chore: remove interface bound checks

chore: update spec/api-utility-process-spec.ts
Co-authored-by: David Sanders <dsanders11@ucsbalum.com>
2026-05-02 03:00:22 -04:00 · 2025-06-17 18:05:09 +09:00 · 2025-06-17 17:27:54 +09:00 · 2025-06-16 12:31:22 +09:00 · 2025-06-15 23:16:22 +02:00 · 2025-06-15 19:26:06 +09:00
1288 changed files with 32504 additions and 69581 deletions
--- a/.claude/.gitignore
+++ b/.claude/.gitignore
@@ -1 +0,0 @@
-settings.local.json
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -1,25 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "Bash(e sync)",
-      "Bash(e patches --list-targets:*)",
-      "Bash(git add:*)",
-      "Bash(git am:*)",
-      "Bash(git commit:*)",
-      "Bash(git log:*)",
-      "Bash(git show:*)",
-      "Bash(e patches:*)",
-      "Bash(e sync:*)",
-      "Skill(electron-chromium-upgrade)",
-      "Skill(electron-node-upgrade)",
-      "Read(*)",
-      "Bash(echo:*)",
-      "Bash(e build:*)",
-      "Bash(tee:*)",
-      "Bash(git diff:*)",
-      "Bash(git rev-parse:*)"
-    ],
-    "deny": [],
-    "ask": []
-  }
-}
--- a/.claude/skills/electron-chromium-upgrade/SKILL.md
+++ b/.claude/skills/electron-chromium-upgrade/SKILL.md
@@ -1,199 +0,0 @@
---
-name: electron-chromium-upgrade
-description: Guide for performing Chromium version upgrades in the Electron project. Use when working on the roller/chromium/main branch to fix patch conflicts during `e sync --3`. Covers the patch application workflow, conflict resolution, analyzing upstream Chromium changes, and proper commit formatting for patch fixes.
---
-
-# Electron Chromium Upgrade: Phase One
-
-## Summary
-
-Run `e sync --3` repeatedly, fixing patch conflicts as they arise, until it succeeds. Then run `e patches all` and commit changes atomically.
-
-## Success Criteria
-
-Phase One is complete when:
- `e sync --3` exits with code 0 (no patch failures)
- `e patches all` has been run to export all changes
- All changes are committed per the commit guidelines below
-
-Do not stop until these criteria are met.
-
-**CRITICAL** Do not delete or skip patches unless 100% certain the patch is no longer needed. Complicated conflicts or hard to resolve issues should be presented to the user after you have exhausted all other options. Do not delete the patch just because you can't solve it.
-
-## Context
-
-The `roller/chromium/main` branch is created by automation to update Electron's Chromium dependency SHA. No work has been done to handle breaking changes between the old and new versions.
-
-**Key directories:**
- Current directory: Electron repo (always run `e` commands here)
- `..` (parent): Chromium repo (where most patches apply)
- `patches/`: Patch files organized by target
- `docs/development/patches.md`: Patch system documentation
-
-## Workflow
-
-1. Delete the `.git/rr-cache` in both the `electron` and `..` folder to ensure no accidental rerere replays occur from before this upgrade phase attempt started
-2. Run `e sync --3` (the `--3` flag enables 3-way merge, always required)
-3. If succeeds → skip to step 6
-4. If patch fails:
-   - Identify target repo and patch from error output
-   - Analyze failure (see references/patch-analysis.md)
-   - Fix conflict in target repo's working directory
-   - Run `git am --continue` in affected repo
-   - Repeat until all patches for that repo apply
-   - IMPORTANT: Once `git am --continue` succeeds you MUST run `e patches {target}` to export fixes
-   - Return to step 1
-5. When `e sync --3` succeeds, run `e patches all`
-6. **Read `references/phase-one-commit-guidelines.md` NOW**, then commit changes following those instructions exactly.
-
-Before committing any Phase One changes, you MUST read `references/phase-one-commit-guidelines.md` and follow its instructions exactly.
-
-## Commands Reference
-
-| Command | Purpose |
-|---------|---------|
-| `e sync --3` | Clone deps and apply patches with 3-way merge |
-| `git am --continue` | Continue after resolving conflict (run in target repo) |
-| `e patches {target}` | Export commits from target repo to patch files |
-| `e patches all` | Export all patches from all targets |
-| `e patches --list-targets` | List targets and config paths |
-
-## Patch System Mental Model
-
-```
-patches/{target}/*.patch  →  [e sync --3]  →  target repo commits
-                          ←  [e patches]   ←
-```
-
-## When to Edit Patches
-
-| Situation | Action |
-|-----------|--------|
-| During active `git am` conflict | Fix in target repo, then `git am --continue` |
-| Modifying patch outside conflict | Edit `.patch` file directly |
-| Creating new patch (rare, avoid) | Commit in target repo, then `e patches {target}` |
-
-Fix existing patches 99% of the time rather than creating new ones.
-
-## Patch Fixing Rules
-
-1. **Preserve authorship**: Keep original author in TODO comments (from patch `From:` field)
-2. **Never change TODO assignees**: `TODO(name)` must retain original name
-3. **Update descriptions**: If upstream changed (e.g., `DCHECK` → `CHECK_IS_TEST`), update patch commit message to reflect current state
-
-## Final Deliverable
-
-After Phase One, write a summary of every change: what was fixed, why, reasoning, and Chromium CL links.
-
-# Electron Chromium Upgrade: Phase Two
-
-## Summary
-
-Run `e build -k 999` repeatedly, fixing build issues as they arise, until it succeeds. Then run `e start --version` to validate Electron launches and commit changes atomically.
-
-Run Phase Two immediately after Phase One is complete.
-
-## Success Criteria
-
-Phase Two is complete when:
- `e build -k 999` exits with code 0 (no build failures)
- `e start --version` has been run to check Electron launches
- All changes are committed per the commit guidelines below
-
-Do not stop until these criteria are met. Do not delete code or features, never comment out code in order to take short cut. Make all existing code, logic and intention work.
-
-## Context
-
-The `roller/chromium/main` branch is created by automation to update Electron's Chromium dependency SHA. No work has been done to handle breaking changes between the old and new versions. Chromium APIs frequently are renamed or refactored. In every case the code in Electron must be updated to account for the change in Chromium, strongly avoid making changes to the code in chromium to fix Electrons build.
-
-**Key directories:**
- Current directory: Electron repo (always run `e` commands here)
- `..` (parent): Chromium repo (do not touch this code to fix build issues, just read it to obtain context)
-
-## Workflow
-
-1. Run `e build -k 999` (the `-k 999` flag is a flag to ninja to say "do not stop until you find that many errors" it is an attempt to get as much error
-  context as possible for each time we run build)
-2. If succeeds → skip to step 6
-3. If build fails:
-    - Identify underlying file in "electron" from the compilation error message
-    - Analyze failure
-    - Fix build issue by adapting Electron's code for the change in Chromium
-    - Run `e build -t {target_that_failed}.o` to build just the failed target we were specifically fixing
-        - You can identify the target_that_failed from the failure line in the build log. E.g. `FAILED: 2e506007-8d5d-4f38-bdd1-b5cd77999a77 "./obj/electron/chromium_src/chrome/process_singleton_posix.o" CXX obj/electron/chromium_src/chrome/process_singleton_posix.o` the target name is `obj/electron/chromium_src/chrome/process_singleton_posix.o`
-    - **Read `references/phase-two-commit-guidelines.md` NOW**, then commit changes following those instructions exactly.
-    - Return to step 1
-4. **CRITICAL**: After ANY commit (especially patch commits), immediately run `git status` in the electron repo
-    - Look for other modified `.patch` files that only have index/hunk header changes
-    - These are dependent patches affected by your fix
-    - Commit them immediately with: `git commit -am "chore: update patch hunk headers"`
-    - This prevents losing track of necessary updates
-5. Return to step 1
-6. When `e build` succeeds, run `e start --version`
-7. Check if you have any pending changes in the Chromium repo by running `git status`
-    - If you have changes follow the instructions below in "A. Patch Fixes" to correctly commit those modifications into the appropriate patch file
-
-Before committing any Phase Two changes, you MUST read `references/phase-two-commit-guidelines.md` and follow its instructions exactly.
-
-## Build Error Detection
-
-When monitoring `e build -k 999` output, filter for errors using this regex pattern:
-error:|FAILED:|fatal:|subcommand failed|build finished
-
-The build output is extremely verbose. Filtering is essential to catch errors quickly.
-
-## Commands Reference
-
-| Command | Purpose |
-|---------|---------|
-| `e build -k 999` | Builds Electron and won't stop until either all targets attempted or 999 errors found |
-| `e build -t {target}.o` | Build just one specific target to verify a fix |
-| `e start --version` | Validate Electron launches after successful build |
-
-## Two Types of Build Fixes
-
-### A. Patch Fixes (for files in chromium_src or patched Chromium files)
-
-When the error is in a file that Electron patches (check with `grep -l "filename" patches/chromium/*.patch`):
-
-1. Edit the file in the Chromium source tree (e.g., `/src/chrome/browser/...`)
-2. Create a fixup commit targeting the original patch commit:
-    ```bash
-    cd ..  # to chromium repo
-    git add <modified-file>
-    git commit --fixup=<original-patch-commit-hash>
-    GIT_SEQUENCE_EDITOR=: git rebase --autosquash --autostash -i <commit>^
-3. Export the updated patch: e patches chromium
-4. Commit the updated patch file in the electron repo following the `references/phase-one-commit-guidelines.md`, then commit changes following those instructions exactly. **READ THESE GUIDELINES BEFORE COMMITTING THESE CHANGES**
-
-To find the original patch commit to fixup: `git log --oneline | grep -i "keyword from patch name"`
-
-The base commit for rebase is the Chromium commit before patches were applied. Find it by checking the `refs/patches/upstream-head` ref.
-
-B. Electron Code Fixes (for files in shell/, electron/, etc.)
-
-When the error is in Electron's own source code:
-
-1. Edit files directly in the electron repo
-2. Commit directly (no patch export needed)
-
-Dependent Patch Updates
-
-IMPORTANT: When you modify a patch, other patches that apply to the same file may have their hunk headers invalidated. After committing a patch fix:
-
-1. Run git status in the electron repo
-2. Look for other modified .patch files with just index/hunk header changes
-3. Commit these with: git commit -m "chore: update patch hunk headers"
-
-# Critical: Read Before Committing
-
- Before ANY Phase One commits: Read `references/phase-one-commit-guidelines.md`
- Before ANY Phase Two commits: Read `references/phase-two-commit-guidelines.md`
-
-# Skill Directory Structure
-This skill has additional reference files in `references/`:
- patch-analysis.md - How to analyze patch failures
- phase-one-commit-guidelines.md - Commit format for Phase One
- phase-two-commit-guidelines.md - Commit format for Phase Two
-
-Read these when referenced in the workflow steps.
--- a/.claude/skills/electron-chromium-upgrade/references/patch-analysis.md
+++ b/.claude/skills/electron-chromium-upgrade/references/patch-analysis.md
@@ -1,69 +0,0 @@
-# Analyzing Patch Failures
-
-## Investigation Steps
-
-1. **Read the patch file** at `patches/{target}/{patch_name}.patch`
-
-2. **Examine current state** of the file in Chromium at mentioned line numbers
-
-3. **Check recent upstream changes:**
-   ```bash
-   cd ..  # or relevant target repo
-   git log --oneline -10 -- {file}
-   ```
-
-4. **Find Chromium CL** in commit messages:
-   ```
-   Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/{CL_NUMBER}
-   ```
-
-## Common Failure Patterns
-
-| Pattern | Cause | Solution |
-|---------|-------|----------|
-| Context lines don't match | Surrounding code changed | Update context in patch |
-| File not found | File renamed/moved | Update patch target path |
-| Function not found | Refactored upstream | Find new function name |
-| `DCHECK` → `CHECK_IS_TEST` | Macro change | Update to new macro |
-| Deleted code | Feature removed | Verify patch still needed |
-
-## Using Git Blame
-
-To find the CL that changed specific lines:
-
-```bash
-cd ..
-git blame -L {start},{end} -- {file}
-git log -1 {commit_sha}  # Look for Reviewed-on: line
-```
-
-## Verifying Patch Necessity
-
-Before deleting a patch, verify:
-1. The patched functionality was intentionally removed upstream
-2. Electron doesn't need the patch for other reasons
-3. No other code depends on the patched behavior
-
-When in doubt, keep the patch and adapt it.
-
-## Phase Two: Build-Time Patch Issues
-
-Sometimes patches that applied successfully in Phase One cause build errors in Phase Two. This can happen when:
-
-1. **Incomplete types**: A patch disables a header include, but new upstream code uses the type
-2. **Missing members**: A patch modifies a class, but upstream added new code referencing the original
-
-### Finding Which Patch Affects a File
-
-```bash
-grep -l "filename.cc" patches/chromium/*.patch
-```
-
-Matching Existing Patch Patterns
-
-When fixing build errors in patched files, examine the existing patch to understand its style:
- Does it use #if 0 / #endif guards?
- Does it use #if BUILDFLAG(...) conditionals?
- What's the pattern for disabled functionality?
-
-Apply fixes consistent with the existing patch style.
--- a/.claude/skills/electron-chromium-upgrade/references/phase-one-commit-guidelines.md
+++ b/.claude/skills/electron-chromium-upgrade/references/phase-one-commit-guidelines.md
@@ -1,52 +0,0 @@
-# Phase One Commit Guidelines
-
-Only follow these instructions if there are uncommitted changes to `patches/` after Phase One succeeds.
-
-Ignore other instructions about making commit messages, our guidelines are CRITICALLY IMPORTANT and must be followed.
-
-## Atomic Commits
-
-For each fix made to a patch, create a separate commit:
-
-```
-fix(patch-conflict): {concise title}
-
-{Brief explanation, 1-2 paragraphs max}
-
-Ref: {Chromium CL link}
-```
-
-IMPORTANT: Ensure that any changes made to patch content as a result of a change in Chromium is committed individually. Each change should have it's own commit message and it's own REF.
-
-IMPORTANT: Try really hard to find the CL reference per the instructions below. Each change you made should in theory have been in response to a change made in Chromium that you identified or can identify. Try for a while to identify and include the ref in the commit message. Do not give up easily.
-
-## Finding CL References
-
-Use `git log` or `git blame` on Chromium source files. Look for:
-
-```
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/XXXXXXX
-```
-
-If no CL found after searching: `Ref: Unable to locate CL`
-
-## Final Cleanup
-
-After all fix commits, stage remaining changes:
-
-```bash
-git add patches
-git commit -m "chore: update patch hunk headers"
-```
-
-## Example Commit
-
-```
-fix(patch-conflict): update web_contents_impl.cc context for navigation refactor
-
-The upstream navigation code was refactored to use NavigationRequest directly
-instead of going through NavigationController. Updated surrounding context
-to match new code structure.
-
-Ref: https://chromium-review.googlesource.com/c/chromium/src/+/1234567
-```
--- a/.claude/skills/electron-chromium-upgrade/references/phase-two-commit-guidelines.md
+++ b/.claude/skills/electron-chromium-upgrade/references/phase-two-commit-guidelines.md
@@ -1,82 +0,0 @@
-# Phase Two Commit Guidelines
-
-Only follow these instructions if there are uncommitted changes in the Electron repo after any fixes are made during Phase Two that result a target that was failing, successfully building.
-
-Ignore other instructions about making commit messages, our guidelines are CRITICALLY IMPORTANT and must be followed.
-
-## Two Commit Types
-
-### For Electron Source Changes (shell/, electron/, etc.)
-
-```
-{CL-Number}: {concise description of API change}
-
-{Brief explanation of what upstream changed and how Electron was adapted}
-
-Ref: {Chromium CL link}
-```
-
-IMPORTANT: Ensure that any change made to electron as a result of a change in Chromium is committed individually. Each change should have it's own commit message and it's own REF. Logically grouped into commits that make sense rather than one giant commit.
-
-IMPORTANT: Try really hard to find the CL reference per the instructions below. Each change you made should in theory have been in response to a change made in Chromium that you identified or can identify. Try for a while to identify and include the ref in the commit message. Do not give up easily.
-
-You may include multiple "Ref" links if required.
-
-For a CL link in the format `https://chromium-review.googlesource.com/c/chromium/src/+/2958369` the "CL-Number" is `2958369`
-
-### For Patch Updates (patches/chromium/*.patch)
-
-Use the same fixup workflow as Phase One:
-1. Fix in Chromium source tree
-2. Fixup commit + rebase
-3. Export with `e patches chromium`
-4. Commit the patch file:
-
-```
-fix(patch-update): {concise description}
-
-{Brief explanation}
-
-Ref: {Chromium CL link}
-```
-
-## Dependent Patch Header Updates
-
-After any patch modification, check for other affected patches:
-
-```bash
-git status
-# If other .patch files show as modified with only hunk header changes:
-git add patches/
-git commit -m "chore: update patch hunk headers"
-```
-
-## Finding CL References
-
-Use git log or git blame on Chromium source files. Look for:
-
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/XXXXXXX
-
-If no CL found after searching: Ref: Unable to locate CL
-
-## Example Commits
-
-### Electron Source Fix
-
-fix: update GetPlugins to GetPluginsAsync for API change
-
-The upstream Chromium API changed:
- Old: GetPlugins(callback) - took a callback
- New: GetPluginsAsync(callback) - async version takes a callback
-
-Ref: https://chromium-review.googlesource.com/c/chromium/src/+/1234567
-
-### Patch Fix
-
-fix(patch-conflict): update picture-in-picture for gesture handling refactor
-
-Upstream added new gesture handling code that accesses live caption dialog.
-The live caption functionality is disabled in Electron's patch, so wrapped
-the new code in #if 0 guards to match existing pattern.
-
-Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7654321
--- a/.claude/skills/electron-node-upgrade/SKILL.md
+++ b/.claude/skills/electron-node-upgrade/SKILL.md
@@ -1,323 +0,0 @@
---
-name: electron-node-upgrade
-description: Guide for performing Node.js version upgrades in the Electron project. Use when working on the roller/node/main branch to fix patch conflicts during `e sync --3`. Covers the patch application workflow, conflict resolution, analyzing upstream Node.js changes, building, running the Node.js test suite, and proper commit formatting for patch fixes.
---
-
-# Electron Node.js Upgrade: Phase One
-
-## Summary
-
-Run `e sync --3` repeatedly, fixing patch conflicts as they arise, until it succeeds. Then export patches and commit changes atomically.
-
-## Success Criteria
-
-Phase One is complete when:
- `e sync --3` exits with code 0 (no patch failures)
- All changes are committed per the commit guidelines
-
-Do not stop until these criteria are met.
-
-**CRITICAL** Do not delete or skip patches unless 100% certain the patch is no longer needed. For major version upgrades, patches that shim deprecated V8 APIs or backport upstream changes are often deletable because the new Node.js version already incorporates them — but verify before removing. Complicated conflicts or hard to resolve issues should be presented to the user after you have exhausted all other options. Do not delete the patch just because you can't solve it.
-
-**CRITICAL** Never use `git am --skip` and then manually recreate a patch by making a new commit. This destroys the original patch's authorship, commit message, and position in the series. If `git am --continue` reports "No changes", investigate why — the changes were likely absorbed by a prior conflict resolution's 3-way merge. Present this situation to the user rather than skipping and recreating.
-
-## Context
-
-The `roller/node/main` branch is created by automation to update Electron's Node.js dependency version in `DEPS`. No work has been done to handle breaking changes between the old and new versions.
-
-There are two types of Node.js version updates:
- **Bumps** (patch/minor): Automated by `electron-roller[bot]` with commit title `chore: bump node to v{version}`. Trivial patch index updates are handled automatically by `patchup[bot]`. These often land cleanly, but may require manual patch fixes.
- **Major upgrades** (e.g., v22 → v24): Manual, large PRs with commit title `chore: upgrade Node.js to v{X}.{Y}.{Z}`. These typically involve deleting obsolete patches, adapting many others, and updating `@types/node` in `package.json`.
-
-**Key directories:**
- Current directory: Electron repo (always run `e` commands here)
- `../third_party/electron_node`: Node.js repo (where patches apply)
- `patches/node/`: Patch files for Node.js
- `docs/development/patches.md`: Patch system documentation
-
-## Pre-flight Checks
-
-Run these once at the start of each upgrade session:
-
-1. **Clear rerere cache** (if enabled): `git rerere clear` in both the electron and `../third_party/electron_node` repos. Stale recorded resolutions from a prior attempt can silently apply wrong merges.
-2. **Ensure pre-commit hooks are installed**: Check that `.git/hooks/pre-commit` exists. If not, run `yarn husky` to install it. The hook runs `lint-staged` which handles clang-format for C++ files.
-
-## Workflow
-
-1. Run `e sync --3` (the `--3` flag enables 3-way merge, always required)
-2. If succeeds → skip to step 5
-3. If patch fails:
-   - Identify target repo and patch from error output
-   - Analyze failure (see references/patch-analysis.md)
-   - Fix conflict in `../third_party/electron_node` working directory
-   - Run `git am --continue` in `../third_party/electron_node`
-   - Repeat until all patches for that repo apply
-   - IMPORTANT: Once `git am --continue` succeeds you MUST run `e patches node` to export fixes
-   - Return to step 1
-4. When `e sync --3` succeeds, run `e patches all`
-5. **Read `references/phase-one-commit-guidelines.md` NOW**, then commit changes following those instructions exactly.
-
-## Commands Reference
-
-| Command | Purpose |
-|---------|---------|
-| `e sync --3` | Clone deps and apply patches with 3-way merge |
-| `git am --continue` | Continue after resolving conflict (run in node repo) |
-| `e patches node` | Export commits from node repo to patch files |
-| `e patches all` | Export all patches from all targets |
-| `e patches node --commit-updates` | Export patches and auto-commit trivial changes |
-| `e patches --list-targets` | List targets and config paths |
-
-## Patch System Mental Model
-
-```
-patches/node/*.patch  →  [e sync --3]  →  ../third_party/electron_node commits
-                      ←  [e patches]   ←
-```
-
-## When to Edit Patches
-
-| Situation | Action |
-|-----------|--------|
-| During active `git am` conflict | Fix in node repo, then `git am --continue` |
-| Modifying patch outside conflict | Edit `.patch` file directly |
-| Creating new patch (rare, avoid) | Commit in node repo, then `e patches node` |
-
-Fix existing patches 99% of the time rather than creating new ones.
-
-## Patch Fixing Rules
-
-1. **Preserve authorship**: Keep original author in TODO comments (from patch `From:` field)
-2. **Never change TODO assignees**: `TODO(name)` must retain original name
-3. **Update descriptions**: If upstream changed APIs or macros, update patch commit message to reflect current state
-4. **Never skip-and-recreate a patch**: If `git am --continue` says "No changes — did you forget to use 'git add'?", do NOT run `git am --skip` and create a replacement commit. The patch's changes were already absorbed by a prior 3-way merge resolution. This means an earlier conflict resolution pulled in too many changes. Present the situation to the user for guidance — the correct fix may require re-doing an earlier resolution more carefully to keep each patch's changes separate.
-
-# Electron Node.js Upgrade: Phase Two
-
-## Summary
-
-Run `e build -k 999 -- --quiet` repeatedly, fixing build issues as they arise, until it succeeds. Then run `e start --version` to validate Electron launches and commit changes atomically.
-
-Run Phase Two immediately after Phase One is complete.
-
-## Success Criteria
-
-Phase Two is complete when:
- `e build -k 999 -- --quiet` exits with code 0 (no build failures)
- `e start --version` has been run to check Electron launches
- All changes are committed per the commit guidelines
-
-Do not stop until these criteria are met. Do not delete code or features, never comment out code in order to take short cut. Make all existing code, logic and intention work.
-
-## Context
-
-The `roller/node/main` branch is created by automation to update Electron's Node.js dependency version in `DEPS`. No work has been done to handle breaking changes between the old and new versions. Node.js APIs (especially internal V8 integration, OpenSSL/BoringSSL compatibility, and build system files) frequently change between versions. In every case the code in Electron must be updated to account for the change in Node.js, strongly avoid making changes to the code in Node.js to fix Electron's build.
-
-**Key directories:**
- Current directory: Electron repo (always run `e` commands here)
- `../third_party/electron_node`: Node.js repo (do not touch this code to fix build issues, just read it to obtain context)
-
-## Workflow
-
-1. Run `e build -k 999 -- --quiet` (the `--quiet` flag suppresses per-target status lines, showing only errors and the final result)
-2. If succeeds → skip to step 6
-3. If build fails:
-    - Identify underlying file in "electron" from the compilation error message
-    - Analyze failure
-    - Fix build issue by adapting Electron's code for the change in Node.js
-    - Run `e build -t {target_that_failed}.o` to build just the failed target we were specifically fixing
-        - You can identify the target_that_failed from the failure line in the build log. E.g. `FAILED: 2e506007-8d5d-4f38-bdd1-b5cd77999a77 "./obj/electron/shell/browser/api/electron_api_utility_process.o" CXX obj/electron/shell/browser/api/electron_api_utility_process.o` the target name is `obj/electron/shell/browser/api/electron_api_utility_process.o`
-    - **Read `references/phase-two-commit-guidelines.md` NOW**, then commit changes following those instructions exactly.
-    - Return to step 1
-4. **CRITICAL**: After ANY commit (especially patch commits), immediately run `git status` in the electron repo
-    - Look for other modified `.patch` files that only have index/hunk header changes
-    - These are dependent patches affected by your fix
-    - Commit them immediately with: `git commit -am "chore: update patches (trivial only)"`
-5. Return to step 1
-6. When `e build` succeeds, run `e start --version`
-7. Check if you have any pending changes in the Node.js repo by running `git status` in `../third_party/electron_node`
-    - If you have changes follow the instructions below in "A. Patch Fixes" to correctly commit those modifications into the appropriate patch file
-
-## Commands Reference
-
-| Command | Purpose |
-|---------|---------|
-| `e build -k 999 -- --quiet` | Build Electron, continue on errors, suppress status lines |
-| `e build -t {target}.o` | Build just one specific target to verify a fix |
-| `e start --version` | Validate Electron launches after successful build |
-
-## Two Types of Build Fixes
-
-### A. Patch Fixes (for files in patched Node.js files)
-
-When the error is in a file that Electron patches (check with `grep -l "filename" patches/node/*.patch`):
-
-1. Edit the file in the Node.js source tree (`../third_party/electron_node/...`)
-2. Create a fixup commit targeting the original patch commit:
-    ```bash
-    cd ../third_party/electron_node
-    git add <modified-file>
-    git commit --fixup=<original-patch-commit-hash>
-    GIT_SEQUENCE_EDITOR=: git rebase --autosquash --autostash -i <commit>^
-    ```
-3. Export the updated patch: `e patches node`
-4. Commit the updated patch file following `references/phase-one-commit-guidelines.md`.
-
-To find the original patch commit to fixup: `git log --oneline | grep -i "keyword from patch name"`
-
-The base commit for rebase is the Node.js commit before patches were applied. Find it by checking the `refs/patches/upstream-head` ref.
-
-### B. Electron Code Fixes (for files in shell/, electron/, etc.)
-
-When the error is in Electron's own source code:
-
-1. Edit files directly in the electron repo
-2. Commit directly (no patch export needed)
-
-# Electron Node.js Upgrade: Phase Three
-
-## Summary
-
-Run the Node.js test suite via `script/node-spec-runner.js`, fix failing tests, and commit fixes until all tests pass. Certain tests are permanently disabled (listed in `script/node-disabled-tests.json`) and should not be run.
-
-Run Phase Three immediately after Phase Two is complete.
-
-## Success Criteria
-
-Phase Three is complete when:
- `node script/node-spec-runner.js --default` exits with zero failures
- All changes are committed per the commit guidelines
-
-Do not stop until these criteria are met.
-
-## Context
-
-Electron runs a subset of Node.js's upstream test suite using a custom runner (`script/node-spec-runner.js`). Tests are executed with the built Electron binary via `ELECTRON_RUN_AS_NODE=true`. Many tests need adaptation because Electron uses BoringSSL (not OpenSSL) and Chromium's V8 (which may differ from Node.js's bundled V8).
-
-**Key files:**
- `script/node-spec-runner.js` — Test runner script
- `script/node-disabled-tests.json` — Permanently disabled tests (do not try to fix these)
- `../third_party/electron_node/test/` — Node.js test files (where patches apply)
- `patches/node/fix_crypto_tests_to_run_with_bssl.patch` — BoringSSL crypto test adaptations
- `patches/node/test_formally_mark_some_tests_as_flaky.patch` — Flaky test list
-
-## Workflow
-
-1. Run `node script/node-spec-runner.js --default` from the electron repo
-2. If all tests pass → Phase Three is complete
-3. If tests fail:
-    - Identify the failing test file(s) from the output
-    - Analyze each failure (see "Common Failure Patterns" below)
-    - Fix the test in `../third_party/electron_node/test/...`
-    - Re-run the specific failing test to verify: `node script/node-spec-runner.js {test-path}`
-        - The test path is relative to the node `test/` directory, e.g. `test/parallel/test-crypto-key-objects-raw.js`
-        - Do NOT use `--default` when running specific tests — it adds the full suite flags
-        - Do NOT run tests directly with `ELECTRON_RUN_AS_NODE` — the runner handles environment setup (e.g. temporarily switching `package.json` from ESM to CommonJS)
-    - Commit the fix using the fixup workflow and commit guidelines
-    - Return to step 1
-
-## Commands Reference
-
-| Command | Purpose |
-|---------|---------|
-| `node script/node-spec-runner.js --default` | Run full Node.js test suite |
-| `node script/node-spec-runner.js test/parallel/test-foo.js` | Run a single test |
-| `NODE_REGENERATE_SNAPSHOTS=1 node script/node-spec-runner.js test/test-runner/test-foo.mjs` | Regenerate snapshot for a snapshot-based test |
-
-## Common Failure Patterns
-
-### BoringSSL incompatibilities
-
-Electron uses BoringSSL (via Chromium) instead of OpenSSL. Many crypto features are missing or behave differently:
-
-| Unsupported in BoringSSL | Guard pattern |
-|--------------------------|---------------|
-| ChaCha20-Poly1305 | `if (!process.features.openssl_is_boringssl)` |
-| AES-CCM (aes-128-ccm, aes-256-ccm) | `if (ciphers.includes('aes-128-ccm'))` |
-| AES-KW (key wrapping) | `if (!process.features.openssl_is_boringssl)` |
-| DSA keys | `if (!process.features.openssl_is_boringssl)` |
-| Ed448 / X448 curves | `if (!process.features.openssl_is_boringssl)` |
-| DH key PEM loading | `if (!process.features.openssl_is_boringssl)` |
-| PQC algorithms (ML-KEM, ML-DSA, SLH-DSA) | `if (hasOpenSSL(3, 5))` (already guards these) |
-
-When guarding tests, prefer checking cipher availability (`ciphers.includes(algo)`) over blanket BoringSSL checks where possible, as it's more precise and self-documenting.
-
-New upstream tests that exercise these features will need guards added to the `fix_crypto_tests_to_run_with_bssl` patch.
-
-### Snapshot test mismatches
-
-Some tests compare output against committed `.snapshot` files using `assert.strictEqual` — these are NOT wildcard comparisons. When Chromium's V8 produces different output (e.g. different stack traces due to V8 enhancements), the snapshot must be regenerated:
-
-```bash
-NODE_REGENERATE_SNAPSHOTS=1 node script/node-spec-runner.js test/test-runner/test-foo.mjs
-```
-
-Then inspect the diff to verify the changes are expected, and commit the updated snapshot into the appropriate patch.
-
-### V8 behavioral differences
-
-Chromium's V8 may be ahead of Node.js's bundled V8. This can cause:
- Different stack trace formats (e.g. thenable async stack frames)
- Different error messages
- Features available in Chromium V8 that aren't in stock Node.js V8 (or vice versa)
-
-## Two Types of Test Fixes
-
-### A. Patch Fixes (most common for test failures)
-
-Most test fixes go into existing patches in `patches/node/`. Use the fixup workflow:
-
-1. Edit the test file in `../third_party/electron_node/test/...`
-2. Find the relevant patch commit: `git log --oneline | grep -i "keyword"`
-    - Crypto/BoringSSL tests → `fix crypto tests to run with bssl`
-    - Snapshot tests → the specific snapshot patch (e.g. `test: accomodate V8 thenable`)
-    - Flaky tests → `test: formally mark some tests as flaky`
-3. Create a fixup commit:
-    ```bash
-    cd ../third_party/electron_node
-    git add test/path/to/test.js
-    git commit --fixup=<patch-commit-hash>
-    GIT_SEQUENCE_EDITOR=: git rebase --autosquash --autostash -i <commit>^
-    ```
-4. Export: `e patches node`
-5. **Read `references/phase-three-commit-guidelines.md` NOW**, then commit the updated patch file.
