dialog.
-The live caption functionality is disabled in Electron's patch, so wrapped
-the new code in #if 0 guards to match existing pattern.
+Adapted ExtractCustomPlatformNames calls to use RunLoop pattern
+consistent with existing ReadImage implementation, since upstream
+converted the API from synchronous return to callback-based.

-Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7654321
+Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7534194
+
+Co-Authored-By: <AI model attribution>
+```
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -11,6 +11,7 @@ Contributors guide: https://github.com/electron/electron/blob/main/CONTRIBUTING.
 <!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->

 - [ ] PR description included
+- [ ] I have built and tested this PR
 - [ ] `npm test` passes
 - [ ] tests are [changed or added](https://github.com/electron/electron/blob/main/docs/development/testing.md)
 - [ ] relevant API documentation, tutorials, and examples are updated and follow the [documentation style guide](https://github.com/electron/electron/blob/main/docs/development/style-guide.md)
--- a/.github/actions/build-electron/action.yml
+++ b/.github/actions/build-electron/action.yml
@@ -26,6 +26,9 @@ inputs:
  is-asan:
    description: 'The ASan Linux build'
    required: false
+  upload-out-gen-artifacts:
+    description: 'Whether to upload the out/${dir}/gen artifacts'
+    required: false
 runs:
  using: "composite"
  steps:
@@ -95,7 +98,7 @@ runs:
        # Upload build stats to Datadog
        if ($env:DD_API_KEY) {
          try {
-            npx node electron\script\build-stats.mjs out\Default\siso.exe.INFO --upload-stats
+            npx node electron\script\build-stats.mjs out\Default\siso.exe.INFO --upload-stats ; $LASTEXITCODE = 0
          } catch {
            Write-Host "Build stats upload failed, continuing..."
          }
@@ -216,6 +219,7 @@ runs:
    - name: Publish Electron Dist ${{ inputs.step-suffix }}
      if: ${{ inputs.is-release == 'true' }}
      shell: bash
+      id: github-upload
      run: |
        rm -rf src/out/Default/obj
        cd src/electron
@@ -226,6 +230,11 @@ runs:
          echo 'Uploading Electron release distribution to GitHub releases'
          script/release/uploaders/upload.py --verbose
        fi
+    - name: Generate artifact attestation
+      if: ${{ inputs.is-release == 'true' }}
+      uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+      with:
+        subject-path: ${{ steps.github-upload.outputs.UPLOADED_PATHS }}
    - name: Generate siso report
      if: ${{ inputs.target-platform != 'win' && !cancelled() }}
      shell: bash
@@ -274,3 +283,9 @@ runs:
      with:
        name: src_artifacts_${{ env.ARTIFACT_KEY }}
        path: ./src_artifacts_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}
+    - name: Upload Out Gen Artifacts ${{ inputs.step-suffix }}
+      if: ${{ inputs.upload-out-gen-artifacts == 'true' }}
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
+      with:
+        name: out_gen_artifacts_${{ env.ARTIFACT_KEY }}
+        path: ./src/out/Default/gen
--- a/.github/actions/install-build-tools/action.yml
+++ b/.github/actions/install-build-tools/action.yml
@@ -15,7 +15,7 @@ runs:
        git config --global core.preloadindex true
        git config --global core.longpaths true
      fi
-      export BUILD_TOOLS_SHA=4430e4a505e0f4fa2a41b707a10a36f780bbdd26
+      export BUILD_TOOLS_SHA=a0cc95a1884a631559bcca0c948465b725d9295a
      npm i -g @electron/build-tools
      # Update depot_tools to ensure python
      e d update_depot_tools
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -0,0 +1,122 @@
+# Copilot Instructions for Electron
+
+## Build System
+
+Electron uses `@electron/build-tools` (`e` CLI). Install with `npm i -g @electron/build-tools`.
+
+```bash
+e sync              # Fetch sources and apply patches
+e build             # Build Electron (GN + Ninja)
+e build -k 999      # Build, continuing through errors
+e start             # Run built Electron
+e start --version   # Verify Electron launches
+e test              # Run full test suite
+e debug             # Run in debugger (lldb on macOS, gdb on Linux)
+```
+
+### Linting
+
+```bash
+npm run lint              # Run all linters (JS, C++, Python, GN, docs)
+npm run lint:js           # JavaScript/TypeScript only
+npm run lint:clang-format # C++ formatting only
+npm run lint:cpp          # C++ linting only
+npm run lint:docs         # Documentation only
+```
+
+### Running a Single Test
+
+```bash
+npm run test -- -g "pattern"   # Run tests matching a regex pattern
+# Example: npm run test -- -g "ipc"
+```
+
+### Running a Single Node.js Test
+
+```bash
+node script/node-spec-runner.js parallel/test-crypto-keygen
+```
+
+## Architecture
+
+Electron embeds Chromium (rendering) and Node.js (backend) to enable desktop apps with web technologies. The parent directory (`../`) is the Chromium source tree.
+
+### Process Model
+
+Electron has two primary process types, mirroring Chromium:
+
+- **Main process** (`shell/browser/` + `lib/browser/`): Controls app lifecycle, creates windows, system APIs
+- **Renderer process** (`shell/renderer/` + `lib/renderer/`): Runs web content in BrowserWindows
+
+### Native ↔ JavaScript Bridge
+
+Each API is implemented as a C++/JS pair:
+
+- C++ side: `shell/browser/api/electron_api_{name}.cc/.h` — uses `gin::Wrappable` and `ObjectTemplateBuilder`
+- JS side: `lib/browser/api/{name}.ts` — exports the module, registered in `lib/browser/api/module-list.ts`
+- Binding: `NODE_LINKED_BINDING_CONTEXT_AWARE(electron_browser_{name}, Initialize)` in C++ and registered in `shell/common/node_bindings.cc`
+- Type declaration: `typings/internal-ambient.d.ts` maps `process._linkedBinding('electron_browser_{name}')`
+
+### Patches System
+
+Electron patches upstream dependencies (Chromium, Node.js, V8, etc.) rather than forking them. Patches live in `patches/` organized by target, with `patches/config.json` mapping directories to repos.
+
+```text
+patches/{target}/*.patch  →  [e sync]   →  target repo commits
+                          ←  [e patches] ←
+```
+
+Key rules:
+
+- Fix existing patches rather than creating new ones
+- Preserve original authorship in TODO comments — never change `TODO(name)` assignees
+- Each patch commit message must explain why the patch exists
+- After modifying patches, run `e patches {target}` to export
+
+When working on the `roller/chromium/main` branch for Chromium upgrades, use `e sync --3` for 3-way merge conflict resolution.
+
+## Conventions
+
+### File Naming
+
+- JS/TS files: kebab-case (`file-name.ts`)
+- C++ files: snake_case with `electron_api_` prefix (`electron_api_safe_storage.cc`)
+- Test files: `api-{module-name}-spec.ts` in `spec/`
+- Source file lists are maintained in `filenames.gni` (with platform-specific sections)
+
+### JavaScript/TypeScript
+
+- Semicolons required (`"semi": ["error", "always"]`)
+- `const` and `let` only (no `var`)
+- Arrow functions preferred
+- Import order enforced: `@electron/internal` → `@electron` → `electron` → external → builtin → relative
+- API naming: `PascalCase` for classes (`BrowserWindow`), `camelCase` for module APIs (`globalShortcut`)
+- Prefer getters/setters over jQuery-style `.text([text])` patterns
+
+### C++
+
+- Follows Chromium coding style, enforced by `clang-format` and `clang-tidy`
+- Uses Chromium abstractions (`base::`, `content::`, etc.)
+- Header guards: `#ifndef ELECTRON_SHELL_BROWSER_API_ELECTRON_API_{NAME}_H_`
+- Platform-specific files: `_mac.mm`, `_win.cc`, `_linux.cc`
+
+### Testing
+
+- Framework: Mocha + Chai + Sinon
+- Test helpers in `spec/lib/` (e.g., `spec-helpers.ts`, `window-helpers.ts`)
+- Use `defer()` from spec-helpers for cleanup, `closeAllWindows()` for window teardown
+- Tests import from `electron/main` or `electron/renderer`
+
+### Documentation
+
+- API docs in `docs/api/` as Markdown, parsed by `@electron/docs-parser` to generate `electron.d.ts`
+- API history tracked via YAML blocks in HTML comments within doc files
+- Docs must pass `npm run lint:docs`
+
+### Build Configuration
+
+- `BUILD.gn`: Main GN build config
+- `buildflags/buildflags.gni`: Feature flags (PDF viewer, extensions, spellchecker)
+- `build/args/`: Build argument profiles (`testing.gn`, `release.gn`, `all.gn`)
+- `DEPS`: Dependency versions and checkout paths
+- `chromium_src/`: Chromium source file overrides (compiled instead of originals)
--- a/.github/problem-matchers/markdownlint.json
+++ b/.github/problem-matchers/markdownlint.json
@@ -0,0 +1,16 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "markdownlint",
+      "pattern": [
+        {
+          "regexp": "^(.+):(\\d+):(\\d+)\\s+(.*)$",
+          "file": 1,
+          "line": 2,
+          "column": 3,
+          "message": 4
+        }
+      ]
+    }
+  ]
+}
--- a/.github/workflows/apply-patches.yml
+++ b/.github/workflows/apply-patches.yml
@@ -0,0 +1,73 @@
+name: Apply Patches
+
+on:
+  pull_request:
+
+permissions: {}
+
+concurrency:
+  group: apply-patches-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  setup:
+    if: github.repository == 'electron/electron'
+    runs-on: ubuntu-slim
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      has-patches: ${{ steps.filter.outputs.patches }}
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+        persist-credentials: false
+        ref: ${{ github.event.pull_request.head.sha }}
+    # Use dorny/paths-filter instead of the path filter under the on: pull_request: block
+    # so that the output can be used to conditionally run the apply-patches job, which lets
+    # the job be marked as a required status check (conditional skip counts as a success).
+    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+      id: filter
+      with:
+        filters: |
+          patches:
+            - DEPS
+            - 'patches/**'
+
+  apply-patches:
+    needs: setup
+    if: ${{ needs.setup.outputs.has-patches == 'true' }}
+    runs-on: electron-arc-centralus-linux-amd64-32core
+    permissions:
+      contents: read
+    container:
+      image: ghcr.io/electron/build:a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb
+      options: --user root
+      volumes:
+        - /mnt/cross-instance-cache:/mnt/cross-instance-cache
+        - /var/run/sas:/var/run/sas
+    env:
+      CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
+      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
+    steps:
+    - name: Checkout Electron
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+        path: src/electron
+        fetch-depth: 0
+        persist-credentials: false
+        ref: ${{ github.event.pull_request.base.ref }}
+    - name: Merge PR HEAD
+      working-directory: src/electron
+      env:
+        PR_NUMBER: ${{ github.event.pull_request.number }}
+      run: |
+        git config user.email "electron@github.com"
+        git config user.name "Electron Bot"
+        git fetch origin refs/pull/${PR_NUMBER}/head
+        git merge --squash FETCH_HEAD
+        git commit -n -m "Squashed commits"
+    - name: Checkout & Sync & Save
+      uses: ./src/electron/.github/actions/checkout
+      with:
+        target-platform: linux
--- a/.github/workflows/archaeologist-dig.yml
+++ b/.github/workflows/archaeologist-dig.yml
@@ -13,11 +13,11 @@ jobs:
      contents: read
    steps:
      - name: Checkout Electron
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          fetch-depth: 0
      - name: Setup Node.js/npm
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: 24.12.x
      - name: Setting Up Dig Site
--- a/.github/workflows/audit-branch-ci.yml
+++ b/.github/workflows/audit-branch-ci.yml
@@ -11,16 +11,17 @@ permissions: {}
 jobs:
  audit_branch_ci:
    name: Audit CI on Branches
+    if: github.repository == 'electron/electron'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Setup Node.js
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: 22.17.x
      - name: Sparse checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          sparse-checkout: |
            .
--- a/.github/workflows/branch-created.yml
+++ b/.github/workflows/branch-created.yml
@@ -14,7 +14,7 @@ permissions: {}
 jobs:
  release-branch-created:
    name: Release Branch Created
-    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.ref_type == 'branch' && endsWith(github.event.ref, '-x-y') && !startsWith(github.event.ref, 'roller')) }}
+    if: ${{ github.repository == 'electron/electron' && (github.event_name == 'workflow_dispatch' || (github.event.ref_type == 'branch' && endsWith(github.event.ref, '-x-y') && !startsWith(github.event.ref, 'roller'))) }}
    permissions:
      contents: read
      pull-requests: write
@@ -68,7 +68,7 @@ jobs:
          done
      - name: Generate GitHub App token
        if: ${{ steps.check-major-version.outputs.MAJOR }}
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
        id: generate-token
        with:
          creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}
--- a/.github/workflows/build-git-cache.yml
+++ b/.github/workflows/build-git-cache.yml
@@ -10,6 +10,7 @@ permissions: {}

 jobs:
  build-git-cache-linux:
+    if: github.repository == 'electron/electron'
    runs-on: electron-arc-centralus-linux-amd64-32core
    permissions:
      contents: read
@@ -23,7 +24,7 @@ jobs:
      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
@@ -33,6 +34,7 @@ jobs:
        target-platform: linux

  build-git-cache-windows:
+    if: github.repository == 'electron/electron'
    runs-on: electron-arc-centralus-linux-amd64-32core
    permissions:
      contents: read
@@ -47,7 +49,7 @@ jobs:
      TARGET_OS: 'win'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
@@ -57,6 +59,7 @@ jobs:
        target-platform: win

  build-git-cache-macos:
+    if: github.repository == 'electron/electron'
    runs-on: electron-arc-centralus-linux-amd64-32core
    permissions:
      contents: read
@@ -72,7 +75,7 @@ jobs:
      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -47,6 +47,7 @@ permissions: {}

 jobs:
  setup:
+    if: github.repository == 'electron/electron'
    runs-on: ubuntu-latest
    permissions:
      contents: read
@@ -57,7 +58,7 @@ jobs:
        build-image-sha: ${{ steps.set-output.outputs.build-image-sha }}
        docs-only: ${{ steps.set-output.outputs.docs-only }}
    steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        ref: ${{ github.event.pull_request.head.sha }}
    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
@@ -124,7 +125,7 @@ jobs:
      build-image-sha: ${{ needs.setup.outputs.build-image-sha }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
@@ -156,7 +157,7 @@ jobs:
      build-image-sha: ${{ needs.setup.outputs.build-image-sha}}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
@@ -188,7 +189,7 @@ jobs:
      build-image-sha: ${{ needs.setup.outputs.build-image-sha}}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
@@ -283,13 +284,15 @@ jobs:
      contents: read
      issues: read
      pull-requests: read
-    uses: ./.github/workflows/pipeline-electron-build-and-test-and-nan.yml
+    uses: ./.github/workflows/pipeline-electron-build-and-tidy-and-test-and-nan.yml
    needs: checkout-linux
    if: ${{ needs.setup.outputs.src == 'true' }}
    with:
      build-runs-on: electron-arc-centralus-linux-amd64-32core
+      clang-tidy-runs-on: electron-arc-centralus-linux-amd64-8core
      test-runs-on: electron-arc-centralus-linux-amd64-4core
      build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      clang-tidy-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
      test-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
      target-platform: linux
      target-arch: x64
@@ -426,7 +429,7 @@ jobs:
    permissions:
      contents: read
    needs: [docs-only, macos-x64, macos-arm64, linux-x64, linux-x64-asan, linux-arm, linux-arm64, windows-x64, windows-x86, windows-arm64]
-    if: always() && !contains(needs.*.result, 'failure')
+    if: always() && github.repository == 'electron/electron' && !contains(needs.*.result, 'failure')
    steps: 
    - name: GitHub Actions Jobs Done
      run: |
--- a/.github/workflows/clean-src-cache.yml
+++ b/.github/workflows/clean-src-cache.yml
@@ -12,6 +12,7 @@ permissions: {}

 jobs:
  clean-src-cache:
+    if: github.repository == 'electron/electron'
    runs-on: electron-arc-centralus-linux-amd64-32core
    permissions:
      contents: read
--- a/.github/workflows/issue-commented.yml
+++ b/.github/workflows/issue-commented.yml
@@ -21,7 +21,7 @@ jobs:
          AUTHOR_ASSOCIATION=$(gh api /repos/electron/electron/issues/comments/${{ github.event.comment.id }} --jq '.author_association')
          echo "author_association=$AUTHOR_ASSOCIATION" >> "$GITHUB_OUTPUT"
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
        if: ${{ !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), steps.get-author-association.outputs.author_association) }}
        id: generate-token
        with:
--- a/.github/workflows/issue-labeled.yml
+++ b/.github/workflows/issue-labeled.yml
@@ -15,7 +15,7 @@ jobs:
      contents: read
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -36,7 +36,7 @@ jobs:
      contents: read
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -69,13 +69,13 @@ jobs:
          fi
      - name: Generate GitHub App token
        if: ${{ steps.check-for-comment.outputs.SHOULD_COMMENT }}
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
      - name: Create comment
        if: ${{ steps.check-for-comment.outputs.SHOULD_COMMENT }}
-        uses: actions-cool/issues-helper@e2ff99831a4f13625d35064e2b3dfe65c07a0396 # v3.7.5
+        uses: actions-cool/issues-helper@71b62d7da76e59ff7b193904feb6e77d4dbb2777 # v3.7.6
        with:
          actions: 'create-comment'
          token: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/issue-opened.yml
+++ b/.github/workflows/issue-opened.yml
@@ -14,7 +14,7 @@ jobs:
    permissions: {}
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -32,13 +32,13 @@ jobs:
    permissions: {}
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
          org: electron
      - name: Sparse checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          sparse-checkout: |
            .
@@ -146,7 +146,7 @@ jobs:
            }
      - name: Create unsupported major comment
        if: ${{ steps.add-labels.outputs.unsupportedMajor }}
-        uses: actions-cool/issues-helper@e2ff99831a4f13625d35064e2b3dfe65c07a0396 # v3.7.5
+        uses: actions-cool/issues-helper@71b62d7da76e59ff7b193904feb6e77d4dbb2777 # v3.7.6
        with:
          actions: 'create-comment'
          token: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/issue-transferred.yml
+++ b/.github/workflows/issue-transferred.yml
@@ -14,7 +14,7 @@ jobs:
    if: ${{ !github.event.changes.new_repository.private }}
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
--- a/.github/workflows/issue-unlabeled.yml
+++ b/.github/workflows/issue-unlabeled.yml
@@ -24,7 +24,7 @@ jobs:
          fi
      - name: Generate GitHub App token
        if: ${{ steps.check-for-blocked-labels.outputs.NOT_BLOCKED }}
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
--- a/.github/workflows/linux-publish.yml
+++ b/.github/workflows/linux-publish.yml
@@ -21,6 +21,7 @@ permissions: {}