-
-### B. New Patches (rare)
-
-Only create a new patch when the fix doesn't belong in any existing patch. The new patch commit in `../third_party/electron_node` must include a description explaining why the patch exists and when it can be removed — the lint check enforces this.
-
-## Adding to Disabled Tests
-
-Only add a test to `script/node-disabled-tests.json` as a **last resort** — when the test is fundamentally incompatible with Electron's architecture (not just a BoringSSL difference that can be guarded). Tests disabled here are completely skipped and never run.
-
-# Critical: Read Before Committing
-
- Before ANY Phase One commits: Read `references/phase-one-commit-guidelines.md`
- Before ANY Phase Two commits: Read `references/phase-two-commit-guidelines.md`
- Before ANY Phase Three commits: Read `references/phase-three-commit-guidelines.md`
-
-# High-Churn Patches
-
-These patches consistently require the most work during Node.js upgrades:
-
- **`fix_handle_boringssl_and_openssl_incompatibilities.patch`** — Electron uses BoringSSL (via Chromium) while Node.js expects OpenSSL. This patch is large and complex, and upstream OpenSSL API changes frequently break it.
- **`fix_crypto_tests_to_run_with_bssl.patch`** — Companion to the above; adapts Node.js crypto tests for BoringSSL. Can grow significantly during major upgrades.
- **`support_v8_sandboxed_pointers.patch`** — V8 sandbox pointer support requires careful adaptation when V8 APIs change.
- **`build_add_gn_build_files.patch`** — The GN build file patch is large and touches many build targets. Upstream build system changes frequently conflict.
-
-# Major Version Upgrades
-
-Major Node.js version transitions (e.g., v22 → v24) are significantly more involved than patch bumps:
-
-1. **Expect patch deletions.** Electron uses Chromium's V8, which is often ahead of the V8 version bundled in Node.js. Many patches exist to bridge this gap — shimming newer V8 APIs that Chromium's V8 has but Node.js' older V8 doesn't. When Node.js bumps to a newer major version, its V8 catches up to Chromium's, and those bridge patches can be deleted. In the v22 → v24 upgrade, 17 patches were deleted for this reason.
-2. **Update `@types/node`** in `package.json` to match the new major version.
-3. **Post-upgrade regressions are expected.** Even after the upgrade lands, follow-up fix PRs for edge cases (ESM path handling, certificate loading, platform-specific issues) are normal.
-
-# Skill Directory Structure
-This skill has additional reference files in `references/`:
- patch-analysis.md - How to analyze patch failures
- phase-one-commit-guidelines.md - Commit format for Phase One
- phase-two-commit-guidelines.md - Commit format for Phase Two
- phase-three-commit-guidelines.md - Commit format for Phase Three
-
-Read these when referenced in the workflow steps.
--- a/.claude/skills/electron-node-upgrade/references/patch-analysis.md
+++ b/.claude/skills/electron-node-upgrade/references/patch-analysis.md
@@ -1,112 +0,0 @@
-# Analyzing Patch Failures
-
-## Investigation Steps
-
-1. **Read the patch file** at `patches/node/{patch_name}.patch`
-
-2. **Examine current state** of the file in the Node.js repo at mentioned line numbers
-
-3. **Check recent upstream changes:**
-   ```bash
-   cd ../third_party/electron_node
-   git log --oneline -10 -- {file}
-   ```
-
-4. **Find Node.js PR** in commit messages:
-   ```
-   PR-URL: https://github.com/nodejs/node/pull/{PR_NUMBER}
-   ```
-
-## Critical: Resolve by Intent, Not by Mechanical Merge
-
-When resolving a patch conflict, do NOT blindly preserve the patch's old code. Instead:
-
-1. **Understand the upstream commit's full scope** — not just the conflicting hunk.
-   Run `git show <commit> --stat` and read diffs for all affected files.
-   Upstream may have removed structs, members, or methods that the patch
-   references in other hunks or files.
-
-2. **Re-read the patch commit message** to understand its *intent* — what
-   behavior does it need to preserve or add?
-
-3. **Implement the intent against the new upstream code.** If the patch's
-   purpose is "add BoringSSL compatibility", add only the compatibility
-   layer — don't also restore old code that upstream separately removed.
-
-### Lesson: Upstream Removals Break Patch References
-
- **Trigger:** Patch conflict involves an upstream refactor (not just context drift)
- **Strategy:** After identifying the upstream commit, check its full diff for
-  removed types, members, and methods. If the patch's old code references
-  something removed, the resolution must use the new upstream mechanism.
-
-### Lesson: Separate Patch Purpose from Patch Implementation
-
- **Trigger:** Conflict between "upstream simplified code" vs "patch has older code"
- **Strategy:** Identify the *minimal* change the patch needs. If the patch
-  wraps code in a conditional, only add the conditional — don't restore old
-  code that was inside the conditional but was separately cleaned up upstream.
-
-### Lesson: Finish the Adaptation at Conflict Time
-
- **Trigger:** A patch conflict involves an upstream API removal or replacement
- **Strategy:** When resolving the conflict, fully adapt the patch to use the
-  new API in the same commit. Don't remove the old code and leave behind stale
-  references that will "be fixed in Phase Two." Each patch fix commit should be
-  a complete resolution.
-
-## Common Failure Patterns
-
-| Pattern | Cause | Solution |
-|---------|-------|----------|
-| Context lines don't match | Surrounding code changed | Update context in patch |
-| File not found | File renamed/moved | Update patch target path |
-| Function not found | Refactored upstream | Find new function name |
-| OpenSSL → BoringSSL mismatch | Crypto API change | Update to BoringSSL-compatible API |
-| GYP/GN build change | Build system refactor | Adapt build patch to new structure |
-| Deleted code | Feature removed | Verify patch still needed |
-| V8 API bridge patch conflicts | Node.js caught up to Chromium's V8 | Patch may be deletable — verify the API is now in Node.js' V8 natively |
-
-## Using Git Blame
-
-To find the commit that changed specific lines:
-
-```bash
-cd ../third_party/electron_node
-git blame -L {start},{end} -- {file}
-git log -1 {commit_sha}  # Look for PR-URL: line
-```
-
-## Verifying Patch Necessity
-
-Before deleting a patch, verify:
-1. The patched functionality was intentionally removed upstream
-2. Electron doesn't need the patch for other reasons
-3. No other code depends on the patched behavior
-
-**V8 bridge patches:** Electron uses Chromium's V8, which is often ahead of the V8 bundled in Node.js. Many patches exist to bridge this version gap — adapting Node.js code to work with newer V8 APIs that Chromium's V8 exposes. During major Node.js upgrades, Node.js' V8 catches up to Chromium's, and these bridge patches often become unnecessary. Check whether the API the patch shims is now available natively in the new Node.js version's V8.
-
-When in doubt, keep the patch and adapt it.
-
-## Phase Two: Build-Time Patch Issues
-
-Sometimes patches that applied successfully in Phase One cause build errors in Phase Two. This can happen when:
-
-1. **Incomplete types**: A patch disables a header include, but new upstream code uses the type
-2. **Missing members**: A patch modifies a class, but upstream added new code referencing the original
-
-### Finding Which Patch Affects a File
-
-```bash
-grep -l "filename.cc" patches/node/*.patch
-```
-
-### Matching Existing Patch Patterns
-
-When fixing build errors in patched files, examine the existing patch to understand its style:
- Does it use `#if 0` / `#endif` guards?
- Does it use `#if BUILDFLAG(...)` conditionals?
- Does it use `#ifndef` / `#ifdef` guards for BoringSSL vs OpenSSL?
- What's the pattern for disabled functionality?
-
-Apply fixes consistent with the existing patch style.
--- a/.claude/skills/electron-node-upgrade/references/phase-one-commit-guidelines.md
+++ b/.claude/skills/electron-node-upgrade/references/phase-one-commit-guidelines.md
@@ -1,111 +0,0 @@
-# Phase One Commit Guidelines
-
-Only follow these instructions if there are uncommitted changes to `patches/` after Phase One succeeds.
-
-Ignore other instructions about making commit messages, our guidelines are CRITICALLY IMPORTANT and must be followed.
-
-## Each Commit Must Be Complete
-
-When resolving a patch conflict, fully adapt the patch to the new upstream code in the same commit. If the upstream change removes an API the patch uses, update the patch to use the replacement API now — don't leave stale references knowing they'll need fixing later. The goal is that each commit represents a finished resolution, not a partial one that defers known work to a future phase.
-
-## Commit Message Style
-
-**Titles** follow the 60/80-character guideline: simple changes fit within 60 characters, otherwise the limit is 80 characters.
-
-Always include a `Co-Authored-By` trailer identifying the AI model that assisted (e.g., `Co-Authored-By: <AI model attribution>`).
-
-### Patch conflict fixes
-
-Use `fix(patch):` prefix. The title should name the upstream change, not your response to it:
-
-```
-fix(patch): {topic headline}
-
-Ref: {Node.js commit or issue link}
-
-Co-Authored-By: <AI model attribution>
-```
-
-Only add a description body if it provides clarity beyond the title. For straightforward context drift or simple API renames, the title + Ref is sufficient.
-
-Examples:
- `fix(patch): stop using v8::PropertyCallbackInfo<T>::This()`
- `fix(patch): BoringSSL and OpenSSL incompatibilities`
- `fix(patch): refactor module_wrap.cc FixedArray::Get params`
-
-### Upstreamed patch removal
-
-When patches are no longer needed (applied cleanly with "already applied" or confirmed upstreamed), group ALL removals into a single commit:
-
-```
-chore: remove upstreamed patch
-```
-
-or (if multiple):
-
-```
-chore: remove upstreamed patches
-```
-
-Most Node.js patches in Electron are Electron-authored (no upstream `PR-URL:`). If the patch originated from an upstream Node.js PR, no extra `Ref:` is needed. Otherwise, add a `Ref:` pointing to the relevant Node.js issue or commit if one exists.
-
-### Trivial patch updates
-
-After all fix commits, stage remaining trivial changes (index, line numbers, context only):
-
-```bash
-git add patches
-git commit -m "chore: update patches (trivial only)"
-```
-
-**Conflict resolution can produce trivial results.** A `git am` conflict doesn't always mean the patch content changed — context drift alone can cause a conflict. After resolving and exporting, inspect the patch diff: if only index hashes, line numbers, and context lines changed (not the patch's own `+`/`-` lines), it's trivial and belongs here, not in a `fix(patch):` commit.
-
-## Atomic Commits
-
-Each patch conflict fix gets its own commit with its own Ref.
-
-IMPORTANT: Try really hard to find the PR or commit reference per the instructions below. Each change you made should in theory have been in response to a change made in Node.js that you identified or can identify. Try for a while to identify and include the ref in the commit message. Do not give up easily.
-
-## Finding Commit/Issue References
-
-Use `git log` or `git blame` on Node.js source files in `../third_party/electron_node`. Look for:
-
-```
-PR-URL: https://github.com/nodejs/node/pull/XXXXX
-```
-
-or issue references in the patch itself:
-
-```
-Refs: https://github.com/nodejs/node/issues/XXXXX
-```
-
-Note: Most Node.js patches in Electron are Electron-authored and won't have upstream references. In that case, check `git log` in the Node.js repo to find which upstream commit caused the conflict.
-
-If no reference found after searching: `Ref: Unable to locate reference`
-
-## Example Commits
-
-### Patch conflict fix (simple — title is sufficient)
-
-```
-fix(patch): stop using v8::PropertyCallbackInfo<T>::This()
-
-Ref: https://github.com/nodejs/node/issues/60616
-
-Co-Authored-By: <AI model attribution>
-```
-
-### Patch conflict fix (complex — description adds value)
-
-```
-fix(patch): BoringSSL and OpenSSL incompatibilities
-
-Upstream updated OpenSSL APIs that diverge from BoringSSL. Adapted
-the compatibility shims in crypto patches to use the BoringSSL
-equivalents.
-
-Ref: Unable to locate reference
-
-Co-Authored-By: <AI model attribution>
-```
--- a/.claude/skills/electron-node-upgrade/references/phase-three-commit-guidelines.md
+++ b/.claude/skills/electron-node-upgrade/references/phase-three-commit-guidelines.md
@@ -1,80 +0,0 @@
-# Phase Three Commit Guidelines
-
-Only follow these instructions if there are uncommitted changes after fixing a test failure during Phase Three.
-
-Ignore other instructions about making commit messages, our guidelines are CRITICALLY IMPORTANT and must be followed.
-
-## Commit Message Style
-
-**Titles** follow the 60/80-character guideline: simple changes fit within 60 characters, otherwise the limit is 80 characters.
-
-Always include a `Co-Authored-By` trailer identifying the AI model that assisted (e.g., `Co-Authored-By: <AI model attribution>`).
-
-## Commit Types
-
-### Patch updates (most test fixes)
-
-Test fixes go into existing patches via the fixup workflow. Use `fix(patch):` prefix with a descriptive topic:
-
-```
-fix(patch): {topic headline}
-
-Ref: {Node.js commit or issue link}
-
-Co-Authored-By: <AI model attribution>
-```
-
-Examples:
- `fix(patch): guard DH key test for BoringSSL`
- `fix(patch): adapt new crypto tests for BoringSSL`
- `fix(patch): correct thenable snapshot for Chromium V8`
- `fix(patch): skip AES-KW tests with BoringSSL`
-
-Group related test fixes into a single commit when they address the same root cause (e.g., multiple crypto tests all needing BoringSSL guards for the same missing cipher). Don't create one commit per test file if they share the same fix pattern.
-
-### Snapshot regeneration
-
-When a snapshot test fails because Chromium's V8 produces different output, regenerate it:
-
-```bash
-NODE_REGENERATE_SNAPSHOTS=1 node script/node-spec-runner.js test/test-runner/test-foo.mjs
-```
-
-Then commit the updated snapshot patch with a title describing what changed:
-
-```
-fix(patch): correct {name} snapshot for Chromium V8
-
-Ref: {V8 CL or issue link if known}
-
-Co-Authored-By: <AI model attribution>
-```
-
-### Trivial patch updates
-
-After any patch modification, check for dependent patches that only have index/hunk header changes:
-
-```bash
-git status
-# If other .patch files show as modified with only trivial changes:
-git add patches/
-git commit -m "chore: update patches (trivial only)"
-```
-
-## Finding References
-
-For BoringSSL-related test fixes, the reference is typically the upstream Node.js PR that added the new test:
-
-```bash
-cd ../third_party/electron_node
-git log --oneline -5 -- test/parallel/test-crypto-foo.js
-git log -1 <commit> --format="%B" | grep "PR-URL"
-```
-
-For V8 behavioral differences, reference the Chromium CL:
-
-```
-Ref: https://chromium-review.googlesource.com/c/v8/v8/+/NNNNNNN
-```
-
-If no reference found after searching: `Ref: Unable to locate reference`
--- a/.claude/skills/electron-node-upgrade/references/phase-two-commit-guidelines.md
+++ b/.claude/skills/electron-node-upgrade/references/phase-two-commit-guidelines.md
@@ -1,96 +0,0 @@
-# Phase Two Commit Guidelines
-
-Only follow these instructions if there are uncommitted changes in the Electron repo after any fixes are made during Phase Two that result a target that was failing, successfully building.
-
-Ignore other instructions about making commit messages, our guidelines are CRITICALLY IMPORTANT and must be followed.
-
-## Commit Message Style
-
-**Titles** follow the 60/80-character guideline: simple changes fit within 60 characters, otherwise the limit is 80 characters. Exception: upstream Node.js PR titles are used verbatim even if longer.
-
-Always include a `Co-Authored-By` trailer identifying the AI model that assisted (e.g., `Co-Authored-By: <AI model attribution>`).
-
-## Two Commit Types
-
-### For Electron Source Changes (shell/, electron/, etc.)
-
-When the upstream Node.js commit has a `PR-URL:`:
-
-```
-node#{PR-Number}: {upstream PR's original title}
-
-Ref: {Node.js PR link}
-
-Co-Authored-By: <AI model attribution>
-```
-
-When there is no `PR-URL:` but there is an issue reference or commit:
-
-```
-fix: {description of the adaptation}
-
-Ref: {Node.js issue or commit link}
-
-Co-Authored-By: <AI model attribution>
-```
-
-Use the **upstream commit's original title** when available — do not paraphrase or rewrite it. To find it: check the commit message in `../third_party/electron_node` for `PR-URL:` or `Refs:` lines.
-
-Only add a description body if it provides clarity beyond what the title already says (e.g., when Electron's adaptation is non-obvious). For simple renames, method additions, or straightforward API updates, the title + Ref link is sufficient.
-
-Each change should have its own commit and its own Ref. Logically group into commits that make sense rather than one giant commit. You may include multiple "Ref" links if required.
-
-IMPORTANT: Try really hard to find a reference. Each change you made should in theory have been in response to a change in Node.js. Check `git log` and `git blame` in the Node.js repo. Do not give up easily.
-
-### For Patch Updates (patches/node/*.patch)
-
-Use the same fixup workflow as Phase One and follow `references/phase-one-commit-guidelines.md` for the commit message format (`fix(patch):` prefix, topic style).
-
-## Dependent Patch Header Updates
-
-After any patch modification, check for other affected patches:
-
-```bash
-git status
-# If other .patch files show as modified with only index, line number, and context changes:
-git add patches/
-git commit -m "chore: update patches (trivial only)"
-```
-
-## Finding References
-
-Use `git log` or `git blame` on Node.js source files in `../third_party/electron_node`. Look for:
-
-```
-PR-URL: https://github.com/nodejs/node/pull/XXXXX
-Refs: https://github.com/nodejs/node/issues/XXXXX
-```
-
-Note: Many Node.js patches in Electron are Electron-authored and won't have upstream `PR-URL:` lines. Check the patch's own commit message for `Refs:` lines, or use `git log` in the Node.js repo to find which upstream commit caused the build break.
-
-If no reference found after searching: `Ref: Unable to locate reference`
-
-## Example Commits
-
-### Electron Source Fix (with upstream PR)
-
-```
-node#61898: src: stop using v8::PropertyCallbackInfo<T>::This()
-
-Ref: https://github.com/nodejs/node/pull/61898
-
-Co-Authored-By: <AI model attribution>
-```
-
-### Electron Source Fix (with issue reference, no PR)
-
-```
-fix: adapt to v8::PropertyCallbackInfo<T>::This() removal
-
-Updated NodeBindings to use HolderV2() after upstream Node.js
-stopped using the deprecated This() API.
-
-Ref: https://github.com/nodejs/node/issues/60616
-
-Co-Authored-By: <AI model attribution>
-```
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -2,7 +2,7 @@ version: '3'

 services:
  buildtools:
-    image: ghcr.io/electron/devcontainer:a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb
+    image: ghcr.io/electron/devcontainer:424eedbf277ad9749ffa9219068aa72ed4a5e373

    volumes:
      - ..:/workspaces/gclient/src/electron:cached
--- a/.devcontainer/on-create-command.sh
+++ b/.devcontainer/on-create-command.sh
@@ -48,8 +48,7 @@ if [ ! -f $buildtools/configs/evm.testing.json ]; then
            \"gen\": {
                \"args\": [
                    \"import(\\\"//electron/build/args/testing.gn\\\")\",
-                    \"use_remoteexec = true\",
-                    \"use_siso=true\"
+                    \"use_remoteexec = true\"
                ],
                \"out\": \"Testing\"
            },
@@ -59,13 +58,13 @@ if [ ! -f $buildtools/configs/evm.testing.json ]; then
            },
            \"\$schema\": \"file:///home/builduser/.electron_build_tools/evm-config.schema.json\",
            \"configValidationLevel\": \"strict\",
-            \"remoteBuild\": \"siso\",
-            \"preserveSDK\": 5
+            \"reclient\": \"$1\",
+            \"preserveXcode\": 5
        }
    " >$buildtools/configs/evm.testing.json
  }

-  write_config
+  write_config remote_exec

  e use testing 
 else
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -58,16 +58,6 @@ body:
    label: Last Known Working Electron version
    description: What is the last version of Electron this worked in, if applicable?
    placeholder: 16.0.0
- type: dropdown
-  attributes:
-    label: Does the issue also appear in Chromium / Google Chrome?
-    description: If it does, please report the issue in the [Chromium issue tracker](https://issues.chromium.org/issues), not against Electron. Electron will inherit the fix once Chromium resolves the issue.
-    options:
-      - I don't know how to test
-      - "Yes"
-      - "No"
-  validations:
-    required: true
 - type: textarea
  attributes:
    label: Expected Behavior
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -10,7 +10,7 @@ Contributors guide: https://github.com/electron/electron/blob/main/CONTRIBUTING.
 #### Checklist
 <!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->

- [ ] PR description included
+- [ ] PR description included and stakeholders cc'd
 - [ ] `npm test` passes
 - [ ] tests are [changed or added](https://github.com/electron/electron/blob/main/docs/development/testing.md)
 - [ ] relevant API documentation, tutorials, and examples are updated and follow the [documentation style guide](https://github.com/electron/electron/blob/main/docs/development/style-guide.md)
--- a/.github/actions/build-electron/action.yml
+++ b/.github/actions/build-electron/action.yml
@@ -17,6 +17,9 @@ inputs:
  is-release:
    description: 'Is release build'
    required: true
+  strip-binaries:
+    description: 'Strip binaries (Linux only)'
+    required: false
  generate-symbols:
    description: 'Generate symbols'
    required: true
@@ -35,17 +38,10 @@ runs:
      run: |
        GN_APPENDED_ARGS="$GN_EXTRA_ARGS target_cpu=\"x64\" v8_snapshot_toolchain=\"//build/toolchain/mac:clang_x64\""
        echo "GN_EXTRA_ARGS=$GN_APPENDED_ARGS" >> $GITHUB_ENV
-    - name: Set GN_EXTRA_ARGS for Windows
-      shell: bash
-      if: ${{inputs.target-arch != 'x64' && inputs.target-platform == 'win' }}
-      run: |
-        GN_APPENDED_ARGS="$GN_EXTRA_ARGS target_cpu=\"${{ inputs.target-arch }}\""
-        echo "GN_EXTRA_ARGS=$GN_APPENDED_ARGS" >> $GITHUB_ENV
    - name: Add Clang problem matcher
      shell: bash
      run: echo "::add-matcher::src/electron/.github/problem-matchers/clang.json"
    - name: Build Electron ${{ inputs.step-suffix }}
-      if: ${{ inputs.target-platform != 'win' }}
      shell: bash
      run: |
        rm -rf "src/out/Default/Electron Framework.framework"
@@ -61,51 +57,22 @@ runs:
          sudo launchctl limit maxfiles 65536 200000
        fi

-        if [ "${{ inputs.is-release }}" = "true" ]; then
-          NINJA_SUMMARIZE_BUILD=1 e build --target electron:release_build
-        else
-          NINJA_SUMMARIZE_BUILD=1 e build --target electron:testing_build
-        fi
+        NINJA_SUMMARIZE_BUILD=1 e build -j $NUMBER_OF_NINJA_PROCESSES
        cp out/Default/.ninja_log out/electron_ninja_log
        node electron/script/check-symlinks.js
-
-        # Upload build stats to Datadog
-        if ! [ -z $DD_API_KEY ]; then
-          npx node electron/script/build-stats.mjs out/Default/siso.INFO --upload-stats || true          
-        else
-          echo "Skipping build-stats.mjs upload because DD_API_KEY is not set"
-        fi
-    - name: Build Electron (Windows) ${{ inputs.step-suffix }}
-      if: ${{ inputs.target-platform == 'win' }}
-      shell: powershell
+    - name: Strip Electron Binaries ${{ inputs.step-suffix }}
+      shell: bash
+      if: ${{ inputs.strip-binaries == 'true' }}
      run: |
-        cd src\electron
-        git pack-refs
-        cd ..
-
-        $env:NINJA_SUMMARIZE_BUILD = 1
-        if ("${{ inputs.is-release }}" -eq "true") {          
-          e build --target electron:release_build
-        } else {
-          e build --target electron:testing_build
-        }
-        Copy-Item out\Default\.ninja_log out\electron_ninja_log
-        node electron\script\check-symlinks.js
-
-        # Upload build stats to Datadog
-        if ($env:DD_API_KEY) {
-          try {
-            npx node electron\script\build-stats.mjs out\Default\siso.exe.INFO --upload-stats ; $LASTEXITCODE = 0
-          } catch {
-            Write-Host "Build stats upload failed, continuing..."
-          }
-        } else {
-          Write-Host "Skipping build-stats.mjs upload because DD_API_KEY is not set"
-        }
-    - name: Verify dist.zip ${{ inputs.step-suffix }}
+        cd src
+        electron/script/copy-debug-symbols.py --target-cpu="${{ inputs.target-arch }}" --out-dir=out/Default/debug --compress
+        electron/script/strip-binaries.py --target-cpu="${{ inputs.target-arch }}" --verbose
+        electron/script/add-debug-link.py --target-cpu="${{ inputs.target-arch }}" --debug-dir=out/Default/debug
+    - name: Build Electron dist.zip ${{ inputs.step-suffix }}
      shell: bash
      run: |
-        cd src        
+        cd src
+        e build --target electron:electron_dist_zip -j $NUMBER_OF_NINJA_PROCESSES -d explain
        if [ "${{ inputs.is-asan }}" != "true" ]; then
          target_os=${{ inputs.target-platform == 'macos' && 'mac' || inputs.target-platform }}
          if [ "${{ inputs.artifact-platform }}" = "mas" ]; then
@@ -113,10 +80,11 @@ runs:
          fi
          electron/script/zip_manifests/check-zip-manifest.py out/Default/dist.zip electron/script/zip_manifests/dist_zip.$target_os.${{ inputs.target-arch }}.manifest
        fi
-    - name: Fixup Mksnapshot ${{ inputs.step-suffix }}
+    - name: Build Mksnapshot ${{ inputs.step-suffix }}
      shell: bash
      run: |
        cd src
+        e build --target electron:electron_mksnapshot -j $NUMBER_OF_NINJA_PROCESSES
        ELECTRON_DEPOT_TOOLS_DISABLE_LOG=1 e d gn desc out/Default v8:run_mksnapshot_default args > out/Default/mksnapshot_args
        # Remove unused args from mksnapshot_args
        SEDOPTION="-i"
@@ -125,10 +93,21 @@ runs:
        fi
        sed $SEDOPTION '/.*builtins-pgo/d' out/Default/mksnapshot_args
        sed $SEDOPTION '/--turbo-profiling-input/d' out/Default/mksnapshot_args
-        sed $SEDOPTION '/--reorder-builtins/d' out/Default/mksnapshot_args
-        sed $SEDOPTION '/--warn-about-builtin-profile-data/d' out/Default/mksnapshot_args
-        sed $SEDOPTION '/--abort-on-bad-builtin-profile-data/d' out/Default/mksnapshot_args

+        if [ "${{ inputs.target-platform }}" = "linux" ]; then
+          if [ "${{ inputs.target-arch }}" = "arm" ]; then
+            electron/script/strip-binaries.py --file $PWD/out/Default/clang_x86_v8_arm/mksnapshot
+            electron/script/strip-binaries.py --file $PWD/out/Default/clang_x86_v8_arm/v8_context_snapshot_generator
+          elif [ "${{ inputs.target-arch }}" = "arm64" ]; then
+            electron/script/strip-binaries.py --file $PWD/out/Default/clang_x64_v8_arm64/mksnapshot
+            electron/script/strip-binaries.py --file $PWD/out/Default/clang_x64_v8_arm64/v8_context_snapshot_generator
+          else
+            electron/script/strip-binaries.py --file $PWD/out/Default/mksnapshot
+            electron/script/strip-binaries.py --file $PWD/out/Default/v8_context_snapshot_generator
+          fi
+        fi
+
+        e build --target electron:electron_mksnapshot_zip -j $NUMBER_OF_NINJA_PROCESSES
        if [ "${{ inputs.target-platform }}" = "win" ]; then
          cd out/Default
          powershell Compress-Archive -update mksnapshot_args mksnapshot.zip
@@ -162,15 +141,13 @@ runs:
      shell: bash
      run: |
        cd src
+        e build --target electron:electron_chromedriver -j $NUMBER_OF_NINJA_PROCESSES
        e build --target electron:electron_chromedriver_zip
-
-        if [ "${{ inputs.is-asan }}" != "true" ]; then
-          target_os=${{ inputs.target-platform == 'macos' && 'mac' || inputs.target-platform }}
-          if [ "${{ inputs.artifact-platform }}" = "mas" ]; then
-            target_os="${target_os}_mas"
-          fi
-          electron/script/zip_manifests/check-zip-manifest.py out/Default/chromedriver.zip electron/script/zip_manifests/chromedriver_zip.$target_os.${{ inputs.target-arch }}.manifest
-        fi
+    - name: Build Node.js headers ${{ inputs.step-suffix }}
+      shell: bash
+      run: |
+        cd src
+        e build --target electron:node_headers
    - name: Create installed_software.json ${{ inputs.step-suffix }}
      shell: powershell
      if: ${{ inputs.is-release == 'true' && inputs.target-platform == 'win' }}
@@ -190,11 +167,17 @@ runs:
        # Needed for msdia140.dll on 64-bit windows
        cd src
        export PATH="$PATH:$(pwd)/third_party/llvm-build/Release+Asserts/bin"
-    - name: Zip Symbols ${{ inputs.step-suffix }}
+    - name: Generate & Zip Symbols ${{ inputs.step-suffix }}
      shell: bash
      run: |
+        # Generate breakpad symbols on release builds
+        if [ "${{ inputs.generate-symbols }}" = "true" ]; then
+          e build --target electron:electron_symbols
+        fi
        cd src
        export BUILD_PATH="$(pwd)/out/Default"
+        e build --target electron:licenses
+        e build --target electron:electron_version_file
        if [ "${{ inputs.is-release }}" = "true" ]; then
          DELETE_DSYMS_AFTER_ZIP=1 electron/script/zip-symbols.py -b $BUILD_PATH
        else
@@ -205,18 +188,20 @@ runs:
      if: ${{ inputs.is-release == 'true' }}
      run: |
        cd src
-        # Reuse the hermetic mac_sdk_path that `e build` wrote for out/Default so
-        # out/ffmpeg builds against the same SDK instead of the runner's system Xcode.
-        # The path has to live under root_build_dir, so copy the symlink tree and
-        # rewrite Default -> ffmpeg.
-        MAC_SDK_ARG=""
-        if [ "$(uname)" = "Darwin" ]; then
-          mkdir -p out/ffmpeg
-          cp -a out/Default/xcode_links out/ffmpeg/
-          MAC_SDK_ARG=$(sed -n 's|^\(mac_sdk_path = "//out/\)Default/|\1ffmpeg/|p' out/Default/args.gn)
-        fi
-        gn gen out/ffmpeg --args="import(\"//electron/build/args/ffmpeg.gn\") use_remoteexec=true use_siso=true $MAC_SDK_ARG $GN_EXTRA_ARGS"
-        e build --target electron:electron_ffmpeg_zip -C ../../out/ffmpeg
+        gn gen out/ffmpeg --args="import(\"//electron/build/args/ffmpeg.gn\") use_remoteexec=true $GN_EXTRA_ARGS"
+        e build --target electron:electron_ffmpeg_zip -C ../../out/ffmpeg -j $NUMBER_OF_NINJA_PROCESSES
+    - name: Generate Hunspell Dictionaries ${{ inputs.step-suffix }}
+      shell: bash
+      if: ${{ inputs.is-release == 'true' && inputs.target-platform == 'linux' }}
+      run: |
+        e build --target electron:hunspell_dictionaries_zip -j $NUMBER_OF_NINJA_PROCESSES
+    - name: Generate Libcxx ${{ inputs.step-suffix }}
+      shell: bash
+      if: ${{ inputs.is-release == 'true' && inputs.target-platform == 'linux' }}
+      run: |
+        e build --target electron:libcxx_headers_zip -j $NUMBER_OF_NINJA_PROCESSES
+        e build --target electron:libcxxabi_headers_zip -j $NUMBER_OF_NINJA_PROCESSES
+        e build --target electron:libcxx_objects_zip -j $NUMBER_OF_NINJA_PROCESSES
    - name: Remove Clang problem matcher
      shell: bash
      run: echo "::remove-matcher owner=clang::"
@@ -225,11 +210,10 @@ runs:
      shell: bash
      run: |
        cd src/electron
-        node script/yarn.js create-typescript-definitions
+        node script/yarn create-typescript-definitions
    - name: Publish Electron Dist ${{ inputs.step-suffix }}
      if: ${{ inputs.is-release == 'true' }}
      shell: bash
-      id: github-upload
      run: |
        rm -rf src/out/Default/obj
        cd src/electron
@@ -240,34 +224,7 @@ runs:
          echo 'Uploading Electron release distribution to GitHub releases'
          script/release/uploaders/upload.py --verbose
        fi
-    - name: Generate artifact attestation
-      if: ${{ inputs.is-release == 'true' }}
-      uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
-      with:
-        subject-path: ${{ steps.github-upload.outputs.UPLOADED_PATHS }}
-    - name: Generate siso report
-      if: ${{ inputs.target-platform != 'win' && !cancelled() }}
-      shell: bash
-      run: |
-        cd src
-        e d siso report -C out/Default > siso_report.txt
-        SISO_REPORT_PATH=$(grep -o '/.*siso-report-[^ ]*' siso_report.txt)
-        echo "SISO_REPORT_PATH=$SISO_REPORT_PATH" >> $GITHUB_ENV
-        cat siso_report.txt
-        echo "SISO REPORT AT $SISO_REPORT_PATH"
-    - name: Generate siso report (Windows)
-      if: ${{ inputs.target-platform == 'win' && !cancelled() }}
-      shell: powershell
-      run: |
-        cd src
-        e d siso report -C out\Default > siso_report.txt
-        $SISO_REPORT_PATH = Get-Content "siso_report.txt" | Select-String "report file:\s*(.+)" | ForEach-Object { 
-          $_.Matches.Groups[1].Value.Trim() 
-        }
-        echo "SISO_REPORT_PATH=$SISO_REPORT_PATH"
-        echo "SISO_REPORT_PATH=$SISO_REPORT_PATH" >> $env:GITHUB_ENV
    - name: Generate Artifact Key
-      if: always() && !cancelled()
      shell: bash
      run: |
        if [ "${{ inputs.is-asan }}" = "true" ]; then 
@@ -279,17 +236,15 @@ runs:
    # The current generated_artifacts_<< artifact.key >> name was taken from CircleCI
    # to ensure we don't break anything, but we may be able to improve that.
    - name: Move all Generated Artifacts to Upload Folder ${{ inputs.step-suffix }}
-      if: always() && !cancelled()
      shell: bash
      run: ./src/electron/script/actions/move-artifacts.sh
    - name: Upload Generated Artifacts ${{ inputs.step-suffix }}
-      if: always() && !cancelled()
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
      with:
        name: generated_artifacts_${{ env.ARTIFACT_KEY }}
        path: ./generated_artifacts_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}
    - name: Upload Src Artifacts ${{ inputs.step-suffix }}
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
      with:
        name: src_artifacts_${{ env.ARTIFACT_KEY }}
        path: ./src_artifacts_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}
--- a/.github/actions/checkout/action.yml
+++ b/.github/actions/checkout/action.yml
@@ -28,7 +28,7 @@ runs:
    shell: bash
    run: |
      node src/electron/script/generate-deps-hash.js
-      DEPSHASH="v2-src-cache-$(cat src/electron/.depshash)"
+      DEPSHASH="v1-src-cache-$(cat src/electron/.depshash)"
      echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
      echo "CACHE_FILE=$DEPSHASH.tar" >> $GITHUB_ENV
      if [ "${{ inputs.target-platform }}" = "win" ]; then
@@ -40,10 +40,10 @@ runs:
    if: ${{ inputs.generate-sas-token == 'true' }}
    shell: bash
    run: |
-      curl --unix-socket /var/run/sas/sas.sock --fail "http://foo/$CACHE_FILE?platform=${{ inputs.target-platform }}&getAccountName=true" > sas-token
+      curl --unix-socket /var/run/sas/sas.sock --fail "http://foo/$CACHE_FILE?platform=${{ inputs.target-platform }}" > sas-token
  - name: Save SAS Key
    if: ${{ inputs.generate-sas-token == 'true' }}
-    uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+    uses: actions/cache/save@d4323d4df104b026a6aa633fdb11d772146be0bf
    with:
      path: sas-token
      key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-${{ github.run_attempt }}
@@ -109,7 +109,7 @@ runs:
        echo "target_os=['$TARGET_OS']" >> ./.gclient
      fi

-      ELECTRON_DEPOT_TOOLS_WIN_TOOLCHAIN=0 DEPOT_TOOLS_WIN_TOOLCHAIN=0 ELECTRON_USE_THREE_WAY_MERGE_FOR_PATCHES=1 e d gclient sync --with_branch_heads --with_tags
+      ELECTRON_USE_THREE_WAY_MERGE_FOR_PATCHES=1 e d gclient sync --with_branch_heads --with_tags -vv
      if [[ "${{ inputs.is-release }}" != "true" ]]; then
        # Re-export all the patches to check if there were changes.
        python3 src/electron/script/export_all_patches.py src/electron/patches/config.json
@@ -117,7 +117,12 @@ runs:
        git update-index --refresh || true
        if ! git diff-index --quiet HEAD --; then
          # There are changes to the patches. Make a git commit with the updated patches
-          if node ./script/patch-up.js; then
+          git add patches
+          GIT_COMMITTER_NAME="PatchUp" GIT_COMMITTER_EMAIL="73610968+patchup[bot]@users.noreply.github.com" git commit -m "chore: update patches" --author="PatchUp <73610968+patchup[bot]@users.noreply.github.com>"
+          # Export it
+          mkdir -p ../../patches
+          git format-patch -1 --stdout --keep-subject --no-stat --full-index > ../../patches/update-patches.patch
+          if node ./script/push-patch.js; then
            echo
            echo "======================================================================"
            echo "Changes to the patches when applying, we have auto-pushed the diff to the current branch"
@@ -125,11 +130,6 @@ runs:
            echo "======================================================================"
            exit 1
          else
-            git add patches
-            GIT_COMMITTER_NAME="PatchUp" GIT_COMMITTER_EMAIL="73610968+patchup[bot]@users.noreply.github.com" git commit -m "chore: update patches" --author="PatchUp <73610968+patchup[bot]@users.noreply.github.com>"
-            # Export it
-            mkdir -p ../../patches
-            git format-patch -1 --stdout --keep-subject --no-stat --full-index > ../../patches/update-patches.patch
            echo
            echo "======================================================================"
            echo "There were changes to the patches when applying."
@@ -143,17 +143,16 @@ runs:
          echo "No changes to patches detected"
        fi
      fi
-  - name: Remove patch conflict problem matchers
+  - name: Remove patch conflict problem matcher
    shell: bash
    run: |
      echo "::remove-matcher owner=merge-conflict::"
      echo "::remove-matcher owner=patch-conflict::"
-      echo "::remove-matcher owner=patch-needs-update::"
  - name: Upload patches stats
    if: ${{ inputs.target-platform == 'linux' && github.ref == 'refs/heads/main' }}
    shell: bash
    run: |
-      node src/electron/script/patches-stats.mjs --upload-stats || true
+      npx node src/electron/script/patches-stats.mjs --upload-stats || true
  # delete all .git directories under src/ except for
  # third_party/angle/ and third_party/dawn/ because of build time generation of files
  # gen/angle/commit.h depends on third_party/angle/.git/HEAD
@@ -173,6 +172,7 @@ runs:
    run: |
      rm -rf src/android_webview
      rm -rf src/ios/chrome
+      rm -rf src/third_party/blink/web_tests
      rm -rf src/third_party/blink/perf_tests
      rm -rf src/chrome/test/data/xr/webvr_info
      rm -rf src/third_party/angle/third_party/VK-GL-CTS/src
@@ -187,35 +187,21 @@ runs:
    shell: bash
    run: |
      echo "Uncompressed src size: $(du -sh src | cut -f1 -d' ')"
-      # Named .tar but zstd-compressed; the sas-sidecar's filename allowlist
-      # only permits .tar/.tgz so we keep the extension and decode on restore.
-      tar -cf - src | zstd -T0 --long=30 -f -o $CACHE_FILE
+      tar -cf $CACHE_FILE src
      echo "Compressed src to $(du -sh $CACHE_FILE | cut -f1 -d' ')"
+      cp ./$CACHE_FILE $CACHE_DRIVE/
  - name: Persist Src Cache
    if: ${{ steps.check-cache.outputs.cache_exists == 'false' && inputs.use-cache == 'true' }}
    shell: bash
    run: |
      final_cache_path=$CACHE_DRIVE/$CACHE_FILE
-      # Upload to a run-unique temp name first so concurrent readers never
-      # observe a partially-written file, and an interrupted copy can't leave
-      # a truncated file at the final path. Orphaned temp files get swept by
-      # the clean-orphaned-cache-uploads workflow.
-      tmp_cache_path=$final_cache_path.upload-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}
-      echo "Uploading to temp path: $tmp_cache_path"
-      cp ./$CACHE_FILE $tmp_cache_path
-
      echo "Using cache key: $DEPSHASH"
-      if [ -f "$final_cache_path" ]; then
-        echo "Cache already persisted at $final_cache_path by a concurrent run; discarding ours"
-        rm -f $tmp_cache_path
-      else
-        mv -f $tmp_cache_path $final_cache_path
-        echo "Cache key persisted in $final_cache_path"
-      fi
-
+      echo "Checking path: $final_cache_path"
      if [ ! -f "$final_cache_path" ]; then
        echo "Cache key not found"
        exit 1
+      else
+        echo "Cache key persisted in $final_cache_path"
      fi
  - name: Wait for active SSH sessions
    shell: bash
--- a/.github/actions/cipd-install/action.yml
+++ b/.github/actions/cipd-install/action.yml
@@ -14,58 +14,27 @@ inputs:
    description: 'Target platform, should be linux, win, macos'
  package:
    description: 'Package to install'
-  dependency-version:
-    description: 'Version of the dependency to install'
-    default: ''
 runs:
  using: "composite"
  steps:
    - name: Delete wrong ${{ inputs.dependency }}
      shell: bash
-      env:
-        CIPD_ROOT_PREFIX: ${{ inputs.cipd-root-prefix-path }}
-        INSTALLATION_DIR: ${{ inputs.installation-dir }}
      run : |
-        rm -rf "${CIPD_ROOT_PREFIX}${INSTALLATION_DIR}"
+        rm -rf ${{ inputs.cipd-root-prefix-path }}${{ inputs.installation-dir }}
    - name: Create ensure file for ${{ inputs.dependency }}
-      if: ${{ inputs.dependency-version == '' }}
      shell: bash
-      env:
-        PACKAGE: ${{ inputs.package }}
-        DEPS_FILE: ${{ inputs.deps-file }}
-        INSTALLATION_DIR: ${{ inputs.installation-dir }}
-        DEPENDENCY: ${{ inputs.dependency }}
      run: |
-        echo "$PACKAGE" $(e d gclient getdep --deps-file="$DEPS_FILE" -r "${INSTALLATION_DIR}:${PACKAGE}") > "${DEPENDENCY}_ensure_file"
-        cat "${DEPENDENCY}_ensure_file"
-
-    - name: Create ensure file for ${{ inputs.dependency }} from dependency-version
-      if: ${{ inputs.dependency-version != '' }}
-      shell: bash
-      env:
-        PACKAGE: ${{ inputs.package }}
-        DEPENDENCY_VERSION: ${{ inputs.dependency-version }}
-        DEPENDENCY: ${{ inputs.dependency }}
-      run: |
-        echo "$PACKAGE $DEPENDENCY_VERSION" > "${DEPENDENCY}_ensure_file"
-        cat "${DEPENDENCY}_ensure_file"
+        echo '${{ inputs.package }}' `e d gclient getdep --deps-file=${{ inputs.deps-file }} -r '${{ inputs.installation-dir }}:${{ inputs.package }}'` > ${{ inputs.dependency }}_ensure_file
+        cat ${{ inputs.dependency }}_ensure_file
    - name: CIPD installation of ${{ inputs.dependency }} (macOS)
-      if: ${{ inputs.target-platform != 'win' }}
+      if: ${{ inputs.target-platform == 'macos' }}
      shell: bash
-      env:
-        CIPD_ROOT_PREFIX: ${{ inputs.cipd-root-prefix-path }}
-        INSTALLATION_DIR: ${{ inputs.installation-dir }}
-        DEPENDENCY: ${{ inputs.dependency }}
      run: |
-        echo "ensuring $DEPENDENCY"
-        e d cipd ensure --root "${CIPD_ROOT_PREFIX}${INSTALLATION_DIR}" -ensure-file "${DEPENDENCY}_ensure_file"
+        echo "ensuring ${{ inputs.dependency }} on macOS"
+        e d cipd ensure --root ${{ inputs.cipd-root-prefix-path }}${{ inputs.installation-dir }} -ensure-file ${{ inputs.dependency }}_ensure_file
    - name: CIPD installation of ${{ inputs.dependency }} (Windows)
      if: ${{ inputs.target-platform == 'win' }}
      shell: powershell
-      env:
-        CIPD_ROOT_PREFIX: ${{ inputs.cipd-root-prefix-path }}
-        INSTALLATION_DIR: ${{ inputs.installation-dir }}
-        DEPENDENCY: ${{ inputs.dependency }}
      run: |
-        echo "ensuring $env:DEPENDENCY on Windows"
-        e d cipd ensure --root "$env:CIPD_ROOT_PREFIX$env:INSTALLATION_DIR" -ensure-file "$($env:DEPENDENCY)_ensure_file"
+        echo "ensuring ${{ inputs.dependency }} on Windows"
+        e d cipd ensure --root ${{ inputs.cipd-root-prefix-path }}${{ inputs.installation-dir }} -ensure-file ${{ inputs.dependency }}_ensure_file
--- a/.github/actions/fix-sync/action.yml
+++ b/.github/actions/fix-sync/action.yml
@@ -19,17 +19,12 @@ inputs:
 runs:
  using: "composite"
  steps:
-    - name: Fix llvm toolchain
-      if: ${{ inputs.target-platform != 'linux' }}
+    - name: Fix clang
      shell: bash
      run : |
        rm -rf src/third_party/llvm-build
        python3 src/tools/clang/scripts/update.py
-        # Refs https://chromium-review.googlesource.com/c/chromium/src/+/6667681
-        python3 src/tools/clang/scripts/update.py --package objdump
-        python3 src/tools/clang/scripts/update.py --package clang-tidy
    - name: Fix esbuild
-      if: ${{ inputs.target-platform != 'linux' }}
      uses: ./src/electron/.github/actions/cipd-install
      with:
        cipd-root-prefix-path: src/third_party/devtools-frontend/src/
@@ -38,24 +33,7 @@ runs:
        installation-dir: third_party/esbuild
        target-platform: ${{ inputs.target-platform }}
        package: infra/3pp/tools/esbuild/${platform}
-    - name: Fix rollup
-      if: ${{ inputs.target-platform != 'linux' }}
-      uses: ./src/electron/.github/actions/cipd-install
-      with:
-        cipd-root-prefix-path: src/third_party/devtools-frontend/src/
-        dependency: rollup_libs
-        deps-file: src/third_party/devtools-frontend/src/DEPS
-        installation-dir: third_party/rollup_libs
-        target-platform: ${{ inputs.target-platform }}
-        package: infra/3pp/tools/rollup_libs/${platform}
-    - name: Sync native rollup libs
-      if: ${{ inputs.target-platform != 'linux' }}
-      shell: bash
-      run : |
-        cd src/third_party/devtools-frontend/src
-        python3 scripts/deps/sync_rollup_libs.py
    - name: Fix rustc
-      if: ${{ inputs.target-platform != 'linux' }}
      shell: bash
      run : |
        rm -rf src/third_party/rust-toolchain
@@ -79,7 +57,6 @@ runs:
        target-platform: ${{ inputs.target-platform }}
        package: gn/gn/windows-amd64
    - name: Fix reclient
-      if: ${{ inputs.target-platform != 'linux' }}
      uses: ./src/electron/.github/actions/cipd-install
      with:
        dependency: reclient
@@ -88,7 +65,6 @@ runs:
        target-platform: ${{ inputs.target-platform }}
        package: infra/rbe/client/${platform}
    - name: Configure reclient configs
-      if: ${{ inputs.target-platform != 'linux' }}
      shell: bash
      run : |
        python3 src/buildtools/reclient_cfgs/configure_reclient_cfgs.py --rbe_instance "projects/rbe-chrome-untrusted/instances/default_instance" --reproxy_cfg_template reproxy.cfg.template --rewrapper_cfg_project "" --skip_remoteexec_cfg_fetch
@@ -106,7 +82,6 @@ runs:
          python3 src/third_party/depot_tools/download_from_google_storage.py --no_resume --no_auth --bucket chromium-browser-clang -s $DSYM_SHA_FILE -o src/tools/clang/dsymutil/bin/dsymutil
        fi
    - name: Fix ninja
-      if: ${{ inputs.target-platform != 'linux' }}
      uses: ./src/electron/.github/actions/cipd-install
      with:
        dependency: ninja
@@ -115,25 +90,15 @@ runs:
        target-platform: ${{ inputs.target-platform }}
        package: infra/3pp/tools/ninja/${platform}
    - name: Set ninja in path
-      if: ${{ inputs.target-platform != 'linux' }}
      shell: bash
      run : |
        echo "$(pwd)/src/third_party/ninja" >> $GITHUB_PATH
-    - name: Fix siso
-      uses: ./src/electron/.github/actions/cipd-install
-      with:
-        dependency: siso
-        deps-file: src/DEPS
-        installation-dir: src/third_party/siso/cipd
-        target-platform: ${{ inputs.target-platform }}
-        package: build/siso/${platform}
    - name: Fixup angle git
-      if: ${{ inputs.target-platform != 'linux' }}
      shell: bash
      run : |
        cd src/third_party/angle
        rm -f .git/objects/info/alternates
-        git remote set-url origin https://github.com/google/angle.git
+        git remote set-url origin https://chromium.googlesource.com/angle/angle.git
        cp .git/config .git/config.backup
        git remote remove origin
        mv .git/config.backup .git/config
--- a/.github/actions/free-space-macos/action.yml
+++ b/.github/actions/free-space-macos/action.yml
@@ -6,8 +6,6 @@ runs:
    - name: Free Space on MacOS
      shell: bash
      run: |
-        echo "Disk usage before cleanup:"
-        df -h
        sudo mkdir -p $TMPDIR/del-target

        tmpify() {
@@ -17,30 +15,28 @@ runs:
        }

        strip_universal_deep() {
-          if [ -d "$1" ]; then
-            opwd=$(pwd)
-            cd $1
-            f=$(find . -perm +111 -type f)
-            for fp in $f
-            do
-              if [[ $(file "$fp") == *"universal binary"* ]]; then
-                if [ "`arch`" == "arm64" ]; then
-                  if [[ $(file "$fp") == *"x86_64"* ]]; then
-                    sudo lipo -remove x86_64 "$fp" -o "$fp" || true
-                  fi
-                else
-                  if [[ $(file "$fp") == *"arm64e)"* ]]; then
-                    sudo lipo -remove arm64e "$fp" -o "$fp" || true
-                  fi
-                  if [[ $(file "$fp") == *"arm64)"* ]]; then
-                    sudo lipo -remove arm64 "$fp" -o "$fp" || true
-                  fi
+          opwd=$(pwd)
+          cd $1
+          f=$(find . -perm +111 -type f)
+          for fp in $f
+          do
+            if [[ $(file "$fp") == *"universal binary"* ]]; then
+              if [ "`arch`" == "arm64" ]; then
+                if [[ $(file "$fp") == *"x86_64"* ]]; then
+                  sudo lipo -remove x86_64 "$fp" -o "$fp" || true
+                fi
+              else
+                if [[ $(file "$fp") == *"arm64e)"* ]]; then
+                  sudo lipo -remove arm64e "$fp" -o "$fp" || true
+                fi
+                if [[ $(file "$fp") == *"arm64)"* ]]; then
+                  sudo lipo -remove arm64 "$fp" -o "$fp" || true
                fi
              fi
-            done
+            fi
+          done

-            cd $opwd
-          fi
+          cd $opwd
        }

        tmpify /Library/Developer/CoreSimulator
@@ -61,31 +57,9 @@ runs:
        sudo rm -rf $TMPDIR/del-target

        sudo rm -rf /Applications/Safari.app
-        sudo rm -rf /Applications/Xcode_16.1.app
-        sudo rm -rf /Applications/Xcode_16.2.app
-        sudo rm -rf /Applications/Xcode_16.3.app
-        sudo rm -rf /Applications/Xcode_26*
-        sudo rm -rf /Applications/Google Chrome.app
-        sudo rm -rf /Applications/Google Chrome for Testing.app
-        sudo rm -rf /Applications/Firefox.app
-        sudo rm -rf /Applications/Microsoft Edge.app
        sudo rm -rf ~/project/src/third_party/catapult/tracing/test_data
        sudo rm -rf ~/project/src/third_party/angle/third_party/VK-GL-CTS
-        sudo rm -rf /Users/runner/Library/Android
-        sudo rm -rf $JAVA_HOME_11_arm64
-        sudo rm -rf $JAVA_HOME_17_arm64
-        sudo rm -rf $JAVA_HOME_21_arm64
-        sudo rm -rf $JAVA_HOME_25_arm64
-        sudo rm -rf /Users/runner/.dotnet/
-        sudo rm -rf /Users/runner/.rustup
-
-        # remove homebrew packages we don't need
-        if command -v brew &> /dev/null; then
-          brew uninstall -f --zap aws-sam-cli session-manager-plugin gcc gcc@13 gcc@14 llvm@18 gradle maven ant azure-cli
-          brew autoremove
-        fi

        # lipo off some huge binaries arm64 versions to save space
        strip_universal_deep $(xcode-select -p)/../SharedFrameworks
-        # strip_arm_deep /System/Volumes/Data/Library/Developer/CommandLineTools/usr
-        sudo mdutil -a -i off
+        # strip_arm_deep /System/Volumes/Data/Library/Developer/CommandLineTools/usr
--- a/.github/actions/generate-types/action.yml
+++ b/.github/actions/generate-types/action.yml
@@ -13,16 +13,12 @@ runs:
  - name: Generating Types for SHA in ${{ inputs.sha-file }}
    shell: bash
    run: |
-      export ELECTRON_DIR=$(pwd)
-      if [ "${{ inputs.sha-file }}" == ".dig-old" ]; then
-        cd /tmp
-        git clone https://github.com/electron/electron.git
-        cd electron
-      fi
-      git checkout $(cat $ELECTRON_DIR/${{ inputs.sha-file }})
-      node script/yarn.js install --immutable
+      git checkout $(cat ${{ inputs.sha-file }})
+      rm -rf node_modules
+      yarn install --frozen-lockfile --ignore-scripts
      echo "#!/usr/bin/env node\nglobal.x=1" > node_modules/typescript/bin/tsc
      node node_modules/.bin/electron-docs-parser --dir=./ --outDir=./ --moduleVersion=0.0.0-development
      node node_modules/.bin/electron-typescript-definitions --api=electron-api.json --outDir=artifacts
-      mv artifacts/electron.d.ts $ELECTRON_DIR/artifacts/${{ inputs.filename }}
+      mv artifacts/electron.d.ts artifacts/${{ inputs.filename }}
+      git checkout .
    working-directory: ./electron
--- a/.github/actions/install-build-tools/action.yml
+++ b/.github/actions/install-build-tools/action.yml
@@ -11,11 +11,9 @@ runs:
        git config --global core.autocrlf false
        git config --global branch.autosetuprebase always
        git config --global core.fscache true
-        git config --global core.longpaths true
        git config --global core.preloadindex true
-        git config --global core.longpaths true
      fi
-      export BUILD_TOOLS_SHA=1b7bd25dae4a780bb3170fff56c9327b53aaf7eb
+      export BUILD_TOOLS_SHA=6e8526315ea3b4828882497e532b8340e64e053c
      npm i -g @electron/build-tools
      # Update depot_tools to ensure python
      e d update_depot_tools
@@ -29,4 +27,4 @@ runs:
      else
        echo "$HOME/.electron_build_tools/third_party/depot_tools" >> $GITHUB_PATH
        echo "$HOME/.electron_build_tools/third_party/depot_tools/python-bin" >> $GITHUB_PATH
-      fi
+      fi
--- a/.github/actions/install-dependencies/action.yml
+++ b/.github/actions/install-dependencies/action.yml
@@ -6,8 +6,8 @@ runs:
  - name: Get yarn cache directory path
    shell: bash
    id: yarn-cache-dir-path
-    run: echo "dir=$(node src/electron/script/yarn.js config get cacheFolder)" >> $GITHUB_OUTPUT
-  - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+    run: echo "dir=$(node src/electron/script/yarn cache dir)" >> $GITHUB_OUTPUT
+  - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
    id: yarn-cache
    with:
      path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
@@ -18,14 +18,4 @@ runs:
    shell: bash
    run: |
      cd src/electron
-      if [ "$TARGET_ARCH" = "x86" ]; then
-        export npm_config_arch="ia32"
-      fi
-      # if running on linux arm skip yarn Builds
-      ARCH=$(uname -m)
-      if [ "$ARCH" = "armv7l" ]; then
-        echo "Skipping yarn build on linux arm"
-        node script/yarn.js install --immutable --mode=skip-build
-      else
-        node script/yarn.js install --immutable
-      fi
+      node script/yarn install --frozen-lockfile --prefer-offline
--- a/.github/actions/restore-cache-aks/action.yml
+++ b/.github/actions/restore-cache-aks/action.yml
@@ -31,7 +31,7 @@ runs:
      fi

      mkdir temp-cache
-      zstd -d --long=30 -c $cache_path | tar -xf - -C temp-cache
+      tar -xf $cache_path -C temp-cache
      echo "Unzipped cache is $(du -sh temp-cache/src | cut -f1)"

      if [ -d "temp-cache/src" ]; then
--- a/.github/actions/restore-cache-azcopy/action.yml
+++ b/.github/actions/restore-cache-azcopy/action.yml
@@ -8,14 +8,14 @@ runs:
  steps:
  - name: Obtain SAS Key
    continue-on-error: true
-    uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+    uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf
    with:
      path: sas-token
      key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-1
      enableCrossOsArchive: true
  - name: Obtain SAS Key
    continue-on-error: true
-    uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+    uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf
    with:
      path: sas-token
      key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-${{ github.run_attempt }}
@@ -24,7 +24,7 @@ runs:
    # The cache will always exist here as a result of the checkout job
    # Either it was uploaded to Azure in the checkout job for this commit
    # or it was uploaded in the checkout job for a previous commit.
-    uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
+    uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
    with:
      timeout_minutes: 30
      max_attempts: 3
@@ -32,23 +32,22 @@ runs:
      shell: bash
      command: |
        sas_token=$(cat sas-token)
-        if [ -z "$sas_token" ]; then
+        if [ -z $sas-token ]; then
          echo "SAS Token not found; exiting src cache download early..."
          exit 1
        else
-          sas_token=$(jq -r '.sasToken' sas-token)
-          account_name=$(jq -r '.accountName' sas-token)
          if [ "${{ inputs.target-platform }}" = "win" ]; then
            azcopy copy --log-level=ERROR \
-            "https://$account_name.file.core.windows.net/${{ env.AZURE_AKS_WIN_CACHE_SHARE_NAME }}/${{ env.CACHE_PATH }}?$sas_token" $DEPSHASH.tar
+            "https://${{ env.AZURE_AKS_CACHE_STORAGE_ACCOUNT }}.file.core.windows.net/${{ env.AZURE_AKS_WIN_CACHE_SHARE_NAME }}/${{ env.CACHE_PATH }}?$sas_token" $DEPSHASH.tar
          else
            azcopy copy --log-level=ERROR \
-            "https://$account_name.file.core.windows.net/${{ env.AZURE_AKS_CACHE_SHARE_NAME }}/${{ env.CACHE_PATH }}?$sas_token" $DEPSHASH.tar
+            "https://${{ env.AZURE_AKS_CACHE_STORAGE_ACCOUNT }}.file.core.windows.net/${{ env.AZURE_AKS_CACHE_SHARE_NAME }}/${{ env.CACHE_PATH }}?$sas_token" $DEPSHASH.tar
          fi            
        fi
    env:
-      AZURE_AKS_CACHE_SHARE_NAME: linux-cache
-      AZURE_AKS_WIN_CACHE_SHARE_NAME: windows-cache
+      AZURE_AKS_CACHE_STORAGE_ACCOUNT: f723719aa87a34622b5f7f3
+      AZURE_AKS_CACHE_SHARE_NAME: pvc-f6a4089f-b082-4bee-a3f9-c3e1c0c02d8f
+      AZURE_AKS_WIN_CACHE_SHARE_NAME: pvc-71dec4f2-0d44-4fd1-a2c3-add049d70bdf
  - name: Clean SAS Key
    shell: bash
    run: rm -f sas-token
@@ -61,9 +60,9 @@ runs:
        echo "Cache is empty - exiting"
        exit 1
      fi
-
+      
      mkdir temp-cache
-      zstd -d --long=30 -c $DEPSHASH.tar | tar -xf - -C temp-cache
+      tar -xf $DEPSHASH.tar -C temp-cache
      echo "Unzipped cache is $(du -sh temp-cache/src | cut -f1)"

      if [ -d "temp-cache/src" ]; then
@@ -85,21 +84,23 @@ runs:

  - name: Unzip and Ensure Src Cache (Windows)
    if: ${{ inputs.target-platform == 'win' }}
-    shell: bash
+    shell: powershell
    run: |
-      echo "Downloaded cache is $(du -sh $DEPSHASH.tar | cut -f1)"
-      if [ `du $DEPSHASH.tar | cut -f1` = "0" ]; then
-        echo "Cache is empty - exiting"
+      $src_cache = "$env:DEPSHASH.tar"
+      $cache_size = $(Get-Item $src_cache).length
+      Write-Host "Downloaded cache is $cache_size"
+      if ($cache_size -eq 0) {
+        Write-Host "Cache is empty - exiting"
        exit 1
-      fi
+      }

-      mkdir temp-cache
-      zstd -d --long=30 -c $DEPSHASH.tar | tar -xf - -C temp-cache
-      rm -f $DEPSHASH.tar
+      $TEMP_DIR=New-Item -ItemType Directory -Path temp-cache
+      $TEMP_DIR_PATH = $TEMP_DIR.FullName
+      C:\ProgramData\Chocolatey\bin\7z.exe -y x $src_cache -o"$TEMP_DIR_PATH"

  - name: Move Src Cache (Windows)
    if: ${{ inputs.target-platform == 'win' }}
-    uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
+    uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
    with:
      timeout_minutes: 30
      max_attempts: 3
@@ -110,6 +111,9 @@ runs:
          Write-Host "Relocating Cache"
          Remove-Item -Recurse -Force src
          Move-Item temp-cache\src src
+
+          Write-Host "Deleting zip file"
+          Remove-Item -Force $src_cache
        }
        if (-Not (Test-Path "src\third_party\blink")) {
          Write-Host "Cache was not correctly restored - exiting"
--- a/.github/actions/set-chromium-cookie/action.yml
+++ b/.github/actions/set-chromium-cookie/action.yml
@@ -7,7 +7,7 @@ runs:
    if: ${{ runner.os != 'Windows' }}
    shell: bash
    run: |
-      if [[ -z "$CHROMIUM_GIT_COOKIE" ]]; then
+      if [[ -z "${{ env.CHROMIUM_GIT_COOKIE }}" ]]; then
        echo "CHROMIUM_GIT_COOKIE is not set - cannot authenticate."
        exit 0
      fi
@@ -18,7 +18,9 @@ runs:

      git config --global http.cookiefile ~/.gitcookies

-      echo "$CHROMIUM_GIT_COOKIE" | tr , \\t >>~/.gitcookies
+      tr , \\t <<\__END__ >>~/.gitcookies
+      ${{ env.CHROMIUM_GIT_COOKIE }}
+      __END__
      eval 'set -o history' 2>/dev/null || unsetopt HIST_IGNORE_SPACE 2>/dev/null

      RESPONSE=$(curl -s -b ~/.gitcookies https://chromium-review.googlesource.com/a/accounts/self)
@@ -40,7 +42,7 @@ runs:
      )

      git config --global http.cookiefile "%USERPROFILE%\.gitcookies"
-      powershell -noprofile -nologo -command Write-Output $env:CHROMIUM_GIT_COOKIE_WINDOWS_STRING >>"%USERPROFILE%\.gitcookies"
+      powershell -noprofile -nologo -command Write-Output "${{ env.CHROMIUM_GIT_COOKIE_WINDOWS_STRING }}" >>"%USERPROFILE%\.gitcookies"

      curl -s -b "%USERPROFILE%\.gitcookies" https://chromium-review.googlesource.com/a/accounts/self > response.txt

--- a/.github/actions/ssh-debug/action.yml
+++ b/.github/actions/ssh-debug/action.yml
@@ -1,20 +0,0 @@
-name: Debug via SSH
-description: Setup a SSH server with a tunnel to access it to debug via SSH.