 jobs:
  checkout-linux:
+    if: github.repository == 'electron/electron'
    runs-on: electron-arc-centralus-linux-amd64-32core
    permissions:
      contents: read
@@ -35,7 +36,7 @@ jobs:
      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
@@ -43,9 +44,12 @@ jobs:
      uses: ./src/electron/.github/actions/checkout

  publish-x64:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
+      attestations: write
      contents: read
+      id-token: write
    needs: checkout-linux
    with:
      environment: production-release
@@ -60,9 +64,12 @@ jobs:
    secrets: inherit

  publish-arm:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
+      attestations: write
      contents: read
+      id-token: write
    needs: checkout-linux
    with:
      environment: production-release
@@ -77,9 +84,12 @@ jobs:
    secrets: inherit

  publish-arm64:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
+      attestations: write
      contents: read
+      id-token: write
    needs: checkout-linux
    with:
      environment: production-release
--- a/.github/workflows/macos-disk-cleanup.yml
+++ b/.github/workflows/macos-disk-cleanup.yml
@@ -13,6 +13,7 @@ permissions: {}

 jobs:
  macos-disk-cleanup:
+    if: github.repository == 'electron/electron'
    strategy:
      fail-fast: false
      matrix:
@@ -25,7 +26,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          sparse-checkout: |
            .github/actions/free-space-macos
--- a/.github/workflows/macos-publish.yml
+++ b/.github/workflows/macos-publish.yml
@@ -22,6 +22,7 @@ permissions: {}

 jobs:
  checkout-macos:
+    if: github.repository == 'electron/electron'
    runs-on: electron-arc-centralus-linux-amd64-32core
    permissions:
      contents: read
@@ -36,7 +37,7 @@ jobs:
      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
@@ -47,9 +48,12 @@ jobs:
        target-platform: macos

  publish-x64-darwin:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
+      attestations: write
      contents: read
+      id-token: write
    needs: checkout-macos
    with:
      environment: production-release
@@ -64,9 +68,12 @@ jobs:
    secrets: inherit

  publish-x64-mas:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
+      attestations: write
      contents: read
+      id-token: write
    needs: checkout-macos
    with:
      environment: production-release
@@ -81,9 +88,12 @@ jobs:
    secrets: inherit

  publish-arm64-darwin:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
+      attestations: write
      contents: read
+      id-token: write
    needs: checkout-macos
    with:
      environment: production-release
@@ -98,9 +108,12 @@ jobs:
    secrets: inherit

  publish-arm64-mas:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
+      attestations: write
      contents: read
+      id-token: write
    needs: checkout-macos
    with:
      environment: production-release
--- a/.github/workflows/pipeline-electron-build-and-tidy-and-test-and-nan.yml
+++ b/.github/workflows/pipeline-electron-build-and-tidy-and-test-and-nan.yml
@@ -0,0 +1,124 @@
+name: Electron Build & Clang Tidy & Test (+ Node + NaN) Pipeline
+
+on:
+  workflow_call:
+    inputs:
+      target-platform:
+        type: string
+        description: 'Platform to run on, can be macos, win or linux.'
+        required: true
+      target-arch:
+        type: string
+        description: 'Arch to build for, can be x64, arm64 or arm'
+        required: true
+      build-runs-on:
+        type: string
+        description: 'What host to run the build'
+        required: true
+      clang-tidy-runs-on:
+        type: string
+        description: 'What host to run clang-tidy on'
+        required: true
+      test-runs-on:
+        type: string
+        description: 'What host to run the tests on'
+        required: true
+      build-container:
+        type: string
+        description: 'JSON container information for aks runs-on'
+        required: false
+        default: '{"image":null}'
+      clang-tidy-container:
+        type: string
+        description: 'JSON container information to run clang-tidy on'
+        required: false
+        default: '{"image":null}'
+      test-container:
+        type: string
+        description: 'JSON container information for testing'
+        required: false
+        default: '{"image":null}'
+      is-release:
+        description: 'Whether this build job is a release job'
+        required: true
+        type: boolean
+        default: false
+      gn-build-type:
+        description: 'The gn build type - testing or release'
+        required: true
+        type: string
+        default: testing
+      generate-symbols: 
+        description: 'Whether or not to generate symbols'
+        required: true
+        type: boolean
+        default: false
+      upload-to-storage: 
+        description: 'Whether or not to upload build artifacts to external storage'
+        required: true
+        type: string
+        default: '0'
+      is-asan: 
+        description: 'Building the Address Sanitizer (ASan) Linux build'
+        required: false
+        type: boolean
+        default: false
+
+permissions: {}
+
+concurrency:
+  group: electron-build-and-test-and-nan-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
+  cancel-in-progress: ${{ github.ref_protected != true }}
+
+jobs:
+  build:
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
+    with:
+      build-runs-on: ${{ inputs.build-runs-on }}
+      build-container: ${{ inputs.build-container }}
+      target-platform: ${{ inputs.target-platform }}
+      target-arch: ${{ inputs.target-arch }}
+      is-release: ${{ inputs.is-release }}
+      gn-build-type: ${{ inputs.gn-build-type }}
+      generate-symbols: ${{ inputs.generate-symbols }}
+      upload-to-storage: ${{ inputs.upload-to-storage }}
+      upload-out-gen-artifacts: true
+    secrets: inherit
+  clang-tidy:
+    uses: ./.github/workflows/pipeline-segment-electron-clang-tidy.yml
+    permissions:
+      contents: read
+    needs: build
+    with:
+      clang-tidy-runs-on: ${{ inputs.clang-tidy-runs-on }}
+      clang-tidy-container: ${{ inputs.clang-tidy-container }}
+      target-platform: ${{ inputs.target-platform }}
+      target-arch: ${{ inputs.target-arch }}
+    secrets: inherit
+  test:
+    uses: ./.github/workflows/pipeline-segment-electron-test.yml
+    permissions:
+      contents: read
+      issues: read
+      pull-requests: read
+    needs: build
+    with:
+      target-arch: ${{ inputs.target-arch }}
+      target-platform: ${{ inputs.target-platform }}
+      test-runs-on: ${{ inputs.test-runs-on }}
+      test-container: ${{ inputs.test-container }}
+    secrets: inherit
+  nn-test:
+    uses: ./.github/workflows/pipeline-segment-node-nan-test.yml
+    permissions:
+      contents: read
+    needs: build
+    with:
+      target-arch: ${{ inputs.target-arch }}
+      target-platform: ${{ inputs.target-platform }}
+      test-runs-on: ${{ inputs.test-runs-on }}
+      test-container: ${{ inputs.test-container }}
+      gn-build-type: ${{ inputs.gn-build-type }}
+    secrets: inherit
--- a/.github/workflows/pipeline-electron-build-and-tidy-and-test.yml
+++ b/.github/workflows/pipeline-electron-build-and-tidy-and-test.yml
@@ -0,0 +1,121 @@
+name: Electron Build & Clang Tidy & Test Pipeline
+
+on:
+  workflow_call:
+    inputs:
+      target-platform:
+        type: string
+        description: 'Platform to run on, can be macos, win or linux'
+        required: true
+      target-arch:
+        type: string
+        description: 'Arch to build for, can be x64, arm64 or arm'
+        required: true
+      build-runs-on:
+        type: string
+        description: 'What host to run the build'
+        required: true
+      clang-tidy-runs-on:
+        type: string
+        description: 'What host to run clang-tidy on'
+        required: true
+      test-runs-on:
+        type: string
+        description: 'What host to run the tests on'
+        required: true
+      build-container:
+        type: string
+        description: 'JSON container information for aks runs-on'
+        required: false
+        default: '{"image":null}'
+      clang-tidy-container:
+        type: string
+        description: 'JSON container information to run clang-tidy on'
+        required: false
+        default: '{"image":null}'
+      test-container:
+        type: string
+        description: 'JSON container information for testing'
+        required: false
+        default: '{"image":null}'
+      is-release:
+        description: 'Whether this build job is a release job'
+        required: true
+        type: boolean
+        default: false
+      gn-build-type:
+        description: 'The gn build type - testing or release'
+        required: true
+        type: string
+        default: testing
+      generate-symbols: 
+        description: 'Whether or not to generate symbols'
+        required: true
+        type: boolean
+        default: false
+      upload-to-storage: 
+        description: 'Whether or not to upload build artifacts to external storage'
+        required: true
+        type: string
+        default: '0'
+      is-asan: 
+        description: 'Building the Address Sanitizer (ASan) Linux build'
+        required: false
+        type: boolean
+        default: false
+      enable-ssh:
+        description: 'Enable SSH debugging'
+        required: false
+        type: boolean
+        default: false
+
+concurrency:
+  group: electron-build-and-tidy-and-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
+  cancel-in-progress: ${{ github.ref_protected != true }}
+
+permissions: {}
+
+jobs:
+  build:
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
+    with:
+      build-runs-on: ${{ inputs.build-runs-on }}
+      build-container: ${{ inputs.build-container }}
+      target-platform: ${{ inputs.target-platform }}
+      target-arch: ${{ inputs.target-arch }}
+      is-release: ${{ inputs.is-release }}
+      gn-build-type: ${{ inputs.gn-build-type }}
+      generate-symbols: ${{ inputs.generate-symbols }}
+      upload-to-storage: ${{ inputs.upload-to-storage }}
+      is-asan: ${{ inputs.is-asan }}
+      enable-ssh: ${{ inputs.enable-ssh }}
+      upload-out-gen-artifacts: true
+    secrets: inherit
+  clang-tidy:
+    uses: ./.github/workflows/pipeline-segment-electron-clang-tidy.yml
+    permissions:
+      contents: read
+    needs: build
+    with:
+      clang-tidy-runs-on: ${{ inputs.clang-tidy-runs-on }}
+      clang-tidy-container: ${{ inputs.clang-tidy-container }}
+      target-platform: ${{ inputs.target-platform }}
+      target-arch: ${{ inputs.target-arch }}
+    secrets: inherit
+  test:
+    uses: ./.github/workflows/pipeline-segment-electron-test.yml
+    permissions:
+      contents: read
+      issues: read
+      pull-requests: read
+    needs: build
+    with:
+      target-arch: ${{ inputs.target-arch }}
+      target-platform: ${{ inputs.target-platform }}
+      test-runs-on: ${{ inputs.test-runs-on }}
+      test-container: ${{ inputs.test-container }}
+      is-asan: ${{ inputs.is-asan }}
+      enable-ssh: ${{ inputs.enable-ssh }}
+    secrets: inherit
--- a/.github/workflows/pipeline-electron-docs-only.yml
+++ b/.github/workflows/pipeline-electron-docs-only.yml
@@ -27,7 +27,7 @@ jobs:
    container: ${{ fromJSON(inputs.container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
@@ -43,7 +43,7 @@ jobs:
      with:
        target-platform: linux
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
--- a/.github/workflows/pipeline-electron-lint.yml
+++ b/.github/workflows/pipeline-electron-lint.yml
@@ -27,7 +27,7 @@ jobs:
    container: ${{ fromJSON(inputs.container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
@@ -65,9 +65,11 @@ jobs:
        curl -sL "https://chromium.googlesource.com/chromium/src/+/${chromium_revision}/buildtools/DEPS?format=TEXT" | base64 -d > src/buildtools/DEPS