-inputs:
-  tunnel:
-    description: 'Enable SSH tunneling via cloudflared'
-    required: true
-    default: 'false'
-  timeout:
-    description: 'SSH session timeout in seconds'
-    required: false
-    type: number
-    default: 3600
-runs:
-  using: composite
-  steps:
-    - run: $GITHUB_ACTION_PATH/setup-ssh.sh
-      shell: bash
-      env:
-        TUNNEL: ${{ inputs.tunnel }}
-        TIMEOUT: ${{ inputs.timeout }}
--- a/.github/actions/ssh-debug/bashrc
+++ b/.github/actions/ssh-debug/bashrc
@@ -1,4 +0,0 @@
-# If we're in an interactive SSH session and we're not already in tmux and there's no explicit SSH command, auto attach tmux
-if [ -n "$SSH_TTY" ] && [ -z "$TMUX" ] && [ -z "$SSH_ORIGINAL_COMMAND" ]; then
-    exec tmux attach || exec tmux
-fi
--- a/.github/actions/ssh-debug/setup-ssh.sh
+++ b/.github/actions/ssh-debug/setup-ssh.sh
@@ -1,146 +0,0 @@
-#!/bin/bash -e
-
-if [ "${TUNNEL}" != "true" ]; then
-    echo "SSH tunneling is disabled. Set enable-tunnel: true to enable remote access."
-    echo "Local SSH server would be available on localhost:2222 if this were a local environment."
-    exit 0
-fi
-
-echo ::group::Configuring Tunnel
-
-echo "SSH tunneling enabled. Setting up remote access..."
-
-EXTERNAL_DEPS="curl jq ssh-keygen"
-
-for dep in $EXTERNAL_DEPS; do
-    if ! command -v "${dep}" > /dev/null 2>&1; then
-       echo "Command ${dep} not installed on the system!" >&2
-       exit 1
-    fi
-done
-
-cd "$GITHUB_ACTION_PATH"
-
-bashrc_path=$(pwd)/bashrc
-
-# Source `bashrc` to auto start tmux on SSH login.
-if ! grep -q "${bashrc_path}" ~/.bash_profile; then
-    echo >> ~/.bash_profile # On macOS runner there's no newline at the end of the file
-    echo "source \"${bashrc_path}\"" >> ~/.bash_profile
-fi
-
-OS=$(uname -s | tr '[:upper:]' '[:lower:]')
-ARCH=$(uname -m)
-
-if [ "${ARCH}" = "x86_64" ]; then
-    ARCH="amd64"
-elif [ "${ARCH}" = "aarch64" ]; then
-    ARCH="arm64"
-fi
-
-if [ "${OS}" = "darwin" ] && ! command -v tmux > /dev/null 2>&1; then
-    echo "Installing tmux..."
-    brew install tmux
-fi
-
-if [ "$OS" = "darwin" ]; then
-    cloudflared_url="https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-${OS}-${ARCH}.tgz"
-    echo "Downloading \`cloudflared\` from <$cloudflared_url>..."
-    curl --location --silent --output cloudflared.tgz "${cloudflared_url}"
-    tar xf cloudflared.tgz
-    rm cloudflared.tgz
-fi
-
-chmod +x cloudflared
-
-echo 'Creating SSH server key...'
-ssh-keygen -q -f ssh_host_rsa_key -N ''
-
-echo 'Creating SSH server config...'
-sed "s,\$PWD,${PWD},;s,\$USER,${USER}," sshd_config.template > sshd_config
-
-echo 'Starting SSH server...'
-sudo /usr/sbin/sshd -f sshd_config -D &
-sshd_pid=$!
-
-echo "SSH server started successfully (PID: ${sshd_pid})"
-
-echo 'Starting tmux session...'
-(cd "${GITHUB_WORKSPACE}" && tmux new-session -d -s debug)
-
-mkdir ~/.cloudflared
-CLEAN_TUNNEL_CERT=$(printf '%s\n' "${CLOUDFLARE_TUNNEL_CERT}" | tr -d '\r' | sed '/^[[:space:]]*$/d')
-
-echo "${CLEAN_TUNNEL_CERT}" > ~/.cloudflared/cert.pem
-
-CLEAN_USER_CA_CERT=$(printf '%s\n' "${CLOUDFLARE_USER_CA_CERT}" | tr -d '\r' | sed '/^[[:space:]]*$/d')
-
-echo "${CLEAN_USER_CA_CERT}" | sudo tee /etc/ssh/ca.pub > /dev/null
-sudo chmod 644 /etc/ssh/ca.pub
-
-random_suffix=$(openssl rand -hex 5 | cut -c1-10)
-tunnel_name="${GITHUB_SHA}-${GITHUB_RUN_ID}-${random_suffix}"
-tunnel_url="${tunnel_name}.${CLOUDFLARE_TUNNEL_HOSTNAME}"
-
-if ./cloudflared tunnel list | grep -q "${tunnel_name}"; then
-    echo "Deleting existing tunnel: ${tunnel_name}"
-    ./cloudflared tunnel delete ${tunnel_name}
-fi
-
-echo "Creating new cloudflare tunnel: ${tunnel_name}"
-./cloudflared tunnel create ${tunnel_name}
-
-credentials_file=$(find ~/.cloudflared -name "*.json" | head -n 1)
-if [ -z "${credentials_file}" ]; then
-    echo "Error: Could not find tunnel credentials file"
-    exit 1
-fi
-
-echo "Found credentials file: ${credentials_file}"
-
-echo 'Creating tunnel configuration...'
-cat > tunnel_config.yml << EOF
-tunnel: ${tunnel_name}
-credentials-file: ${credentials_file}
-
-ingress:
-  - hostname: ${tunnel_url}
-    service: ssh://localhost:2222
-  - service: http_status:404
-EOF
-
-echo 'Setting up DNS routing for tunnel...'
-./cloudflared tunnel route dns ${tunnel_name} ${tunnel_url}
-
-echo 'Running cloudflare tunnel...'
-./cloudflared tunnel --no-autoupdate --config tunnel_config.yml run 2>&1 | tee cloudflared.log | sed -u 's/^/cloudflared: /' &
-cloudflared_pid=$!
-
-echo ::endgroup::
-
-echo ::notice title=SSH Debug Session Ready::ssh ${tunnel_url}
-
-
-(
-    echo '    '
-    echo '    '
-    echo '🔗 SSH Debug Session Ready!'
-    echo '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'
-    echo '    '
-    echo '📋 Infra WG can copy and run this command to connect:'
-    echo '    '
-    echo "ssh ${tunnel_url}"
-    echo '    '
-    echo "⏰ Session expires automatically in ${TIMEOUT} seconds"
-    echo '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'
-    echo '    '
-    echo '    '
-) | cat
-
-echo ::group::Starting Background Session
-echo 'Starting SSH session in background...'
-./ssh-session.sh "${sshd_pid}" "${cloudflared_pid}" "${TIMEOUT}" "${tunnel_name}" &
-
-echo 'SSH session is running in background. GitHub Action will continue.'
-echo 'Session will auto-cleanup after timeout or when processes end.'
-echo ::endgroup::
--- a/.github/actions/ssh-debug/ssh-session.sh
+++ b/.github/actions/ssh-debug/ssh-session.sh
@@ -1,52 +0,0 @@
-#!/bin/bash
-
-SSHD_PID=$1
-CLOUDFLARED_PID=$2
-SESSION_TIMEOUT=${3:-10000}
-TUNNEL_NAME=$4
-
-cleanup() {
-    # Kill processes.
-    for pid in "$SLEEP_PID" "$SSHD_PID" "$CLOUDFLARED_PID"; do
-        if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
-            kill "$pid" 2>/dev/null || true
-        fi
-    done
-
-    # Clean up tunnel.
-    if [ -n "$TUNNEL_NAME" ]; then
-        cd "$GITHUB_ACTION_PATH"
-        ./cloudflared tunnel delete "$TUNNEL_NAME" 2>/dev/null || {
-            echo "Failed to delete tunnel"
-        }
-    fi
-
-    echo "Session ended at $(date)"
-    exit 0
-}
-
-# Trap signals to ensure cleanup.
-trap cleanup SIGTERM SIGINT SIGQUIT SIGHUP EXIT
-
-# Wait for timeout or until processes die.
-sleep "$SESSION_TIMEOUT" &
-SLEEP_PID=$!
-
-# Monitor processes
-while kill -0 "$SLEEP_PID" 2>/dev/null; do
-    # Check SSH daemon.
-    if ! kill -0 "$SSHD_PID" 2>/dev/null; then
-        echo "SSH daemon died at $(date)"
-        break
-    fi
-
-    # Check cloudflared,
-    if ! kill -0 "$CLOUDFLARED_PID" 2>/dev/null; then
-        echo "Cloudflared died at $(date)"
-        break
-    fi
-
-    sleep 10
-done
-
-cleanup
--- a/.github/actions/ssh-debug/sshd_config.template
+++ b/.github/actions/ssh-debug/sshd_config.template
@@ -1,25 +0,0 @@
-Port 2222
-HostKey $PWD/ssh_host_rsa_key
-PidFile $PWD/sshd.pid
-
-# Connection settings
-ClientAliveInterval 30
-ClientAliveCountMax 10
-MaxStartups 10
-LoginGraceTime 120
-
-# Allow TCP forwarding for tunneling
-AllowTcpForwarding yes
-
-# Try to prevent timeouts
-TCPKeepAlive yes
-
-# Security
-TrustedUserCAKeys /etc/ssh/ca.pub
-PubkeyAuthentication yes
-PasswordAuthentication no
-
-AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | grep -A1 Principals"
-AuthorizedPrincipalsCommandUser nobody
-
-PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -1,122 +0,0 @@
-# Copilot Instructions for Electron
-
-## Build System
-
-Electron uses `@electron/build-tools` (`e` CLI). Install with `npm i -g @electron/build-tools`.
-
-```bash
-e sync              # Fetch sources and apply patches
-e build             # Build Electron (GN + Ninja)
-e build -k 999      # Build, continuing through errors
-e start             # Run built Electron
-e start --version   # Verify Electron launches
-e test              # Run full test suite
-e debug             # Run in debugger (lldb on macOS, gdb on Linux)
-```
-
-### Linting
-
-```bash
-npm run lint              # Run all linters (JS, C++, Python, GN, docs)
-npm run lint:js           # JavaScript/TypeScript only
-npm run lint:clang-format # C++ formatting only
-npm run lint:cpp          # C++ linting only
-npm run lint:docs         # Documentation only
-```
-
-### Running a Single Test
-
-```bash
-npm run test -- -g "pattern"   # Run tests matching a regex pattern
-# Example: npm run test -- -g "ipc"
-```
-
-### Running a Single Node.js Test
-
-```bash
-node script/node-spec-runner.js parallel/test-crypto-keygen
-```
-
-## Architecture
-
-Electron embeds Chromium (rendering) and Node.js (backend) to enable desktop apps with web technologies. The parent directory (`../`) is the Chromium source tree.
-
-### Process Model
-
-Electron has two primary process types, mirroring Chromium:
-
- **Main process** (`shell/browser/` + `lib/browser/`): Controls app lifecycle, creates windows, system APIs
- **Renderer process** (`shell/renderer/` + `lib/renderer/`): Runs web content in BrowserWindows
-
-### Native ↔ JavaScript Bridge
-
-Each API is implemented as a C++/JS pair:
-
- C++ side: `shell/browser/api/electron_api_{name}.cc/.h` — uses `gin::Wrappable` and `ObjectTemplateBuilder`
- JS side: `lib/browser/api/{name}.ts` — exports the module, registered in `lib/browser/api/module-list.ts`
- Binding: `NODE_LINKED_BINDING_CONTEXT_AWARE(electron_browser_{name}, Initialize)` in C++ and registered in `shell/common/node_bindings.cc`
- Type declaration: `typings/internal-ambient.d.ts` maps `process._linkedBinding('electron_browser_{name}')`
-
-### Patches System
-
-Electron patches upstream dependencies (Chromium, Node.js, V8, etc.) rather than forking them. Patches live in `patches/` organized by target, with `patches/config.json` mapping directories to repos.
-
-```text
-patches/{target}/*.patch  →  [e sync]   →  target repo commits
-                          ←  [e patches] ←
-```
-
-Key rules:
-
- Fix existing patches rather than creating new ones
- Preserve original authorship in TODO comments — never change `TODO(name)` assignees
- Each patch commit message must explain why the patch exists
- After modifying patches, run `e patches {target}` to export
-
-When working on the `roller/chromium/main` branch for Chromium upgrades, use `e sync --3` for 3-way merge conflict resolution.
-
-## Conventions
-
-### File Naming
-
- JS/TS files: kebab-case (`file-name.ts`)
- C++ files: snake_case with `electron_api_` prefix (`electron_api_safe_storage.cc`)
- Test files: `api-{module-name}-spec.ts` in `spec/`
- Source file lists are maintained in `filenames.gni` (with platform-specific sections)
-
-### JavaScript/TypeScript
-
- Semicolons required (`"semi": ["error", "always"]`)
- `const` and `let` only (no `var`)
- Arrow functions preferred
- Import order enforced: `@electron/internal` → `@electron` → `electron` → external → builtin → relative
- API naming: `PascalCase` for classes (`BrowserWindow`), `camelCase` for module APIs (`globalShortcut`)
- Prefer getters/setters over jQuery-style `.text([text])` patterns
-
-### C++
-
- Follows Chromium coding style, enforced by `clang-format` and `clang-tidy`
- Uses Chromium abstractions (`base::`, `content::`, etc.)
- Header guards: `#ifndef ELECTRON_SHELL_BROWSER_API_ELECTRON_API_{NAME}_H_`
- Platform-specific files: `_mac.mm`, `_win.cc`, `_linux.cc`
-
-### Testing
-
- Framework: Mocha + Chai + Sinon
- Test helpers in `spec/lib/` (e.g., `spec-helpers.ts`, `window-helpers.ts`)
- Use `defer()` from spec-helpers for cleanup, `closeAllWindows()` for window teardown
- Tests import from `electron/main` or `electron/renderer`
-
-### Documentation
-
- API docs in `docs/api/` as Markdown, parsed by `@electron/docs-parser` to generate `electron.d.ts`
- API history tracked via YAML blocks in HTML comments within doc files
- Docs must pass `npm run lint:docs`
-
-### Build Configuration
-
- `BUILD.gn`: Main GN build config
- `buildflags/buildflags.gni`: Feature flags (PDF viewer, extensions, spellchecker)
- `build/args/`: Build argument profiles (`testing.gn`, `release.gn`, `all.gn`)
- `DEPS`: Dependency versions and checkout paths
- `chromium_src/`: Chromium source file overrides (compiled instead of originals)
--- a/.github/problem-matchers/clang.json
+++ b/.github/problem-matchers/clang.json
@@ -5,7 +5,7 @@
      "fromPath": "src/out/Default/args.gn",
      "pattern": [
        {
-          "regexp": "^(.+)[(:](\\d+)[:,](\\d+)\\)?:\\s+(warning|fatal error|error):\\s+(.*)$",
+          "regexp": "^(.+)[(:](\\d+)[:,](\\d+)\\)?:\\s+(warning|error):\\s+(.*)$",
          "file": 1,
          "line": 2,
          "column": 3,
--- a/.github/problem-matchers/markdownlint.json
+++ b/.github/problem-matchers/markdownlint.json
@@ -1,16 +0,0 @@
-{
-  "problemMatcher": [
-    {
-      "owner": "markdownlint",
-      "pattern": [
-        {
-          "regexp": "^(.+):(\\d+):(\\d+)\\s+(.*)$",
-          "file": 1,
-          "line": 2,
-          "column": 3,
-          "message": 4
-        }
-      ]
-    }
-  ]
-}
--- a/.github/problem-matchers/patch-conflict.json
+++ b/.github/problem-matchers/patch-conflict.json
@@ -19,16 +19,6 @@
          "line": 3
        }
      ]
-    },
-    {
-      "owner": "patch-needs-update",
-      "pattern": [
-        {
-          "regexp": "^((patches\/.*): needs update)$",
-          "message": 1,
-          "file": 2
-        }
-      ]
    }
  ]
 }
--- a/.github/siso-patches/0001-siso-reuse-the-outer-os.File-for-chunked-ReadAt-in-f.patch
+++ b/.github/siso-patches/0001-siso-reuse-the-outer-os.File-for-chunked-ReadAt-in-f.patch
@@ -1,47 +0,0 @@
-From 85b561ea4dbc76ba98af020b970f3aa6b20fdb9e Mon Sep 17 00:00:00 2001
-From: Samuel Attard <sam@electronjs.org>
-Date: Wed, 8 Apr 2026 23:24:15 -0700
-Subject: [PATCH] siso: reuse the outer *os.File for chunked ReadAt in
- fileParser.readFile
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The per-chunk goroutine currently re-opens fname to get its own handle
-for ReadAt. (*os.File).ReadAt is documented as safe for concurrent
-calls on the same File (on Windows it is ReadFile with an OVERLAPPED
-offset, so there is no shared seek state), so the extra open is
-redundant — the goroutines can share the outer f.
-
-Besides halving the CreateFileW calls per subninja, this avoids an
-intermittent 'The parameter is incorrect.' (ERROR_INVALID_PARAMETER)
-from bindflt.sys when out/ is a mapped directory inside a Windows
-container: bindflt's handle-relative NtCreateFile path races when a
-second relative open arrives while the first handle to the same target
-is still being set up. Absolute paths and single opens do not trigger
-it; see microsoft/Windows-Containers#<tbd>.
---
- siso/toolsupport/ninjautil/file_parser.go | 7 -------
- 1 file changed, 7 deletions(-)
-
-diff --git a/siso/toolsupport/ninjautil/file_parser.go b/siso/toolsupport/ninjautil/file_parser.go
-index 8c18d084..63116662 100644
--- a/siso/toolsupport/ninjautil/file_parser.go
-+++ b/siso/toolsupport/ninjautil/file_parser.go
-@@ -111,13 +111,6 @@ func (p *fileParser) readFile(ctx context.Context, fname string) ([]byte, error)
- 		eg.Go(func() error {
- 			p.sema <- struct{}{}
- 			defer func() { <-p.sema }()
-			f, err := os.Open(fname)
-			if err != nil {
-				return err
-			}
-			defer func() {
-				_ = f.Close()
-			}()
- 			for len(chunkBuf) > 0 {
- 				n, err := f.ReadAt(chunkBuf, pos)
- 				if err != nil {
-- 
-2.53.0
-
--- a/.github/workflows/apply-patches.yml
+++ b/.github/workflows/apply-patches.yml
@@ -1,81 +0,0 @@
-name: Apply Patches
-
-on:
-  pull_request:
-
-permissions: {}
-
-concurrency:
-  group: apply-patches-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  setup:
-    if: github.repository == 'electron/electron'
-    runs-on: ubuntu-slim
-    permissions:
-      contents: read
-      pull-requests: read
-    outputs:
-      has-patches: ${{ steps.filter.outputs.patches }}
-    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        persist-credentials: false
-        ref: ${{ github.event.pull_request.head.sha }}
-    # Use dorny/paths-filter instead of the path filter under the on: pull_request: block
-    # so that the output can be used to conditionally run the apply-patches job, which lets
-    # the job be marked as a required status check (conditional skip counts as a success).
-    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
-      id: filter
-      with:
-        filters: |
-          patches:
-            - DEPS
-            - 'patches/**'
-
-  apply-patches:
-    needs: setup
-    if: ${{ needs.setup.outputs.has-patches == 'true' }}
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
-    container:
-      image: ghcr.io/electron/build:a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb
-      options: --user root
-      volumes:
-        - /mnt/cross-instance-cache:/mnt/cross-instance-cache
-        - /var/run/sas:/var/run/sas
-    env:
-      CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
-      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
-    steps:
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        path: src/electron
-        fetch-depth: 0
-        persist-credentials: false
-        ref: ${{ github.event.pull_request.base.ref }}
-    - name: Merge PR HEAD
-      working-directory: src/electron
-      env:
-        PR_NUMBER: ${{ github.event.pull_request.number }}
-      run: |
-        git config user.email "electron@github.com"
-        git config user.name "Electron Bot"
-        git fetch origin refs/pull/${PR_NUMBER}/head
-        git merge --squash FETCH_HEAD
-        git commit -n -m "Squashed commits"
-    - name: Checkout & Sync & Save
-      uses: ./src/electron/.github/actions/checkout
-      with:
-        target-platform: linux
-    - name: Upload Patch Conflict Fix
-      if: ${{ failure() }}
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-      with:
-        name: update-patches
-        path: patches/update-patches.patch
-        if-no-files-found: ignore
-        archive: false
--- a/.github/workflows/archaeologist-dig.yml
+++ b/.github/workflows/archaeologist-dig.yml
@@ -3,39 +3,31 @@ name: Archaeologist
 on:
  pull_request:

-permissions: {}
-
 jobs:
   archaeologist-dig:
    name: Archaeologist Dig
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - name: Checkout Electron
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.0.2
        with:
          fetch-depth: 0
      - name: Setup Node.js/npm
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
        with:
-          node-version: 24.12.x
+          node-version: 20.19.x
      - name: Setting Up Dig Site
-        env:
-          CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
-          echo "remote: $CLONE_URL"
-          echo "sha $HEAD_SHA"
-          echo "base ref $BASE_REF"
-          git clone https://github.com/electron/electron.git electron
+          echo "remote: ${{ github.event.pull_request.head.repo.clone_url }}"
+          echo "sha ${{ github.event.pull_request.head.sha }}"
+          echo "base ref ${{ github.event.pull_request.base.ref }}"
+          git clone https://github.com/electron/electron.git electron          
          cd electron
          mkdir -p artifacts
-          git remote add fork "$CLONE_URL" && git fetch fork
-          git checkout "$HEAD_SHA"
-          git merge-base "origin/$BASE_REF" HEAD > .dig-old
-          echo "$HEAD_SHA" > .dig-new
+          git remote add fork ${{ github.event.pull_request.head.repo.clone_url }} && git fetch fork
+          git checkout  ${{ github.event.pull_request.head.sha }}
+          git merge-base origin/${{ github.event.pull_request.base.ref }} HEAD > .dig-old
+          echo  ${{ github.event.pull_request.head.sha }} > .dig-new
          cp .dig-old artifacts

      - name: Generating Types for SHA in .dig-new
@@ -49,7 +41,7 @@ jobs:
          sha-file: .dig-old
          filename: electron.old.d.ts
      - name: Upload artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
        with:
          name: artifacts
          path: electron/artifacts
--- a/.github/workflows/audit-branch-ci.yml
+++ b/.github/workflows/audit-branch-ci.yml
@@ -15,26 +15,12 @@ jobs:
    permissions:
      contents: read
    steps:
-      - name: Setup Node.js
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
-        with:
-          node-version: 22.17.x
-      - name: Sparse checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          sparse-checkout: |
-            .
-            .github
-            .yarn
-      - run: yarn workspaces focus @electron/gha-workflows
-      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      - run: npm install @actions/cache @electron/fiddle-core
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        id: audit-errors
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
-            const { chdir } = require('node:process');
-            chdir('${{ github.workspace }}/.github/workflows');
-
            const cache = require('@actions/cache');
            const { ElectronVersions } = require('@electron/fiddle-core');

@@ -43,7 +29,7 @@ jobs:
            // Only want the most recent workflow run that wasn't skipped or cancelled
            const isValidWorkflowRun = (run) => !['skipped', 'cancelled'].includes(run.conclusion);

-            const versions = await ElectronVersions.create({ ignoreCache: true });
+            const versions = await ElectronVersions.create(undefined, { ignoreCache: true });
            const branches = versions.supportedMajors.map((branch) => `${branch}-x-y`);

            for (const branch of ["main", ...branches]) {
@@ -83,8 +69,6 @@ jobs:
                      annotation_level === "failure" &&
                      !message.startsWith("Process completed with exit code") &&
                      !message.startsWith("Response status code does not indicate success") &&
-                      !message.startsWith("The hosted runner lost communication with the server") &&
-                      !message.startsWith("Dependabot encountered an error performing the update") &&
                      !/Unable to make request/.test(message) &&
                      !/The requested URL returned error/.test(message),
                  )
@@ -117,6 +101,7 @@ jobs:
            }

            if (runsWithErrors.length > 0) {
+              core.setOutput('errorsFound', true);
              core.summary.addHeading('⚠️ Runs with Errors');
              core.summary.addTable([
                [
@@ -143,7 +128,6 @@ jobs:

              // Set this as failed so it's easy to scan runs to find failures
              if (runsWithErrors.find((run) => !run.isStale)) {
-                core.setOutput('errorsFound', true);
                process.exitCode = 1;
              }
            } else {
@@ -152,8 +136,8 @@ jobs:

            await core.summary.write();
      - name: Send Slack message if errors
-        if: ${{ always() && steps.audit-errors.outputs.errorsFound && github.ref == 'refs/heads/main' }}
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+        if: ${{ steps.audit-errors.outputs.errorsFound && github.ref == 'refs/heads/main' }}
+        uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
        with:
          payload: |
            link: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
--- a/.github/workflows/branch-created.yml
+++ b/.github/workflows/branch-created.yml
@@ -75,7 +75,7 @@ jobs:
          org: electron
      - name: Generate Release Project Board Metadata
        if: ${{ steps.check-major-version.outputs.MAJOR }}
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        id: generate-project-metadata
        with:
          script: |
--- a/.github/workflows/build-git-cache.yml
+++ b/.github/workflows/build-git-cache.yml
@@ -6,15 +6,11 @@ on:
  schedule:
    - cron: "0 0 * * *"

-permissions: {}
-
 jobs:
  build-git-cache-linux:
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-32core
    container:
-      image: ghcr.io/electron/build:a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb
+      image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
      options: --user root
      volumes:
        - /mnt/cross-instance-cache:/mnt/cross-instance-cache
@@ -23,7 +19,7 @@ jobs:
      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
@@ -33,11 +29,9 @@ jobs:
        target-platform: linux

  build-git-cache-windows:
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-32core
    container:
-      image: ghcr.io/electron/build:a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb
+      image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
      options: --user root --device /dev/fuse --cap-add SYS_ADMIN
      volumes:
        - /mnt/win-cache:/mnt/win-cache
@@ -47,7 +41,7 @@ jobs:
      TARGET_OS: 'win'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
@@ -57,13 +51,11 @@ jobs:
        target-platform: win

  build-git-cache-macos:
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-32core
    # This job updates the same git cache as linux, so it needs to run after the linux one.
    needs: build-git-cache-linux
    container:
-      image: ghcr.io/electron/build:a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb
+      image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
      options: --user root
      volumes:
        - /mnt/cross-instance-cache:/mnt/cross-instance-cache
@@ -72,7 +64,7 @@ jobs:
      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,7 +6,7 @@ on:
      build-image-sha:
        type: string
        description: 'SHA for electron/build image'
-        default: 'a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb'
+        default: '424eedbf277ad9749ffa9219068aa72ed4a5e373'
        required: true
      skip-macos:
        type: boolean
@@ -28,11 +28,6 @@ on:
        description: 'Skip lint check'
        default: false
        required: false
-      enable-ssh:
-        description: 'Enable SSH debugging'
-        required: false
-        type: boolean
-        default: false
  push:
    branches:
      - main
@@ -43,13 +38,10 @@ defaults:
  run:
    shell: bash

-permissions: {}
-
 jobs:
  setup:
    runs-on: ubuntu-latest
    permissions:
-      contents: read
      pull-requests: read
    outputs:
        docs: ${{ steps.filter.outputs.docs }}
@@ -57,7 +49,7 @@ jobs:
        build-image-sha: ${{ steps.set-output.outputs.build-image-sha }}
        docs-only: ${{ steps.set-output.outputs.docs-only }}
    steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.0.2
      with:
        ref: ${{ github.event.pull_request.head.sha }}
    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
@@ -66,17 +58,13 @@ jobs:
        filters: |
          docs:
            - 'docs/**'
-            - README.md
-            - SECURITY.md
-            - CONTRIBUTING.md
-            - CODE_OF_CONDUCT.md
          src:
            - '!docs/**'
    - name: Set Outputs for Build Image SHA & Docs Only
      id: set-output
      run: |
        if [ -z "${{ inputs.build-image-sha }}" ]; then
-          echo "build-image-sha=a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb" >> "$GITHUB_OUTPUT"
+          echo "build-image-sha=424eedbf277ad9749ffa9219068aa72ed4a5e373" >> "$GITHUB_OUTPUT"
        else
          echo "build-image-sha=${{ inputs.build-image-sha }}" >> "$GITHUB_OUTPUT"
        fi
@@ -87,30 +75,24 @@ jobs:
    needs: setup
    if: ${{ !inputs.skip-lint }}
    uses: ./.github/workflows/pipeline-electron-lint.yml
-    permissions:
-      contents: read
    with:
      container: '{"image":"ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}","options":"--user root"}'
    secrets: inherit

  # Docs Only Jobs
  docs-only:
-    needs: [setup, checkout-linux]
+    needs: setup
    if: ${{ needs.setup.outputs.docs-only == 'true' }}
    uses: ./.github/workflows/pipeline-electron-docs-only.yml
-    permissions:
-      contents: read
    with:
-      container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      container: '{"image":"ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}","options":"--user root"}'
    secrets: inherit

  # Checkout Jobs
  checkout-macos:
    needs: setup
    if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-macos}}
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-32core
    container:
      image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
      options: --user root
@@ -124,7 +106,7 @@ jobs:
      build-image-sha: ${{ needs.setup.outputs.build-image-sha }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
@@ -137,10 +119,8 @@ jobs:

  checkout-linux:
    needs: setup
-    if: ${{ !inputs.skip-linux}}
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-linux}}
+    runs-on: electron-arc-linux-amd64-32core
    container:
      image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
      options: --user root
@@ -156,7 +136,7 @@ jobs:
      build-image-sha: ${{ needs.setup.outputs.build-image-sha}}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
@@ -169,9 +149,7 @@ jobs:
  checkout-windows:
    needs: setup
    if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }}
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-32core
    container:
      image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
      options: --user root --device /dev/fuse --cap-add SYS_ADMIN
@@ -188,7 +166,7 @@ jobs:
      build-image-sha: ${{ needs.setup.outputs.build-image-sha}}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
@@ -199,51 +177,35 @@ jobs:
        generate-sas-token: 'true'
        target-platform: win

-  # Build a patched siso binary for Windows CI in parallel with checkout-windows.
-  # The Windows build jobs download the resulting artifact and use it via SISO_PATH.