        gclient sync --spec="solutions=[{'name':'src/buildtools','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':True},'managed':False}]"
-    - name: Add ESLint problem matcher
+    - name: Add problem matchers
      shell: bash
-      run: echo "::add-matcher::src/electron/.github/problem-matchers/eslint-stylish.json"
+      run: |
+        echo "::add-matcher::src/electron/.github/problem-matchers/eslint-stylish.json"
+        echo "::add-matcher::src/electron/.github/problem-matchers/markdownlint.json"
    - name: Run Lint
      shell: bash
      run: |
@@ -85,4 +87,8 @@ jobs:
      run: |
        cd src/electron
        node script/yarn.js tsc -p tsconfig.script.json
-    
+    - name: Check GHA Workflows
+      shell: bash
+      run: |
+        cd src/electron
+        node script/copy-pipeline-segment-publish.js --check
--- a/.github/workflows/pipeline-segment-electron-build.yml
+++ b/.github/workflows/pipeline-segment-electron-build.yml
@@ -53,6 +53,11 @@ on:
        required: false
        type: boolean
        default: false
+      upload-out-gen-artifacts:
+        description: 'Whether to upload the src/gen artifacts'
+        required: false
+        type: boolean
+        default: false
      enable-ssh:
        description: 'Enable SSH debugging'
        required: false
@@ -95,7 +100,7 @@ jobs:
      run: |
        mkdir src
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
@@ -119,7 +124,7 @@ jobs:
      run: df -h
    - name: Setup Node.js/npm
      if: ${{ inputs.target-platform == 'macos' }}
-      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
      with:
        node-version: 22.21.x
        cache: yarn
@@ -163,7 +168,7 @@ jobs:
      if: ${{ inputs.target-platform == 'linux' }}
      uses: ./src/electron/.github/actions/restore-cache-aks
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
@@ -201,6 +206,7 @@ jobs:
        generate-symbols: '${{ inputs.generate-symbols }}'
        upload-to-storage: '${{ inputs.upload-to-storage }}'
        is-asan: '${{ inputs.is-asan }}'
+        upload-out-gen-artifacts: '${{ inputs.upload-out-gen-artifacts }}'
    - name: Set GN_EXTRA_ARGS for MAS Build
      if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' || inputs.target-variant == 'mas') }}
      run: |
--- a/.github/workflows/pipeline-segment-electron-clang-tidy.yml
+++ b/.github/workflows/pipeline-segment-electron-clang-tidy.yml
@@ -0,0 +1,159 @@
+name: Pipeline Segment - Electron Clang-Tidy
+
+on:
+  workflow_call:
+    inputs:
+      target-platform:
+        type: string
+        description: 'Platform to run on, can be macos, win or linux'
+        required: true
+      target-arch:
+        type: string
+        description: 'Arch to build for, can be x64, arm64 or arm'
+        required: true
+      clang-tidy-runs-on:
+        type: string
+        description: 'What host to run clang-tidy on'
+        required: true
+      clang-tidy-container:
+        type: string
+        description: 'JSON container information for aks runs-on'
+        required: false
+        default: '{"image":null}'
+
+permissions: {}
+
+concurrency:
+  group: electron-clang-tidy-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  GCLIENT_EXTRA_ARGS: ${{ inputs.target-platform == 'macos' && '--custom-var=checkout_mac=True --custom-var=host_os=mac' || (inputs.target-platform == 'linux' && '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True' || '--custom-var=checkout_win=True') }}
+  ELECTRON_OUT_DIR: Default
+
+jobs:
+  clang-tidy:
+    defaults:
+      run:
+        shell: bash
+    runs-on: ${{ inputs.clang-tidy-runs-on }}
+    permissions:
+      contents: read
+    container: ${{ fromJSON(inputs.clang-tidy-container) }}
+    env:
+      BUILD_TYPE: ${{ inputs.target-platform == 'macos' && 'darwin' || inputs.target-platform }}
+      TARGET_ARCH: ${{ inputs.target-arch }}
+      TARGET_PLATFORM: ${{ inputs.target-platform }}
+      ARTIFACT_KEY: ${{ inputs.target-platform == 'macos' && 'darwin' || inputs.target-platform }}_${{ inputs.target-arch }}
+    steps:
+    - name: Checkout Electron
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+        path: src/electron
+        fetch-depth: 0
+        ref: ${{ github.event.pull_request.head.sha }}
+    - name: Cleanup disk space on macOS
+      if: ${{ inputs.target-platform == 'macos' }}
+      shell: bash
+      run: |   
+        sudo mkdir -p $TMPDIR/del-target
+
+        tmpify() {
+          if [ -d "$1" ]; then
+            sudo mv "$1" $TMPDIR/del-target/$(echo $1|shasum -a 256|head -n1|cut -d " " -f1)
+          fi
+        }   
+        tmpify /Library/Developer/CoreSimulator
+        tmpify ~/Library/Developer/CoreSimulator
+        sudo rm -rf $TMPDIR/del-target
+    - name: Check disk space after freeing up space
+      if: ${{ inputs.target-platform == 'macos' }}
+      run: df -h
+    - name: Set Chromium Git Cookie
+      uses: ./src/electron/.github/actions/set-chromium-cookie
+    - name: Install Build Tools
+      uses: ./src/electron/.github/actions/install-build-tools
+    - name: Enable windows toolchain
+      if: ${{ inputs.target-platform == 'win' }}
+      run: |
+        echo "ELECTRON_DEPOT_TOOLS_WIN_TOOLCHAIN=1" >> $GITHUB_ENV
+    - name: Generate DEPS Hash
+      run: |
+        node src/electron/script/generate-deps-hash.js
+        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
+        echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
+        echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
+    - name: Restore src cache via AZCopy
+      if: ${{ inputs.target-platform == 'macos' }}
+      uses: ./src/electron/.github/actions/restore-cache-azcopy
+      with:
+        target-platform: ${{ inputs.target-platform }}      
+    - name: Restore src cache via AKS
+      if: ${{ inputs.target-platform == 'linux' || inputs.target-platform == 'win' }}
+      uses: ./src/electron/.github/actions/restore-cache-aks
+      with:
+        target-platform: ${{ inputs.target-platform }}
+    - name: Run Electron Only Hooks
+      run: |
+        echo "solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False},'managed':False}]" > tmpgclient
+        if [ "${{ inputs.target-platform }}" = "win" ]; then
+          echo "solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False,'install_sysroot':False,'checkout_win':True},'managed':False}]" > tmpgclient
+          echo "target_os=['win']" >> tmpgclient
+        fi
+        e d gclient runhooks --gclientfile=tmpgclient
+
+        # Fix VS Toolchain
+        if [ "${{ inputs.target-platform }}" = "win" ]; then
+          rm -rf src/third_party/depot_tools/win_toolchain/vs_files
+          e d python3 src/build/vs_toolchain.py update --force
+        fi
+    - name: Regenerate DEPS Hash
+      run: |
+        (cd src/electron && git checkout .) && node src/electron/script/generate-deps-hash.js
+        echo "DEPSHASH=$(cat src/electron/.depshash)" >> $GITHUB_ENV
+    - name: Add CHROMIUM_BUILDTOOLS_PATH to env
+      run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
+    - name: Checkout Electron
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+        path: src/electron
+        fetch-depth: 0
+        ref: ${{ github.event.pull_request.head.sha }}
+    - name: Install Dependencies
+      uses: ./src/electron/.github/actions/install-dependencies
+    - name: Default GN gen
+      run: |
+        cd src/electron
+        git pack-refs
+    - name: Download Out Gen Artifacts
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
+      with:
+        name: out_gen_artifacts_${{ env.ARTIFACT_KEY }}
+        path: ./src/out/${{ env.ELECTRON_OUT_DIR }}/gen
+    - name: Add Clang problem matcher
+      shell: bash
+      run: echo "::add-matcher::src/electron/.github/problem-matchers/clang.json"
+    - name: Run Clang-Tidy
+      run: |
+        e init -f --root=$(pwd) --out=${ELECTRON_OUT_DIR} testing --target-cpu ${TARGET_ARCH}
+
+        export GN_EXTRA_ARGS="target_cpu=\"${TARGET_ARCH}\""
+        if [ "${{ inputs.target-platform }}" = "win" ]; then
+          export GN_EXTRA_ARGS="$GN_EXTRA_ARGS use_v8_context_snapshot=true target_os=\"win\""
+        fi
+
+        e build --only-gen
+
+        cd src/electron
+        node script/yarn.js lint:clang-tidy --jobs 8 --out-dir ../out/${ELECTRON_OUT_DIR}
+    - name: Remove Clang problem matcher
+      shell: bash
+      run: echo "::remove-matcher owner=clang::"
+    - name: Wait for active SSH sessions
+      if: always() && !cancelled()
+      shell: bash
+      run: |
+        while [ -f /var/.ssh-lock ]
+        do
+          sleep 60
+        done
--- a/.github/workflows/pipeline-segment-electron-gn-check.yml
+++ b/.github/workflows/pipeline-segment-electron-gn-check.yml
@@ -48,7 +48,7 @@ jobs:
    container: ${{ fromJSON(inputs.check-container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
@@ -115,7 +115,7 @@ jobs:
    - name: Add CHROMIUM_BUILDTOOLS_PATH to env
      run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
--- a/.github/workflows/pipeline-segment-electron-publish.yml
+++ b/.github/workflows/pipeline-segment-electron-publish.yml
@@ -0,0 +1,243 @@
+# AUTOGENERATED FILE - DO NOT EDIT MANUALLY
+# ONLY EDIT .github/workflows/pipeline-segment-electron-build.yml
+
+name: Pipeline Segment - Electron Build
+on:
+  workflow_call:
+    inputs:
+      environment:
+        description: using the production or testing environment
+        required: false
+        type: string
+      target-platform:
+        type: string
+        description: Platform to run on, can be macos, win or linux
+        required: true
+      target-arch:
+        type: string
+        description: Arch to build for, can be x64, arm64, ia32 or arm
+        required: true
+      target-variant:
+        type: string
+        description: Variant to build for, no effect on non-macOS target platforms. Can
+          be darwin, mas or all.
+        default: all
+      build-runs-on:
+        type: string
+        description: What host to run the build
+        required: true
+      build-container:
+        type: string
+        description: JSON container information for aks runs-on
+        required: false
+        default: '{"image":null}'
+      is-release:
+        description: Whether this build job is a release job
+        required: true
+        type: boolean
+        default: false
+      gn-build-type:
+        description: The gn build type - testing or release
+        required: true
+        type: string
+        default: testing
+      generate-symbols:
+        description: Whether or not to generate symbols
+        required: true
+        type: boolean
+        default: false
+      upload-to-storage:
+        description: Whether or not to upload build artifacts to external storage
+        required: true
+        type: string
+        default: "0"
+      is-asan:
+        description: Building the Address Sanitizer (ASan) Linux build
+        required: false
+        type: boolean
+        default: false
+      upload-out-gen-artifacts:
+        description: Whether to upload the src/gen artifacts
+        required: false
+        type: boolean
+        default: false
+      enable-ssh:
+        description: Enable SSH debugging
+        required: false
+        type: boolean
+        default: false
+permissions: {}
+concurrency:
+  group: electron-build-${{ inputs.target-platform }}-${{ inputs.target-arch
+    }}-${{ inputs.target-variant }}-${{ inputs.is-asan }}-${{
+    github.ref_protected == true && github.run_id || github.ref }}
+  cancel-in-progress: ${{ github.ref_protected != true }}
+env:
+  CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
+  CHROMIUM_GIT_COOKIE_WINDOWS_STRING: ${{ secrets.CHROMIUM_GIT_COOKIE_WINDOWS_STRING }}
+  DD_API_KEY: ${{ secrets.DD_API_KEY }}
+  ELECTRON_ARTIFACTS_BLOB_STORAGE: ${{ secrets.ELECTRON_ARTIFACTS_BLOB_STORAGE }}
+  ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
+  SUDOWOODO_EXCHANGE_URL: ${{ secrets.SUDOWOODO_EXCHANGE_URL }}
+  SUDOWOODO_EXCHANGE_TOKEN: ${{ secrets.SUDOWOODO_EXCHANGE_TOKEN }}
+  GCLIENT_EXTRA_ARGS: ${{ inputs.target-platform == 'macos' &&
+    '--custom-var=checkout_mac=True --custom-var=host_os=mac' ||
+    inputs.target-platform == 'win' && '--custom-var=checkout_win=True' ||
+    '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True' }}
+  ELECTRON_OUT_DIR: Default
+  ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }}
+jobs:
+  build:
+    defaults:
+      run:
+        shell: bash
+    runs-on: ${{ inputs.build-runs-on }}
+    permissions:
+      artifact-metadata: write
+      attestations: write
+      contents: read
+      id-token: write
+    container: ${{ fromJSON(inputs.build-container) }}
+    environment: ${{ inputs.environment }}
+    env:
+      TARGET_ARCH: ${{ inputs.target-arch }}
+      TARGET_PLATFORM: ${{ inputs.target-platform }}
+    steps:
+      - name: Create src dir
+        run: |
+          mkdir src
+      - name: Checkout Electron
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          path: src/electron
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Setup SSH Debugging
+        if: ${{ inputs.target-platform == 'macos' && (inputs.enable-ssh ||
+          env.ACTIONS_STEP_DEBUG == 'true') }}
+        uses: ./src/electron/.github/actions/ssh-debug
+        with:
+          tunnel: "true"
+        env:
+          CLOUDFLARE_TUNNEL_CERT: ${{ secrets.CLOUDFLARE_TUNNEL_CERT }}
+          CLOUDFLARE_TUNNEL_HOSTNAME: ${{ vars.CLOUDFLARE_TUNNEL_HOSTNAME }}
+          CLOUDFLARE_USER_CA_CERT: ${{ secrets.CLOUDFLARE_USER_CA_CERT }}
+          AUTHORIZED_USERS: ${{ secrets.SSH_DEBUG_AUTHORIZED_USERS }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Free up space (macOS)
+        if: ${{ inputs.target-platform == 'macos' }}
+        uses: ./src/electron/.github/actions/free-space-macos
+      - name: Check disk space after freeing up space
+        if: ${{ inputs.target-platform == 'macos' }}
+        run: df -h
+      - name: Setup Node.js/npm
+        if: ${{ inputs.target-platform == 'macos' }}
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
+        with:
+          node-version: 22.21.x
+          cache: yarn
+          cache-dependency-path: src/electron/yarn.lock
+      - name: Install Dependencies
+        uses: ./src/electron/.github/actions/install-dependencies
+      - name: Install AZCopy
+        if: ${{ inputs.target-platform == 'macos' }}
+        run: brew install azcopy
+      - name: Set GN_EXTRA_ARGS for Linux
+        if: ${{ inputs.target-platform == 'linux' }}
+        run: >
+          if [ "${{ inputs.target-arch  }}" = "arm" ]; then
+            if [ "${{ inputs.is-release  }}" = true ]; then
+              GN_EXTRA_ARGS='target_cpu="arm" build_tflite_with_xnnpack=false symbol_level=1'
+            else
+              GN_EXTRA_ARGS='target_cpu="arm" build_tflite_with_xnnpack=false'
+            fi
+          elif [ "${{ inputs.target-arch }}" = "arm64" ]; then
+            GN_EXTRA_ARGS='target_cpu="arm64" fatal_linker_warnings=false enable_linux_installer=false'
+          elif [ "${{ inputs.is-asan }}" = true ]; then
+            GN_EXTRA_ARGS='is_asan=true'
+          fi
+
+          echo "GN_EXTRA_ARGS=$GN_EXTRA_ARGS" >> $GITHUB_ENV
+      - name: Set Chromium Git Cookie
+        uses: ./src/electron/.github/actions/set-chromium-cookie
+      - name: Install Build Tools
+        uses: ./src/electron/.github/actions/install-build-tools
+      - name: Generate DEPS Hash
+        run: |
+          node src/electron/script/generate-deps-hash.js
+          DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
+          echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
+          echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
+      - name: Restore src cache via AZCopy
+        if: ${{ inputs.target-platform != 'linux' }}
+        uses: ./src/electron/.github/actions/restore-cache-azcopy
+        with:
+          target-platform: ${{ inputs.target-platform }}
+      - name: Restore src cache via AKS
+        if: ${{ inputs.target-platform == 'linux' }}
+        uses: ./src/electron/.github/actions/restore-cache-aks
+      - name: Checkout Electron
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          path: src/electron
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Fix Sync
+        if: ${{ inputs.target-platform != 'linux' }}
+        uses: ./src/electron/.github/actions/fix-sync
+        with:
+          target-platform: ${{ inputs.target-platform }}
+        env:
+          ELECTRON_DEPOT_TOOLS_DISABLE_LOG: true
+      - name: Init Build Tools
+        run: >
+          e init -f --root=$(pwd) --out=Default ${{ inputs.gn-build-type }}
+          --import ${{ inputs.gn-build-type }} --target-cpu ${{
+          inputs.target-arch }} --remote-build siso
+      - name: Run Electron Only Hooks
+        run: |
+          e d gclient runhooks --spec="solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False},'managed':False}]"
+      - name: Regenerate DEPS Hash
+        run: >
+          (cd src/electron && git checkout .) && node
+          src/electron/script/generate-deps-hash.js
+
+          echo "DEPSHASH=$(cat src/electron/.depshash)" >> $GITHUB_ENV
+      - name: Add CHROMIUM_BUILDTOOLS_PATH to env
+        run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
+      - name: Free up space (macOS)
+        if: ${{ inputs.target-platform == 'macos' }}
+        uses: ./src/electron/.github/actions/free-space-macos
+      - name: Build Electron
+        if: ${{ inputs.target-platform != 'macos' || (inputs.target-variant == 'all' ||
+          inputs.target-variant == 'darwin') }}
+        uses: ./src/electron/.github/actions/build-electron
+        with:
+          target-arch: ${{ inputs.target-arch }}
+          target-platform: ${{ inputs.target-platform }}
+          artifact-platform: ${{ inputs.target-platform == 'macos' && 'darwin' ||
+            inputs.target-platform }}
+          is-release: ${{ inputs.is-release }}
+          generate-symbols: ${{ inputs.generate-symbols }}
+          upload-to-storage: ${{ inputs.upload-to-storage }}
+          is-asan: ${{ inputs.is-asan }}
+          upload-out-gen-artifacts: ${{ inputs.upload-out-gen-artifacts }}
+      - name: Set GN_EXTRA_ARGS for MAS Build
+        if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' ||
+          inputs.target-variant == 'mas') }}
+        run: |
+          echo "MAS_BUILD=true" >> $GITHUB_ENV
+          GN_EXTRA_ARGS='is_mas_build=true'
+          echo "GN_EXTRA_ARGS=$GN_EXTRA_ARGS" >> $GITHUB_ENV
+      - name: Build Electron (MAS)
+        if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' ||
+          inputs.target-variant == 'mas') }}
+        uses: ./src/electron/.github/actions/build-electron
+        with:
+          target-arch: ${{ inputs.target-arch }}
+          target-platform: ${{ inputs.target-platform }}
+          artifact-platform: mas
+          is-release: ${{ inputs.is-release }}
+          generate-symbols: ${{ inputs.generate-symbols }}
+          upload-to-storage: ${{ inputs.upload-to-storage }}
+          step-suffix: (mas)
--- a/.github/workflows/pipeline-segment-electron-test.yml
+++ b/.github/workflows/pipeline-segment-electron-test.yml
@@ -72,7 +72,7 @@ jobs:
        cp $(which node) /mnt/runner-externals/node24/bin/
    - name: Setup Node.js/npm
      if: ${{ inputs.target-platform == 'win' }}
-      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
      with:
        node-version: 22.21.x
    - name: Add TCC permissions on macOS
@@ -119,7 +119,7 @@ jobs:
      if: ${{ inputs.target-platform == 'macos' }}
      run: sudo xcode-select --switch /Applications/Xcode_16.4.app
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
--- a/.github/workflows/pipeline-segment-node-nan-test.yml
+++ b/.github/workflows/pipeline-segment-node-nan-test.yml
@@ -50,7 +50,7 @@ jobs:
    container: ${{ fromJSON(inputs.test-container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
@@ -106,7 +106,7 @@ jobs:
    container: ${{ fromJSON(inputs.test-container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
--- a/.github/workflows/pull-request-labeled.yml
+++ b/.github/workflows/pull-request-labeled.yml
@@ -32,7 +32,7 @@ jobs:
    permissions: {}
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
        id: generate-token
        with:
          creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}
@@ -44,3 +44,35 @@ jobs:
          project-number: 94
          field: Status
          field-value: ✅ Reviewed
+  pull-request-labeled-ai-pr:
+    name: ai-pr label added
+    if: github.event.label.name == 'ai-pr'
+    runs-on: ubuntu-latest
+    permissions: {}
+    steps:
+    - name: Generate GitHub App token
+      uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+      id: generate-token
+      with:
+        creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
+    - name: Create comment
+      uses: actions-cool/issues-helper@71b62d7da76e59ff7b193904feb6e77d4dbb2777 # v3.7.6
+      with:
+        actions: 'create-comment'
+        token: ${{ steps.generate-token.outputs.token }}
+        issue-number: ${{ github.event.pull_request.number }}
+        body: |
+          <!-- ai-pr -->
+
+          *AI PR Detected*
+
+          Hello @${{ github.event.pull_request.user.login }}. Due to the high amount of AI spam PRs we receive, if a PR is detected to be majority AI-generated without disclosure and untested, we will automatically close the PR.
+
+          We welcome the use of AI tools, as long as the PR meets our quality standards and has clearly been built and tested. If you believe your PR was closed in error, we welcome you to resubmit. However, please read our [CONTRIBUTING.md](http://contributing.md/) carefully before reopening. Thanks for your contribution.
+    - name: Close the pull request
+      env:
+        GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        GH_REPO: electron/electron
+        PR_NUMBER: ${{ github.event.pull_request.number }}
+      run: |
+        gh pr close "$PR_NUMBER"
--- a/.github/workflows/rerun-apply-patches.yml
+++ b/.github/workflows/rerun-apply-patches.yml
@@ -0,0 +1,71 @@
+name: Rerun PR Apply Patches
+
+on:
+  push:
+    branches:
+      - main
+      - '[1-9][0-9]-x-y'
+    paths:
+      - 'DEPS'
+      - 'patches/**'
+
+permissions: {}
+
+jobs:
+  rerun-apply-patches:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      checks: read
+      contents: read
+      pull-requests: read
+    steps:
+      - name: Find PRs and Rerun Apply Patches
+        env:
+          GH_REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          BRANCH="${GITHUB_REF#refs/heads/}"
+
+          # Find all open PRs targeting this branch
+          PRS=$(gh pr list --base "$BRANCH" --state open --limit 250 --json number)
+
+          echo "$PRS" | jq -c '.[]' | while read -r pr; do
+            PR_NUMBER=$(echo "$pr" | jq -r '.number')
+            echo "Processing PR #${PR_NUMBER}"
+
+            # Find the Apply Patches workflow check for this PR
+            CHECK=$(gh pr view "$PR_NUMBER" --json statusCheckRollup --jq '[.statusCheckRollup[] | select(.workflowName == "Apply Patches" and .name == "apply-patches")] | first')
+
+            if [ -z "$CHECK" ] || [ "$CHECK" = "null" ]; then
+              echo "  No Apply Patches workflow found for PR #${PR_NUMBER}"
+              continue
+            fi
+
+            CONCLUSION=$(echo "$CHECK" | jq -r '.conclusion')
+            if [ "$CONCLUSION" = "SKIPPED" ]; then
+              echo "  apply-patches job was skipped for PR #${PR_NUMBER} (no patches)"
+              continue
+            fi
+
+            LINK=$(echo "$CHECK" | jq -r '.detailsUrl')
+
+            # Extract the run ID from the link (format: .../runs/RUN_ID/job/JOB_ID)
+            RUN_ID=$(echo "$LINK" | grep -oE 'runs/[0-9]+' | cut -d'/' -f2)
+
+            if [ -z "$RUN_ID" ]; then
+              echo "  Could not extract run ID from link: ${LINK}"
+              continue
+            fi
+
+            # Check if the workflow is currently in progress
+            RUN_STATUS=$(gh run view "$RUN_ID" --json status --jq '.status')
+
+            if [ "$RUN_STATUS" = "in_progress" ] || [ "$RUN_STATUS" = "queued" ] || [ "$RUN_STATUS" = "waiting" ]; then
+              echo "  Workflow run ${RUN_ID} is ${RUN_STATUS}, cancelling..."
+              gh run cancel "$RUN_ID" --force
+              gh run watch "$RUN_ID"
+            fi
+
+            gh run rerun "$RUN_ID"
+          done
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -13,6 +13,7 @@ permissions: read-all
 jobs:
  analysis:
    name: Scorecards analysis
+    if: github.repository == 'electron/electron'
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
@@ -22,7 +23,7 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -50,6 +51,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v3.29.5
+        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v3.29.5
        with:
          sarif_file: results.sarif
--- a/.github/workflows/stable-prep-items.yml
+++ b/.github/workflows/stable-prep-items.yml
@@ -10,11 +10,12 @@ permissions: {}
 jobs:
  check-stable-prep-items:
    name: Check Stable Prep Items
+    if: github.repository == 'electron/electron'
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
        id: generate-token
        with:
          creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -9,11 +9,12 @@ permissions: {}