-  build-siso-windows:
-    needs: setup
-    if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }}
-    uses: ./.github/workflows/pipeline-segment-build-siso-windows.yml
-    permissions:
-      contents: read
-
  # GN Check Jobs
  macos-gn-check:
    uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
-    permissions:
-      contents: read
    needs: checkout-macos
    with:
      target-platform: macos
      target-archs: x64 arm64
-      check-runs-on: macos-15
+      check-runs-on: macos-14
      gn-build-type: testing
    secrets: inherit

  linux-gn-check:
    uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
-    permissions:
-      contents: read
    needs: checkout-linux
-    if: ${{ needs.setup.outputs.src == 'true' }}
    with:
      target-platform: linux
      target-archs: x64 arm arm64
-      check-runs-on: electron-arc-centralus-linux-amd64-8core
+      check-runs-on: electron-arc-linux-amd64-8core
      check-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
      gn-build-type: testing
    secrets: inherit

  windows-gn-check:
    uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
-    permissions:
-      contents: read
    needs: checkout-windows
    with:
      target-platform: win
      target-archs: x64 x86 arm64
-      check-runs-on: electron-arc-centralus-linux-amd64-8core
+      check-runs-on: electron-arc-linux-amd64-8core
      check-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-windows.outputs.build-image-sha }}","options":"--user root --device /dev/fuse --cap-add SYS_ADMIN","volumes":["/mnt/win-cache:/mnt/win-cache"]}'
      gn-build-type: testing
    secrets: inherit
@@ -257,15 +219,14 @@ jobs:
    uses: ./.github/workflows/pipeline-electron-build-and-test.yml
    needs: checkout-macos
    with:
-      build-runs-on: macos-15-xlarge
-      test-runs-on: macos-15-large
+      build-runs-on: macos-14-xlarge
+      test-runs-on: macos-13
      target-platform: macos
      target-arch: x64
      is-release: false
      gn-build-type: testing
      generate-symbols: false
      upload-to-storage: '0'
-      enable-ssh: ${{ inputs.enable-ssh || false }}
    secrets: inherit
  
  macos-arm64:
@@ -276,15 +237,14 @@ jobs:
    uses: ./.github/workflows/pipeline-electron-build-and-test.yml
    needs: checkout-macos
    with:
-      build-runs-on: macos-15-xlarge
-      test-runs-on: macos-15
+      build-runs-on: macos-14-xlarge
+      test-runs-on: macos-14
      target-platform: macos
      target-arch: arm64
      is-release: false
      gn-build-type: testing
      generate-symbols: false
      upload-to-storage: '0'
-      enable-ssh: ${{ inputs.enable-ssh || false }}
    secrets: inherit

  linux-x64:
@@ -294,10 +254,9 @@ jobs:
      pull-requests: read
    uses: ./.github/workflows/pipeline-electron-build-and-test-and-nan.yml
    needs: checkout-linux
-    if: ${{ needs.setup.outputs.src == 'true' }}
    with:
-      build-runs-on: electron-arc-centralus-linux-amd64-32core
-      test-runs-on: electron-arc-centralus-linux-amd64-4core
+      build-runs-on: electron-arc-linux-amd64-32core
+      test-runs-on: electron-arc-linux-amd64-4core
      build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
      test-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
      target-platform: linux
@@ -315,10 +274,9 @@ jobs:
      pull-requests: read
    uses: ./.github/workflows/pipeline-electron-build-and-test.yml
    needs: checkout-linux
-    if: ${{ needs.setup.outputs.src == 'true' }}
    with:
-      build-runs-on: electron-arc-centralus-linux-amd64-32core
-      test-runs-on: electron-arc-centralus-linux-amd64-4core
+      build-runs-on: electron-arc-linux-amd64-32core
+      test-runs-on: electron-arc-linux-amd64-4core
      build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
      test-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
      target-platform: linux
@@ -337,12 +295,11 @@ jobs:
      pull-requests: read
    uses: ./.github/workflows/pipeline-electron-build-and-test.yml
    needs: checkout-linux
-    if: ${{ needs.setup.outputs.src == 'true' }}
    with:
-      build-runs-on: electron-arc-centralus-linux-amd64-32core
-      test-runs-on: electron-arc-centralus-linux-arm64-4core
+      build-runs-on: electron-arc-linux-amd64-32core
+      test-runs-on: electron-arc-linux-arm64-4core
      build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
-      test-container: '{"image":"ghcr.io/electron/test:arm32v7-${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init --memory=12g","volumes":["/home/runner/externals:/mnt/runner-externals"]}'
+      test-container: '{"image":"ghcr.io/electron/test:arm32v7-${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init","volumes":["/home/runner/externals:/mnt/runner-externals"]}'
      target-platform: linux
      target-arch: arm
      is-release: false
@@ -358,10 +315,9 @@ jobs:
      pull-requests: read
    uses: ./.github/workflows/pipeline-electron-build-and-test.yml
    needs: checkout-linux
-    if: ${{ needs.setup.outputs.src == 'true' }}
    with:
-      build-runs-on: electron-arc-centralus-linux-amd64-32core
-      test-runs-on: ubuntu-22.04-arm
+      build-runs-on: electron-arc-linux-amd64-32core
+      test-runs-on: electron-arc-linux-arm64-4core
      build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
      test-container: '{"image":"ghcr.io/electron/test:arm64v8-${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
      target-platform: linux
@@ -378,10 +334,10 @@ jobs:
      issues: read
      pull-requests: read
    uses: ./.github/workflows/pipeline-electron-build-and-test.yml
-    needs: [checkout-windows, build-siso-windows]
+    needs: checkout-windows
    if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }}
    with:
-      build-runs-on: electron-arc-centralus-windows-amd64-16core
+      build-runs-on: electron-arc-windows-amd64-16core
      test-runs-on: windows-latest
      target-platform: win
      target-arch: x64
@@ -397,10 +353,10 @@ jobs:
      issues: read
      pull-requests: read
    uses: ./.github/workflows/pipeline-electron-build-and-test.yml
-    needs: [checkout-windows, build-siso-windows]
+    needs: checkout-windows
    if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }}
    with:
-      build-runs-on: electron-arc-centralus-windows-amd64-16core
+      build-runs-on: electron-arc-windows-amd64-16core
      test-runs-on: windows-latest
      target-platform: win
      target-arch: x86
@@ -416,11 +372,11 @@ jobs:
      issues: read
      pull-requests: read
    uses: ./.github/workflows/pipeline-electron-build-and-test.yml
-    needs: [checkout-windows, build-siso-windows]
+    needs: checkout-windows
    if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }}
    with:
-      build-runs-on: electron-arc-centralus-windows-amd64-16core
-      test-runs-on: windows-11-arm
+      build-runs-on: electron-arc-windows-amd64-16core
+      test-runs-on: electron-hosted-windows-arm64-4core
      target-platform: win
      target-arch: arm64
      is-release: false
@@ -432,38 +388,9 @@ jobs:
  gha-done:
    name: GitHub Actions Completed
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    needs: [docs-only, macos-x64, macos-arm64, linux-x64, linux-x64-asan, linux-arm, linux-arm64, build-siso-windows, windows-x64, windows-x86, windows-arm64]
+    needs: [docs-only, macos-x64, macos-arm64, linux-x64, linux-x64-asan, linux-arm, linux-arm64, windows-x64, windows-x86, windows-arm64]
    if: always() && !contains(needs.*.result, 'failure')
-    steps:
+    steps: 
    - name: GitHub Actions Jobs Done
      run: |
        echo "All GitHub Actions Jobs are done"
-
-  check-signed-commits:
-    name: Check signed commits in green PR
-    needs: gha-done
-    if: ${{ contains(github.event.pull_request.labels.*.name, 'needs-signed-commits')}}
-    runs-on: ubuntu-slim
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Check signed commits in PR
-        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
-        with:
-          comment: |
-            ⚠️ This PR contains unsigned commits. This repository enforces [commit signatures](https://docs.github.com/en/authentication/managing-commit-signature-verification) 
-            for all incoming PRs. To get your PR merged, please sign those commits 
-            (`git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}`) and force push them to this branch 
-            (`git push --force-with-lease`)
-
-            For more information on signing commits, see GitHub's documentation on [Telling Git about your signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key).
-
-      - name: Remove needs-signed-commits label
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_URL: ${{ github.event.pull_request.html_url }}
-        run: |
-          gh pr edit $PR_URL --remove-label needs-signed-commits
--- a/.github/workflows/clean-orphaned-cache-uploads.yml
+++ b/.github/workflows/clean-orphaned-cache-uploads.yml
@@ -1,32 +0,0 @@
-name: Clean Orphaned Cache Uploads
-
-# Description:
-# Sweeps orphaned in-flight upload temp files left on the src-cache volumes
-# by checkout/action.yml when its cp-to-share step dies before the rename.
-# A successful upload finishes in minutes, so anything older than 4h is dead.
-
-on:
-  schedule:
-    - cron: "0 */4 * * *"
-  workflow_dispatch:
-
-permissions: {}
-
-jobs:
-  clean-orphaned-uploads:
-    if: github.repository == 'electron/electron'
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
-    container:
-      image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
-      options: --user root
-      volumes:
-        - /mnt/cross-instance-cache:/mnt/cross-instance-cache
-        - /mnt/win-cache:/mnt/win-cache
-    steps:
-    - name: Remove Orphaned Upload Temp Files
-      shell: bash
-      run: |
-        find /mnt/cross-instance-cache -maxdepth 1 -type f -name '*.tar.upload-*' -mmin +240 -print -delete
-        find /mnt/win-cache -maxdepth 1 -type f -name '*.tar.upload-*' -mmin +240 -print -delete
--- a/.github/workflows/clean-src-cache.yml
+++ b/.github/workflows/clean-src-cache.yml
@@ -1,20 +1,16 @@
 name: Clean Source Cache

-# Description:
-# This workflow cleans up the source cache on the cross-instance cache volume
-# to free up space. It runs daily at midnight and clears files older than 15 days.
+description: |
+  This workflow cleans up the source cache on the cross-instance cache volume
+  to free up space. It runs daily at midnight and clears files older than 15 days.

 on:
  schedule:
    - cron: "0 0 * * *"

-permissions: {}
-
 jobs:
  clean-src-cache:
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-32core
    container:
      image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
      options: --user root
--- a/.github/workflows/issue-commented.yml
+++ b/.github/workflows/issue-commented.yml
@@ -10,24 +10,15 @@ permissions: {}
 jobs:
  issue-commented:
    name: Remove blocked/{need-info,need-repro} on comment
-    if: ${{ (contains(github.event.issue.labels.*.name, 'blocked/need-repro') || contains(github.event.issue.labels.*.name, 'blocked/need-info ❌')) && github.event.comment.user.type != 'Bot' }}
+    if: ${{ (contains(github.event.issue.labels.*.name, 'blocked/need-repro') || contains(github.event.issue.labels.*.name, 'blocked/need-info ❌')) && !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), github.event.comment.author_association) && github.event.comment.user.type != 'Bot' }}
    runs-on: ubuntu-latest
    steps:
-      - name: Get author association
-        id: get-author-association
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          AUTHOR_ASSOCIATION=$(gh api /repos/electron/electron/issues/comments/${{ github.event.comment.id }} --jq '.author_association')
-          echo "author_association=$AUTHOR_ASSOCIATION" >> "$GITHUB_OUTPUT"
      - name: Generate GitHub App token
        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
-        if: ${{ !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), steps.get-author-association.outputs.author_association) }}
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
      - name: Remove label
-        if: ${{ !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), steps.get-author-association.outputs.author_association) }}
        env:
          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
          ISSUE_URL: ${{ github.event.issue.html_url }}
--- a/.github/workflows/issue-labeled.yml
+++ b/.github/workflows/issue-labeled.yml
@@ -4,15 +4,14 @@ on:
  issues:
    types: [labeled]

-permissions: {}
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read

 jobs:
  issue-labeled-with-status:
    name: status/{confirmed,reviewed} label added
    if: github.event.label.name == 'status/confirmed' || github.event.label.name == 'status/reviewed'
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - name: Generate GitHub App token
        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -32,8 +31,6 @@ jobs:
    name: blocked/* label added
    if: startsWith(github.event.label.name, 'blocked/')
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - name: Generate GitHub App token
        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -61,10 +58,9 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: electron/electron
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |
          set -eo pipefail
-          COMMENT_COUNT=$(gh issue view "$ISSUE_NUMBER" --comments --json comments | jq '[ .comments[] | select(.author.login == "electron-issue-triage" or .authorAssociation == "OWNER" or .authorAssociation == "MEMBER") | select(.body | startswith("<!-- blocked/need-repro -->")) ] | length')
+          COMMENT_COUNT=$(gh issue view ${{ github.event.issue.number }} --comments --json comments | jq '[ .comments[] | select(.author.login == "electron-issue-triage" or .authorAssociation == "OWNER" or .authorAssociation == "MEMBER") | select(.body | startswith("<!-- blocked/need-repro -->")) ] | length')
          if [[ $COMMENT_COUNT -eq 0 ]]; then
            echo "SHOULD_COMMENT=1" >> "$GITHUB_OUTPUT"
          fi
@@ -76,7 +72,7 @@ jobs:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
      - name: Create comment
        if: ${{ steps.check-for-comment.outputs.SHOULD_COMMENT }}
-        uses: actions-cool/issues-helper@e2ff99831a4f13625d35064e2b3dfe65c07a0396 # v3.7.5
+        uses: actions-cool/issues-helper@a610082f8ac0cf03e357eb8dd0d5e2ba075e017e # v3.6.0
        with:
          actions: 'create-comment'
          token: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/issue-opened.yml
+++ b/.github/workflows/issue-opened.yml
@@ -11,7 +11,6 @@ jobs:
  add-to-issue-triage:
    if: ${{ contains(github.event.issue.labels.*.name, 'bug :beetle:') }}
    runs-on: ubuntu-latest
-    permissions: {}
    steps:
      - name: Generate GitHub App token
        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -29,7 +28,6 @@ jobs:
  set-labels:
    if: ${{ contains(github.event.issue.labels.*.name, 'bug :beetle:') }}
    runs-on: ubuntu-latest
-    permissions: {}
    steps:
      - name: Generate GitHub App token
        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -37,29 +35,18 @@ jobs:
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
          org: electron
-      - name: Sparse checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          sparse-checkout: |
-            .
-            .github
-            .yarn
-      - run: yarn workspaces focus @electron/gha-workflows
+      - run: npm install @electron/fiddle-core@1.3.3 mdast-util-from-markdown@2.0.0 unist-util-select@5.1.0 semver@7.6.0
      - name: Add labels
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        id: add-labels
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          script: |
-            const { chdir } = require('node:process');
-            chdir('${{ github.workspace }}/.github/workflows');
-
-            const { ElectronVersions } = require('@electron/fiddle-core');
-            const { fromMarkdown } = require('mdast-util-from-markdown');
-            const { select } = require('unist-util-select');
-            const semver = require('semver');
+            const { fromMarkdown } = await import('${{ github.workspace }}/node_modules/mdast-util-from-markdown/index.js');
+            const { select } = await import('${{ github.workspace }}/node_modules/unist-util-select/index.js');
+            const semver = await import('${{ github.workspace }}/node_modules/semver/index.js');

            const [ owner, repo ] = '${{ github.repository }}'.split('/');
            const issue_number = ${{ github.event.issue.number }};
@@ -73,8 +60,6 @@ jobs:
              // It's possible for multiple versions to be listed -
              // for now check for comma or space separated version.
              const versions = electronVersion.split(/, | /);
-              let hasSupportedVersion = false;
-
              for (const version of versions) {
                const major = semver.coerce(version, { loose: true })?.major;
                if (major) {
@@ -90,19 +75,19 @@ jobs:
                    labelExists = true;
                  } catch {}

-                  const electronVersions = await ElectronVersions.create(undefined, { ignoreCache: true });
-                  const validVersions = [...electronVersions.supportedMajors, ...electronVersions.prereleaseMajors];
+                  if (labelExists) {
+                    // Check if it's an unsupported major
+                    const { ElectronVersions } = await import('${{ github.workspace }}/node_modules/@electron/fiddle-core/dist/index.js');
+                    const versions = await ElectronVersions.create(undefined, { ignoreCache: true });

-                  if (validVersions.includes(major)) {
-                    hasSupportedVersion = true;
-                    if (labelExists) {
+                    const validVersions = [...versions.supportedMajors, ...versions.prereleaseMajors];
+                    if (validVersions.includes(major)) {
                      labels.push(versionLabel);
                    }
                  }
                }
              }
-
-              if (!hasSupportedVersion) {
+              if (labels.length === 0) {
                core.setOutput('unsupportedMajor', true);
                labels.push('blocked/need-info ❌');
              }
@@ -146,7 +131,7 @@ jobs:
            }
      - name: Create unsupported major comment
        if: ${{ steps.add-labels.outputs.unsupportedMajor }}
-        uses: actions-cool/issues-helper@e2ff99831a4f13625d35064e2b3dfe65c07a0396 # v3.7.5
+        uses: actions-cool/issues-helper@a610082f8ac0cf03e357eb8dd0d5e2ba075e017e # v3.6.0
        with:
          actions: 'create-comment'
          token: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/issue-transferred.yml
+++ b/.github/workflows/issue-transferred.yml
@@ -10,7 +10,6 @@ jobs:
  issue-transferred:
    name: Issue Transferred
    runs-on: ubuntu-latest
-    permissions: {}
    if: ${{ !github.event.changes.new_repository.private }}
    steps:
      - name: Generate GitHub App token
--- a/.github/workflows/issue-unlabeled.yml
+++ b/.github/workflows/issue-unlabeled.yml
@@ -4,23 +4,20 @@ on:
  issues:
    types: [unlabeled]

-permissions: {}
+permissions:
+  contents: read

 jobs:
  issue-unlabeled-blocked:
    name: All blocked/* labels removed
    if: startsWith(github.event.label.name, 'blocked/') && github.event.issue.state == 'open'
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - name: Check for any blocked labels
        id: check-for-blocked-labels
-        env:
-          LABELS_JSON: ${{ toJSON(github.event.issue.labels.*.name) }}
        run: |
          set -eo pipefail
-          BLOCKED_LABEL_COUNT=$(echo "$LABELS_JSON" | jq '[ .[] | select(startswith("blocked/")) ] | length')
+          BLOCKED_LABEL_COUNT=$(echo '${{ toJSON(github.event.issue.labels.*.name) }}' | jq '[ .[] | select(startswith("blocked/")) ] | length')
          if [[ $BLOCKED_LABEL_COUNT -eq 0 ]]; then
            echo "NOT_BLOCKED=1" >> "$GITHUB_OUTPUT"
          fi
--- a/.github/workflows/linux-publish.yml
+++ b/.github/workflows/linux-publish.yml
@@ -6,7 +6,7 @@ on:
      build-image-sha:
        type: string
        description: 'SHA for electron/build image'
-        default: 'a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb'
+        default: '424eedbf277ad9749ffa9219068aa72ed4a5e373'
      upload-to-storage:
        description: 'Uploads to Azure storage'
        required: false
@@ -17,13 +17,9 @@ on:
        type: boolean
        default: false

-permissions: {}
-
 jobs:
  checkout-linux:
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-32core
    container:
      image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
      options: --user root
@@ -35,7 +31,7 @@ jobs:
      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
@@ -43,61 +39,49 @@ jobs:
      uses: ./src/electron/.github/actions/checkout

  publish-x64:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
    needs: checkout-linux
    with:
      environment: production-release
-      build-runs-on: electron-arc-centralus-linux-amd64-32core
+      build-runs-on: electron-arc-linux-amd64-32core
      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
      target-platform: linux
      target-arch: x64
      is-release: true
      gn-build-type: release
      generate-symbols: true
+      strip-binaries: true
      upload-to-storage: ${{ inputs.upload-to-storage }}
    secrets: inherit

  publish-arm:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
    needs: checkout-linux
    with:
      environment: production-release
-      build-runs-on: electron-arc-centralus-linux-amd64-32core
+      build-runs-on: electron-arc-linux-amd64-32core
      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
      target-platform: linux
      target-arch: arm
      is-release: true
      gn-build-type: release
      generate-symbols: true
+      strip-binaries: true
      upload-to-storage: ${{ inputs.upload-to-storage }}
    secrets: inherit

  publish-arm64:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
    needs: checkout-linux
    with:
      environment: production-release
-      build-runs-on: electron-arc-centralus-linux-amd64-32core
+      build-runs-on: electron-arc-linux-amd64-32core
      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
      target-platform: linux
      target-arch: arm64
      is-release: true
      gn-build-type: release
      generate-symbols: true
+      strip-binaries: true
      upload-to-storage: ${{ inputs.upload-to-storage }}
    secrets: inherit
--- a/.github/workflows/macos-disk-cleanup.yml
+++ b/.github/workflows/macos-disk-cleanup.yml
@@ -1,104 +0,0 @@
-name: macOS Disk Space Cleanup
-
-# Description:
-# This workflow runs the disk space reclaimer on macOS runners every night
-# and logs disk space metrics to Datadog for monitoring.
-
-on:
-  schedule:
-    - cron: "0 0 * * *"
-  workflow_dispatch:
-
-permissions: {}
-
-jobs:
-  macos-disk-cleanup:
-    strategy:
-      fail-fast: false
-      matrix:
-        runner:
-          - macos-15
-          - macos-15-large
-          - macos-15-xlarge
-    runs-on: ${{ matrix.runner }}
-    permissions:
-      contents: read
-    steps:
-      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          sparse-checkout: |
-            .github/actions/free-space-macos
-          sparse-checkout-cone-mode: false
-
-      - name: Get Disk Space Before Cleanup
-        id: disk-before
-        shell: bash
-        run: |
-          echo "Disk space before cleanup:"
-          df -h /
-          FREE_SPACE_BEFORE=$(df -k / | tail -1 | awk '{print $4}')
-          echo "free_kb=$FREE_SPACE_BEFORE" >> $GITHUB_OUTPUT
-
-      - name: Free Space on macOS
-        uses: ./.github/actions/free-space-macos
-
-      - name: Get Disk Space After Cleanup
-        id: disk-after
-        shell: bash
-        run: |
-          echo "Disk space after cleanup:"
-          df -h /
-          FREE_SPACE_AFTER=$(df -k / | tail -1 | awk '{print $4}')
-          echo "free_kb=$FREE_SPACE_AFTER" >> $GITHUB_OUTPUT
-
-      - name: Log Disk Space to Datadog
-        if: ${{ env.DD_API_KEY != '' }}
-        shell: bash
-        env:
-          DD_API_KEY: ${{ secrets.DD_API_KEY }}
-          FREE_BEFORE: ${{ steps.disk-before.outputs.free_kb }}
-          FREE_AFTER: ${{ steps.disk-after.outputs.free_kb }}
-          MATRIX_RUNNER: ${{ matrix.runner }}
-        run: |
-          TIMESTAMP=$(date +%s)
-          FREE_BEFORE_GB=$(echo "scale=2; $FREE_BEFORE / 1024 / 1024" | bc)
-          FREE_AFTER_GB=$(echo "scale=2; $FREE_AFTER / 1024 / 1024" | bc)
-          SPACE_FREED_GB=$(echo "scale=2; ($FREE_AFTER - $FREE_BEFORE) / 1024 / 1024" | bc)
-
-          echo "Free space before: ${FREE_BEFORE_GB}GB"
-          echo "Free space after: ${FREE_AFTER_GB}GB"
-          echo "Space freed: ${SPACE_FREED_GB}GB"
-
-          curl -s -X POST "https://api.datadoghq.com/api/v2/series" \
-            -H "Content-Type: application/json" \
-            -H "DD-API-KEY: ${DD_API_KEY}" \
-            -d @- << EOF
-          {
-            "series": [
-              {
-                "metric": "electron.macos.disk.free_space_before_cleanup_gb",
-                "points": [{"timestamp": ${TIMESTAMP}, "value": ${FREE_BEFORE_GB}}],
-                "type": 3,
-                "unit": "gigabyte",
-                "tags": ["runner:${MATRIX_RUNNER}", "platform:macos"]
-              },
-              {
-                "metric": "electron.macos.disk.free_space_after_cleanup_gb",
-                "points": [{"timestamp": ${TIMESTAMP}, "value": ${FREE_AFTER_GB}}],
-                "type": 3,
-                "unit": "gigabyte",
-                "tags": ["runner:${MATRIX_RUNNER}", "platform:macos"]
-              },
-              {
-                "metric": "electron.macos.disk.space_freed_gb",
-                "points": [{"timestamp": ${TIMESTAMP}, "value": ${SPACE_FREED_GB}}],
-                "type": 3,
-                "unit": "gigabyte",
-                "tags": ["runner:${MATRIX_RUNNER}", "platform:macos"]
-              }
-            ]
-          }
-          EOF
-
-          echo "Disk space metrics logged to Datadog"
--- a/.github/workflows/macos-publish.yml
+++ b/.github/workflows/macos-publish.yml
@@ -6,7 +6,7 @@ on:
      build-image-sha:
        type: string
        description: 'SHA for electron/build image'
-        default: 'a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb'
+        default: '424eedbf277ad9749ffa9219068aa72ed4a5e373'
        required: true
      upload-to-storage:
        description: 'Uploads to Azure storage'
@@ -18,13 +18,9 @@ on:
        type: boolean
        default: false

-permissions: {}
-
 jobs:
  checkout-macos:
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-32core
    container:
      image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
      options: --user root
@@ -36,7 +32,7 @@ jobs:
      GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
@@ -47,16 +43,11 @@ jobs:
        target-platform: macos

  publish-x64-darwin:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
    needs: checkout-macos
    with:
      environment: production-release
-      build-runs-on: macos-15-xlarge
+      build-runs-on: macos-14-xlarge
      target-platform: macos
      target-arch: x64
      target-variant: darwin
@@ -67,16 +58,11 @@ jobs:
    secrets: inherit

  publish-x64-mas:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
    needs: checkout-macos
    with:
      environment: production-release
-      build-runs-on: macos-15-xlarge
+      build-runs-on: macos-14-xlarge
      target-platform: macos
      target-arch: x64
      target-variant: mas
@@ -87,16 +73,11 @@ jobs:
    secrets: inherit

  publish-arm64-darwin:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
    needs: checkout-macos
    with:
      environment: production-release
-      build-runs-on: macos-15-xlarge
+      build-runs-on: macos-14-xlarge
      target-platform: macos
      target-arch: arm64
      target-variant: darwin
@@ -107,16 +88,11 @@ jobs:
    secrets: inherit

  publish-arm64-mas:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
    needs: checkout-macos
    with:
      environment: production-release
-      build-runs-on: macos-15-xlarge
+      build-runs-on: macos-14-xlarge
      target-platform: macos
      target-arch: arm64
      target-variant: mas
--- a/.github/workflows/non-maintainer-dependency-change.yml
+++ b/.github/workflows/non-maintainer-dependency-change.yml
@@ -1,46 +1,30 @@
-name: Check for Disallowed Non-Maintainer Change
+name: Check for Non-Maintainer Dependency Change

 on:
  pull_request_target:
    paths:
      - 'yarn.lock'
      - 'spec/yarn.lock'
-      - '.github/workflows/**'
-      - '.github/actions/**'
-      - '.yarn/**'
-      - '.yarnrc.yml'

-# SECURITY: This workflow uses pull_request_target and has access to secrets.
-# Do NOT checkout or run code from the PR head. All code execution must use
-# the base branch only. Adding a ref to PR head would expose secrets to
-# untrusted code.
 permissions: {}

 jobs:
  check-for-non-maintainer-dependency-change:
-    name: Check for disallowed non-maintainer change
-    if: ${{ github.event.pull_request.user.type != 'Bot' && !github.event.pull_request.draft }}
+    name: Check for non-maintainer dependency change
+    if: ${{ !contains(fromJSON('["MEMBER", "OWNER"]'), github.event.pull_request.author_association) && github.event.pull_request.user.type != 'Bot' && !github.event.pull_request.draft }}
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
-      - name: Get author association
-        id: get-author-association
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          AUTHOR_ASSOCIATION=$(gh api /repos/electron/electron/pulls/${{ github.event.pull_request.number }} --jq '.author_association')
-          echo "author_association=$AUTHOR_ASSOCIATION" >> "$GITHUB_OUTPUT"
      - name: Check for existing review
        id: check-for-review
-        if: ${{ !contains(fromJSON('["MEMBER", "OWNER"]'), steps.get-author-association.outputs.author_association) }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          set -eo pipefail
-          REVIEW_COUNT=$(gh pr view $PR_URL --json reviews | jq '[ .reviews[] | select(.author.login == "github-actions") | select(.body | startswith("<!-- disallowed-non-maintainer-change -->")) ] | length')
+          REVIEW_COUNT=$(gh pr view $PR_URL --json reviews | jq '[ .reviews[] | select(.author.login == "github-actions") | select(.body | startswith("<!-- no-dependency-change -->")) ] | length')
          if [[ $REVIEW_COUNT -eq 0 ]]; then
            echo "SHOULD_REVIEW=1" >> "$GITHUB_OUTPUT"
          fi
@@ -49,6 +33,5 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
-          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
-          printf "<!-- disallowed-non-maintainer-change -->\n\nHello @${PR_AUTHOR}! It looks like this pull request touches one of our dependency or CI files, and per [our contribution policy](https://github.com/electron/electron/blob/main/CONTRIBUTING.md#dependencies-upgrades-policy) we do not accept these types of changes in PRs." | gh pr review $PR_URL -r --body-file=-
+          printf "<!-- no-dependency-change -->\n\nHello @${{ github.event.pull_request.user.login }}! It looks like this pull request touches one of our dependency files, and per [our contribution policy](https://github.com/electron/electron/blob/main/CONTRIBUTING.md#dependencies-upgrades-policy) we do not accept these types of changes in PRs." | gh pr review $PR_URL -r --body-file=-
--- a/.github/workflows/package.json
+++ b/.github/workflows/package.json
@@ -1,13 +0,0 @@
-{
-  "name": "@electron/gha-workflows",
-  "version": "0.0.0-development",
-  "private": true,
-  "type": "module",
-  "dependencies": {
-    "@actions/cache": "^4.0.3",
-    "@electron/fiddle-core": "^2.0.1",
-    "mdast-util-from-markdown": "^2.0.0",
-    "semver": "^7.7.2",
-    "unist-util-select": "^5.1.0"
-  }
-}
--- a/.github/workflows/pipeline-electron-build-and-test-and-nan.yml
+++ b/.github/workflows/pipeline-electron-build-and-test-and-nan.yml
@@ -55,8 +55,6 @@ on:
        type: boolean
        default: false

-permissions: {}
-
 concurrency:
  group: electron-build-and-test-and-nan-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
  cancel-in-progress: ${{ github.ref_protected != true }}
@@ -64,8 +62,6 @@ concurrency:
 jobs:
  build:
    uses: ./.github/workflows/pipeline-segment-electron-build.yml
-    permissions:
-      contents: read
    with:
      build-runs-on: ${{ inputs.build-runs-on }}
      build-container: ${{ inputs.build-container }}
@@ -78,10 +74,6 @@ jobs:
    secrets: inherit
  test:
    uses: ./.github/workflows/pipeline-segment-electron-test.yml
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
    needs: build
    with:
      target-arch: ${{ inputs.target-arch }}
@@ -91,8 +83,6 @@ jobs:
    secrets: inherit
  nn-test:
    uses: ./.github/workflows/pipeline-segment-node-nan-test.yml
-    permissions:
-      contents: read
    needs: build
    with:
      target-arch: ${{ inputs.target-arch }}
--- a/.github/workflows/pipeline-electron-build-and-test.yml
+++ b/.github/workflows/pipeline-electron-build-and-test.yml
@@ -54,23 +54,19 @@ on:
        required: false
        type: boolean
        default: false
-      enable-ssh:
-        description: 'Enable SSH debugging'
-        required: false
-        type: boolean
-        default: false

 concurrency:
  group: electron-build-and-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
  cancel-in-progress: ${{ github.ref_protected != true }}

-permissions: {}
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read  

 jobs:
  build:
    uses: ./.github/workflows/pipeline-segment-electron-build.yml
-    permissions:
-      contents: read
    with:
      build-runs-on: ${{ inputs.build-runs-on }}
      build-container: ${{ inputs.build-container }}
@@ -80,21 +76,15 @@ jobs:
      gn-build-type: ${{ inputs.gn-build-type }}
      generate-symbols: ${{ inputs.generate-symbols }}
      upload-to-storage: ${{ inputs.upload-to-storage }}
-      is-asan: ${{ inputs.is-asan }}
-      enable-ssh: ${{ inputs.enable-ssh }}
+      is-asan: ${{ inputs.is-asan}}
    secrets: inherit
  test:
    uses: ./.github/workflows/pipeline-segment-electron-test.yml
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
    needs: build
    with:
      target-arch: ${{ inputs.target-arch }}
      target-platform: ${{ inputs.target-platform }}
      test-runs-on: ${{ inputs.test-runs-on }}
      test-container: ${{ inputs.test-container }}
-      is-asan: ${{ inputs.is-asan }}
-      enable-ssh: ${{ inputs.enable-ssh }}
+      is-asan: ${{ inputs.is-asan}}
    secrets: inherit
--- a/.github/workflows/pipeline-electron-docs-only.yml
+++ b/.github/workflows/pipeline-electron-docs-only.yml
@@ -8,42 +8,19 @@ on:
        description: 'Container to run the docs-only ts compile in'
        type: string

-permissions: {}
-
 concurrency:
  group: electron-docs-only-${{ github.ref }}
  cancel-in-progress: true

-env:  
-  GCLIENT_EXTRA_ARGS: --custom-var=checkout_arm=True --custom-var=checkout_arm64=True
-
 jobs:
  docs-only:
    name: Docs Only Compile
-    runs-on: electron-arc-centralus-linux-amd64-4core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-4core
    timeout-minutes: 20
    container: ${{ fromJSON(inputs.container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
-      with:
-        path: src/electron
-        fetch-depth: 0
-        ref: ${{ github.event.pull_request.head.sha }}
-    - name: Generate DEPS Hash
-      run: |
-        node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
-        echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
-        echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
-    - name: Restore src cache via AKS
-      uses: ./src/electron/.github/actions/restore-cache-aks
-      with:
-        target-platform: linux
-    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
@@ -54,12 +31,12 @@ jobs:
      shell: bash
      run: |
        cd src/electron
-        node script/yarn.js create-typescript-definitions
-        node script/yarn.js tsc -p tsconfig.default_app.json --noEmit
+        node script/yarn create-typescript-definitions
+        node script/yarn tsc -p tsconfig.default_app.json --noEmit
        for f in build/webpack/*.js
        do
            out="${f:29}"
            if [ "$out" != "base.js" ]; then
-            node script/yarn.js webpack --config $f --output-filename=$out --output-path=./.tmp --env mode=development
+            node script/yarn webpack --config $f --output-filename=$out --output-path=./.tmp --env mode=development
            fi
        done
--- a/.github/workflows/pipeline-electron-lint.yml
+++ b/.github/workflows/pipeline-electron-lint.yml
@@ -8,8 +8,6 @@ on:
        description: 'Container to run lint in'
        type: string

-permissions: {}
-
 concurrency:
  group: electron-lint-${{ github.ref_protected == true && github.run_id || github.ref }}
  cancel-in-progress: ${{ github.ref_protected != true }}
@@ -20,14 +18,12 @@ env:
 jobs:
  lint:
    name: Lint
-    runs-on: electron-arc-centralus-linux-amd64-4core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-4core
    timeout-minutes: 20
    container: ${{ fromJSON(inputs.container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
@@ -46,11 +42,7 @@ jobs:
      shell: bash
      run: |
        chromium_revision="$(grep -A1 chromium_version src/electron/DEPS | tr -d '\n' | cut -d\' -f4)"
-        if [[ ! "$chromium_revision" =~ ^[a-zA-Z0-9._-]+$ ]]; then
-          echo "::error::Invalid chromium_revision: $chromium_revision"
-          exit 1
-        fi
-        gn_version="$(curl -sL "https://raw.githubusercontent.com/chromium/chromium/refs/tags/${chromium_revision}/DEPS" | grep gn_version | head -n1 | cut -d\' -f4)"
+        gn_version="$(curl -sL "https://chromium.googlesource.com/chromium/src/+/${chromium_revision}/DEPS?format=TEXT" | base64 -d | grep gn_version | head -n1 | cut -d\' -f4)"

        cipd ensure -ensure-file - -root . <<-CIPD
        \$ServiceURL https://chrome-infra-packages.appspot.com/
@@ -64,20 +56,14 @@ jobs:
      shell: bash
      run: |
        chromium_revision="$(grep -A1 chromium_version src/electron/DEPS | tr -d '\n' | cut -d\' -f4)"
-        if [[ ! "$chromium_revision" =~ ^[a-zA-Z0-9._-]+$ ]]; then
-          echo "::error::Invalid chromium_revision: $chromium_revision"
-          exit 1
-        fi

        mkdir -p src/buildtools
-        curl -sL "https://raw.githubusercontent.com/chromium/chromium/refs/tags/${chromium_revision}/buildtools/DEPS" > src/buildtools/DEPS
+        curl -sL "https://chromium.googlesource.com/chromium/src/+/${chromium_revision}/buildtools/DEPS?format=TEXT" | base64 -d > src/buildtools/DEPS

        gclient sync --spec="solutions=[{'name':'src/buildtools','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':True},'managed':False}]"
-    - name: Add problem matchers
+    - name: Add ESLint problem matcher
      shell: bash
-      run: |
-        echo "::add-matcher::src/electron/.github/problem-matchers/eslint-stylish.json"
-        echo "::add-matcher::src/electron/.github/problem-matchers/markdownlint.json"
+      run: echo "::add-matcher::src/electron/.github/problem-matchers/eslint-stylish.json"
    - name: Run Lint
      shell: bash
      run: |
@@ -88,15 +74,11 @@ jobs:
        # but then we would lint its contents (at least gn format), and it doesn't pass it.

        cd src/electron
-        node script/yarn.js install --immutable
-        node script/yarn.js lint
+        node script/yarn install --frozen-lockfile
+        node script/yarn lint
    - name: Run Script Typechecker
      shell: bash
      run: |
        cd src/electron
-        node script/yarn.js tsc -p tsconfig.script.json
-    - name: Check GHA Workflows
-      shell: bash
-      run: |
-        cd src/electron
-        node script/copy-pipeline-segment-publish.js --check
+        node script/yarn tsc -p tsconfig.script.json
+    
--- a/.github/workflows/pipeline-segment-build-siso-windows.yml
+++ b/.github/workflows/pipeline-segment-build-siso-windows.yml
@@ -1,98 +0,0 @@
-name: Pipeline Segment - Build Siso (Windows)
-
-# Builds a patched siso binary for Windows CI. Reads the siso revision from
-# the Chromium DEPS file at the pinned chromium_version, shallow-clones
-# chromium.googlesource.com/build at that revision, applies the patches under
-# .github/siso-patches/, cross-compiles siso.exe for windows/amd64, and
-# publishes it as the `siso-windows-amd64` artifact. The Windows build jobs
-# download it and use it via SISO_PATH. The built binary is cached keyed on
-# the siso revision + sha256 of the patch contents, so subsequent runs just
-# restore it.
-
-on:
-  workflow_call: {}
-
-permissions: {}
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      with:
-        fetch-depth: 1
-        ref: ${{ github.event.pull_request.head.sha }}
-        sparse-checkout: |
-          DEPS
-          .github/siso-patches
-    - name: Resolve siso revision from Chromium DEPS
-      id: resolve
-      run: |
-        set -euo pipefail
-        CHROMIUM_VERSION=$(python3 -c "import re; print(re.search(r\"'chromium_version':\s*\n\s*'([^']+)'\", open('DEPS').read()).group(1))")
-        if ! [[ "$CHROMIUM_VERSION" =~ ^[0-9]+(\.[0-9]+){1,3}$ ]]; then
-          echo "error: unexpected chromium_version format: $CHROMIUM_VERSION" >&2
-          exit 1
-        fi
-        curl -sfL "https://raw.githubusercontent.com/chromium/chromium/${CHROMIUM_VERSION}/DEPS" -o /tmp/chromium-DEPS
-        SISO_SHA=$(python3 -c "import re; print(re.search(r\"'siso_version':\s*'git_revision:([0-9a-f]+)'\", open('/tmp/chromium-DEPS').read()).group(1))")
-        if ! [[ "$SISO_SHA" =~ ^[0-9a-f]{40}$ ]]; then
-          echo "error: unexpected siso_version SHA: $SISO_SHA" >&2
-          exit 1
-        fi
-        PATCHES_HASH=$(find .github/siso-patches -type f -name '*.patch' | sort | xargs sha256sum | sha256sum | awk '{print $1}')
-        echo "siso-sha=${SISO_SHA}" >> "$GITHUB_OUTPUT"
-        echo "patches-hash=${PATCHES_HASH}" >> "$GITHUB_OUTPUT"
-        echo "Chromium ${CHROMIUM_VERSION} pins siso at ${SISO_SHA}"
-        echo "Patches hash: ${PATCHES_HASH}"
-    - name: Restore cached siso binary
-      id: cache-siso
-      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-      with:
-        path: siso-out/siso.exe
-        key: siso-windows-amd64-${{ steps.resolve.outputs.siso-sha }}-${{ steps.resolve.outputs.patches-hash }}
-    - name: Shallow clone chromium build repo at pinned revision
-      if: steps.cache-siso.outputs.cache-hit != 'true'
-      env:
-        SISO_SHA: ${{ steps.resolve.outputs.siso-sha }}
-      run: |
-        set -euo pipefail
-        mkdir chromium-build
-        cd chromium-build
-        git init -q
-        git remote add origin https://chromium.googlesource.com/build
-        git -c protocol.version=2 fetch --depth=1 origin "$SISO_SHA"
-        git checkout --detach FETCH_HEAD
-    - name: Apply in-tree siso patches
-      if: steps.cache-siso.outputs.cache-hit != 'true'
-      run: |
-        set -euo pipefail
-        cd chromium-build
-        git -c user.name=electron-ci -c user.email=ci@electronjs.org \
-          am --3way "${GITHUB_WORKSPACE}/.github/siso-patches"/*.patch
-    - name: Set up Go
-      if: steps.cache-siso.outputs.cache-hit != 'true'
-      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-      with:
-        go-version-file: chromium-build/siso/go.mod
-        cache: false
-    - name: Build siso (windows/amd64)
-      if: steps.cache-siso.outputs.cache-hit != 'true'
-      working-directory: chromium-build/siso
-      env:
-        CGO_ENABLED: '0'
-        GOOS: windows
-        GOARCH: amd64
-      run: |
-        mkdir -p "${GITHUB_WORKSPACE}/siso-out"
-        go build -trimpath -o "${GITHUB_WORKSPACE}/siso-out/siso.exe" .
-    - name: Upload siso artifact
-      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-      with:
-        name: siso-windows-amd64
-        path: siso-out/siso.exe
-        if-no-files-found: error
-        retention-days: 1
--- a/.github/workflows/pipeline-segment-electron-build.yml
+++ b/.github/workflows/pipeline-segment-electron-build.yml
@@ -48,18 +48,17 @@ on:
        required: true
        type: string
        default: '0'
+      strip-binaries: 
+        description: 'Strip the binaries before release (Linux only)'
+        required: false
+        type: boolean
+        default: false
      is-asan: 
        description: 'Building the Address Sanitizer (ASan) Linux build'
        required: false
        type: boolean
        default: false
-      enable-ssh:
-        description: 'Enable SSH debugging'
-        required: false
-        type: boolean
-        default: false

-permissions: {}

 concurrency:
  group: electron-build-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.target-variant }}-${{ inputs.is-asan }}-${{ github.ref_protected == true && github.run_id || github.ref }}
@@ -68,13 +67,12 @@ concurrency:
 env:
  CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
  CHROMIUM_GIT_COOKIE_WINDOWS_STRING: ${{ secrets.CHROMIUM_GIT_COOKIE_WINDOWS_STRING }}
-  DD_API_KEY: ${{ secrets.DD_API_KEY }}
  ELECTRON_ARTIFACTS_BLOB_STORAGE: ${{ secrets.ELECTRON_ARTIFACTS_BLOB_STORAGE }}
  ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
  SUDOWOODO_EXCHANGE_URL: ${{ secrets.SUDOWOODO_EXCHANGE_URL }}
+  SUDOWOODO_EXCHANGE_TOKEN: ${{ secrets.SUDOWOODO_EXCHANGE_TOKEN }}
  GCLIENT_EXTRA_ARGS: ${{ inputs.target-platform == 'macos' && '--custom-var=checkout_mac=True --custom-var=host_os=mac' || inputs.target-platform == 'win' && '--custom-var=checkout_win=True' || '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True' }}
  ELECTRON_OUT_DIR: Default
-  ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }}

 jobs:
  build:
@@ -82,34 +80,20 @@ jobs:
      run:
        shell: bash
    runs-on: ${{ inputs.build-runs-on }}
-    permissions:
-      contents: read
    container: ${{ fromJSON(inputs.build-container) }}
    environment: ${{ inputs.environment }}
    env:
      TARGET_ARCH: ${{ inputs.target-arch }}
-      TARGET_PLATFORM: ${{ inputs.target-platform }}
    steps:
    - name: Create src dir
      run: |
        mkdir src
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
        ref: ${{ github.event.pull_request.head.sha }}
-    - name: Setup SSH Debugging
-      if: ${{ inputs.target-platform == 'macos' && (inputs.enable-ssh || env.ACTIONS_STEP_DEBUG == 'true') }}
-      uses: ./src/electron/.github/actions/ssh-debug
-      with:
-        tunnel: 'true'
-      env:
-        CLOUDFLARE_TUNNEL_CERT: ${{ secrets.CLOUDFLARE_TUNNEL_CERT }}
-        CLOUDFLARE_TUNNEL_HOSTNAME: ${{ vars.CLOUDFLARE_TUNNEL_HOSTNAME }}
-        CLOUDFLARE_USER_CA_CERT: ${{ secrets.CLOUDFLARE_USER_CA_CERT }}
-        AUTHORIZED_USERS: ${{ secrets.SSH_DEBUG_AUTHORIZED_USERS }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Free up space (macOS)
      if: ${{ inputs.target-platform == 'macos' }}
      uses: ./src/electron/.github/actions/free-space-macos
@@ -118,9 +102,9 @@ jobs:
      run: df -h
    - name: Setup Node.js/npm
      if: ${{ inputs.target-platform == 'macos' }}
-      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
      with:
-        node-version: 22.21.x
+        node-version: 20.19.x
        cache: yarn
        cache-dependency-path: src/electron/yarn.lock
    - name: Install Dependencies
@@ -150,7 +134,7 @@ jobs:
    - name: Generate DEPS Hash
      run: |
        node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
+        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
        echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
        echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
    - name: Restore src cache via AZCopy
@@ -162,7 +146,7 @@ jobs:
      if: ${{ inputs.target-platform == 'linux' }}
      uses: ./src/electron/.github/actions/restore-cache-aks
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
@@ -176,7 +160,7 @@ jobs:
        ELECTRON_DEPOT_TOOLS_DISABLE_LOG: true
    - name: Init Build Tools
      run: |
-        e init -f --root=$(pwd) --out=Default ${{ inputs.gn-build-type }} --import ${{ inputs.gn-build-type }} --target-cpu ${{ inputs.target-arch }} --remote-build siso
+        e init -f --root=$(pwd) --out=Default ${{ inputs.gn-build-type }} --import ${{ inputs.gn-build-type }} --target-cpu ${{ inputs.target-arch }}
    - name: Run Electron Only Hooks
      run: |
        e d gclient runhooks --spec="solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False},'managed':False}]"
@@ -186,25 +170,12 @@ jobs:
        echo "DEPSHASH=$(cat src/electron/.depshash)" >> $GITHUB_ENV
    - name: Add CHROMIUM_BUILDTOOLS_PATH to env
      run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
+    - name: Setup Number of Ninja Processes
+      run: |
+        echo "NUMBER_OF_NINJA_PROCESSES=${{ inputs.target-platform != 'macos' && '300' || '200' }}" >> $GITHUB_ENV
    - name: Free up space (macOS)
      if: ${{ inputs.target-platform == 'macos' }}
      uses: ./src/electron/.github/actions/free-space-macos
-    - name: Download custom siso binary (Windows)
-      if: ${{ inputs.target-platform == 'win' }}
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-      with:
-        name: siso-windows-amd64
-        path: ${{ runner.temp }}/siso
-    - name: Set SISO_PATH (Windows)
-      if: ${{ inputs.target-platform == 'win' }}
-      run: |
-        SISO_BIN="${RUNNER_TEMP}/siso/siso.exe"
-        if [ ! -f "$SISO_BIN" ]; then
-          echo "error: expected siso binary at $SISO_BIN" >&2
-          exit 1
-        fi
-        echo "SISO_PATH=$SISO_BIN" >> "$GITHUB_ENV"
-        echo "Using custom siso binary at $SISO_BIN"
    - name: Build Electron
      if: ${{ inputs.target-platform != 'macos' || (inputs.target-variant == 'all' || inputs.target-variant == 'darwin') }}
      uses: ./src/electron/.github/actions/build-electron
@@ -214,6 +185,7 @@ jobs:
        artifact-platform: ${{ inputs.target-platform == 'macos' && 'darwin' || inputs.target-platform }}
        is-release: '${{ inputs.is-release }}'
        generate-symbols: '${{ inputs.generate-symbols }}'
+        strip-binaries: '${{ inputs.strip-binaries }}'
        upload-to-storage: '${{ inputs.upload-to-storage }}'
        is-asan: '${{ inputs.is-asan }}'
    - name: Set GN_EXTRA_ARGS for MAS Build
--- a/.github/workflows/pipeline-segment-electron-gn-check.yml
+++ b/.github/workflows/pipeline-segment-electron-gn-check.yml
@@ -26,8 +26,6 @@ on:
        type: string
        default: testing

-permissions: {}
-
 concurrency:
  group: electron-gn-check-${{ inputs.target-platform }}-${{ github.ref }}
  cancel-in-progress: true
@@ -43,12 +41,10 @@ jobs:
      run:
        shell: bash
    runs-on: ${{ inputs.check-runs-on }}
-    permissions:
-      contents: read
    container: ${{ fromJSON(inputs.check-container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
@@ -81,7 +77,7 @@ jobs:
    - name: Generate DEPS Hash
      run: |
        node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
+        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
        echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
        echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
    - name: Restore src cache via AZCopy
@@ -115,7 +111,7 @@ jobs:
    - name: Add CHROMIUM_BUILDTOOLS_PATH to env
      run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
--- a/.github/workflows/pipeline-segment-electron-publish.yml
+++ b/.github/workflows/pipeline-segment-electron-publish.yml
@@ -1,252 +0,0 @@
-# AUTOGENERATED FILE - DO NOT EDIT MANUALLY
-# ONLY EDIT .github/workflows/pipeline-segment-electron-build.yml
-
-name: Pipeline Segment - Electron Build
-on:
-  workflow_call:
-    inputs:
-      environment:
-        description: using the production or testing environment
-        required: false
-        type: string
-      target-platform:
-        type: string
-        description: Platform to run on, can be macos, win or linux
-        required: true
-      target-arch:
-        type: string
-        description: Arch to build for, can be x64, arm64, ia32 or arm
-        required: true
-      target-variant:
-        type: string
-        description: Variant to build for, no effect on non-macOS target platforms. Can
-          be darwin, mas or all.
-        default: all
-      build-runs-on:
-        type: string
-        description: What host to run the build
-        required: true
-      build-container:
-        type: string
-        description: JSON container information for aks runs-on
-        required: false
-        default: '{"image":null}'
-      is-release:
-        description: Whether this build job is a release job
-        required: true
-        type: boolean
-        default: false
-      gn-build-type:
-        description: The gn build type - testing or release
-        required: true
-        type: string
-        default: testing
-      generate-symbols:
-        description: Whether or not to generate symbols
-        required: true
-        type: boolean
-        default: false
-      upload-to-storage:
-        description: Whether or not to upload build artifacts to external storage
-        required: true
-        type: string
-        default: "0"
-      is-asan:
-        description: Building the Address Sanitizer (ASan) Linux build
-        required: false
-        type: boolean
-        default: false
-      enable-ssh:
-        description: Enable SSH debugging
-        required: false
-        type: boolean
-        default: false
-permissions: {}
-concurrency:
-  group: electron-build-${{ inputs.target-platform }}-${{ inputs.target-arch
-    }}-${{ inputs.target-variant }}-${{ inputs.is-asan }}-${{
-    github.ref_protected == true && github.run_id || github.ref }}
-  cancel-in-progress: ${{ github.ref_protected != true }}
-env:
-  CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
-  CHROMIUM_GIT_COOKIE_WINDOWS_STRING: ${{ secrets.CHROMIUM_GIT_COOKIE_WINDOWS_STRING }}
-  DD_API_KEY: ${{ secrets.DD_API_KEY }}
-  ELECTRON_ARTIFACTS_BLOB_STORAGE: ${{ secrets.ELECTRON_ARTIFACTS_BLOB_STORAGE }}
-  ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
-  SUDOWOODO_EXCHANGE_URL: ${{ secrets.SUDOWOODO_EXCHANGE_URL }}
-  GCLIENT_EXTRA_ARGS: ${{ inputs.target-platform == 'macos' &&
-    '--custom-var=checkout_mac=True --custom-var=host_os=mac' ||
-    inputs.target-platform == 'win' && '--custom-var=checkout_win=True' ||
-    '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True' }}
-  ELECTRON_OUT_DIR: Default
-  ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }}
-jobs:
-  build:
-    defaults:
-      run:
-        shell: bash
-    runs-on: ${{ inputs.build-runs-on }}
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
-    container: ${{ fromJSON(inputs.build-container) }}
-    environment: ${{ inputs.environment }}
-    env:
-      TARGET_ARCH: ${{ inputs.target-arch }}
-      TARGET_PLATFORM: ${{ inputs.target-platform }}
-    steps:
-      - name: Create src dir
-        run: |
-          mkdir src
-      - name: Checkout Electron
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
-        with:
-          path: src/electron
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Setup SSH Debugging
-        if: ${{ inputs.target-platform == 'macos' && (inputs.enable-ssh ||
-          env.ACTIONS_STEP_DEBUG == 'true') }}
-        uses: ./src/electron/.github/actions/ssh-debug
-        with:
-          tunnel: "true"
-        env:
-          CLOUDFLARE_TUNNEL_CERT: ${{ secrets.CLOUDFLARE_TUNNEL_CERT }}
-          CLOUDFLARE_TUNNEL_HOSTNAME: ${{ vars.CLOUDFLARE_TUNNEL_HOSTNAME }}
-          CLOUDFLARE_USER_CA_CERT: ${{ secrets.CLOUDFLARE_USER_CA_CERT }}
-          AUTHORIZED_USERS: ${{ secrets.SSH_DEBUG_AUTHORIZED_USERS }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Free up space (macOS)
-        if: ${{ inputs.target-platform == 'macos' }}
-        uses: ./src/electron/.github/actions/free-space-macos
-      - name: Check disk space after freeing up space
-        if: ${{ inputs.target-platform == 'macos' }}
-        run: df -h
-      - name: Setup Node.js/npm
-        if: ${{ inputs.target-platform == 'macos' }}
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
-        with:
-          node-version: 22.21.x
-          cache: yarn
-          cache-dependency-path: src/electron/yarn.lock
-      - name: Install Dependencies
-        uses: ./src/electron/.github/actions/install-dependencies
-      - name: Install AZCopy
-        if: ${{ inputs.target-platform == 'macos' }}
-        run: brew install azcopy
-      - name: Set GN_EXTRA_ARGS for Linux
-        if: ${{ inputs.target-platform == 'linux' }}
-        run: >
-          if [ "${{ inputs.target-arch  }}" = "arm" ]; then
-            if [ "${{ inputs.is-release  }}" = true ]; then
-              GN_EXTRA_ARGS='target_cpu="arm" build_tflite_with_xnnpack=false symbol_level=1'
-            else
-              GN_EXTRA_ARGS='target_cpu="arm" build_tflite_with_xnnpack=false'
-            fi
-          elif [ "${{ inputs.target-arch }}" = "arm64" ]; then
-            GN_EXTRA_ARGS='target_cpu="arm64" fatal_linker_warnings=false enable_linux_installer=false'
-          elif [ "${{ inputs.is-asan }}" = true ]; then
-            GN_EXTRA_ARGS='is_asan=true'
-          fi
-
-          echo "GN_EXTRA_ARGS=$GN_EXTRA_ARGS" >> $GITHUB_ENV
-      - name: Set Chromium Git Cookie
-        uses: ./src/electron/.github/actions/set-chromium-cookie
-      - name: Install Build Tools
-        uses: ./src/electron/.github/actions/install-build-tools
-      - name: Generate DEPS Hash
-        run: |
-          node src/electron/script/generate-deps-hash.js
-          DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
-          echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
-          echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
-      - name: Restore src cache via AZCopy
-        if: ${{ inputs.target-platform != 'linux' }}
-        uses: ./src/electron/.github/actions/restore-cache-azcopy
-        with:
-          target-platform: ${{ inputs.target-platform }}
-      - name: Restore src cache via AKS
-        if: ${{ inputs.target-platform == 'linux' }}
-        uses: ./src/electron/.github/actions/restore-cache-aks
-      - name: Checkout Electron
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
-        with:
-          path: src/electron
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Fix Sync
-        if: ${{ inputs.target-platform != 'linux' }}
-        uses: ./src/electron/.github/actions/fix-sync
-        with:
-          target-platform: ${{ inputs.target-platform }}
-        env:
-          ELECTRON_DEPOT_TOOLS_DISABLE_LOG: true
-      - name: Init Build Tools
-        run: >
-          e init -f --root=$(pwd) --out=Default ${{ inputs.gn-build-type }}
-          --import ${{ inputs.gn-build-type }} --target-cpu ${{
-          inputs.target-arch }} --remote-build siso
-      - name: Run Electron Only Hooks
-        run: |
-          e d gclient runhooks --spec="solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False},'managed':False}]"
-      - name: Regenerate DEPS Hash
-        run: >
-          (cd src/electron && git checkout .) && node
-          src/electron/script/generate-deps-hash.js
-
-          echo "DEPSHASH=$(cat src/electron/.depshash)" >> $GITHUB_ENV
-      - name: Add CHROMIUM_BUILDTOOLS_PATH to env
-        run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
-      - name: Free up space (macOS)
-        if: ${{ inputs.target-platform == 'macos' }}
-        uses: ./src/electron/.github/actions/free-space-macos
-      - name: Download custom siso binary (Windows)
-        if: ${{ inputs.target-platform == 'win' }}
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
-        with:
-          name: siso-windows-amd64
-          path: ${{ runner.temp }}/siso
-      - name: Set SISO_PATH (Windows)
-        if: ${{ inputs.target-platform == 'win' }}
-        run: |
-          SISO_BIN="${RUNNER_TEMP}/siso/siso.exe"
-          if [ ! -f "$SISO_BIN" ]; then
-            echo "error: expected siso binary at $SISO_BIN" >&2
-            exit 1
-          fi
-          echo "SISO_PATH=$SISO_BIN" >> "$GITHUB_ENV"
-          echo "Using custom siso binary at $SISO_BIN"
-      - name: Build Electron
-        if: ${{ inputs.target-platform != 'macos' || (inputs.target-variant == 'all' ||
-          inputs.target-variant == 'darwin') }}
-        uses: ./src/electron/.github/actions/build-electron
-        with:
-          target-arch: ${{ inputs.target-arch }}
-          target-platform: ${{ inputs.target-platform }}
-          artifact-platform: ${{ inputs.target-platform == 'macos' && 'darwin' ||
-            inputs.target-platform }}
-          is-release: ${{ inputs.is-release }}
-          generate-symbols: ${{ inputs.generate-symbols }}
-          upload-to-storage: ${{ inputs.upload-to-storage }}
-          is-asan: ${{ inputs.is-asan }}
-      - name: Set GN_EXTRA_ARGS for MAS Build
-        if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' ||
-          inputs.target-variant == 'mas') }}
-        run: |
-          echo "MAS_BUILD=true" >> $GITHUB_ENV
-          GN_EXTRA_ARGS='is_mas_build=true'
-          echo "GN_EXTRA_ARGS=$GN_EXTRA_ARGS" >> $GITHUB_ENV
-      - name: Build Electron (MAS)
-        if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' ||
-          inputs.target-variant == 'mas') }}
-        uses: ./src/electron/.github/actions/build-electron
-        with:
-          target-arch: ${{ inputs.target-arch }}
-          target-platform: ${{ inputs.target-platform }}
-          artifact-platform: mas
-          is-release: ${{ inputs.is-release }}
-          generate-symbols: ${{ inputs.generate-symbols }}
-          upload-to-storage: ${{ inputs.upload-to-storage }}
-          step-suffix: (mas)
--- a/.github/workflows/pipeline-segment-electron-test.yml
+++ b/.github/workflows/pipeline-segment-electron-test.yml
@@ -25,26 +25,21 @@ on:
        required: false
        type: boolean
        default: false
-      enable-ssh:
-        description: 'Enable SSH debugging'
-        required: false
-        type: boolean
-        default: false

 concurrency:
  group: electron-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.is-asan }}-${{ github.ref_protected == true && github.run_id || github.ref }}
  cancel-in-progress: ${{ github.ref_protected != true }}

-permissions: {}
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read

 env:
  CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
  CHROMIUM_GIT_COOKIE_WINDOWS_STRING: ${{ secrets.CHROMIUM_GIT_COOKIE_WINDOWS_STRING }}
  ELECTRON_OUT_DIR: Default
  ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
-  ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }}
-  # @sentry/cli is only needed by release upload-symbols.py; skip the ~17MB CDN download on test jobs
-  SENTRYCLI_SKIP_DOWNLOAD: 1

 jobs:
  test:
@@ -52,16 +47,12 @@ jobs:
      run:
        shell: bash
    runs-on: ${{ inputs.test-runs-on }}
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
    container: ${{ fromJSON(inputs.test-container) }}
    strategy:
      fail-fast: false
      matrix:
        build-type: ${{ inputs.target-platform == 'macos' && fromJSON('["darwin","mas"]') || (inputs.target-platform == 'win' && fromJSON('["win"]') || fromJSON('["linux"]')) }}
-        shard: ${{ case(inputs.target-platform == 'linux', fromJSON('[1, 2, 3]'), inputs.target-platform == 'macos' && inputs.target-arch == 'x64', fromJSON('[1, 2, 3]'), fromJSON('[1, 2]')) }}
+        shard: ${{ inputs.target-platform == 'linux' && fromJSON('[1, 2, 3]') || fromJSON('[1, 2]') }}
    env:
      BUILD_TYPE: ${{ matrix.build-type }}
      TARGET_ARCH: ${{ inputs.target-arch }}
@@ -71,16 +62,29 @@ jobs:
      if: ${{ inputs.target-arch == 'arm' && inputs.target-platform == 'linux' }}
      run: |
        cp $(which node) /mnt/runner-externals/node20/bin/
-        cp $(which node) /mnt/runner-externals/node24/bin/
+    - name: Install Git on Windows arm64 runners
+      if: ${{ inputs.target-arch == 'arm64' && inputs.target-platform == 'win' }}
+      shell: powershell
+      run: |
+        Set-ExecutionPolicy Bypass -Scope Process -Force
+        [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
+        iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
+        choco install -y --no-progress git.install --params "'/GitAndUnixToolsOnPath'"
+        choco install -y --no-progress git
+        choco install -y --no-progress python --version 3.11.9
+        choco install -y --no-progress visualstudio2022-workload-vctools --package-parameters "--add Microsoft.VisualStudio.Component.VC.Tools.ARM64"
+        echo "C:\Program Files\Git\cmd" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+        echo "C:\Program Files\Git\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+        echo "C:\Python311" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+        cp "C:\Python311\python.exe" "C:\Python311\python3.exe"
    - name: Setup Node.js/npm
      if: ${{ inputs.target-platform == 'win' }}
-      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
      with:
-        node-version: 22.21.x
+        node-version: 20.19.x
    - name: Add TCC permissions on macOS
      if: ${{ inputs.target-platform == 'macos' }}
      run: |
-        epochdate=$(($(date +'%s * 1000 + %-N / 1000000')))
        configure_user_tccdb () {
          local values=$1
          local dbPath="$HOME/Library/Application Support/com.apple.TCC/TCC.db"
@@ -96,17 +100,14 @@ jobs:
        }

        userValuesArray=(
+            "'kTCCServiceMicrophone','/usr/local/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
            "'kTCCServiceCamera','/usr/local/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
            "'kTCCServiceBluetoothAlways','/usr/local/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
-            "'kTCCServiceAppleEvents','/usr/local/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
-            "'kTCCServiceCamera','/opt/hca/hosted-compute-agent',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
-            "'kTCCServiceBluetoothAlways','/opt/hca/hosted-compute-agent',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
-            "'kTCCServiceScreenCapture','/bin/bash',1,2,3,1,NULL,NULL,NULL,'UNUSED',NULL,0,$epochdate"
        )
        for values in "${userValuesArray[@]}"; do
          # Sonoma and higher have a few extra values
          # Ref: https://github.com/actions/runner-images/blob/main/images/macos/scripts/build/configure-tccdb-macos.sh
-          if [ "$OSTYPE" = "darwin23" ] || [ "$OSTYPE" = "darwin24" ]; then
+          if [ "$OSTYPE" = "darwin23" ]; then
            configure_user_tccdb "$values,NULL,NULL,'UNUSED',${values##*,}"
            configure_sys_tccdb "$values,NULL,NULL,'UNUSED',${values##*,}"
          else
@@ -117,32 +118,12 @@ jobs:
    - name: Turn off the unexpectedly quit dialog on macOS
      if: ${{ inputs.target-platform == 'macos' }}
      run: defaults write com.apple.CrashReporter DialogType server
-    - name: Set xcode to 16.4
-      if: ${{ inputs.target-platform == 'macos' }}
-      run: sudo xcode-select --switch /Applications/Xcode_16.4.app
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
        ref: ${{ github.event.pull_request.head.sha }}
-    - name: Turn off screenshot nag on macOS
-      if: ${{ inputs.target-platform == 'macos' }}
-      run: |
-        defaults write ~/Library/Group\ Containers/group.com.apple.replayd/ScreenCaptureApprovals.plist "/bin/bash" -date "3024-09-23 12:00:00 +0000"
-        src/electron/script/actions/screencapture-nag-remover.sh -a $(which bash)
-        src/electron/script/actions/screencapture-nag-remover.sh -a /opt/hca/hosted-compute-agent
-    - name: Setup SSH Debugging
-      if: ${{ inputs.target-platform == 'macos' && (inputs.enable-ssh || env.ACTIONS_STEP_DEBUG == 'true') }}
-      uses: ./src/electron/.github/actions/ssh-debug
-      with:
-        tunnel: 'true'
-      env:
-        CLOUDFLARE_TUNNEL_CERT: ${{ secrets.CLOUDFLARE_TUNNEL_CERT }}
-        CLOUDFLARE_TUNNEL_HOSTNAME: ${{ vars.CLOUDFLARE_TUNNEL_HOSTNAME }}
-        CLOUDFLARE_USER_CA_CERT: ${{ secrets.CLOUDFLARE_USER_CA_CERT }}
-        AUTHORIZED_USERS: ${{ secrets.SSH_DEBUG_AUTHORIZED_USERS }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Dependencies
      uses: ./src/electron/.github/actions/install-dependencies
    - name: Set Chromium Git Cookie
@@ -154,9 +135,7 @@ jobs:
        git config --global core.autocrlf false
        git config --global branch.autosetuprebase always
        git config --global core.fscache true
-        git config --global core.longpaths true
        git config --global core.preloadindex true
-        git config --global core.longpaths true
        git clone --filter=tree:0 https://chromium.googlesource.com/chromium/tools/depot_tools.git
        # Ensure depot_tools does not update.
        test -d depot_tools && cd depot_tools
@@ -170,59 +149,57 @@ jobs:
        echo "DISABLE_CRASH_REPORTER_TESTS=true" >> $GITHUB_ENV
        echo "IS_ASAN=true" >> $GITHUB_ENV
    - name: Download Generated Artifacts
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
      with:
        name: generated_artifacts_${{ env.ARTIFACT_KEY }}
        path: ./generated_artifacts_${{ matrix.build-type }}_${{ inputs.target-arch }}
    - name: Download Src Artifacts
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
      with:
        name: src_artifacts_${{ env.ARTIFACT_KEY }}
        path: ./src_artifacts_${{ matrix.build-type }}_${{ inputs.target-arch }}
    - name: Restore Generated Artifacts
      run: ./src/electron/script/actions/restore-artifacts.sh
-    - name: Unzip Dist (win)
+    - name: Unzip Dist, Mksnapshot & Chromedriver (win)
      if: ${{ inputs.target-platform == 'win' }}
      shell: powershell
      run: |
        Set-ExecutionPolicy Bypass -Scope Process -Force
        cd src/out/Default
        Expand-Archive -Force dist.zip -DestinationPath ./
-    - name: Unzip Dist (unix)
+        Expand-Archive -Force chromedriver.zip -DestinationPath ./
+        Expand-Archive -Force mksnapshot.zip -DestinationPath ./
+    - name: Unzip Dist, Mksnapshot & Chromedriver (unix)
      if: ${{ inputs.target-platform != 'win' }}
      run: |
        cd src/out/Default
        unzip -:o dist.zip
+        unzip -:o chromedriver.zip
+        unzip -:o mksnapshot.zip
    - name: Import & Trust Self-Signed Codesigning Cert on MacOS
-      if: ${{ inputs.target-platform == 'macos' }}
-      run: |
-        cd src/electron
-        ./script/codesign/generate-identity.sh
-    # Only sign on x64 — arm64 builds are already ad-hoc signed, and re-signing
-    # with an untrusted cert breaks macOS system integrations (e.g. dock bounce).