 jobs:
  stale:
+    if: github.repository == 'electron/electron'
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -33,11 +34,11 @@ jobs:
  pending-repro:
    runs-on: ubuntu-latest
    permissions: {}
-    if: ${{ always() }}
+    if: ${{ always() && github.repository == 'electron/electron' }}
    needs: stale
    steps:
      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
--- a/.github/workflows/update-website-docs.yml
+++ b/.github/workflows/update-website-docs.yml
@@ -0,0 +1,39 @@
+name: Update Website Docs
+
+on:
+  release:
+    types: [published]
+
+permissions: {}
+
+jobs:
+  update-website-docs:
+    name: Update Website Docs
+    runs-on: ubuntu-latest
+    environment: website-docs-updater
+    permissions:
+      contents: read
+      id-token: write # needed for secret-service-action
+    steps:
+      - name: Get GitHub App token
+        id: secret-service
+        uses: electron/secret-service-action@3476425e8b30555aac15b1b7096938e254b0e155 # v1.0.0
+      - name: Check if this release is the latest
+        id: check-if-latest-release
+        env:
+          GH_REPO: electron/electron
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          LATEST_RELEASE_TAG="$(gh release view --json tagName --jq '.tagName')"
+          if [ "$LATEST_RELEASE_TAG" = "${GITHUB_REF#refs/tags/}" ]; then
+            echo "isLatestRelease=true" >> $GITHUB_OUTPUT
+          else
+            echo "isLatestRelease=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Trigger website docs update
+        if: ${{ steps.check-if-latest-release.outputs.isLatestRelease }}
+        env:
+          GH_REPO: electron/website
+          GH_TOKEN: ${{ fromJSON(steps.secret-service.outputs.secrets).WEBSITE_DOCS_UPDATER_APP_TOKEN }}
+        run: |
+          gh workflow run update-docs.yml -f sha=$GITHUB_SHA
--- a/.github/workflows/windows-publish.yml
+++ b/.github/workflows/windows-publish.yml
@@ -22,6 +22,7 @@ permissions: {}

 jobs:
  checkout-windows:
+    if: github.repository == 'electron/electron'
    runs-on: electron-arc-centralus-linux-amd64-32core
    permissions:
      contents: read
@@ -40,7 +41,7 @@ jobs:
      build-image-sha: ${{ inputs.build-image-sha }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      with:
        path: src/electron
        fetch-depth: 0
@@ -51,9 +52,12 @@ jobs:
        target-platform: win

  publish-x64-win:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
+      attestations: write
      contents: read
+      id-token: write
    needs: checkout-windows
    with:
      environment: production-release
@@ -67,9 +71,12 @@ jobs:
    secrets: inherit

  publish-arm64-win:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
+      attestations: write
      contents: read
+      id-token: write
    needs: checkout-windows
    with:
      environment: production-release
@@ -83,9 +90,12 @@ jobs:
    secrets: inherit

  publish-x86-win:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
    permissions:
+      artifact-metadata: write
+      attestations: write
      contents: read
+      id-token: write
    needs: checkout-windows
    with:
      environment: production-release
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -502,6 +502,7 @@ source_set("electron_lib") {
    "//third_party/blink/public/platform/media",
    "//third_party/boringssl",
    "//third_party/electron_node:libnode",
+    "//third_party/highway:libhwy",
    "//third_party/inspector_protocol:crdtp",
    "//third_party/leveldatabase",
    "//third_party/libyuv",
@@ -595,6 +596,7 @@ source_set("electron_lib") {
    use_libcxx_modules = false

    deps += [
+      "//components/os_crypt/async/browser:keychain_key_provider",
      "//components/os_crypt/common:keychain_password_mac",
      "//components/remote_cocoa/app_shim",
      "//components/remote_cocoa/browser",
@@ -657,6 +659,9 @@ source_set("electron_lib") {
      ":libnotify_loader",
      "//build/config/linux/gtk",
      "//components/crash/content/browser",
+      "//components/os_crypt/async/browser:freedesktop_secret_key_provider",
+      "//components/os_crypt/async/browser:posix_key_provider",
+      "//components/os_crypt/async/browser:secret_portal_key_provider",
      "//dbus",
      "//device/bluetooth",
      "//third_party/crashpad/crashpad/client",
@@ -697,6 +702,7 @@ source_set("electron_lib") {
    deps += [
      "//components/app_launch_prefetch",
      "//components/crash/core/app:crash_export_thunks",
+      "//components/os_crypt/async/browser:dpapi_key_provider",
      "//third_party/libxml:xml_writer",
      "//ui/wm",
      "//ui/wm/public",
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -155,6 +155,10 @@ e test                    # Run full test suite

 When working on the `roller/chromium/main` branch to upgrade Chromium activate the "Electron Chromium Upgrade" skill.

+## Pull Requests
+
+PR bodies must always include a `Notes:` section as the **last line** of the body. This is a consumer-facing release note for Electron app developers — describe the user-visible fix or change, not internal implementation details. Use `Notes: none` if there is no user-facing change.
+
 ## Code Style

 **C++:** Follows Chromium style, enforced by clang-format
--- a/4
+++ b/4
@@ -2,9 +2,9 @@ gclient_gn_args_from = 'src'

 vars = {
  'chromium_version':
-    '146.0.7635.0',
+    '147.0.7687.0',
  'node_version':
-    'v24.13.0',
+    'v24.13.1',
  'nan_version':
    '675cefebca42410733da8a454c8d9391fcebfbc2',
  'squirrel.mac_version':
--- a/build/fuses/fuses.json5
+++ b/build/fuses/fuses.json5
@@ -9,5 +9,6 @@
  "embedded_asar_integrity_validation": "0",
  "only_load_app_from_asar": "0",
  "load_browser_process_specific_v8_snapshot": "0",
-  "grant_file_protocol_extra_privileges": "1"
+  "grant_file_protocol_extra_privileges": "1",
+  "wasm_trap_handlers": "1"
 }
--- a/build/siso/backend.star
+++ b/build/siso/backend.star
@@ -1,21 +0,0 @@
-# -*- bazel-starlark -*-
-
-load("@builtin//struct.star", "module")
-
-def __platform_properties(ctx):
-    container_image = "docker://gcr.io/chops-public-images-prod/rbe/siso-chromium/linux@sha256:d7cb1ab14a0f20aa669c23f22c15a9dead761dcac19f43985bf9dd5f41fbef3a"
-    return {
-        "default": {
-            "OSFamily": "Linux",
-            "container-image": container_image,
-        },
-        "large": {
-            "OSFamily": "Linux",
-            "container-image": container_image,
-        },
-    }
-
-backend = module(
-    "backend",
-    platform_properties = __platform_properties,
-)
--- a/build/siso/main.star
+++ b/build/siso/main.star
@@ -1,66 +0,0 @@
-load("@builtin//encoding.star", "json")
-load("@builtin//path.star", "path")
-load("@builtin//runtime.star", "runtime")
-load("@builtin//struct.star", "module")
-load("@config//main.star", upstream_init = "init")
-load("@config//win_sdk.star", "win_sdk")
-load("@config//gn_logs.star", "gn_logs")
-
-def init(ctx):
-    mod = upstream_init(ctx)
-    step_config = json.decode(mod.step_config)
-
-    # Buildbarn doesn't support input_root_absolute_path so disable that
-    for rule in step_config["rules"]:    
-      input_root_absolute_path = rule.get("input_root_absolute_path", False)
-      if input_root_absolute_path:
-        rule.pop("input_root_absolute_path", None)
-
-    # Only wrap clang rules with a remote wrapper if not on Linux. These are currently only
-    # needed for X-Compile builds, which run on Windows and Mac.
-    if runtime.os != "linux":
-      for rule in step_config["rules"]:
-        if rule["name"].startswith("clang/") or rule["name"].startswith("clang-cl/"):
-          rule["remote_wrapper"] = "../../buildtools/reclient_cfgs/chromium-browser-clang/clang_remote_wrapper"
-          if "inputs" not in rule:
-            rule["inputs"] = []
-          rule["inputs"].append("buildtools/reclient_cfgs/chromium-browser-clang/clang_remote_wrapper")
-          rule["inputs"].append("third_party/llvm-build/Release+Asserts_linux/bin/clang")
-
-      if "executables" not in step_config:
-        step_config["executables"] = []
-      step_config["executables"].append("buildtools/reclient_cfgs/chromium-browser-clang/clang_remote_wrapper")
-      step_config["executables"].append("third_party/llvm-build/Release+Asserts_linux/bin/clang")
-
-    if runtime.os == "darwin":
-      # Update platforms to match our default siso config instead of reclient configs.
-      step_config["platforms"].update({
-          "clang": step_config["platforms"]["default"],
-          "clang_large": step_config["platforms"]["default"],          
-      })      
-
-    if runtime.os == "windows":
-      # Add additional Windows SDK headers needed by Electron      
-      win_toolchain_dir = win_sdk.toolchain_dir(ctx)
-      if win_toolchain_dir:
-        sdk_version = gn_logs.read(ctx).get("windows_sdk_version")
-        step_config["input_deps"][win_toolchain_dir + ":headers"].extend([
-          # third_party/electron_node/deps/uv/include/uv/win.h includes mswsock.h
-          path.join(win_toolchain_dir, "Windows Kits/10/Include", sdk_version, "um/mswsock.h"),
-          # third_party/electron_node/src/debug_utils.cc includes lm.h
-          path.join(win_toolchain_dir, "Windows Kits/10/Include", sdk_version, "um/Lm.h"),          
-        ])
-      
-      # Update platforms to match our default siso config instead of reclient configs.
-      step_config["platforms"].update({
-          "clang-cl": step_config["platforms"]["default"],
-          "clang-cl_large": step_config["platforms"]["default"],
-          "lld-link": step_config["platforms"]["default"],
-      })
-
-    return module(
-      "config",
-      step_config = json.encode(step_config),
-      filegroups = mod.filegroups,
-      handlers = mod.handlers,
-    )
--- a/docs/api/app.md
+++ b/docs/api/app.md
@@ -250,7 +250,9 @@ Returns:

 Emitted when the user clicks the native macOS new tab button. The new
 tab button is only visible if the current `BrowserWindow` has a
-`tabbingIdentifier`
+`tabbingIdentifier`.
+
+You must create a window in this handler in order for macOS tabbing to work as expected.

 ### Event: 'browser-window-blur'

@@ -633,7 +635,7 @@ Returns `string` - The current application directory.
 Returns `string` - A path to a special directory or file associated with `name`. On
 failure, an `Error` is thrown.

-If `app.getPath('logs')` is called without called `app.setAppLogsPath()` being called first, a default log directory will be created equivalent to calling `app.setAppLogsPath()` without a `path` parameter.
+If `app.getPath('logs')` is called without calling `app.setAppLogsPath()` being called first, a default log directory will be created equivalent to calling `app.setAppLogsPath()` without a `path` parameter.

 ### `app.getFileIcon(path[, options])`

@@ -648,7 +650,7 @@ Returns `Promise<NativeImage>` - fulfilled with the app's icon, which is a [Nati

 Fetches a path's associated icon.

-On _Windows_, there a 2 kinds of icons:
+On _Windows_, there are 2 kinds of icons:

 * Icons associated with certain file extensions, like `.mp3`, `.png`, etc.
 * Icons inside the file itself, like `.exe`, `.dll`, `.ico`.
@@ -764,7 +766,7 @@ app.getPreferredSystemLanguages() // ['fr-CA', 'en-US', 'zh-Hans-FI', 'es-419']

 Both the available languages and regions and the possible return values differ between the two operating systems.

-As can be seen with the example above, on Windows, it is possible that a preferred system language has no country code, and that one of the preferred system languages corresponds with the language used for the regional format. On macOS, the region serves more as a default country code: the user doesn't need to have Finnish as a preferred language to use Finland as the region,and the country code `FI` is used as the country code for preferred system languages that do not have associated countries in the language name.
+As can be seen with the example above, on Windows, it is possible that a preferred system language has no country code, and that one of the preferred system languages corresponds with the language used for the regional format. On macOS, the region serves more as a default country code: the user doesn't need to have Finnish as a preferred language to use Finland as the region, and the country code `FI` is used as the country code for preferred system languages that do not have associated countries in the language name.

 ### `app.addRecentDocument(path)` _macOS_ _Windows_

@@ -1122,6 +1124,19 @@ Updates the current activity if its type matches `type`, merging the entries fro

 Changes the [Application User Model ID][app-user-model-id] to `id`.

+### `app.setToastActivatorCLSID(id)` _Windows_
+
+* `id` string
+
+Changes the [Toast Activator CLSID][toast-activator-clsid] to `id`. If one is not set via this method, it will be randomly generated for the app.
+
+* The value must be a valid GUID/CLSID in one of the following forms:
+  * Canonical brace-wrapped: `{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}` (preferred)
+  * Canonical without braces: `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (braces will be added automatically)
+* Hex digits are case-insensitive.
+
+This method should be called early (before showing notifications) so the value is baked into the registration/shortcut. Supplying an empty string or an unparsable value throws and leaves the existing (or generated) CLSID unchanged. If this method is never called, a random CLSID is generated once per run and exposed via `app.toastActivatorCLSID`.
+
 ### `app.setActivationPolicy(policy)` _macOS_

 * `policy` string - Can be 'regular', 'accessory', or 'prohibited'.
@@ -1226,7 +1241,7 @@ Returns `boolean` - whether hardware acceleration is currently enabled.
 ### `app.disableDomainBlockingFor3DAPIs()`

 By default, Chromium disables 3D APIs (e.g. WebGL) until restart on a per
-domain basis if the GPU processes crashes too frequently. This function
+domain basis if the GPU process crashes too frequently. This function
 disables that behavior.

 This method can only be called before app is ready.
@@ -1285,6 +1300,8 @@ For `infoType` equal to `basic`:

 Using `basic` should be preferred if only basic information like `vendorId` or `deviceId` is needed.

+Promise is rejected if the GPU is completely disabled, i.e. no hardware and software implementations are available.
+
 ### `app.setBadgeCount([count])` _Linux_ _macOS_

 * `count` Integer (optional) - If a value is provided, set the badge to the provided value otherwise, on macOS, display a plain white dot (e.g. unknown number of notifications). On Linux, if a value is not provided the badge will not display.
@@ -1702,8 +1719,13 @@ platforms) that allows you to perform actions on your app icon in the user's doc

 A `boolean` property that returns  `true` if the app is packaged, `false` otherwise. For many apps, this property can be used to distinguish development and production environments.

+### `app.toastActivatorCLSID` _Windows_ _Readonly_
+
+A `string` property that returns the app's [Toast Activator CLSID][toast-activator-clsid].
+
 [tasks]:https://learn.microsoft.com/en-us/windows/win32/shell/taskbar-extensions#tasks
 [app-user-model-id]: https://learn.microsoft.com/en-us/windows/win32/shell/appids
+[toast-activator-clsid]: https://learn.microsoft.com/en-us/windows/win32/properties/props-system-appusermodel-toastactivatorclsid
 [electron-forge]: https://www.electronforge.io/
 [electron-packager]: https://github.com/electron/packager
 [CFBundleURLTypes]: https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html#//apple_ref/doc/uid/TP40009249-102207-TPXREF115
--- a/docs/api/auto-updater.md
+++ b/docs/api/auto-updater.md
@@ -32,9 +32,19 @@ update process. Apps that need to disable ATS can add the

 ### Windows

-On Windows, you have to install your app into a user's machine before you can
-use the `autoUpdater`, so it is recommended that you use
-[electron-winstaller][installer-lib] or [Electron Forge's Squirrel.Windows maker][electron-forge-lib] to generate a Windows installer.
+On Windows, the `autoUpdater` module automatically selects the appropriate update mechanism
+based on how your app is packaged:
+
+* **MSIX packages**: If your app is running as an MSIX package (created with [electron-windows-msix][msix-lib] and detected via [`process.windowsStore`](process.md#processwindowsstore-readonly)),
+  the module uses the MSIX updater, which supports direct MSIX file links and JSON update feeds.
+* **Squirrel.Windows**: For apps installed via traditional installers (created with
+  [electron-winstaller][installer-lib] or [Electron Forge's Squirrel.Windows maker][electron-forge-lib]),
+  the module uses Squirrel.Windows for updates.
+
+You don't need to configure which updater to use; Electron automatically detects the packaging
+format and uses the appropriate one.
+
+#### Squirrel.Windows

 Apps built with Squirrel.Windows will trigger [custom launch events](https://github.com/Squirrel/Squirrel.Windows/blob/51f5e2cb01add79280a53d51e8d0cfa20f8c9f9f/docs/using/custom-squirrel-events-non-cs.md#application-startup-commands)
 that must be handled by your Electron application to ensure proper setup and teardown.
@@ -55,6 +65,14 @@ The installer generated with Squirrel.Windows will create a shortcut icon with a
 same ID for your app with `app.setAppUserModelId` API, otherwise Windows will
 not be able to pin your app properly in task bar.

+#### MSIX Packages
+
+When your app is packaged as an MSIX, the `autoUpdater` module provides additional
+functionality:
+
+* Use the `allowAnyVersion` option in `setFeedURL()` to allow updates to older versions (downgrades)
+* Support for direct MSIX file links or JSON update feeds (similar to Squirrel.Mac format)
+
 ## Events

 The `autoUpdater` object emits the following events:
@@ -92,7 +110,7 @@ Returns:

 Emitted when an update has been downloaded.

-On Windows only `releaseName` is available.
+With Squirrel.Windows only `releaseName` is available.

 > [!NOTE]
 > It is not strictly necessary to handle this event. A successfully
@@ -100,6 +118,13 @@ On Windows only `releaseName` is available.

 ### Event: 'before-quit-for-update'

+<!--
+```YAML history
+added:
+  - pr-url: https://github.com/electron/electron/pull/12619
+```
+-->
+
 This event is emitted after a user calls `quitAndInstall()`.

 When this API is called, the `before-quit` event is not emitted before all windows are closed. As a result you should listen to this event if you wish to perform actions before the windows are closed while a process is quitting, as well as listening to `before-quit`.
@@ -110,11 +135,23 @@ The `autoUpdater` object has the following methods:

 ### `autoUpdater.setFeedURL(options)`

+<!--
+```YAML history
+changes:
+  - pr-url: https://github.com/electron/electron/pull/5879
+    description: "Added `headers` as a second parameter."
+  - pr-url: https://github.com/electron/electron/pull/11925
+    description: "Changed API to accept a single `options` argument (contains `url`, `headers`, and `serverType` properties)."
+```
+-->
+
 * `options` Object
-  * `url` string
+  * `url` string - The update server URL. For _Windows_ MSIX, this can be either a direct link to an MSIX file (e.g., `https://example.com/update.msix`) or a JSON endpoint that returns update information (see the [Squirrel.Mac][squirrel-mac] README for more information).
  * `headers` Record\<string, string\> (optional) _macOS_ - HTTP request headers.
  * `serverType` string (optional) _macOS_ - Can be `json` or `default`, see the [Squirrel.Mac][squirrel-mac]
    README for more information.
+  * `allowAnyVersion` boolean (optional) _Windows_ - If `true`, allows downgrades to older versions for MSIX packages.
+    Defaults to `false`.

 Sets the `url` and initialize the auto updater.

@@ -151,3 +188,4 @@ closed.
 [electron-forge-lib]: https://www.electronforge.io/config/makers/squirrel.windows
 [app-user-model-id]: https://learn.microsoft.com/en-us/windows/win32/shell/appids
 [event-emitter]: https://nodejs.org/api/events.html#events_class_eventemitter
+[msix-lib]:  https://github.com/electron-userland/electron-windows-msix
--- a/docs/api/base-window.md
+++ b/docs/api/base-window.md
@@ -351,7 +351,11 @@ Emitted when the window has closed a sheet.

 #### Event: 'new-window-for-tab' _macOS_

-Emitted when the native new tab button is clicked.
+Emitted when the user clicks the native macOS new tab button. The new
+tab button is only visible if the current `BrowserWindow` has a
+`tabbingIdentifier`.
+
+You must create a window in this handler in order for macOS tabbing to work as expected.

 #### Event: 'system-context-menu' _Windows_ _Linux_

@@ -756,6 +760,9 @@ Returns [`Rectangle`](structures/rectangle.md) - The `bounds` of the window as `
 > [!NOTE]
 > On macOS, the y-coordinate value returned will be at minimum the [Tray](tray.md) height. For example, calling `win.setBounds({ x: 25, y: 20, width: 800, height: 600 })` with a tray height of 38 means that `win.getBounds()` will return `{ x: 25, y: 38, width: 800, height: 600 }`.

+> [!NOTE]
+> On Wayland, this method will return `{ x: 0, y: 0, ... }` as introspecting or programmatically changing the global window coordinates is prohibited.
+
 #### `win.getBackgroundColor()`

 Returns `string` - Gets the background color of the window in Hex (`#RRGGBB`) format.
@@ -969,6 +976,9 @@ Moves window to `x` and `y`.

 Returns `Integer[]` - Contains the window's current position.

+> [!NOTE]
+> On Wayland, this method will return `[0, 0]` as introspecting or programmatically changing the global window coordinates is prohibited.
+
 #### `win.setTitle(title)`

 * `title` string
@@ -1043,7 +1053,7 @@ under this mode apps can choose to optimize their UI for tablets, such as
 enlarging the titlebar and hiding titlebar buttons.

 This API returns whether the window is in tablet mode, and the `resize` event
-can be be used to listen to changes to tablet mode.
+can be used to listen to changes to tablet mode.

 #### `win.getMediaSourceId()`

--- a/docs/api/browser-window.md
+++ b/docs/api/browser-window.md
@@ -435,7 +435,11 @@ Emitted when the window has closed a sheet.

 #### Event: 'new-window-for-tab' _macOS_

-Emitted when the native new tab button is clicked.
+Emitted when the user clicks the native macOS new tab button. The new
+tab button is only visible if the current `BrowserWindow` has a
+`tabbingIdentifier`.
+
+You must create a window in this handler in order for macOS tabbing to work as expected.

 #### Event: 'system-context-menu' _Windows_ _Linux_

@@ -862,6 +866,9 @@ Returns [`Rectangle`](structures/rectangle.md) - The `bounds` of the window as `
 > [!NOTE]
 > On macOS, the y-coordinate value returned will be at minimum the [Tray](tray.md) height. For example, calling `win.setBounds({ x: 25, y: 20, width: 800, height: 600 })` with a tray height of 38 means that `win.getBounds()` will return `{ x: 25, y: 38, width: 800, height: 600 }`.

+> [!NOTE]
+> On Wayland, this method will return `{ x: 0, y: 0, ... }` as introspecting or programmatically changing the global window coordinates is prohibited.
+
 #### `win.getBackgroundColor()`

 Returns `string` - Gets the background color of the window in Hex (`#RRGGBB`) format.
@@ -1087,6 +1094,9 @@ Not supported on Wayland (Linux).

 Returns `Integer[]` - Contains the window's current position.

+> [!NOTE]
+> On Wayland, this method will return `[0, 0]` as introspecting or programmatically changing the global window coordinates is prohibited.
+
 #### `win.setTitle(title)`

 * `title` string
@@ -1159,7 +1169,7 @@ under this mode apps can choose to optimize their UI for tablets, such as
 enlarging the titlebar and hiding titlebar buttons.

 This API returns whether the window is in tablet mode, and the `resize` event
-can be be used to listen to changes to tablet mode.
+can be used to listen to changes to tablet mode.

 #### `win.getMediaSourceId()`

--- a/docs/api/client-request.md
+++ b/docs/api/client-request.md
@@ -264,7 +264,7 @@ will not be allowed. The `finish` event is emitted just after the end operation.
 Cancels an ongoing HTTP transaction. If the request has already emitted the
 `close` event, the abort operation will have no effect. Otherwise an ongoing
 event will emit `abort` and `close` events. Additionally, if there is an ongoing
-response object,it will emit the `aborted` event.
+response object, it will emit the `aborted` event.

 #### `request.followRedirect()`

--- a/docs/api/clipboard.md
+++ b/docs/api/clipboard.md
@@ -5,7 +5,7 @@
 Process: [Main](../glossary.md#main-process), [Renderer](../glossary.md#renderer-process) _Deprecated_ (non-sandboxed only)

 > [!NOTE]
-> Using the `clipoard` API from the renderer process is deprecated.
+> Using the `clipboard` API from the renderer process is deprecated.

 > [!IMPORTANT]
 > If you want to call this API from a renderer process,
--- a/docs/api/command-line-switches.md
+++ b/docs/api/command-line-switches.md
@@ -172,7 +172,7 @@ Enables net log events to be saved and writes them to `path`.
 Sets the verbosity of logging when used together with `--enable-logging`.
 `N` should be one of [Chrome's LogSeverities][severities].

-Note that two complimentary logging mechanisms in Chromium -- `LOG()`
+Note that two complementary logging mechanisms in Chromium -- `LOG()`
 and `VLOG()` -- are controlled by different switches. `--log-level`
 controls `LOG()` messages, while `--v` and `--vmodule` control `VLOG()`
 messages. So you may want to use a combination of these three switches
@@ -370,6 +370,13 @@ Keep in mind that standalone switches can sometimes be split into individual fea

 Finally, you'll need to ensure that the version of Chromium in Electron matches the version of the browser you're using to cross-reference the switches.

+### Chromium features relevant to Electron apps
+
+* `AlwaysLogLOAFURL`: enables script attribution for
+  [`long-animation-frame`](https://developer.mozilla.org/en-US/docs/Web/API/Performance_API/Long_animation_frame_timing)
+  `PerformanceObserver` events for non-http(s), non-data, non-blob URLs (such as `file:` or custom
+  protocol URLs).
+
 [app]: app.md
 [append-switch]: command-line.md#commandlineappendswitchswitch-value
 [debugging-main-process]: ../tutorial/debugging-main-process.md
--- a/docs/api/cookies.md
+++ b/docs/api/cookies.md
@@ -51,7 +51,12 @@ Returns:
 * `event` Event
 * `cookie` [Cookie](structures/cookie.md) - The cookie that was changed.
 * `cause` string - The cause of the change with one of the following values:
-  * `explicit` - The cookie was changed directly by a consumer's action.
+  * `inserted` -  The cookie was inserted.
+  * `inserted-no-change-overwrite` - The newly inserted cookie overwrote a cookie but
+    did not result in any change. For example, inserting an identical cookie will produce this cause.
+  * `inserted-no-value-change-overwrite` - The newly inserted cookie overwrote a cookie but
+    did not result in any value change, but it's web observable (e.g. updates the expiry).
+  * `explicit` - The cookie was deleted directly by a consumer's action.
  * `overwrite` - The cookie was automatically removed due to an insert
    operation that overwrote it.
  * `expired` - The cookie was automatically removed as it expired.
@@ -102,7 +107,7 @@ the response.
    cookie and will not be retained between sessions.
  * `sameSite` string (optional) - The [Same Site](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_cookies) policy to apply to this cookie.  Can be `unspecified`, `no_restriction`, `lax` or `strict`.  Default is `lax`.

-Returns `Promise<void>` - A promise which resolves when the cookie has been set
+Returns `Promise<void>` - A promise which resolves when the cookie has been set.

 Sets a cookie with `details`.

@@ -111,16 +116,16 @@ Sets a cookie with `details`.
 * `url` string - The URL associated with the cookie.
 * `name` string - The name of cookie to remove.

-Returns `Promise<void>` - A promise which resolves when the cookie has been removed
+Returns `Promise<void>` - A promise which resolves when the cookie has been removed.

-Removes the cookies matching `url` and `name`
+Removes the cookies matching `url` and `name`.

 #### `cookies.flushStore()`

-Returns `Promise<void>` - A promise which resolves when the cookie store has been flushed
+Returns `Promise<void>` - A promise which resolves when the cookie store has been flushed.

-Writes any unwritten cookies data to disk
+Writes any unwritten cookies data to disk.

-Cookies written by any method will not be written to disk immediately, but will be written every 30 seconds or 512 operations
+Cookies written by any method will not be written to disk immediately, but will be written every 30 seconds or 512 operations.

 Calling this method can cause the cookie to be written to disk immediately.
--- a/docs/api/corner-smoothing-css.md
+++ b/docs/api/corner-smoothing-css.md
@@ -49,7 +49,7 @@ Use the `system-ui` keyword to match the smoothness to the OS design language.
 | Value: | `60%` | `0%` |
 | Example: | ![A rectangle with round corners whose smoothness matches macOS](../images/corner-smoothing-example-60.svg) | ![A rectangle with round corners whose smoothness matches Windows and Linux](../images/corner-smoothing-example-0.svg) |

-### Controlling availibility
+### Controlling availability

 This CSS rule can be disabled using the Blink feature flag `ElectronCSSCornerSmoothing`.

--- a/docs/api/desktop-capturer.md
+++ b/docs/api/desktop-capturer.md
@@ -94,18 +94,45 @@ The `desktopCapturer` module has the following methods:
 Returns `Promise<DesktopCapturerSource[]>` - Resolves with an array of [`DesktopCapturerSource`](structures/desktop-capturer-source.md) objects, each `DesktopCapturerSource` represents a screen or an individual window that can be captured.

 > [!NOTE]
-> Capturing the screen contents requires user consent on macOS 10.15 Catalina or higher,
-> which can detected by [`systemPreferences.getMediaAccessStatus`][].
+
+> * Capturing audio requires `NSAudioCaptureUsageDescription` Info.plist key on macOS 14.2 Sonoma and higher - [read more](#macos-versions-142-or-higher).
+> * Capturing the screen contents requires user consent on macOS 10.15 Catalina or higher, which can detected by [`systemPreferences.getMediaAccessStatus`][].

 [`navigator.mediaDevices.getUserMedia`]: https://developer.mozilla.org/en/docs/Web/API/MediaDevices/getUserMedia
 [`systemPreferences.getMediaAccessStatus`]: system-preferences.md#systempreferencesgetmediaaccessstatusmediatype-windows-macos

 ## Caveats

+### Linux
+
 `desktopCapturer.getSources(options)` only returns a single source on Linux when using Pipewire.

 PipeWire supports a single capture for both screens and windows. If you request the window and screen type, the selected source will be returned as a window capture.

-`navigator.mediaDevices.getUserMedia` does not work on macOS for audio capture due to a fundamental limitation whereby apps that want to access the system's audio require a [signed kernel extension](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html). Chromium, and by extension Electron, does not provide this.
+---

-It is possible to circumvent this limitation by capturing system audio with another macOS app like Soundflower and passing it through a virtual audio input device. This virtual device can then be queried with `navigator.mediaDevices.getUserMedia`.
+### MacOS versions 14.2 or higher
+
+`NSAudioCaptureUsageDescription` Info.plist key must be added in-order for audio to be captured by `desktopCapturer`. If instead you are running electron from another program like a terminal or IDE then that parent program must contain the Info.plist key.
+
+This is in order to facillitate use of Apple's new [CoreAudio Tap API](https://developer.apple.com/documentation/CoreAudio/capturing-system-audio-with-core-audio-taps#Configure-the-sample-code-project) by Chromium.
+
+> [!WARNING]
+> Failure of `desktopCapturer` to start an audio stream due to `NSAudioCaptureUsageDescription` permission not present will still create a dead audio stream however no warnings or errors are displayed.
+
+As of electron `v39.0.0-beta.4` Chromium [made Apple's new `CoreAudio Tap API` the default](https://source.chromium.org/chromium/chromium/src/+/ad17e8f8b93d5f34891b06085d373a668918255e) for desktop audio capture. There is no fallback to the older `Screen & System Audio Recording` permissions system even if [CoreAudio Tap API](https://developer.apple.com/documentation/CoreAudio/capturing-system-audio-with-core-audio-taps) stream creation fails.
+
+If you need to continue using `Screen & System Audio Recording` permissions for `desktopCapturer` on macOS versions 14.2 and later, you can apply a chromium feature flag to force use of that older permissions system:
+
+```js
+// main.js (right beneath your require/import statments)
+app.commandLine.appendSwitch('disable-features', 'MacCatapLoopbackAudioForScreenShare')
+```
+
+---
+
+### MacOS versions 12.7.6 or lower
+
+`navigator.mediaDevices.getUserMedia` does not work on macOS versions 12.7.6 and prior for audio capture due to a fundamental limitation whereby apps that want to access the system's audio require a [signed kernel extension](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html). Chromium, and by extension Electron, does not provide this. Only in macOS 13 and onwards does Apple provide APIs to capture desktop audio without the need for a signed kernel extension.
+
+It is possible to circumvent this limitation by capturing system audio with another macOS app like [BlackHole](https://existential.audio/blackhole/) or [Soundflower](https://rogueamoeba.com/freebies/soundflower/) and passing it through a virtual audio input device. This virtual device can then be queried with `navigator.mediaDevices.getUserMedia`.
--- a/docs/api/dialog.md
+++ b/docs/api/dialog.md
@@ -344,7 +344,7 @@ Displays a modal dialog that shows an error message.

 This API can be called safely before the `ready` event the `app` module emits,
 it is usually used to report errors in early stage of startup. If called
-before the app `ready`event on Linux, the message will be emitted to stderr,
+before the app `ready` event on Linux, the message will be emitted to stderr,
 and no GUI dialog will appear.