-    # Autoupdater tests sign their own fixture copies via signApp().
-    - name: Sign Electron.app for macOS tests
      if: ${{ inputs.target-platform == 'macos' && inputs.target-arch == 'x64' }}
      run: |
-        identity=$(src/electron/script/codesign/get-trusted-identity.sh)
-        if [ -n "$identity" ]; then
-          codesign -s "$identity" --deep --force src/out/Default/Electron.app
-        fi
-
+        sudo security authorizationdb write com.apple.trust-settings.admin allow
+        cd src/electron
+        ./script/codesign/generate-identity.sh
+    - name: Install Datadog CLI
+      run: |
+        cd src/electron
+        node script/yarn global add @datadog/datadog-ci
    - name: Run Electron Tests
      shell: bash
-      timeout-minutes: 40
      env:
        MOCHA_REPORTER: mocha-multi-reporters
        MOCHA_MULTI_REPORTERS: mocha-junit-reporter, tap
        ELECTRON_DISABLE_SECURITY_WARNINGS: 1
+        ELECTRON_SKIP_NATIVE_MODULE_TESTS: true
        DISPLAY: ':99.0'
        NPM_CONFIG_MSVS_VERSION: '2022'
      run: |
        cd src/electron
        export ELECTRON_TEST_RESULTS_DIR=`pwd`/junit
        # Get which tests are on this shard
-        tests_files=$(node script/split-tests ${{ matrix.shard }} ${{ case(inputs.target-platform == 'linux', 3, inputs.target-platform == 'macos' && inputs.target-arch == 'x64', 3, 2) }})
+        tests_files=$(node script/split-tests ${{ matrix.shard }} ${{ inputs.target-platform == 'linux' && 3 || 2 }})

        # Run tests
        if [ "${{ inputs.target-platform }}" != "linux" ]; then
@@ -235,7 +212,7 @@ jobs:
              export ELECTRON_FORCE_TEST_SUITE_EXIT="true"
            fi
          fi
-          node script/yarn.js test --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
+          node script/yarn test --runners=main --trace-uncaught --enable-logging --files $tests_files
        else
          chown :builduser .. && chmod g+w ..
          chown -R :builduser . && chmod -R g+w .
@@ -252,29 +229,11 @@ jobs:
            export MOCHA_TIMEOUT=180000
            echo "Piping output to ASAN_SYMBOLIZE ($ASAN_SYMBOLIZE)"
            cd electron
-            runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --runners=main --trace-uncaught --enable-logging --files $tests_files | $ASAN_SYMBOLIZE
+            runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn test --runners=main --trace-uncaught --enable-logging --files $tests_files | $ASAN_SYMBOLIZE
          else
-            if [ "${{ inputs.target-arch }}" = "arm" ]; then
-              runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --skipYarnInstall --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
-            else 
-              runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
-            fi
-            
+            runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn test --runners=main --trace-uncaught --enable-logging --files $tests_files
          fi
        fi
-    - name: Take screenshot on timeout or cancellation
-      if: ${{ inputs.target-platform != 'linux' && (cancelled() || failure()) }}
-      shell: bash
-      run: |
-        screenshot_dir="src/electron/spec/artifacts"
-        mkdir -p "$screenshot_dir"
-        screenshot_file="$screenshot_dir/screenshot-timeout-$(date +%Y%m%d%H%M%S).png"
-        if [ "${{ inputs.target-platform }}" = "macos" ]; then
-          screencapture -x "$screenshot_file" || true
-        elif [ "${{ inputs.target-platform }}" = "win" ]; then
-          powershell -command "Add-Type -AssemblyName System.Windows.Forms; \$screen = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds; \$bitmap = New-Object System.Drawing.Bitmap(\$screen.Width, \$screen.Height); \$graphics = [System.Drawing.Graphics]::FromImage(\$bitmap); \$graphics.CopyFromScreen(\$screen.Location, [System.Drawing.Point]::Empty, \$screen.Size); \$bitmap.Save('$screenshot_file')" || true
-        fi
-
    - name: Upload Test results to Datadog
      env:
        DD_ENV: ci
@@ -284,14 +243,13 @@ jobs:
        DD_TAGS: "os.architecture:${{ inputs.target-arch }},os.family:${{ inputs.target-platform }},os.platform:${{ inputs.target-platform }},asan:${{ inputs.is-asan }}"
      run: |
        if ! [ -z $DD_API_KEY ] && [ -f src/electron/junit/test-results-main.xml ]; then
-          cd src/electron
-          export DATADOG_PATH=`node script/yarn.js bin datadog-ci`
-          $DATADOG_PATH junit upload junit/test-results-main.xml
-        fi
+          export DATADOG_PATH=`node src/electron/script/yarn global bin`
+          $DATADOG_PATH/datadog-ci junit upload src/electron/junit/test-results-main.xml
+        fi          
      if: always() && !cancelled()
    - name: Upload Test Artifacts
-      if: always()
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
+      if: always() && !cancelled()
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
      with:
        name: test_artifacts_${{ env.ARTIFACT_KEY }}_${{ matrix.shard }}
        path: src/electron/spec/artifacts
--- a/.github/workflows/pipeline-segment-node-nan-test.yml
+++ b/.github/workflows/pipeline-segment-node-nan-test.yml
@@ -26,8 +26,6 @@ on:
        type: string
        default: testing

-permissions: {}
-
 concurrency:
  group: electron-node-nan-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
  cancel-in-progress: ${{ github.ref_protected != true }}
@@ -36,15 +34,11 @@ env:
  CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
  ELECTRON_OUT_DIR: Default
  ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
-  # @sentry/cli is only needed by release upload-symbols.py; skip the ~17MB CDN download on test jobs
-  SENTRYCLI_SKIP_DOWNLOAD: 1

 jobs:
  node-tests:
    name: Run Node.js Tests
-    runs-on: electron-arc-centralus-linux-amd64-8core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-8core
    timeout-minutes: 30
    env: 
      TARGET_ARCH: ${{ inputs.target-arch }}
@@ -52,7 +46,7 @@ jobs:
    container: ${{ fromJSON(inputs.test-container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
@@ -67,12 +61,12 @@ jobs:
    - name: Install Dependencies
      uses: ./src/electron/.github/actions/install-dependencies
    - name: Download Generated Artifacts
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
      with:
        name: generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
        path: ./generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
    - name: Download Src Artifacts
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
      with:
        name: src_artifacts_linux_${{ env.TARGET_ARCH }}
        path: ./src_artifacts_linux_${{ env.TARGET_ARCH }}
@@ -98,9 +92,7 @@ jobs:
        done
  nan-tests:
    name: Run Nan Tests
-    runs-on: electron-arc-centralus-linux-amd64-4core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-4core
    timeout-minutes: 30
    env: 
      TARGET_ARCH: ${{ inputs.target-arch }}
@@ -108,7 +100,7 @@ jobs:
    container: ${{ fromJSON(inputs.test-container) }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
@@ -123,12 +115,12 @@ jobs:
    - name: Install Dependencies
      uses: ./src/electron/.github/actions/install-dependencies
    - name: Download Generated Artifacts
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
      with:
        name: generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
        path: ./generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
    - name: Download Src Artifacts
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
      with:
        name: src_artifacts_linux_${{ env.TARGET_ARCH }}
        path: ./src_artifacts_linux_${{ env.TARGET_ARCH }}
@@ -140,16 +132,10 @@ jobs:
        unzip -:o dist.zip
    - name: Setup Linux for Headless Testing
      run: sh -e /etc/init.d/xvfb start
-    - name: Add Clang problem matcher
-      shell: bash
-      run: echo "::add-matcher::src/electron/.github/problem-matchers/clang.json"
    - name: Run Nan Tests
      run: |
        cd src
        node electron/script/nan-spec-runner.js
-    - name: Remove Clang problem matcher
-      shell: bash
-      run: echo "::remove-matcher owner=clang::"
    - name: Wait for active SSH sessions
      shell: bash
      if: always() && !cancelled()
--- a/.github/workflows/pull-request-labeled.yml
+++ b/.github/workflows/pull-request-labeled.yml
@@ -4,10 +4,6 @@ on:
  pull_request_target:
    types: [labeled]

-# SECURITY: This workflow uses pull_request_target and has access to secrets.
-# Do NOT checkout or run code from the PR head. All code execution must use
-# the base branch only. Adding a ref to PR head would expose secrets to
-# untrusted code.
 permissions: {}

 jobs:
@@ -15,25 +11,20 @@ jobs:
    name: backport/requested label added
    if: github.event.label.name == 'backport/requested 🗳'
    runs-on: ubuntu-latest
-    permissions: {}
    steps:
      - name: Trigger Slack workflow
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+        uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
        with:
          webhook: ${{ secrets.BACKPORT_REQUESTED_SLACK_WEBHOOK_URL }} 
          webhook-type: webhook-trigger
          payload: |
            {
-              "base_ref": ${{ toJSON(github.event.pull_request.base.ref) }},
-              "title": ${{ toJSON(github.event.pull_request.title) }},
-              "url": ${{ toJSON(github.event.pull_request.html_url) }},
-              "user": ${{ toJSON(github.event.pull_request.user.login) }}
+              "url": "${{ github.event.pull_request.html_url }}"
            }
  pull-request-labeled-deprecation-review-complete:
    name: deprecation-review/complete label added
    if: github.event.label.name == 'deprecation-review/complete ✅'
    runs-on: ubuntu-latest
-    permissions: {}
    steps:
      - name: Generate GitHub App token
        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
--- a/.github/workflows/pull-request-opened-synchronized.yml
+++ b/.github/workflows/pull-request-opened-synchronized.yml
@@ -1,39 +0,0 @@
-name: Pull Request Opened/Synchronized
-
-on:
-  pull_request_target:
-    types: [opened, synchronize]
-
-# SECURITY: This workflow uses pull_request_target and has access to secrets.
-# Do NOT checkout or run code from the PR head. All code execution must use
-# the base branch only. Adding a ref to PR head would expose secrets to
-# untrusted code.
-permissions: {}
-
-jobs:
-  check-signed-commits:
-    name: Check signed commits in PR
-    if: ${{ !contains(github.event.pull_request.labels.*.name, 'needs-signed-commits')}}
-    runs-on: ubuntu-slim
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Check signed commits in PR
-        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
-        with:
-          comment: |
-            ⚠️ This PR contains unsigned commits. This repository enforces [commit signatures](https://docs.github.com/en/authentication/managing-commit-signature-verification) 
-            for all incoming PRs. To get your PR merged, please sign those commits 
-            (`git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}`) and force push them to this branch 
-            (`git push --force-with-lease`)
-
-            For more information on signing commits, see GitHub's documentation on [Telling Git about your signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key).
-
-      - name: Add needs-signed-commits label
-        if: ${{ failure() }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_URL: ${{ github.event.pull_request.html_url }}
-        run: |
-          gh pr edit $PR_URL --add-label needs-signed-commits
--- a/.github/workflows/rerun-apply-patches.yml
+++ b/.github/workflows/rerun-apply-patches.yml
@@ -1,71 +0,0 @@
-name: Rerun PR Apply Patches
-
-on:
-  push:
-    branches:
-      - main
-      - '[1-9][0-9]-x-y'
-    paths:
-      - 'DEPS'
-      - 'patches/**'
-
-permissions: {}
-
-jobs:
-  rerun-apply-patches:
-    runs-on: ubuntu-latest
-    permissions:
-      actions: write
-      checks: read
-      contents: read
-      pull-requests: read
-    steps:
-      - name: Find PRs and Rerun Apply Patches
-        env:
-          GH_REPO: ${{ github.repository }}
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          BRANCH="${GITHUB_REF#refs/heads/}"
-
-          # Find all open PRs targeting this branch
-          PRS=$(gh pr list --base "$BRANCH" --state open --limit 250 --json number)
-
-          echo "$PRS" | jq -c '.[]' | while read -r pr; do
-            PR_NUMBER=$(echo "$pr" | jq -r '.number')
-            echo "Processing PR #${PR_NUMBER}"
-
-            # Find the Apply Patches workflow check for this PR
-            CHECK=$(gh pr view "$PR_NUMBER" --json statusCheckRollup --jq '[.statusCheckRollup[] | select(.workflowName == "Apply Patches" and .name == "apply-patches")] | first')
-
-            if [ -z "$CHECK" ] || [ "$CHECK" = "null" ]; then
-              echo "  No Apply Patches workflow found for PR #${PR_NUMBER}"
-              continue
-            fi
-
-            CONCLUSION=$(echo "$CHECK" | jq -r '.conclusion')
-            if [ "$CONCLUSION" = "SKIPPED" ]; then
-              echo "  apply-patches job was skipped for PR #${PR_NUMBER} (no patches)"
-              continue
-            fi
-
-            LINK=$(echo "$CHECK" | jq -r '.detailsUrl')
-
-            # Extract the run ID from the link (format: .../runs/RUN_ID/job/JOB_ID)
-            RUN_ID=$(echo "$LINK" | grep -oE 'runs/[0-9]+' | cut -d'/' -f2)
-
-            if [ -z "$RUN_ID" ]; then
-              echo "  Could not extract run ID from link: ${LINK}"
-              continue
-            fi
-
-            # Check if the workflow is currently in progress
-            RUN_STATUS=$(gh run view "$RUN_ID" --json status --jq '.status')
-
-            if [ "$RUN_STATUS" = "in_progress" ] || [ "$RUN_STATUS" = "queued" ] || [ "$RUN_STATUS" = "waiting" ]; then
-              echo "  Workflow run ${RUN_ID} is ${RUN_STATUS}, cancelling..."
-              gh run cancel "$RUN_ID" --force
-              gh run watch "$RUN_ID"
-            fi
-
-            gh run rerun "$RUN_ID"
-          done
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -22,13 +22,13 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      # This is a pre-submit / pre-release.
      - name: "Run analysis"
-        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
        with:
          results_file: results.sarif
          results_format: sarif
@@ -42,7 +42,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: SARIF file
          path: results.sarif
@@ -50,6 +50,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v3.29.5
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
        with:
          sarif_file: results.sarif
--- a/.github/workflows/semantic.yml
+++ b/.github/workflows/semantic.yml
@@ -7,7 +7,8 @@ on:
      - edited
      - synchronize

-permissions: {}
+permissions:
+  contents: read

 jobs:
  main:
@@ -18,7 +19,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: semantic-pull-request
-        uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+        uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
--- a/.github/workflows/stable-prep-items.yml
+++ b/.github/workflows/stable-prep-items.yml
@@ -11,7 +11,6 @@ jobs:
  check-stable-prep-items:
    name: Check Stable Prep Items
    runs-on: ubuntu-latest
-    permissions: {}
    steps:
      - name: Generate GitHub App token
        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -10,14 +10,13 @@ permissions: {}
 jobs:
  stale:
    runs-on: ubuntu-latest
-    permissions: {}
    steps:
      - name: Generate GitHub App token
        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
-      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # tag: v10.1.1
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # tag: v9.1.0
        with:
          repo-token: ${{ steps.generate-token.outputs.token }}
          days-before-stale: 90
@@ -28,11 +27,10 @@ jobs:
            This issue has been automatically marked as stale. **If this issue is still affecting you, please leave any comment** (for example, "bump"), and we'll keep it open. If you have any new additional information—in particular, if this is still reproducible in the [latest version of Electron](https://www.electronjs.org/releases/stable) or in the [beta](https://www.electronjs.org/releases/beta)—please include it with your comment!
          close-issue-message: >
            This issue has been closed due to inactivity, and will not be monitored.  If this is a bug and you can reproduce this issue on a [supported version of Electron](https://www.electronjs.org/docs/latest/tutorial/electron-timelines#timeline) please open a new issue and include instructions for reproducing the issue.
-          exempt-issue-labels: "discussion,security \U0001F512,enhancement :sparkles:,status/confirmed,stale-exempt,upgrade-follow-up,tracking-upstream"
+          exempt-issue-labels: "discussion,security \U0001F512,enhancement :sparkles:,status/confirmed,stale-exempt"
          only-pr-labels: not-a-real-label
  pending-repro:
    runs-on: ubuntu-latest
-    permissions: {}
    if: ${{ always() }}
    needs: stale
    steps:
@@ -41,7 +39,7 @@ jobs:
        id: generate-token
        with:
          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
-      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # tag: v10.1.1
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # tag: v9.1.0
        with:
          repo-token: ${{ steps.generate-token.outputs.token }}
          days-before-stale: -1
--- a/.github/workflows/update-website-docs.yml
+++ b/.github/workflows/update-website-docs.yml
@@ -1,39 +0,0 @@
-name: Update Website Docs
-
-on:
-  release:
-    types: [published]
-
-permissions: {}
-
-jobs:
-  update-website-docs:
-    name: Update Website Docs
-    runs-on: ubuntu-latest
-    environment: website-docs-updater
-    permissions:
-      contents: read
-      id-token: write # needed for secret-service-action
-    steps:
-      - name: Get GitHub App token
-        id: secret-service
-        uses: electron/secret-service-action@3476425e8b30555aac15b1b7096938e254b0e155 # v1.0.0
-      - name: Check if this release is the latest
-        id: check-if-latest-release
-        env:
-          GH_REPO: electron/electron
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          LATEST_RELEASE_TAG="$(gh release view --json tagName --jq '.tagName')"
-          if [ "$LATEST_RELEASE_TAG" = "${GITHUB_REF#refs/tags/}" ]; then
-            echo "isLatestRelease=true" >> $GITHUB_OUTPUT
-          else
-            echo "isLatestRelease=false" >> $GITHUB_OUTPUT
-          fi
-      - name: Trigger website docs update
-        if: ${{ steps.check-if-latest-release.outputs.isLatestRelease == 'true' }}
-        env:
-          GH_REPO: electron/website
-          GH_TOKEN: ${{ fromJSON(steps.secret-service.outputs.secrets).WEBSITE_DOCS_UPDATER_APP_TOKEN }}
-        run: |
-          gh workflow run update-docs.yml -f sha=$GITHUB_SHA
--- a/.github/workflows/windows-publish.yml
+++ b/.github/workflows/windows-publish.yml
@@ -6,7 +6,7 @@ on:
      build-image-sha:
        type: string
        description: 'SHA for electron/build image'
-        default: 'a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb'
+        default: '424eedbf277ad9749ffa9219068aa72ed4a5e373'
        required: true
      upload-to-storage:
        description: 'Uploads to Azure storage'
@@ -18,13 +18,9 @@ on:
        type: boolean
        default: false

-permissions: {}
-
 jobs:
  checkout-windows:
-    runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
+    runs-on: electron-arc-linux-amd64-32core
    container:
      image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
      options: --user root --device /dev/fuse --cap-add SYS_ADMIN
@@ -40,7 +36,7 @@ jobs:
      build-image-sha: ${{ inputs.build-image-sha }}
    steps:
    - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      with:
        path: src/electron
        fetch-depth: 0
@@ -50,25 +46,12 @@ jobs:
        generate-sas-token: 'true'
        target-platform: win

-  # Build the patched siso binary in parallel with checkout-windows; the
-  # publish-*-win jobs consume it via SISO_PATH.
-  build-siso-windows:
-    if: github.repository == 'electron/electron'
-    uses: ./.github/workflows/pipeline-segment-build-siso-windows.yml
-    permissions:
-      contents: read
-
  publish-x64-win:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
-    needs: [checkout-windows, build-siso-windows]
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    needs: checkout-windows
    with:
      environment: production-release
-      build-runs-on: electron-arc-centralus-windows-amd64-16core
+      build-runs-on: electron-arc-windows-amd64-16core
      target-platform: win
      target-arch: x64
      is-release: true
@@ -78,16 +61,11 @@ jobs:
    secrets: inherit

  publish-arm64-win:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
-    needs: [checkout-windows, build-siso-windows]
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    needs: checkout-windows
    with:
      environment: production-release
-      build-runs-on: electron-arc-centralus-windows-amd64-16core
+      build-runs-on: electron-arc-windows-amd64-16core
      target-platform: win
      target-arch: arm64
      is-release: true
@@ -97,16 +75,11 @@ jobs:
    secrets: inherit

  publish-x86-win:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
-    needs: [checkout-windows, build-siso-windows]
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    needs: checkout-windows
    with:
      environment: production-release
-      build-runs-on: electron-arc-centralus-windows-amd64-16core
+      build-runs-on: electron-arc-windows-amd64-16core
      target-platform: win
      target-arch: x86
      is-release: true
--- a/.gitignore
+++ b/.gitignore
@@ -42,7 +42,6 @@ spec/.hash

 # Generated native addon files
 /spec/fixtures/native-addon/echo/build/
-/spec/fixtures/native-addon/dialog-helper/build/

 # If someone runs tsc this is where stuff will end up
 ts-gen
@@ -54,5 +53,3 @@ ts-gen
 patches/mtime-cache.json

 spec/fixtures/logo.png
-
-.yarn/install-state.gz
--- a/.markdownlint-cli2.jsonc
+++ b/.markdownlint-cli2.jsonc
@@ -21,9 +21,7 @@
        "ul",
        "unknown",
        "Tabs",
-        "TabItem",
-        "DocCardList",
-        "kbd"
+        "TabItem"
      ]
    },
    "no-newline-in-links": true
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-22
+20
--- a/.yarn/releases/yarn-4.12.0.cjs
+++ b/.yarn/releases/yarn-4.12.0.cjs
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@@ -1,16 +0,0 @@
-enableScripts: false
-
-nmHoistingLimits: workspaces
-
-nodeLinker: node-modules
-
-npmMinimalAgeGate: 10080
-
-npmPreapprovedPackages:
-  - "@electron/*"
-
-httpProxy: "${HTTP_PROXY:-}"
-
-httpsProxy: "${HTTPS_PROXY:-}"
-
-yarnPath: .yarn/releases/yarn-4.12.0.cjs
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -4,9 +4,9 @@ import("//build/config/win/manifest.gni")
 import("//components/os_crypt/sync/features.gni")
 import("//components/spellcheck/spellcheck_build_features.gni")
 import("//content/public/app/mac_helpers.gni")
-import("//content/public/common/features.gni")
 import("//extensions/buildflags/buildflags.gni")
 import("//pdf/features.gni")
+import("//ppapi/buildflags/buildflags.gni")
 import("//printing/buildflags/buildflags.gni")
 import("//testing/test.gni")
 import("//third_party/electron_node/node.gni")
@@ -38,13 +38,12 @@ if (is_mac) {
  import("build/rules.gni")

  assert(
-      mac_deployment_target == "12.0",
-      "Chromium has updated the mac_deployment_target, please update this assert and flag this as a breaking change (docs/breaking-changes.md)")
+      mac_deployment_target == "11.0",
+      "Chromium has updated the mac_deployment_target, please update this assert, update the supported versions documentation (docs/tutorial/support.md) and flag this as a breaking change")
 }

 if (is_linux) {
  import("//build/config/linux/pkg_config.gni")
-  import("//electron/build/linux/strip_binary.gni")
  import("//tools/generate_stubs/rules.gni")

  pkg_config("gio_unix") {
@@ -105,25 +104,21 @@ electron_mac_bundle_id = branding.mac_bundle_id
 if (override_electron_version != "") {
  electron_version = override_electron_version
 } else {
-  # When building from a source code tarball there is no git tag available and
+  # When building from source code tarball there is no git tag available and
  # builders must explicitly pass override_electron_version in gn args.
-  #
-  # Resolve the real locations of packed-refs and HEAD via git so that this
-  # also works when electron/ is a `git worktree` (where .git is a file, not a
-  # directory, and GN's read_file cannot follow the gitdir indirection).
-  electron_git_ref_paths =
-      exec_script("script/get-git-ref-paths.py", [], "list lines")