 ### `dialog.showCertificateTrustDialog([window, ]options)` _macOS_ _Windows_
--- a/docs/api/environment-variables.md
+++ b/docs/api/environment-variables.md
@@ -159,6 +159,22 @@ Notification activated (com.github.Electron:notification:EAF7B87C-A113-43D7-8E76
 Notification replied to (com.github.Electron:notification:EAF7B87C-A113-43D7-8E76-F88EC9D73D44)
 ```

+### `ELECTRON_DEBUG_MSIX_UPDATER`
+
+Adds extra logs to MSIX updater operations on Windows to aid in debugging. Extra logging will be displayed when MSIX update operations are initiated, including package updates, package registration, and restart registration. This helps diagnose issues with MSIX package updates and deployments.
+
+Sample output:
+
+```sh
+UpdateMsix called with URI: https://example.com/app.msix
+DoUpdateMsix: Starting
+Calling AddPackageByUriAsync... URI: https://example.com/app.msix
+Update options - deferRegistration: true, developerMode: false, forceShutdown: false, forceTargetShutdown: false, forceUpdateFromAnyVersion: false
+Waiting for deployment...
+Deployment finished.
+MSIX Deployment completed.
+```
+
 ### `ELECTRON_LOG_ASAR_READS`

 When Electron reads from an ASAR file, log the read offset and file path to
--- a/docs/api/incoming-message.md
+++ b/docs/api/incoming-message.md
@@ -34,7 +34,7 @@ Returns:
 * `error` Error - Typically holds an error string identifying failure root cause.

 Emitted when an error was encountered while streaming response data events. For
-instance, if the server closes the underlying while the response is still
+instance, if the server closes the underlying connection while the response is still
 streaming, an `error` event will be emitted on the response object and a `close`
 event will subsequently follow on the request object.

--- a/docs/api/menu-item.md
+++ b/docs/api/menu-item.md
@@ -17,7 +17,7 @@ See [`Menu`](menu.md) for examples.
 * `options` Object
  * `click` Function (optional) - Will be called with
    `click(menuItem, window, event)` when the menu item is clicked.
-    * `menuItem` MenuItem
+    * `menuItem` [MenuItem](menu-item.md)
    * `window` [BaseWindow](base-window.md) | undefined - This will not be defined if no window is open.
    * `event` [KeyboardEvent](structures/keyboard-event.md)
  * `role` string (optional) - Can be `undo`, `redo`, `cut`, `copy`, `paste`, `pasteAndMatchStyle`, `delete`, `selectAll`, `reload`, `forceReload`, `toggleDevTools`, `resetZoom`, `zoomIn`, `zoomOut`, `toggleSpellChecker`, `togglefullscreen`, `window`, `minimize`, `close`, `help`, `about`, `services`, `hide`, `hideOthers`, `unhide`, `quit`, `showSubstitutions`, `toggleSmartQuotes`, `toggleSmartDashes`, `toggleTextReplacement`, `startSpeaking`, `stopSpeaking`, `zoom`, `front`, `appMenu`, `fileMenu`, `editMenu`, `viewMenu`, `shareMenu`, `recentDocuments`, `toggleTabBar`, `selectNextTab`, `selectPreviousTab`, `showAllTabs`, `mergeAllWindows`, `clearRecentDocuments`, `moveTabToNewWindow` or `windowMenu` - Define the action of the menu item, when specified the
@@ -91,7 +91,7 @@ It can be called with `menuItem.click(event, focusedWindow, focusedWebContents)`

 #### `menuItem.submenu`

-A `Menu` (optional) containing the menu
+A [`Menu`](menu.md) (optional) containing the menu
 item's submenu, if present.

 #### `menuItem.type`
@@ -107,7 +107,7 @@ A `string` (optional) indicating the item's role, if set. Can be `undo`, `redo`,

 #### `menuItem.accelerator`

-An `Accelerator` (optional) indicating the item's accelerator, if set.
+An `Accelerator | null` indicating the item's accelerator, if set.

 #### `menuItem.userAccelerator` _Readonly_ _macOS_

@@ -171,4 +171,4 @@ A `number` indicating an item's sequential unique id.

 #### `menuItem.menu`

-A `Menu` that the item is a part of.
+A [`Menu`](menu.md) that the item is a part of.
--- a/docs/api/menu.md
+++ b/docs/api/menu.md
@@ -28,7 +28,7 @@ The `Menu` class has the following static methods:

 #### `Menu.setApplicationMenu(menu)`

- `menu` Menu | null
+- `menu` [Menu](menu.md) | null

 Sets `menu` as the application menu on macOS. On Windows and Linux, the
 `menu` will be set as each window's top menu.
@@ -39,7 +39,7 @@ indicate which letter should get a generated accelerator. For example, using
 opens the associated menu. The indicated character in the button label then gets an
 underline, and the `&` character is not displayed on the button label.

-In order to escape the `&` character in an item name, add a proceeding `&`. For example, `&&File` would result in `&File` displayed on the button label.
+In order to escape the `&` character in an item name, add a preceding `&`. For example, `&&File` would result in `&File` displayed on the button label.

 Passing `null` will suppress the default menu. On Windows and Linux,
 this has the additional effect of removing the menu bar from the window.
@@ -70,9 +70,9 @@ for more information on macOS' native actions.

 #### `Menu.buildFromTemplate(template)`

- `template` (MenuItemConstructorOptions | MenuItem)[]
+- `template` (MenuItemConstructorOptions | [MenuItem](menu-item.md))[]

-Returns `Menu`
+Returns [`Menu`](menu.md)

 Generally, the `template` is an array of `options` for constructing a
 [MenuItem](menu-item.md). The usage can be referenced above.
@@ -123,7 +123,7 @@ Appends the `menuItem` to the menu.

 - `id` string

-Returns `MenuItem | null` the item with the specified `id`
+Returns [`MenuItem | null`](menu-item.md) - the item with the specified `id`

 #### `menu.insert(pos, menuItem)`

--- a/docs/api/native-theme.md
+++ b/docs/api/native-theme.md
@@ -83,4 +83,4 @@ Currently, Windows high contrast is the only system setting that triggers forced

 ### `nativeTheme.prefersReducedTransparency` _Readonly_

-A `boolean` that indicates the whether the user has chosen via system accessibility settings to reduce transparency at the OS level.
+A `boolean` that indicates whether the user has chosen via system accessibility settings to reduce transparency at the OS level.
--- a/docs/api/notification.md
+++ b/docs/api/notification.md
@@ -67,6 +67,22 @@ Emitted when the notification is shown to the user. Note that this event can be
 multiple times as a notification can be shown multiple times through the
 `show()` method.

+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const n = new Notification({
+    title: 'Title!',
+    subtitle: 'Subtitle!',
+    body: 'Body!'
+  })
+
+  n.on('show', () => console.log('Notification shown!'))
+
+  n.show()
+})
+```
+
 #### Event: 'click'

 Returns:
@@ -75,6 +91,22 @@ Returns:

 Emitted when the notification is clicked by the user.

+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const n = new Notification({
+    title: 'Title!',
+    subtitle: 'Subtitle!',
+    body: 'Body!'
+  })
+
+  n.on('click', () => console.log('Notification clicked!'))
+
+  n.show()
+})
+```
+
 #### Event: 'close'

 Returns:
@@ -88,21 +120,85 @@ is closed.

 On Windows, the `close` event can be emitted in one of three ways: programmatic dismissal with `notification.close()`, by the user closing the notification, or via system timeout. If a notification is in the Action Center after the initial `close` event is emitted, a call to `notification.close()` will remove the notification from the action center but the `close` event will not be emitted again.

-#### Event: 'reply' _macOS_
+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const n = new Notification({
+    title: 'Title!',
+    subtitle: 'Subtitle!',
+    body: 'Body!'
+  })
+
+  n.on('close', () => console.log('Notification closed!'))
+
+  n.show()
+})
+```
+
+#### Event: 'reply' _macOS_ _Windows_

 Returns:

-* `event` Event
-* `reply` string - The string the user entered into the inline reply field.
+* `details` Event\<\>
+  * `reply` string - The string the user entered into the inline reply field.
+* `reply` string _Deprecated_

 Emitted when the user clicks the "Reply" button on a notification with `hasReply: true`.

-#### Event: 'action' _macOS_
+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const n = new Notification({
+    title: 'Send a Message',
+    body: 'Body Text',
+    hasReply: true,
+    replyPlaceholder: 'Message text...'
+  })
+
+  n.on('reply', (e, reply) => console.log(`User replied: ${reply}`))
+  n.on('click', () => console.log('Notification clicked'))
+
+  n.show()
+})
+```
+
+#### Event: 'action' _macOS_ _Windows_

 Returns:

-* `event` Event
-* `index` number - The index of the action that was activated.
+* `details` Event\<\>
+  * `actionIndex` number - The index of the action that was activated.
+  * `selectionIndex` number _Windows_ - The index of the selected item, if one was chosen. -1 if none was chosen.
+* `actionIndex` number _Deprecated_
+* `selectionIndex` number _Windows_ _Deprecated_
+
+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const items = ['One', 'Two', 'Three']
+  const n = new Notification({
+    title: 'Choose an Action!',
+    actions: [
+      { type: 'button', text: 'Action 1' },
+      { type: 'button', text: 'Action 2' },
+      { type: 'selection', text: 'Apply', items }
+    ]
+  })
+
+  n.on('click', () => console.log('Notification clicked'))
+  n.on('action', (e) => {
+    console.log(`User triggered action at index: ${e.actionIndex}`)
+    if (e.selectionIndex > -1) {
+      console.log(`User chose selection item '${items[e.selectionIndex]}'`)
+    }
+  })
+
+  n.show()
+})
+```

 #### Event: 'failed' _Windows_

@@ -113,6 +209,22 @@ Returns:

 Emitted when an error is encountered while creating and showing the native notification.

+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const n = new Notification({
+    title: 'Bad Action'
+  })
+
+  n.on('failed', (e, err) => {
+    console.log('Notification failed: ', err)
+  })
+
+  n.show()
+})
+```
+
 ### Instance Methods

 Objects created with the `new Notification()` constructor have the following instance methods:
@@ -126,12 +238,42 @@ call this method before the OS will display it.
 If the notification has been shown before, this method will dismiss the previously
 shown notification and create a new one with identical properties.

+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const n = new Notification({
+    title: 'Title!',
+    subtitle: 'Subtitle!',
+    body: 'Body!'
+  })
+
+  n.show()
+})
+```
+
 #### `notification.close()`

 Dismisses the notification.

 On Windows, calling `notification.close()` while the notification is visible on screen will dismiss the notification and remove it from the Action Center. If `notification.close()` is called after the notification is no longer visible on screen, calling `notification.close()` will try remove it from the Action Center.

+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const n = new Notification({
+    title: 'Title!',
+    subtitle: 'Subtitle!',
+    body: 'Body!'
+  })
+
+  n.show()
+
+  setTimeout(() => n.close(), 5000)
+})
+```
+
 ### Instance Properties

 #### `notification.title`
--- a/docs/api/process.md
+++ b/docs/api/process.md
@@ -71,7 +71,7 @@ will disable the support for `asar` archives in Node's built-in modules.

 ### `process.noDeprecation`

-A `boolean` that controls whether or not deprecation warnings are printed to `stderr`.
+A `boolean` (optional) that controls whether or not deprecation warnings are printed to `stderr`.
 Setting this to `true` will silence deprecation warnings. This property is used
 instead of the `--no-deprecation` command line flag.

@@ -99,13 +99,13 @@ property is used instead of the `--throw-deprecation` command line flag.

 A `boolean` that controls whether or not deprecations printed to `stderr` include
 their stack trace. Setting this to `true` will print stack traces for deprecations.
- This property is instead of the `--trace-deprecation` command line flag.
+ This property is used instead of the `--trace-deprecation` command line flag.

 ### `process.traceProcessWarnings`

 A `boolean` that controls whether or not process warnings printed to `stderr` include
 their stack trace. Setting this to `true` will print stack traces for process warnings
- (including deprecations). This property is instead of the `--trace-warnings` command
+ (including deprecations). This property is used instead of the `--trace-warnings` command
 line flag.

 ### `process.type` _Readonly_
@@ -128,8 +128,8 @@ A `string` representing Electron's version string.

 ### `process.windowsStore` _Readonly_

-A `boolean`. If the app is running as a Windows Store app (appx), this property is `true`,
-for otherwise it is `undefined`.
+A `boolean`. If the app is running as an MSIX package (including AppX for Windows Store),
+this property is `true`, otherwise it is `undefined`.

 ### `process.contextId` _Readonly_

--- a/docs/api/safe-storage.md
+++ b/docs/api/safe-storage.md
@@ -7,21 +7,44 @@ Process: [Main](../glossary.md#main-process)
 This module adds extra protection to data being stored on disk by using OS-provided cryptography systems. Current
 security semantics for each platform are outlined below.

+> [!NOTE]
+> We recommend using the asynchronous API (`encryptStringAsync`/`decryptStringAsync`) over the synchronous API.
+> The async API is non-blocking, supports key rotation, and handles temporary unavailability gracefully.
+> The synchronous API may be deprecated in a future version of Electron.
+
+## Platform-Specific Key Providers
+
+### Synchronous API
+
 * **macOS**: Encryption keys are stored for your app in [Keychain Access](https://support.apple.com/en-ca/guide/keychain-access/kyca1083/mac) in a way that prevents
 other applications from loading them without user override. Therefore, content is protected from other users and other apps running in the same userspace.
-* **Windows**: Encryption keys are generated via [DPAPI](https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata).
-As per the Windows documentation: "Typically, only a user with the same logon credential as the user who encrypted the data can typically
-decrypt the data". Therefore, content is protected from other users on the same machine, but not from other apps running in the
+* **Windows**: Encryption keys are generated via [DPAPI](https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata). As per the Windows documentation: "Typically, only a user with the same logon credential as the user who encrypted the data can typically decrypt the data". Therefore, content is protected from other users on the same machine, but not from other apps running in the
 same userspace.
 * **Linux**: Encryption keys are generated and stored in a secret store that varies depending on your window manager and system setup. Options currently supported are `kwallet`, `kwallet5`, `kwallet6` and `gnome-libsecret`, but more may be available in future versions of Electron. As such, the
 security semantics of content protected via the `safeStorage` API vary between window managers and secret stores.
-  * Note that not all Linux setups have an available secret store. If no secret store is available, items stored in using the `safeStorage` API will be unprotected
-as they are encrypted via hardcoded plaintext password. You can detect when this happens when `safeStorage.getSelectedStorageBackend()` returns `basic_text`.
+  * Note that not all Linux setups have an available secret store. If no secret store is available, items stored in using the `safeStorage` API will be unprotected as they are encrypted via hardcoded plaintext password. You can detect when this happens when `safeStorage.getSelectedStorageBackend()` returns `basic_text`.

-Note that on Mac, access to the system Keychain is required and
+Note that on macOS, access to the system Keychain is required and
 these calls can block the current thread to collect user input.
 The same is true for Linux, if a password management tool is available.

+### Asynchronous API
+
+The asynchronous API uses pluggable key providers that vary by platform:
+
+* **macOS**: Encryption keys are stored and retrieved from [Keychain Access](https://developer.apple.com/documentation/security/keychain-items). This provides the same security model as the synchronous API, protecting content from other users and other apps running in the same userspace.
+* **Windows**: Encryption keys are protected via [DPAPI](https://learn.microsoft.com/en-us/windows/win32/api/dpapi). This provides the same security model as the synchronous API, protecting content from other users on the same machine but not from other apps running in the same userspace.
+* **Linux**: Multiple key providers may be available depending on the desktop environment:
+  * [`org.freedesktop.portal.Secret`](https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.freedesktop.portal.Secret.html): Uses the Portal Secret D-Bus interface to retrieve application-specific secrets. This is the preferred provider for sandboxed environments like Flatpak.
+  * [Secret Service API](https://specifications.freedesktop.org/secret-service/latest/): Uses the freedesktop.org Secret Service API (e.g., GNOME Keyring) for key storage.
+  * A fallback provider is used for environments without a secret service available.
+
+Unlike the synchronous API, these operations are non-blocking and support additional features like key rotation (indicated by `shouldReEncrypt`) and temporary unavailability handling (indicated by `isTemporarilyUnavailable`).
+
+## Events
+
+The `safeStorage` module emits the following events:
+
 ## Methods

 The `safeStorage` module has the following methods:
@@ -34,6 +57,10 @@ On Linux, returns true if the app has emitted the `ready` event and the secret k
 On MacOS, returns true if Keychain is available.
 On Windows, returns true once the app has emitted the `ready` event.

+### `safeStorage.isAsyncEncryptionAvailable()`
+
+Returns `Promise<Boolean>` - Whether encryption is available for asynchronous safeStorage operations.
+
 ### `safeStorage.encryptString(plainText)`

 * `plainText` string
@@ -49,7 +76,21 @@ This function will throw an error if encryption fails.
 Returns `string` - the decrypted string. Decrypts the encrypted buffer
 obtained  with `safeStorage.encryptString` back into a string.

-This function will throw an error if decryption fails.
+### `safeStorage.encryptStringAsync(plainText)`
+
+* `plainText` string
+
+Returns `Promise<Buffer>` -  An array of bytes representing the encrypted string.
+
+### `safeStorage.decryptStringAsync(encrypted)`
+
+* `encrypted` Buffer
+
+Returns `Promise<Object>` - Resolve with an object containing the following:
+
+* `shouldReEncrypt` boolean - whether data that has just been returned from the decrypt operation should be
+  re-encrypted, as the key has been rotated or a new  key is available that provides a different security level. If `true`, you should call `decryptStringAsync` again to receive the new decrypted string.
+* `result` string - the decrypted string.

 ### `safeStorage.setUsePlainTextEncryption(usePlainText)`

--- a/docs/api/session.md
+++ b/docs/api/session.md
@@ -1216,7 +1216,7 @@ function createWindow () {

  mainWindow.webContents.session.setBluetoothPairingHandler((details, callback) => {
    bluetoothPinCallback = callback
-    // Send a IPC message to the renderer to prompt the user to confirm the pairing.
+    // Send an IPC message to the renderer to prompt the user to confirm the pairing.
    // Note that this will require logic in the renderer to handle this message and
    // display a prompt to the user.
    mainWindow.webContents.send('bluetooth-pairing-request', details)
@@ -1264,7 +1264,7 @@ session.defaultSession.allowNTLMCredentialsForDomains('*')

 Overrides the `userAgent` and `acceptLanguages` for this session.

-The `acceptLanguages` must a comma separated ordered list of language codes, for
+The `acceptLanguages` must be a comma separated ordered list of language codes, for
 example `"en-US,fr,de,ko,zh-CN,ja"`.

 This doesn't affect existing `WebContents`, and each `WebContents` can use
--- a/docs/api/share-menu.md
+++ b/docs/api/share-menu.md
@@ -9,6 +9,13 @@ For including the share menu as a submenu of other menus, please use the

 ## Class: ShareMenu

+<!--
+```YAML history
+added:
+  - pr-url: https://github.com/electron/electron/pull/25629
+```
+-->
+
 > Create share menu on macOS.

 Process: [Main](../glossary.md#main-process)
--- a/docs/api/shared-texture.md
+++ b/docs/api/shared-texture.md
@@ -21,7 +21,7 @@ Imports the shared texture from the given options.
 > [!NOTE]
 > This method is only available in the main process.

-Returns `SharedTextureImported` - The imported shared texture.
+Returns [`SharedTextureImported`](structures/shared-texture-imported.md) - The imported shared texture.

 ### `sharedTexture.sendSharedTexture(options, ...args)` _Experimental_

--- a/docs/api/shell.md
+++ b/docs/api/shell.md
@@ -29,6 +29,14 @@ Show the given file in a file manager. If possible, select the file.

 ### `shell.openPath(path)`

+<!--
+```YAML history
+added:
+  - pr-url: https://github.com/electron/electron/pull/20682
+    breaking-changes-header: api-changed-shellopenitem-is-now-shellopenpath
+```
+-->
+
 * `path` string

 Returns `Promise<string>` - Resolves with a string containing the error message corresponding to the failure if a failure occurred, otherwise "".
@@ -37,6 +45,18 @@ Open the given file in the desktop's default manner.

 ### `shell.openExternal(url[, options])`

+<!--
+```YAML history
+changes:
+  - pr-url: https://github.com/electron/electron/pull/4508
+    description: "Added `activate` option."
+  - pr-url: https://github.com/electron/electron/pull/15065
+    description: "Added `workingDirectory` option."
+  - pr-url: https://github.com/electron/electron/pull/37139
+    description: "Added `logUsage` option."
+```
+-->
+
 * `url` string - Max 2081 characters on Windows.
 * `options` Object (optional)
  * `activate` boolean (optional) _macOS_ - `true` to bring the opened application to the foreground. The default is `true`.
@@ -50,6 +70,14 @@ Open the given external protocol URL in the desktop's default manner. (For examp

 ### `shell.trashItem(path)`

+<!--
+```YAML history
+added:
+  - pr-url: https://github.com/electron/electron/pull/25114
+    breaking-changes-header: deprecated-shellmoveitemtotrash
+```
+-->
+
 * `path` string - path to the item to be moved to the trash.

 Returns `Promise<void>` - Resolves when the operation has been completed.
@@ -58,6 +86,10 @@ Rejects if there was an error while deleting the requested item.
 This moves a path to the OS-specific trash location (Trash on macOS, Recycle
 Bin on Windows, and a desktop-environment-specific location on Linux).

+The path must use the default path separator for the platform (backslash on
+Windows). Use `path.resolve()` from the `node:path` module to ensure correct
+handling on all filesystems.
+
 ### `shell.beep()`

 Play the beep sound.
--- a/docs/api/structures/display.md
+++ b/docs/api/structures/display.md
@@ -7,7 +7,7 @@
 * `depthPerComponent` number - The number of bits per color component.
 * `detected` boolean - `true` if the display is detected by the system.
 * `displayFrequency` number - The display refresh rate.
-* `id` number - Unique identifier associated with the display. A value of of -1 means the display is invalid or the correct `id` is not yet known, and a value of -10 means the display is a virtual display assigned to a unified desktop.
+* `id` number - Unique identifier associated with the display. A value of -1 means the display is invalid or the correct `id` is not yet known, and a value of -10 means the display is a virtual display assigned to a unified desktop.
 * `internal` boolean - `true` for an internal display and `false` for an external display.
 * `label` string - User-friendly label, determined by the platform.
 * `maximumCursorSize` [Size](size.md) - Maximum cursor size in native pixels.
--- a/docs/api/structures/notification-action.md
+++ b/docs/api/structures/notification-action.md
@@ -1,13 +1,15 @@
 # NotificationAction Object

-* `type` string - The type of action, can be `button`.
+* `type` string - The type of action, can be `button` or `selection`. `selection` is only supported on Windows.
 * `text` string (optional) - The label for the given action.
+* `items` string[] (optional) _Windows_ - The list of items for the `selection` action `type`.

 ## Platform / Action Support

 | Action Type | Platform Support | Usage of `text` | Default `text` | Limitations |
 |-------------|------------------|-----------------|----------------|-------------|
-| `button`    | macOS            | Used as the label for the button | "Show" (or a localized string by system default if first of such `button`, otherwise empty) | Only the first one is used. If multiple are provided, those beyond the first will be listed as additional actions (displayed when mouse active over the action button). Any such action also is incompatible with `hasReply` and will be ignored if `hasReply` is `true`. |
+| `button`    | macOS, Windows   | Used as the label for the button | "Show" on macOS (localized) if first `button`, otherwise empty; Windows uses provided `text` | macOS: Only the first one is used as primary; others shown as additional actions (hover). Incompatible with `hasReply` (beyond first ignored). |
+| `selection` | Windows          | Used as the label for the submit button for the selection menu | "Select" | Requires an `items` array property specifying option labels. Emits the `action` event with `(index, selectedIndex)` where `selectedIndex` is the chosen option (>= 0). Ignored on platforms that do not support selection actions. |

 ### Button support on macOS

@@ -15,6 +17,37 @@ In order for extra notification buttons to work on macOS your app must meet the
 following criteria.

 * App is signed
-* App has it's `NSUserNotificationAlertStyle` set to `alert` in the `Info.plist`.
+* App has its `NSUserNotificationAlertStyle` set to `alert` in the `Info.plist`.

 If either of these requirements are not met the button won't appear.
+
+### Selection support on Windows
+
+To add a selection (combo box) style action, include an action with `type: 'selection'`, a `text` label for the submit button, and an `items` array of strings:
+
+```js
+const { Notification, app } = require('electron')
+
+app.whenReady().then(() => {
+  const items = ['One', 'Two', 'Three']
+  const n = new Notification({
+    title: 'Choose an option',
+    actions: [{
+      type: 'selection',
+      text: 'Apply',
+      items
+    }]
+  })
+
+  n.on('action', (e) => {
+    console.log(`User triggered action at index: ${e.actionIndex}`)
+    if (e.selectionIndex > 0) {
+      console.log(`User chose selection item '${items[e.selectionIndex]}'`)
+    }
+  })
+
+  n.show()
+})
+```
+
+When the user activates the selection action, the notification's `action` event will be emitted with two parameters: `actionIndex` (the action's index in the `actions` array) and `selectedIndex` (the zero-based index of the chosen item, or `-1` if unavailable). On non-Windows platforms selection actions are ignored.
--- a/docs/api/structures/shared-texture-import-texture-info.md
+++ b/docs/api/structures/shared-texture-import-texture-info.md
@@ -5,6 +5,7 @@
  * `rgba` - 32bpp RGBA (byte-order), 1 plane.
  * `rgbaf16` - Half float RGBA, 1 plane.
  * `nv12` - 12bpp with Y plane followed by a 2x2 interleaved UV plane.
+  * `p010le` - 4:2:0 10-bit YUV (little-endian), Y plane followed by a 2x2 interleaved UV plane.
 * `colorSpace` [ColorSpace](color-space.md) (optional) - The color space of the texture.
 * `codedSize` [Size](size.md) - The full dimensions of the shared texture.
 * `visibleRect` [Rectangle](rectangle.md) (optional) - A subsection of [0, 0, codedSize.width, codedSize.height]. In common cases, it is the full section area.
--- a/docs/api/structures/web-preferences.md
+++ b/docs/api/structures/web-preferences.md
@@ -40,7 +40,7 @@
 * `javascript` boolean (optional) - Enables JavaScript support. Default is `true`.
 * `webSecurity` boolean (optional) - When `false`, it will disable the
  same-origin policy (usually using testing websites by people), and set
-  `allowRunningInsecureContent` to `true` if this options has not been set
+  `allowRunningInsecureContent` to `true` if this option has not been set
  by user. Default is `true`.
 * `allowRunningInsecureContent` boolean (optional) - Allow an https page to run
  JavaScript, CSS or plugins from http URLs. Default is `false`.
@@ -94,6 +94,7 @@
    The actual output pixel format and color space of the texture should refer to [`OffscreenSharedTexture`](../structures/offscreen-shared-texture.md) object in the `paint` event.
    * `argb` - The requested output texture format is 8-bit unorm RGBA, with SRGB SDR color space.
    * `rgbaf16` - The requested output texture format is 16-bit float RGBA, with scRGB HDR color space.
+  * `deviceScaleFactor` number (optional) _Experimental_ - The device scale factor of the offscreen rendering output. If not set, will use primary display's scale factor as default.
 * `contextIsolation` boolean (optional) - Whether to run Electron APIs and
  the specified `preload` script in a separate JavaScript context. Defaults
  to `true`. The context that the `preload` script runs in will only have
@@ -156,6 +157,8 @@
  `WebContents` when the preferred size changes. Default is `false`.
 * `transparent` boolean (optional) - Whether to enable background transparency for the guest page. Default is `true`. **Note:** The guest page's text and background colors are derived from the [color scheme](https://developer.mozilla.org/en-US/docs/Web/CSS/color-scheme) of its root element. When transparency is enabled, the text color will still change accordingly but the background will remain transparent.
 * `enableDeprecatedPaste` boolean (optional) _Deprecated_ - Whether to enable the `paste` [execCommand](https://developer.mozilla.org/en-US/docs/Web/API/Document/execCommand). Default is `false`.
+* `focusOnNavigation` boolean (optional) - Whether to focus the WebContents
+  when navigating. Default is `true`.

 [chrome-content-scripts]: https://developer.chrome.com/extensions/content_scripts#execution-environment
 [runtime-enabled-features]: https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/platform/runtime_enabled_features.json5
--- a/docs/api/utility-process.md
+++ b/docs/api/utility-process.md
@@ -36,6 +36,12 @@ Process: [Main](../glossary.md#main-process)<br />
    `com.apple.security.cs.allow-unsigned-executable-memory` entitlements. This will allow the utility process
    to load unsigned libraries. Unless you specifically need this capability, it is best to leave this disabled.
    Default is `false`.
+  * `disclaim` boolean (optional) _macOS_ - With this flag, the utility process will disclaim
+    responsibility for the child process. This causes the operating system to consider the child
+    process as a separate entity for purposes of security policies like Transparency, Consent, and
+    Control (TCC). When responsibility is disclaimed, the parent process will not be attributed
+    for any TCC requests initiated by the child process. This is useful when launching processes
+    that run third-party or otherwise untrusted code. Default is `false`.
  * `respondToAuthRequestsFromMainProcess` boolean (optional) - With this flag, all HTTP 401 and 407 network
    requests created via the [net module](net.md) will allow responding to them via the
    [`app#login`](app.md#event-login) event in the main process instead of the default
--- a/docs/api/view.md
+++ b/docs/api/view.md
@@ -62,9 +62,17 @@ it becomes the topmost view.

 If the view passed as a parameter is not a child of this view, this method is a no-op.

-#### `view.setBounds(bounds)`
+#### `view.setBounds(bounds[, options])`

 * `bounds` [Rectangle](structures/rectangle.md) - New bounds of the View.
+* `options` Object (optional) - Options for setting the bounds.
+  * `animate` boolean | Object (optional) - If true, the bounds change will be animated. If an object is passed, it can contain the following properties:
+    * `duration` Integer (optional) - Duration of the animation in milliseconds. Default is `250`.
+    * `easing` string (optional) - Easing function for the animation. Default is `linear`.
+      * `linear`
+      * `ease-in`
+      * `ease-out`
+      * `ease-in-out`

 #### `view.getBounds()`

--- a/docs/api/web-contents.md
+++ b/docs/api/web-contents.md
@@ -383,7 +383,7 @@ Emitted after a server side redirect occurs during navigation.  For example a 30
 redirect.

 This event cannot be prevented, if you want to prevent redirects you should
-checkout out the `will-redirect` event above.
+check out the `will-redirect` event above.

 #### Event: 'did-navigate'

@@ -1465,7 +1465,7 @@ Ignore application menu shortcuts while this web contents is focused.
  without a recognized 'action' value will result in a console error and have
  the same effect as returning `{action: 'deny'}`.

-Called before creating a window a new window is requested by the renderer, e.g.
+Called before creating a window when a new window is requested by the renderer, e.g.
 by `window.open()`, a link with `target="_blank"`, shift+clicking on a link, or
 submitting a form with `<form target="_blank">`. See
 [`window.open()`](window-open.md) for more details and how to use this in
@@ -1748,11 +1748,12 @@ Returns `Promise<PrinterInfo[]>` - Resolves with a [`PrinterInfo[]`](structures/
  * `footer` string (optional) - string to be printed as page footer.
  * `pageSize` string | Size (optional) - Specify page size of the printed document. Can be `A0`, `A1`, `A2`, `A3`,
  `A4`, `A5`, `A6`, `Legal`, `Letter`, `Tabloid` or an Object containing `height` and `width`.
+  * `usePrinterDefaultPageSize` boolean (optional) - Whether to use a given printer's default page size. Default is `false`. Cannot be combined with `pageSize`. When `deviceName` is provided, uses the default page size of that specific printer. When `deviceName` is not provided, uses the default page size of the system's default printer. If the printer's default page size cannot be retrieved, falls back to A4 (210mm x 297mm).
 * `callback` Function (optional)
  * `success` boolean - Indicates success of the print call.
  * `failureReason` string - Error description called back if the print fails.

-When a custom `pageSize` is passed, Chromium attempts to validate platform specific minimum values for `width_microns` and `height_microns`. Width and height must both be minimum 353 microns but may be higher on some operating systems.
+When a custom `pageSize` is passed, Chromium attempts to validate platform specific minimum values for `width_microns` and `height_microns`. Width and height must both be minimum 353 microns but may be higher on some operating systems. If a valid `pageSize` is not passed and `usePrinterDefaultPageSize` is `false`, an error will be thrown.

 Prints window's web page. When `silent` is set to `true`, Electron will pick
 the system's default printer if `deviceName` is empty and the default settings for printing.
@@ -2168,7 +2169,7 @@ Returns `boolean` - If _offscreen rendering_ is enabled returns whether it is cu
 * `fps` Integer

 If _offscreen rendering_ is enabled sets the frame rate to the specified number.
-Only values between 1 and 240 are accepted.
+When `webPreferences.offscreen.useSharedTexture` is `false` only values between 1 and 240 are accepted.

 #### `contents.getFrameRate()`

@@ -2369,7 +2370,7 @@ instance that might own this `WebContents`.

 #### `contents.devToolsWebContents` _Readonly_

-A `WebContents | null` property that represents the of DevTools `WebContents` associated with a given `WebContents`.
+A `WebContents | null` property that represents the DevTools `WebContents` associated with a given `WebContents`.

 > [!NOTE]
 > Users should never store this object because it may become `null`
--- a/docs/api/webview-tag.md
+++ b/docs/api/webview-tag.md
@@ -588,6 +588,7 @@ Stops any `findInPage` request for the `webview` with the provided `action`.
  * `footer` string (optional) - string to be printed as page footer.
  * `pageSize` string | Size (optional) - Specify page size of the printed document. Can be `A3`,
  `A4`, `A5`, `Legal`, `Letter`, `Tabloid` or an Object containing `height` in microns.
+  * `usePrinterDefaultPageSize` boolean (optional) - Whether to use the system's default page size. Default is `false`. Cannot be combined with `pageSize`. When `deviceName` is provided, uses the default page size of that specific printer. When `deviceName` is not provided, uses the default page size of the system's default printer. If the printer's default page size cannot be retrieved, falls back to A4 (210mm x 297mm).

 Returns `Promise<void>`

--- a/docs/breaking-changes.md
+++ b/docs/breaking-changes.md
@@ -12,6 +12,16 @@ This document uses the following convention to categorize breaking changes:
 * **Deprecated:** An API was marked as deprecated. The API will continue to function, but will emit a deprecation warning, and will be removed in a future release.
 * **Removed:** An API or feature was removed, and is no longer supported by Electron.

+## Planned Breaking API Changes (42.0)
+
+### Behavior Changed: Offscreen rendering will use `1.0` as default device scale factor.
+
+Previously, OSR used the primary display's device scale factor for rendering, which made the output frame size vary across users.
+Developers had to manually calculate the correct size using `screen.getPrimaryDisplay().scaleFactor`. We now provide an optional property
+`webPreferences.offscreen.deviceScaleFactor` to specify a custom value when creating an OSR window. At first, if the property is not set, it defaults
+to the primary display's scale factor (preserving the old behavior). Starting from Electron 42, the default will change to a constant value of `1.0`
+for more consistent output sizes.
+
 ## Planned Breaking API Changes (41.0)

 ### Behavior Changed: PDFs no longer create a separate WebContents
@@ -20,6 +30,14 @@ Previously, PDF resources created a separate guest [WebContents](https://www.ele

 Under the hood, Chromium [enabled](https://chromium-review.googlesource.com/c/chromium/src/+/7239572) a feature that changes PDFs to use out-of-process iframes (OOPIFs) instead of the `MimeHandlerViewGuest` extension.

+### Behavior Changed: Updated Cookie Change Cause in the Cookie 'changed' Event
+
+We have updated the [cookie](https://www.electronjs.org/docs/latest/api/cookies#event-changed) change cause in the cookie 'changed' event.
+When a new cookie is set, the change cause is `inserted`.
+When a cookie is deleted, the change cause remains `explicit`.
+When the cookie being set is identical to an existing one (same name, domain, path, and value, with no actual changes), the change cause is `inserted-no-change-overwrite`.
+When the value of the cookie being set remains unchanged but some of its attributes are updated, such as the expiration attribute, the change cause will be `inserted-no-value-change-overwrite`.
+
 ## Planned Breaking API Changes (40.0)

 ### Deprecated: `clipboard` API access from renderer processes
@@ -58,6 +76,22 @@ webContents.setWindowOpenHandler((details) => {
 })
 ```

+### Behavior Changed: `NSAudioCaptureUsageDescription` should be included in your app's Info.plist file to use `desktopCapturer` (🍏 macOS ≥14.2)
+
+Per [Chromium update](https://source.chromium.org/chromium/chromium/src/+/ad17e8f8b93d5f34891b06085d373a668918255e) which enables Apple's newer [CoreAudio Tap API](https://developer.apple.com/documentation/CoreAudio/capturing-system-audio-with-core-audio-taps#Configure-the-sample-code-project) by default, you now must have `NSAudioCaptureUsageDescription` defined in your `Info.plist` to use `desktopCapturer`.
+
+Electron's `desktopCapturer` will create a dead audio stream if the new permission is absent however no errors or warnings will occur. This is partially a side-effect of Chromium not falling back to the older `Screen & System Audio Recording` permissions system if the new system fails.
+
+To restore previous behavior:
+
+```js
+// main.js (right beneath your require/import statments)
+app.commandLine.appendSwitch(
+  'disable-features',
+  'MacCatapLoopbackAudioForScreenShare'
+)
+```
+
 ### Behavior Changed: shared texture OSR `paint` event data structure

 When using shared texture offscreen rendering feature, the `paint` event now emits a more structured object.
@@ -76,7 +110,7 @@ Users can force XWayland by passing `--ozone-platform=x11`.
 ### Removed: `ORIGINAL_XDG_CURRENT_DESKTOP` environment variable

 Previously, Electron changed the value of `XDG_CURRENT_DESKTOP` internally to `Unity`, and stored the original name of the desktop session
-in a separate variable. `XDG_CURRENT_DESKTOP` is no longer overriden and now reflects the actual desktop environment.
+in a separate variable. `XDG_CURRENT_DESKTOP` is no longer overridden and now reflects the actual desktop environment.

 ### Removed: macOS 11 support

@@ -157,7 +191,7 @@ window is not currently visible.

 `app.commandLine` was only meant to handle chromium switches (which aren't case-sensitive) and switches passed via `app.commandLine` will not be passed down to any of the child processes.

-If you were using `app.commandLine` to control the behavior of the  main process, you should do this via `process.argv`.
+If you were using `app.commandLine` to control the behavior of the main process, you should do this via `process.argv`.

 ### Deprecated: `NativeImage.getBitmap()`

@@ -187,7 +221,7 @@ from upstream Chromium.
 ### Deprecated: `null` value for `session` property in `ProtocolResponse`

 Previously, setting the ProtocolResponse.session property to `null`
-Would create a random independent session. This is no longer supported.
+would create a random independent session. This is no longer supported.

 Using single-purpose sessions here is discouraged due to overhead costs;
 however, old code that needs to preserve this behavior can emulate it by
@@ -198,7 +232,7 @@ and then using it in `ProtocolResponse.session`.

 When calling `Session.clearStorageData(options)`, the `options.quota`
 property is deprecated. Since the `syncable` type was removed, there
-is only type left -- `'temporary'` -- so specifying it is unnecessary.
+is only one type left -- `'temporary'` -- so specifying it is unnecessary.

 ### Deprecated: Extension methods and events on `session`

@@ -527,7 +561,7 @@ more information.

 ### Removed: The `--disable-color-correct-rendering` switch

-This switch was never formally documented but it's removal is being noted here regardless. Chromium itself now has better support for color spaces so this flag should not be needed.
+This switch was never formally documented but its removal is being noted here regardless. Chromium itself now has better support for color spaces so this flag should not be needed.

 ### Behavior Changed: `BrowserView.setAutoResize` behavior on macOS

@@ -1218,7 +1252,7 @@ more details.

 ### API Changed: `webContents.printToPDF()`

-`webContents.printToPDF()` has been modified to conform to [`Page.printToPDF`](https://chromedevtools.github.io/devtools-protocol/tot/Page/#method-printToPDF) in the Chrome DevTools Protocol. This has been changes in order to
+`webContents.printToPDF()` has been modified to conform to [`Page.printToPDF`](https://chromedevtools.github.io/devtools-protocol/tot/Page/#method-printToPDF) in the Chrome DevTools Protocol. This has been changed in order to
 address changes upstream that made our previous implementation untenable and rife with bugs.

 **Arguments Changed**
@@ -2685,6 +2719,18 @@ Replace with: https://atom.io/download/electron

 The following list includes the breaking API changes made in Electron 2.0.

+### `autoUpdater`
+
+```js
+// Deprecated
+autoUpdater.setFeedURL(url, headers)
+// Replace with
+autoUpdater.setFeedURL({
+  url,
+  headers
+})
+```
+
 ### `BrowserWindow`

 ```js
--- a/docs/development/build-instructions-macos.md
+++ b/docs/development/build-instructions-macos.md
@@ -40,7 +40,7 @@ If you are on arm64 architecture, the build script may be pointing to the wrong

 ### Certificates fail to verify

-installing [`certifi`](https://pypi.org/project/certifi/) will fix the following error:
+Installing [`certifi`](https://pypi.org/project/certifi/) will fix the following error:

 ```sh
 ________ running 'python3 src/tools/clang/scripts/update.py' in '/Users/<user>/electron'
--- a/docs/development/debugging-on-windows.md
+++ b/docs/development/debugging-on-windows.md
@@ -28,7 +28,7 @@ with breakpoints inside Electron's source code.
  format.

 * **ProcMon**: The [free SysInternals tool][sys-internals] allows you to inspect
-  a processes parameters, file handles, and registry operations.
+  a process's parameters, file handles, and registry operations.

 ## Attaching to and Debugging Electron

--- a/docs/development/source-code-directory-structure.md
+++ b/docs/development/source-code-directory-structure.md
@@ -14,7 +14,7 @@ control via the [`DEPS`](https://github.com/electron/electron/blob/main/DEPS) fi
 [initializing a local Electron checkout](./build-instructions-gn.md), Electron's source code is just one
 of many nested folders within the project root.

-The project contains a single `src` folder that corresponds a specific git checkout of
+The project contains a single `src` folder that corresponds to a specific git checkout of
 [Chromium's `src` folder](https://source.chromium.org/chromium/chromium/src). In addition, Electron's
 repository code is contained in `src/electron` (with its own nested git repository), and other
 Electron-specific third-party dependencies (e.g. [nan](https://github.com/nodejs/nan) or
--- a/docs/development/style-guide.md
+++ b/docs/development/style-guide.md
@@ -99,7 +99,7 @@ Using `autoUpdater` as an example:

 ## Methods

-### `autoUpdater.setFeedURL(url[, requestHeaders])`
+### `autoUpdater.setFeedURL(options)`
 ```

 ### Classes
--- a/docs/development/testing.md
+++ b/docs/development/testing.md
@@ -17,7 +17,7 @@ style, run `npm run lint`, which will run a variety of linting checks
 against your changes depending on which areas of the code they touch.

 Many of these checks are included as precommit hooks, so it's likely
-you error would be caught at commit time.
+your error would be caught at commit time.

 ## Unit Tests

--- a/docs/glossary.md
+++ b/docs/glossary.md
@@ -14,7 +14,7 @@ dependency tree from `node_modules`).

 ### ASAR integrity

-ASAR integrity is an security feature that validates the contents of your app's
+ASAR integrity is a security feature that validates the contents of your app's
 ASAR archives at runtime. When enabled, your Electron app will verify the
 header hash of its ASAR archive on runtime. If no hash is present or if there is a mismatch in the
 hashes, the app will forcefully terminate.
@@ -137,9 +137,9 @@ See also: [code signing](#code-signing)

 ### OSR

-OSR (offscreen rendering) can be used for loading heavy page in
+OSR (offscreen rendering) can be used for loading a heavy page in
 background and then displaying it after (it will be much faster).
-It allows you to render page without showing it on screen.
+It allows you to render a page without showing it on screen.

 For more information, read the [Offscreen Rendering][] tutorial.

--- a/docs/tutorial/asar-archives.md
+++ b/docs/tutorial/asar-archives.md
@@ -6,7 +6,7 @@ hide_title: false
 ---

 After creating an [application distribution](application-distribution.md), the
-app's source code are usually bundled into an [ASAR archive](https://github.com/electron/asar),
+app's source code is usually bundled into an [ASAR archive](https://github.com/electron/asar),
 which is a simple extensive archive format designed for Electron apps. By bundling the app
 we can mitigate issues around long path names on Windows, speed up `require` and conceal your source
 code from cursory inspection.
@@ -134,7 +134,7 @@ underlying system calls, Electron will extract the needed file into a
 temporary file and pass the path of the temporary file to the APIs to make them
 work. This adds a little overhead for those APIs.

-APIs that requires extra unpacking are:
+APIs that require extra unpacking are:

 * `child_process.execFile`
 * `child_process.execFileSync`
--- a/docs/tutorial/asar-integrity.md
+++ b/docs/tutorial/asar-integrity.md
@@ -15,6 +15,14 @@ Currently, ASAR integrity checking is supported on:
 * macOS as of `electron>=16.0.0`
 * Windows as of `electron>=30.0.0`

+> [!NOTE]
+> ASAR integrity is fully supported in Mac App Store (MAS) builds and is recommended
+> as a best practice. While MAS-installed applications have their `Resources/` folder
+> protected by the system (owned by root), ASAR integrity still provides an additional
+> layer of security. It is especially important if you use Electron's MAS build but
+> distribute your app through channels other than the Mac App Store (such as direct
+> download), since those installations won't have the system-level read-only protections.
+
 In order to enable ASAR integrity checking, you also need to ensure that your `app.asar` file
 was generated by a version of the `@electron/asar` npm package that supports ASAR integrity.

@@ -24,7 +32,7 @@ All versions of `@electron/asar` support ASAR integrity.
 ## How it works

 Each ASAR archive contains a JSON string header. The header format includes an `integrity` object
-that contain a hex encoded hash of the entire archive as well as an array of hex encoded hashes for each
+that contains a hex encoded hash of the entire archive as well as an array of hex encoded hashes for each
 block of `blockSize` bytes.

 ```json
--- a/docs/tutorial/automated-testing.md
+++ b/docs/tutorial/automated-testing.md
@@ -203,7 +203,7 @@ test('launch app', async () => {
 })
 ```

-After that, you will access to an instance of Playwright's `ElectronApp` class. This
+After that, you will have access to an instance of Playwright's `ElectronApp` class. This
 is a powerful class that has access to main process modules for example:

 ```js {5-10} @ts-nocheck
@@ -237,7 +237,7 @@ test('save screenshot', async () => {
 })
 ```

-Putting all this together using the Playwright test-runner, let's create a `example.spec.js`
+Putting all this together using the Playwright test-runner, let's create an `example.spec.js`
 test file with a single test and assertion:

 ```js title='example.spec.js' @ts-nocheck
@@ -377,7 +377,7 @@ class TestDriver {
 module.exports = { TestDriver }
 ```

-In your app code, can then write a simple handler to receive RPC calls:
+In your app code, you can then write a simple handler to receive RPC calls:

 ```js title='main.js'
 const METHODS = {
--- a/docs/tutorial/code-signing.md
+++ b/docs/tutorial/code-signing.md
@@ -17,7 +17,7 @@ run them, users need to go through multiple advanced and manual steps.

 If you are building an Electron app that you intend to package and distribute,
 it should be code signed. The Electron ecosystem tooling makes codesigning your
-apps straightforward - this documentation explains how sign your apps on both
+apps straightforward - this documentation explains how to sign your apps on both
 Windows and macOS.

 ## Signing & notarizing macOS builds
@@ -210,7 +210,7 @@ const msiCreator = new MSICreator({
 const supportBinaries = await msiCreator.create()

 // 🆕 Step 2a: optionally sign support binaries if you
-// sign you binaries as part of of your packaging script
+// sign your binaries as part of your packaging script
 for (const binary of supportBinaries) {
  // Binaries are the new stub executable and optionally
  // the Squirrel auto updater.
@@ -238,6 +238,20 @@ with 3+ years of verifiable business history and to individual developers in the
 Microsoft is looking to make the program more widely available. If you're reading this at a
 later point, it could make sense to check if the eligibility criteria have changed.

+#### Using `jsign` for Azure Trusted Signing
+
+For developers on Linux or macOS, [`jsign`](https://ebourg.github.io/jsign/) can be used to sign Windows apps via Azure Trusted Signing. Example usage:
+
+```bash
+jsign --storetype TRUSTEDSIGNING \
+      --keystore https://eus.codesigning.azure.net/ \
+      --storepass $AZURE_ACCESS_TOKEN \
+      --alias trusted-sign-acct/AppName \
+      --tsaurl http://timestamp.acs.microsoft.com/ \
+      --tsmode RFC3161 \
+      --replace <file>
+```
+
 #### Using Electron Forge

 Electron Forge is the recommended way to sign your app as well as your `Squirrel.Windows`
--- a/docs/tutorial/custom-title-bar.md
+++ b/docs/tutorial/custom-title-bar.md
@@ -110,7 +110,7 @@ const win = new BrowserWindow({
 #### Show and hide the traffic lights programmatically _macOS_

 You can also show and hide the traffic lights programmatically from the main process.
-The `win.setWindowButtonVisibility` forces traffic lights to be show or hidden depending
+The `win.setWindowButtonVisibility` forces traffic lights to be shown or hidden depending
 on the value of its boolean parameter.

 ```js title='main.js'
--- a/docs/tutorial/custom-window-interactions.md
+++ b/docs/tutorial/custom-window-interactions.md
@@ -5,12 +5,12 @@
 By default, windows are dragged using the title bar provided by the OS chrome. Apps
 that remove the default title bar need to use the `app-region` CSS property to define
 specific areas that can be used to drag the window. Setting `app-region: drag` marks
-a rectagular area as draggable.
+a rectangular area as draggable.

 It is important to note that draggable areas ignore all pointer events. For example,
 a button element that overlaps a draggable region will not emit mouse clicks or mouse
 enter/exit events within that overlapping area. Setting `app-region: no-drag` reenables
-pointer events by excluding a rectagular area from a draggable region.
+pointer events by excluding a rectangular area from a draggable region.

 To make the whole window draggable, you can add `app-region: drag` as
 `body`'s style:
--- a/docs/tutorial/dark-mode.md
+++ b/docs/tutorial/dark-mode.md
@@ -29,7 +29,7 @@ be updated accordingly.
 In macOS 10.14 Mojave, Apple introduced a new [system-wide dark mode][system-wide-dark-mode]
 for all macOS computers. If your Electron app has a dark mode, you can make it
 follow the system-wide dark mode setting using
-[the `nativeTheme` api](../api/native-theme.md).
+[the `nativeTheme` API](../api/native-theme.md).

 In macOS 10.15 Catalina, Apple introduced a new "automatic" dark mode option
 for all macOS computers. In order for the `nativeTheme.shouldUseDarkColors` and
--- a/docs/tutorial/fuses.md
+++ b/docs/tutorial/fuses.md
@@ -137,6 +137,33 @@ The extra privileges granted to the `file://` protocol by this fuse are incomple
 * `file://` protocol pages have universal access granted to child frames also running on `file://`
  protocols regardless of sandbox settings

+### `wasmTrapHandlers`
+
+**Default:** Enabled
+
+**@electron/fuses:** `FuseV1Options.WasmTrapHandlers`
+
+The `wasmTrapHandlers` fuse controls whether V8 will use signal handlers to trap Out of Bounds memory
+access from WebAssembly. The feature works by surrounding the WebAssembly memory with large guard regions
+and then installing a signal handler that traps attempt to access memory in the guard region. The feature
+is only supported on the following 64-bit systems.
+
+Linux. MacOS, Windows - x86_64
+Linux, MacOS - aarch64
+
+| Guard Pages | WASM heap | Guard Pages |
+|-----8GB-----|           |-----8GB-----|
+
+When the fuse is disabled V8 will use explicit bound checks in the generated WebAssembly code to ensure
+memory safety. However, this method has some downsides
+
+* The compiler generates extra nodes for each memory reference, leading to longer compile times due to the
+additional processing time needed for these nodes.
+* In turn, these extra nodes lead to lots of extra code being generated, making WebAssembly modules bigger
+than they ideally should be.
+* This extra code, particularly the compare and branch before every memory reference,
+incurs a significant runtime cost.
+
 ## How do I flip fuses?

 ### The easy way
--- a/docs/tutorial/ipc.md
+++ b/docs/tutorial/ipc.md
@@ -171,7 +171,7 @@ sections.

 In the main process, we'll be creating a `handleFileOpen()` function that calls
 `dialog.showOpenDialog` and returns the value of the file path selected by the user. This function
-is used as a callback whenever an `ipcRender.invoke` message is sent through the `dialog:openFile`
+is used as a callback whenever an `ipcRenderer.invoke` message is sent through the `dialog:openFile`
 channel from the renderer process. The return value is then returned as a Promise to the original
 `invoke` call.

@@ -446,7 +446,7 @@ After loading the preload script, your renderer process should have access to th
 We don't directly expose the whole `ipcRenderer.on` API for [security reasons][]. Make sure to
 limit the renderer's access to Electron APIs as much as possible.
 Also don't just pass the callback to `ipcRenderer.on` as this will leak `ipcRenderer` via `event.sender`.
-Use a custom handler that invoke the `callback` only with the desired arguments.
+Use a custom handler that invokes the `callback` only with the desired arguments.
 :::

 :::info
--- a/docs/tutorial/keyboard-shortcuts.md
+++ b/docs/tutorial/keyboard-shortcuts.md
@@ -10,7 +10,7 @@ hide_title: false
 ## Accelerators

 Accelerators are strings that can be used to represent keyboard shortcuts throughout your Electron.
-These strings can contain multiple modifiers keys and a single key code joined by the `+` character.
+These strings can contain multiple modifier keys and a single key code joined by the `+` character.

 > [!NOTE]
 > Accelerators are **case-insensitive**.
--- a/docs/tutorial/launch-app-from-url-in-another-app.md
+++ b/docs/tutorial/launch-app-from-url-in-another-app.md
@@ -62,9 +62,9 @@ const createWindow = () => {
 }
 ```

-In this next step, we will create our  `BrowserWindow` and tell our application how to handle an event in which an external protocol is clicked.
+In this next step, we will create our `BrowserWindow` and tell our application how to handle an event in which an external protocol is clicked.

-This code will be different in Windows and Linux compared to MacOS. This is due to both platforms emitting the `second-instance` event rather than the `open-url` event and Windows requiring additional code in order to open the contents of the protocol link within the same Electron instance. Read more about this [here](../api/app.md#apprequestsingleinstancelockadditionaldata).
+This code will be different in Windows and Linux compared to macOS. This is due to both platforms emitting the `second-instance` event rather than the `open-url` event and Windows requiring additional code in order to open the contents of the protocol link within the same Electron instance. Read more about this [here](../api/app.md#apprequestsingleinstancelockadditionaldata).

 #### Windows and Linux code:

@@ -91,7 +91,7 @@ if (!gotTheLock) {
 }
 ```

-#### MacOS code:
+#### macOS code:

 ```js @ts-type={createWindow:()=>void}
 // This method will be called when Electron has finished
--- a/docs/tutorial/mac-app-store-submission-guide.md
+++ b/docs/tutorial/mac-app-store-submission-guide.md
@@ -65,7 +65,7 @@ The full list of certificate types can be found
 Apps signed with "Apple Development" and "Apple Distribution" certificates can
 only run under [App Sandbox][app-sandboxing], so they must use the MAS build of
 Electron. However, the "Developer ID Application" certificate does not have this
-restrictions, so apps signed with it can use either the normal build or the MAS
+restriction, so apps signed with it can use either the normal build or the MAS
 build of Electron.

 #### Legacy certificate names
@@ -208,7 +208,7 @@ signAsync({
 After signing the app with the "Apple Distribution" certificate, you can
 continue to submit it to Mac App Store.

-However, this guide do not ensure your app will be approved by Apple; you
+However, this guide does not ensure your app will be approved by Apple; you
 still need to read Apple's [Submitting Your App][submitting-your-app] guide on
 how to meet the Mac App Store requirements.

--- a/docs/tutorial/macos-dock.md
+++ b/docs/tutorial/macos-dock.md
@@ -25,7 +25,7 @@ Electron application, and this property only exists on macOS.
 One of the main uses for your app's Dock icon is to expose additional app menus. The Dock menu is
 triggered by right-clicking or <kbd>Ctrl</kbd>-clicking the app icon. By default, the app's Dock menu
 will come with system-provided window management utilities, including the ability to show all windows,
-hide the app, and switch betweeen different open windows.
+hide the app, and switch between different open windows.

 To set an app-defined custom Dock menu, pass any [Menu](../api/menu.md) instance into the
 [`dock.setMenu`](../api/dock.md#docksetmenumenu-macos) API.
--- a/docs/tutorial/menus.md
+++ b/docs/tutorial/menus.md
@@ -200,7 +200,7 @@ macOS has a number of platform-specific menu roles available. Many of these map

 * `recentDocuments` - The submenu is an "Open Recent" menu.
 * `clearRecentDocuments` - Map to the [`clearRecentDocuments`](https://developer.apple.com/documentation/appkit/nsdocumentcontroller/clearrecentdocuments(_:)) action.
-* `shareMenu` - The submenu is [share menu][ShareMenu]. The `sharingItem` property must also be set to indicate the item to share.
+* `shareMenu` - The submenu is [share menu](../api/share-menu.md). The `sharingItem` property must also be set to indicate the item to share.

 > [!IMPORTANT]
 > When specifying a `role` on macOS, `label` and `accelerator` are the only
--- a/docs/tutorial/native-code-and-electron-cpp-linux.md
+++ b/docs/tutorial/native-code-and-electron-cpp-linux.md
@@ -1339,7 +1339,7 @@ For developers wanting to learn more, you can refer to the [official N-API docum

 ### Putting `cpp_addon.cc` together

-We've now finished the bridge part our addon - that is, the code that's most concerned with being the bridge between your JavaScript and C++ code (and by contrast, less so actually interacting with the operating system or GTK). After adding all the sections above, your `src/cpp_addon.cc` should look like this:
+We've now finished the bridge part of our addon - that is, the code that's most concerned with being the bridge between your JavaScript and C++ code (and by contrast, less so actually interacting with the operating system or GTK). After adding all the sections above, your `src/cpp_addon.cc` should look like this:

 ```cpp title='src/cpp_addon.cc'
 #include <napi.h>
--- a/Show More
+++ b/Show More