-
  # This read_file call will assert if there is no git information, without it
  # gn will generate a malformed build configuration and ninja will get into
  # infinite loop.
-  read_file(electron_git_ref_paths[0], "string")
+  read_file(".git/packed-refs", "string")

  # Set electron version from git tag.
  electron_version = exec_script("script/get-git-version.py",
                                 [],
                                 "trim string",
-                                 electron_git_ref_paths)
+                                 [
+                                   ".git/packed-refs",
+                                   ".git/HEAD",
+                                 ])
 }

 if (is_mas_build) {
@@ -450,7 +445,6 @@ source_set("electron_lib") {
    "shell/services/node/public/mojom",
    "//base:base_static",
    "//base/allocator:buildflags",
-    "//build/util:chromium_git_revision",
    "//chrome:strings",
    "//chrome/app:command_ids",
    "//chrome/app/resources:platform_locale_settings",
@@ -458,7 +452,7 @@ source_set("electron_lib") {
    "//components/certificate_transparency",
    "//components/compose:buildflags",
    "//components/embedder_support:user_agent",
-    "//components/input",
+    "//components/input:input",
    "//components/language/core/browser",
    "//components/net_log",
    "//components/network_hints/browser",
@@ -472,7 +466,6 @@ source_set("electron_lib") {
    "//components/pref_registry",
    "//components/prefs",
    "//components/security_state/content",
-    "//components/tracing:tracing_metrics",
    "//components/upload_list",
    "//components/user_prefs",
    "//components/viz/host",
@@ -486,14 +479,13 @@ source_set("electron_lib") {
    "//device/bluetooth",
    "//device/bluetooth/public/cpp",
    "//gin",
-    "//gpu/ipc/client",
    "//media/capture/mojom:video_capture",
    "//media/mojo/mojom",
    "//media/mojo/mojom:web_speech_recognition",
    "//net:extras",
    "//net:net_resources",
    "//printing/buildflags",
-    "//services/device/public/cpp/bluetooth",
+    "//services/device/public/cpp/bluetooth:bluetooth",
    "//services/device/public/cpp/geolocation",
    "//services/device/public/cpp/hid",
    "//services/device/public/mojom",
@@ -507,7 +499,6 @@ source_set("electron_lib") {
    "//third_party/blink/public/platform/media",
    "//third_party/boringssl",
    "//third_party/electron_node:libnode",
-    "//third_party/highway:libhwy",
    "//third_party/inspector_protocol:crdtp",
    "//third_party/leveldatabase",
    "//third_party/libyuv",
@@ -527,15 +518,10 @@ source_set("electron_lib") {
    "//v8:v8_libplatform",
  ]

-  if (v8_use_external_startup_data && use_v8_context_snapshot) {
-    deps += [ ":mksnapshot_checksum_gen" ]
-  }
-
  public_deps = [
    "//base",
    "//base:i18n",
    "//content/public/app",
-    "//ui/base/unowned_user_data",
  ]

  include_dirs = [
@@ -595,13 +581,7 @@ source_set("electron_lib") {
  }

  if (is_mac) {
-    # Disable C++ modules to resolve linking error when including MacOS SDK
-    # headers from third_party/electron_node/deps/uv/include/uv/darwin.h
-    # TODO(samuelmaddock): consider revisiting this in the future
-    use_libcxx_modules = false
-
    deps += [
-      "//components/os_crypt/common:keychain_password_mac",
      "//components/remote_cocoa/app_shim",
      "//components/remote_cocoa/browser",
      "//content/browser:mac_helpers",
@@ -670,7 +650,6 @@ source_set("electron_lib") {
      "//ui/events/devices/x11",
      "//ui/events/platform/x11",
      "//ui/gtk:gtk_config",
-      "//ui/linux:display_server_utils",
      "//ui/linux:linux_ui",
      "//ui/linux:linux_ui_factory",
      "//ui/wm",
@@ -703,7 +682,7 @@ source_set("electron_lib") {
    deps += [
      "//components/app_launch_prefetch",
      "//components/crash/core/app:crash_export_thunks",
-      "//third_party/libxml:xml_writer",
+      "//ui/native_theme:native_theme_browser",
      "//ui/wm",
      "//ui/wm/public",
    ]
@@ -748,7 +727,7 @@ source_set("electron_lib") {
      "shell/common/extensions/api:extensions_features",
      "//chrome/browser/resources:component_extension_resources",
      "//components/guest_view/common:mojom",
-      "//components/update_client",
+      "//components/update_client:update_client",
      "//components/zoom",
      "//extensions/browser",
      "//extensions/browser/api:api_provider",
@@ -770,13 +749,11 @@ source_set("electron_lib") {
  if (enable_pdf_viewer) {
    deps += [
      "//chrome/browser/resources/pdf:resources",
-      "//chrome/browser/ui:browser_element_identifiers",
      "//components/pdf/browser",
      "//components/pdf/browser:interceptors",
      "//components/pdf/common:constants",
      "//components/pdf/common:util",
      "//components/pdf/renderer",
-      "//components/user_education/webui",
      "//pdf",
      "//pdf:content_restriction",
    ]
@@ -795,18 +772,6 @@ source_set("electron_lib") {
  }
 }

-action("mksnapshot_checksum_gen") {
-  script = "build/checksum_header.py"
-
-  outputs = [ "$target_gen_dir/snapshot_checksum.h" ]
-  inputs = [ "$root_out_dir/$v8_context_snapshot_filename" ]
-  args = rebase_path(inputs)
-
-  args += rebase_path(outputs)
-
-  deps = [ "//tools/v8_context_snapshot" ]
-}
-
 electron_paks("packed_resources") {
  if (is_mac) {
    output_dir = "$root_gen_dir/electron_repack"
@@ -850,7 +815,7 @@ if (is_mac) {
      sources = []
      public_deps = []
      sources += [ "$root_out_dir/libffmpeg.dylib" ]
-      public_deps += [ "//third_party/ffmpeg" ]
+      public_deps += [ "//third_party/ffmpeg:ffmpeg" ]
      outputs = [ "{{bundle_contents_dir}}/Libraries/{{source_file_part}}" ]
    }
  } else {
@@ -1265,7 +1230,7 @@ if (is_mac) {
    }

    if (use_v8_context_snapshot) {
-      public_deps = [ "//tools/v8_context_snapshot" ]
+      public_deps = [ "//tools/v8_context_snapshot:v8_context_snapshot" ]
    }

    if (is_linux) {
@@ -1444,18 +1409,6 @@ dist_zip("electron_dist_zip") {
    ":licenses",
  ]
  if (is_linux) {
-    if (is_official_build) {
-      data_deps += [
-        ":strip_chrome_crashpad_handler",
-        ":strip_chrome_sandbox",
-        ":strip_electron_binary",
-        ":strip_libEGL_shlib",
-        ":strip_libGLESv2_shlib",
-        ":strip_libffmpeg_shlib",
-        ":strip_libvk_swiftshader_shlib",
-      ]
-    }
-
    data_deps += [ "//sandbox/linux:chrome_sandbox" ]
  }
  deps = data_deps
@@ -1501,16 +1454,6 @@ group("electron_mksnapshot") {

 dist_zip("electron_mksnapshot_zip") {
  data_deps = mksnapshot_deps
-  if (is_linux && is_official_build) {
-    data_deps += [
-      ":strip_libEGL_shlib",
-      ":strip_libGLESv2_shlib",
-      ":strip_libffmpeg_shlib",
-      ":strip_libvk_swiftshader_shlib",
-      ":strip_mksnapshot_binary",
-      ":strip_v8_context_snapshot_generator_binary",
-    ]
-  }
  deps = data_deps
  outputs = [ "$root_build_dir/mksnapshot.zip" ]
 }
@@ -1610,7 +1553,6 @@ action("node_version_header") {
 action("generate_node_headers") {
  deps = [ ":generate_config_gypi" ]
  script = "script/node/generate_node_headers.py"
-  args = [ rebase_path("$root_gen_dir") ]
  outputs = [ "$root_gen_dir/node_headers.json" ]
 }

@@ -1636,101 +1578,3 @@ group("copy_node_headers") {
 group("node_headers") {
  public_deps = [ ":tar_node_headers" ]
 }
-
-group("testing_build") {
-  public_deps = [
-    ":electron_dist_zip",
-    ":electron_mksnapshot_zip",
-    ":node_headers",
-  ]
-}
-
-group("release_build") {
-  public_deps = [ ":testing_build" ]
-  if (is_official_build) {
-    public_deps += [ ":electron_symbols" ]
-  }
-  if (is_linux) {
-    public_deps += [
-      ":hunspell_dictionaries_zip",
-      ":libcxx_headers_zip",
-      ":libcxx_objects_zip",
-      ":libcxxabi_headers_zip",
-    ]
-  }
-}
-
-if (is_linux && is_official_build) {
-  strip_binary("strip_electron_binary") {
-    binary_input = "$root_out_dir/$electron_project_name"
-    symbol_output = "$root_out_dir/debug/$electron_project_name.debug"
-    compress_debug_sections = true
-    deps = [ ":electron_app" ]
-  }
-
-  strip_binary("strip_chrome_crashpad_handler") {
-    binary_input = "$root_out_dir/chrome_crashpad_handler"
-    symbol_output = "$root_out_dir/debug/chrome_crashpad_handler.debug"
-    compress_debug_sections = true
-    deps = [ "//components/crash/core/app:chrome_crashpad_handler" ]
-  }
-
-  strip_binary("strip_chrome_sandbox") {
-    binary_input = "$root_out_dir/chrome_sandbox"
-    symbol_output = "$root_out_dir/debug/chrome-sandbox.debug"
-    compress_debug_sections = true
-    deps = [ "//sandbox/linux:chrome_sandbox" ]
-  }
-
-  strip_binary("strip_libEGL_shlib") {
-    binary_input = "$root_out_dir/libEGL.so"
-    symbol_output = "$root_out_dir/debug/libEGL.so.debug"
-    compress_debug_sections = true
-    deps = [ "//third_party/angle:libEGL" ]
-  }
-
-  strip_binary("strip_libGLESv2_shlib") {
-    binary_input = "$root_out_dir/libGLESv2.so"
-    symbol_output = "$root_out_dir/debug/libGLESv2.so.debug"
-    compress_debug_sections = true
-    deps = [ "//third_party/angle:libGLESv2" ]
-  }
-
-  strip_binary("strip_libffmpeg_shlib") {
-    binary_input = "$root_out_dir/libffmpeg.so"
-    symbol_output = "$root_out_dir/debug/libffmpeg.so.debug"
-    compress_debug_sections = true
-    deps = [ "//third_party/ffmpeg" ]
-  }
-
-  strip_binary("strip_libvk_swiftshader_shlib") {
-    binary_input = "$root_out_dir/libvk_swiftshader.so"
-    symbol_output = "$root_out_dir/debug/libvk_swiftshader.so.debug"
-    compress_debug_sections = true
-    deps = [ "//third_party/swiftshader/src/Vulkan:swiftshader_libvulkan" ]
-  }
-
-  strip_binary("strip_mksnapshot_binary") {
-    _binary_path = rebase_path(
-            get_label_info(
-                    ":v8_context_snapshot_generator($v8_snapshot_toolchain)",
-                    "root_out_dir") + "/mksnapshot",
-            root_build_dir)
-    binary_input = "$root_out_dir/$_binary_path"
-    symbol_output = "$root_out_dir/debug/${_binary_path}.debug"
-    compress_debug_sections = true
-    deps = mksnapshot_deps
-  }
-
-  strip_binary("strip_v8_context_snapshot_generator_binary") {
-    _binary_path = rebase_path(
-            get_label_info(
-                    ":v8_context_snapshot_generator($v8_snapshot_toolchain)",
-                    "root_out_dir") + "/v8_context_snapshot_generator",
-            root_build_dir)
-    binary_input = "$root_out_dir/$_binary_path"
-    symbol_output = "$root_out_dir/debug/${_binary_path}.debug"
-    compress_debug_sections = true
-    deps = mksnapshot_deps
-  }
-}
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,250 +0,0 @@
-# Electron Development Guide
-
-## Project Overview
-
-Electron is a framework for building cross-platform desktop applications using web technologies. It embeds Chromium for rendering and Node.js for backend functionality.
-
-## Directory Structure
-
-```text
-electron/                 # This repo (run `e` commands here)
-├── shell/               # Core C++ application code
-│   ├── browser/         # Main process implementation (107+ API modules)
-│   ├── renderer/        # Renderer process code
-│   ├── common/          # Shared code between processes
-│   ├── app/             # Application entry points
-│   └── services/        # Node.js service integration
-├── lib/                 # TypeScript/JavaScript library code
-│   ├── browser/         # Main process JS (47 API implementations)
-│   ├── renderer/        # Renderer process JS
-│   └── common/          # Shared JS modules
-├── patches/             # Patches for upstream dependencies
-│   ├── chromium/        # ~159 patches to Chromium
-│   ├── node/            # ~48 patches to Node.js
-│   └── ...              # Other targets (v8, boringssl, etc.)
-├── spec/                # Test suite (1189+ TypeScript test files)
-├── docs/                # API documentation and guides
-├── build/               # Build configuration
-├── script/              # Build and automation scripts
-└── chromium_src/        # Chromium source overrides
-../                      # Parent directory is Chromium source
-```
-
-## Build Tools Setup
-
-Electron uses `@electron/build-tools` for development. The `e` command is the primary CLI.
-
-**Installation:**
-
-```bash
-npm i -g @electron/build-tools
-```
-
-**Configuration location:** `~/.electron_build_tools/configs/`
-
-## Essential Commands
-
-### Configuration Management
-
-| Command | Purpose |
-|---------|---------|
-| `e init <name> --root=<path> --bootstrap testing` | Create new build config and sync |
-| `e use <name>` | Switch to a different build configuration |
-| `e show current` | Display active configuration name |
-| `e show configs` | List all available configurations |
-
-### Build & Development Loop
-
-| Command | Purpose |
-|---------|---------|
-| `e sync` | Fetch/update all source code and apply patches |
-| `e sync --3` | Sync with 3-way merge (required for Chromium upgrades) |
-| `e build` | Build Electron (runs GN + Ninja) |
-| `e build -k 999` | Build and continue on errors (up to 999) |
-| `e build -t <target>` | Build specific target (e.g., `electron:node_headers`) |
-| `e start` | Run the built Electron executable |
-| `e start --version` | Verify Electron launches and print version |
-| `e test` | Run the test suite |
-| `e debug` | Run Electron in debugger (lldb on macOS, gdb on Linux) |
-
-### Patch Management
-
-| Command | Purpose |
-|---------|---------|
-| `e patches <target>` | Export patches for a target (chromium, node, v8, etc.) |
-| `e patches all` | Export all patches from all targets |
-| `e patches --list-targets` | List available patch targets |
-
-## Typical Development Workflow
-
-```bash
-# 1. Ensure you're on the right config
-e show current
-
-# 2. Sync to get latest code
-e sync
-
-# 3. Make your changes in shell/ or lib/ or ../
-
-# 4. Build
-e build
-
-# 5. Test your changes (Leave the user to do this, don't run these commands unless asked)
-e start
-e test
-
-# 6. If you modified patched files in Chromium:
-cd ..  # Go to Chromium repo
-git add <files>
-git commit -m "description of change"
-cd electron
-e patches chromium  # Export the patch
-```
-
-## Patches System
-
-Electron patches upstream dependencies (Chromium, Node.js, V8, etc.) to add features or modify behavior.
-
-**How patches work:**
-
-```text
-patches/{target}/*.patch  →  [e sync --3]  →  target repo commits
-                          ←  [e patches]   ←
-```
-
-**Patch configuration:** `patches/config.json` maps patch directories to target repos.
-
-**Key rules:**
-
- Fix existing patches 99% of the time rather than creating new ones
- Preserve original authorship in TODO comments
- Never change TODO assignees (`TODO(name)` must retain original name)
- Each patch file includes commit message explaining its purpose
-
-**Creating/modifying patches:**
-
-1. Make changes in the target repo (e.g., `../` for Chromium)
-2. Create a git commit
-3. Run `e patches <target>` to export
-
-**Fixing patch conflicts on an existing PR:**
-
-If asked to fix a patch conflict on a branch that already has an open PR, check the PR's failed **Apply Patches** CI run for an `update-patches` artifact before running `e sync` locally. CI has already performed the 3-way merge and exported the resolved patch diff — applying it is much faster than a full local sync.
-
-```bash
-# Find the failed Apply Patches run for the PR and download the artifact
-gh run list --repo electron/electron --branch <pr-branch> --workflow "Apply Patches" --limit 1
-gh run download <run-id> --repo electron/electron --name update-patches
-
-# Apply the CI-generated fix, then push
-git am update-patches.patch
-git push
-```
-
-If no artifact exists (e.g. the 3-way merge itself failed), fall back to `e sync --3` and resolve manually.
-
-## Testing
-
-**Test location:** `spec/` directory
-
-**Running tests:**
-
-```bash
-e test                    # Run full test suite
-```
-
-**Test frameworks:** Mocha, Chai, Sinon
-
-## Build Configuration
-
-**GN build arguments:** Located in `build/args/`:
-
- `testing.gn` - Debug/testing builds
- `release.gn` - Release builds
- `all.gn` - Common arguments for all builds
-
-**Main build file:** `BUILD.gn`
-
-**Feature flags:** `buildflags/buildflags.gni`
-
-## Chromium Upgrade Workflow
-
-When working on the `roller/chromium/main` branch to upgrade Chromium activate the "Electron Chromium Upgrade" skill.
-
-## Node.js Upgrade Workflow
-
-When working on the `roller/node/main` branch to upgrade Node.js activate the "Electron Node.js Upgrade" skill.
-
-## Pull Requests
-
-PR bodies must always include a `Notes:` section as the **last line** of the body. This is a consumer-facing release note for Electron app developers — describe the user-visible fix or change, not internal implementation details. Use `Notes: none` if there is no user-facing change.
-
-## Code Style
-
-**C++:** Follows Chromium style, enforced by clang-format
-**TypeScript/JavaScript:** ESLint configuration in `.eslintrc.json`
-
-**Linting:**
-
-```bash
-npm run lint              # Run all linters
-npm run lint:clang-format # C++ formatting
-```
-
-## Key Files
-
-| File | Purpose |
-|------|---------|
-| `BUILD.gn` | Main GN build configuration |
-| `DEPS` | Dependency versions and checkout paths |
-| `patches/config.json` | Patch target configuration |
-| `filenames.gni` | Source file lists by platform |
-| `package.json` | Node.js dependencies and scripts |
-
-## Environment Variables
-
-| Variable | Purpose |
-|----------|---------|
-| `GN_EXTRA_ARGS` | Additional GN arguments (useful in CI) |
-| `ELECTRON_RUN_AS_NODE=1` | Run Electron as Node.js |
-
-## Useful Git Commands for Chromium
-
-```bash
-# Find CL that changed a file
-cd ..
-git log --oneline -10 -- {file}
-git blame -L {start},{end} -- {file}
-
-# Look for Chromium CL reference in commit
-git log -1 {commit_sha}  # Find "Reviewed-on:" line
-
-# Find which patch affects a file
-grep -l "filename.cc" patches/chromium/*.patch
-```
-
-## CI/CD
-
-GitHub Actions workflows in `.github/workflows/`:
-
- `build.yml` - Main build workflow
- `pipeline-electron-lint.yml` - Linting
- `pipeline-segment-electron-test.yml` - Testing
-
-## Common Issues
-
-**Patch conflict during sync:**
-
- Use `e sync --3` for 3-way merge
- Check if file was renamed/moved upstream
- Verify patch is still needed
-
-**Build error in patched file:**
-
- Find the patch: `grep -l "filename" patches/chromium/*.patch`
- Match existing patch style (#if 0 guards, BUILDFLAG conditionals, etc.)
-
-**Remote build issues:**
-
- Try `e build --no-remote` to build locally
- Check reclient/siso configuration in your build config
--- a/11
+++ b/11
@@ -2,11 +2,11 @@ gclient_gn_args_from = 'src'

 vars = {
  'chromium_version':
-    '146.0.7680.188',
+    '138.0.7190.0',
  'node_version':
-    'v24.14.1',
+    'v22.16.0',
  'nan_version':
-    '675cefebca42410733da8a454c8d9391fcebfbc2',
+    'e14bdcd1f72d62bca1d541b66da43130384ec213',
  'squirrel.mac_version':
    '0e5d146ba13101a1302d59ea6e6e0b3cace4ae38',
  'reactiveobjc_version':
@@ -30,6 +30,9 @@ vars = {
  # The path of the sysroots.json file.
  'sysroots_json_path': 'electron/script/sysroots.json',

+  # KEEP IN SYNC WITH utils.js FILE
+  'yarn_version': '1.15.2',
+
  # To be able to build clean Chromium from sources.
  'apply_patches': True,

@@ -152,7 +155,7 @@ hooks = [
    'action': [
      'python3',
      '-c',
-      'import os, subprocess; os.chdir(os.path.join("src", "electron")); subprocess.check_call(["node", ".yarn/releases/yarn-4.12.0.cjs", "install", "--immutable"]);',
+      'import os, subprocess; os.chdir(os.path.join("src", "electron")); subprocess.check_call(["python3", "script/lib/npx.py", "yarn@' + (Var("yarn_version")) + '", "install", "--frozen-lockfile"]);',
    ],
  },
  {
--- a/README.md
+++ b/README.md
@@ -37,9 +37,9 @@ For more installation options and troubleshooting tips, see

 Each Electron release provides binaries for macOS, Windows, and Linux.

-* macOS (Monterey and up): Electron provides 64-bit Intel and Apple Silicon / ARM binaries for macOS.
+* macOS (Big Sur and up): Electron provides 64-bit Intel and Apple Silicon / ARM binaries for macOS.
 * Windows (Windows 10 and up): Electron provides `ia32` (`x86`), `x64` (`amd64`), and `arm64` binaries for Windows. Windows on ARM support was added in Electron 5.0.8. Support for Windows 7, 8 and 8.1 was [removed in Electron 23, in line with Chromium's Windows deprecation policy](https://www.electronjs.org/blog/windows-7-to-8-1-deprecation-notice).
-* Linux: The prebuilt binaries of Electron are built on Ubuntu 22.04. They have also been verified to work on:
+* Linux: The prebuilt binaries of Electron are built on Ubuntu 20.04. They have also been verified to work on:
  * Ubuntu 18.04 and newer
  * Fedora 32 and newer
  * Debian 10 and newer
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -8,12 +8,6 @@ The Electron team will send a response indicating the next steps in handling you

 Report security bugs in third-party modules to the person or team maintaining the module. You can also report a vulnerability through the [npm contact form](https://www.npmjs.com/support) by selecting "I'm reporting a security vulnerability".

-## Escalation
-
-If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`.
-
-If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.
-
 ## The Electron Security Notification Process

 For context on Electron's security notification process, please see the [Notifications](https://github.com/electron/governance/blob/main/wg-security/membership-and-notifications.md#notifications) section of the Security WG's [Membership and Notifications](https://github.com/electron/governance/blob/main/wg-security/membership-and-notifications.md) Governance document.
--- a/build/.eslintrc.json
+++ b/build/.eslintrc.json
@@ -1,8 +1,8 @@
 {
  "plugins": [
-    "import"
+    "unicorn"
  ],
  "rules": {
-    "import/enforce-node-protocol-usage": ["error", "always"]
+    "unicorn/prefer-node-protocol": "error"
  }
 }
--- a/build/args/all.gn
+++ b/build/args/all.gn
@@ -2,7 +2,7 @@ is_electron_build = true
 root_extra_deps = [ "//electron" ]

 # Registry of NMVs --> https://github.com/nodejs/node/blob/main/doc/abi_version_registry.json
-node_module_version = 145
+node_module_version = 136

 v8_promise_internal_field_count = 1
 v8_embedder_string = "-electron.0"
@@ -19,15 +19,15 @@ proprietary_codecs = true

 enable_printing = true

-# Refs https://chromium-review.googlesource.com/c/chromium/src/+/6986517
-# CI is using MacOS 15.5 which doesn't have the required modulemaps.
-use_clang_modules = false
-
 # Removes DLLs from the build, which are only meant to be used for Chromium development.
 # See https://github.com/electron/electron/pull/17985
 angle_enable_vulkan_validation_layers = false
 dawn_enable_vulkan_validation_layers = false

+# Removes dxc dll's that are only used experimentally.
+# See https://bugs.chromium.org/p/chromium/issues/detail?id=1474897
+dawn_use_built_dxc = false
+
 # These are disabled because they cause the zip manifest to differ between
 # testing and release builds.
 # See https://chromium-review.googlesource.com/c/chromium/src/+/2774898.
@@ -51,6 +51,9 @@ is_cfi = false
 use_qt5 = false
 use_qt6 = false

+# Disables the builtins PGO for V8
+v8_builtins_profiling_log_file = ""
+
 # https://chromium.googlesource.com/chromium/src/+/main/docs/dangling_ptr.md
 # TODO(vertedinde): hunt down dangling pointers on Linux
 enable_dangling_raw_ptr_checks = false
@@ -67,8 +70,6 @@ v8_expose_public_symbols = true
 # sensitive content by enterprise users.
 enterprise_cloud_content_analysis = false

-# We don't use anything from here, and it causes target collisions
-enable_linux_installer = false
-
-# Disable "Save to Drive" feature in PDF viewer
-enable_pdf_save_to_drive = false
+# TODO: remove dependency on legacy ipc
+# https://issues.chromium.org/issues/40943039
+content_enable_legacy_ipc = true
--- a/build/checksum_header.py
+++ b/build/checksum_header.py
@@ -1,37 +0,0 @@
-#!/usr/bin/env python3
-
-import os
-import sys
-import hashlib
-
-dir_path = os.path.dirname(os.path.realpath(__file__))
-
-TEMPLATE_H = """
-#ifndef ELECTRON_SNAPSHOT_CHECKSUM_H_
-#define ELECTRON_SNAPSHOT_CHECKSUM_H_
-
-namespace electron::snapshot_checksum {
-
-inline constexpr std::string_view kChecksum = "{checksum}";
-
-}  // namespace electron::snapshot_checksum
-
-#endif  // ELECTRON_SNAPSHOT_CHECKSUM_H_
-"""
-
-def calculate_sha256(filepath):
-    sha256_hash = hashlib.sha256()
-    with open(filepath, "rb") as f:
-        for byte_block in iter(lambda: f.read(4096), b""):
-            sha256_hash.update(byte_block)
-    return sha256_hash.hexdigest()
-
-input_file = sys.argv[1]
-output_file = sys.argv[2]
-
-checksum = calculate_sha256(input_file)
-
-checksum_h = TEMPLATE_H.replace("{checksum}", checksum)
-
-with open(output_file, 'w') as f:
-    f.write(checksum_h)
--- a/build/fuses/fuses.json5
+++ b/build/fuses/fuses.json5
@@ -9,6 +9,5 @@
  "embedded_asar_integrity_validation": "0",
  "only_load_app_from_asar": "0",
  "load_browser_process_specific_v8_snapshot": "0",
-  "grant_file_protocol_extra_privileges": "1",
-  "wasm_trap_handlers": "1"
+  "grant_file_protocol_extra_privileges": "1"
 }
--- a/build/linux/strip_binary.gni
+++ b/build/linux/strip_binary.gni
@@ -1,70 +0,0 @@
-# Copyright 2021 The Chromium Authors
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-# This has been adapted from https://source.chromium.org/chromium/chromium/src/+/main:build/linux/strip_binary.gni;drc=c220a41e0422d45f1657c28146d32e99cc53640b
-# The notable difference is it has an option to compress the debug sections
-
-import("//build/config/clang/clang.gni")
-import("//build/toolchain/toolchain.gni")
-
-# Extracts symbols from a binary into a symbol file.
-#
-# Args:
-#   binary_input: Path to the binary containing symbols to extract, e.g.:
-#       "$root_out_dir/chrome"
-#   symbol_output: Desired output file for symbols, e.g.:
-#       "$root_out_dir/chrome.debug"
-#   stripped_binary_output: Desired output file for stripped file, e.g.:
-#       "$root_out_dir/chrome.stripped"
-#   compress_debug_sections: If true, compress the extracted debug sections
-template("strip_binary") {
-  forward_variables_from(invoker,
-                         [
-                           "deps",
-                           "testonly",
-                         ])
-  action("${target_name}") {
-    llvm_strip_binary = "${clang_base_path}/bin/llvm-strip"
-    llvm_objcopy_binary = "${clang_base_path}/bin/llvm-objcopy"
-    script = "//electron/build/linux/strip_binary.py"
-
-    if (defined(invoker.stripped_binary_output)) {
-      stripped_binary_output = invoker.stripped_binary_output
-    } else {
-      stripped_binary_output = invoker.binary_input + ".stripped"
-    }
-    if (defined(invoker.symbol_output)) {
-      symbol_output = invoker.symbol_output
-    } else {
-      symbol_output = invoker.binary_input + ".debug"
-    }
-
-    inputs = [
-      invoker.binary_input,
-      llvm_strip_binary,
-      llvm_objcopy_binary,
-    ]
-    outputs = [
-      symbol_output,
-      stripped_binary_output,
-    ]
-    args = [
-      "--llvm-strip-binary-path",
-      rebase_path(llvm_strip_binary, root_build_dir),
-      "--llvm-objcopy-binary-path",
-      rebase_path(llvm_objcopy_binary, root_build_dir),
-      "--symbol-output",
-      rebase_path(symbol_output, root_build_dir),
-      "--stripped-binary-output",
-      rebase_path(stripped_binary_output, root_build_dir),
-      "--binary-input",
-      rebase_path(invoker.binary_input, root_build_dir),
-    ]
-
-    if (defined(invoker.compress_debug_sections) &&
-        invoker.compress_debug_sections) {
-      args += [ "--compress-debug-sections" ]
-    }
-  }
-}
--- a/build/linux/strip_binary.py
+++ b/build/linux/strip_binary.py
@@ -1,63 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright 2021 The Chromium Authors
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-# This has been adapted from https://source.chromium.org/chromium/chromium/src/+/main:build/linux/strip_binary.py;drc=c220a41e0422d45f1657c28146d32e99cc53640b
-# The notable difference is it has an option to compress the debug sections
-
-import argparse
-import subprocess
-import sys
-
-
-def main() -> int:
-  parser = argparse.ArgumentParser(description="Strip binary using LLVM tools.")
-  parser.add_argument("--llvm-strip-binary-path",
-                      help="Path to llvm-strip executable.")
-  parser.add_argument("--llvm-objcopy-binary-path",
-                      required=True,
-                      help="Path to llvm-objcopy executable.")
-  parser.add_argument("--binary-input", help="Input ELF binary.")
-  parser.add_argument("--symbol-output",
-                      help="File to write extracted debug info (.debug).")
-  parser.add_argument("--compress-debug-sections",
-                      action="store_true",
-                      help="Compress extracted debug info.")
-  parser.add_argument("--stripped-binary-output",
-                      help="File to write stripped binary.")
-  args = parser.parse_args()
-
-  # Replicate the behavior of:
-  # eu-strip <binary_input> -o <stripped_binary_output> -f <symbol_output>
-
-  objcopy_args = [
-      "--only-keep-debug",
-      args.binary_input,
-      args.symbol_output,
-  ]
-
-  if args.compress_debug_sections:
-    objcopy_args.insert(0, "--compress-debug-sections")
-
-  subprocess.check_output([args.llvm_objcopy_binary_path] + objcopy_args)
-  subprocess.check_output([
-      args.llvm_strip_binary_path,
-      "--strip-debug",
-      "--strip-unneeded",
-      "-o",
-      args.stripped_binary_output,
-      args.binary_input,
-  ])
-  subprocess.check_output([
-      args.llvm_objcopy_binary_path,
-      f"--add-gnu-debuglink={args.symbol_output}",
-      args.stripped_binary_output,
-  ])
-
-  return 0
-
-
-if __name__ == "__main__":
-  sys.exit(main())
--- a/build/rules.gni
+++ b/build/rules.gni
@@ -67,6 +67,10 @@ template("mac_xib_bundle_data") {
    ibtool_flags = [
      "--minimum-deployment-target",
      mac_deployment_target,
+
+      # TODO(rsesek): Enable this once all the bots are on Xcode 7+.
+      # "--target-device",
+      # "mac",
    ]
  }

--- a/build/siso/backend.star
+++ b/build/siso/backend.star
@@ -1,21 +0,0 @@
-# -*- bazel-starlark -*-
-
-load("@builtin//struct.star", "module")
-
-def __platform_properties(ctx):
-    container_image = "docker://gcr.io/chops-public-images-prod/rbe/siso-chromium/linux@sha256:d7cb1ab14a0f20aa669c23f22c15a9dead761dcac19f43985bf9dd5f41fbef3a"
-    return {
-        "default": {
-            "OSFamily": "Linux",
-            "container-image": container_image,
-        },
-        "large": {
-            "OSFamily": "Linux",
-            "container-image": container_image,
-        },
-    }
-
-backend = module(
-    "backend",
-    platform_properties = __platform_properties,
-)
--- a/build/siso/main.star
+++ b/build/siso/main.star
@@ -1,66 +0,0 @@
-load("@builtin//encoding.star", "json")
-load("@builtin//path.star", "path")
-load("@builtin//runtime.star", "runtime")
-load("@builtin//struct.star", "module")
-load("@config//main.star", upstream_init = "init")
-load("@config//win_sdk.star", "win_sdk")
-load("@config//gn_logs.star", "gn_logs")
-
-def init(ctx):
-    mod = upstream_init(ctx)
-    step_config = json.decode(mod.step_config)
-
-    # Buildbarn doesn't support input_root_absolute_path so disable that
-    for rule in step_config["rules"]:    
-      input_root_absolute_path = rule.get("input_root_absolute_path", False)
-      if input_root_absolute_path:
-        rule.pop("input_root_absolute_path", None)
-
-    # Only wrap clang rules with a remote wrapper if not on Linux. These are currently only
-    # needed for X-Compile builds, which run on Windows and Mac.
-    if runtime.os != "linux":
-      for rule in step_config["rules"]:
-        if rule["name"].startswith("clang/") or rule["name"].startswith("clang-cl/"):
-          rule["remote_wrapper"] = "../../buildtools/reclient_cfgs/chromium-browser-clang/clang_remote_wrapper"
-          if "inputs" not in rule:
-            rule["inputs"] = []
-          rule["inputs"].append("buildtools/reclient_cfgs/chromium-browser-clang/clang_remote_wrapper")
-          rule["inputs"].append("third_party/llvm-build/Release+Asserts_linux/bin/clang")
-
-      if "executables" not in step_config:
-        step_config["executables"] = []
-      step_config["executables"].append("buildtools/reclient_cfgs/chromium-browser-clang/clang_remote_wrapper")
-      step_config["executables"].append("third_party/llvm-build/Release+Asserts_linux/bin/clang")
-
-    if runtime.os == "darwin":
-      # Update platforms to match our default siso config instead of reclient configs.
-      step_config["platforms"].update({
-          "clang": step_config["platforms"]["default"],
-          "clang_large": step_config["platforms"]["default"],          
-      })      
-
-    if runtime.os == "windows":
-      # Add additional Windows SDK headers needed by Electron      
-      win_toolchain_dir = win_sdk.toolchain_dir(ctx)
-      if win_toolchain_dir:
-        sdk_version = gn_logs.read(ctx).get("windows_sdk_version")
-        step_config["input_deps"][win_toolchain_dir + ":headers"].extend([
-          # third_party/electron_node/deps/uv/include/uv/win.h includes mswsock.h
-          path.join(win_toolchain_dir, "Windows Kits/10/Include", sdk_version, "um/mswsock.h"),
-          # third_party/electron_node/src/debug_utils.cc includes lm.h
-          path.join(win_toolchain_dir, "Windows Kits/10/Include", sdk_version, "um/Lm.h"),          
-        ])
-      
-      # Update platforms to match our default siso config instead of reclient configs.
-      step_config["platforms"].update({
-          "clang-cl": step_config["platforms"]["default"],
-          "clang-cl_large": step_config["platforms"]["default"],
-          "lld-link": step_config["platforms"]["default"],
-      })
-
-    return module(
-      "config",
-      step_config = json.encode(step_config),
-      filegroups = mod.filegroups,
-      handlers = mod.handlers,
-    )
--- a/build/webpack/webpack.config.base.js
+++ b/build/webpack/webpack.config.base.js
@@ -121,7 +121,6 @@ if ((globalThis.process || binding.process).argv.includes("--profile-electron-in
          'electron/main$': electronAPIFile,
          'electron/renderer$': electronAPIFile,
          'electron/common$': electronAPIFile,
-          'electron/utility$': electronAPIFile,
          // Force timers to resolve to our dependency that doesn't use window.postMessage
          timers: path.resolve(electronRoot, 'node_modules', 'timers-browserify', 'main.js')
        },
@@ -144,9 +143,7 @@ if ((globalThis.process || binding.process).argv.includes("--profile-electron-in
            transpileOnly: onlyPrintingGraph,
            ignoreDiagnostics: [
              // File '{0}' is not under 'rootDir' '{1}'.
-              6059,
-              // Private field '{0}' must be declared in an enclosing class.
-              1111
+              6059
            ]
          }
        }]
--- a/build/zip.py
+++ b/build/zip.py
@@ -41,8 +41,6 @@ PATHS_TO_SKIP = [
  'resources/inspector',
  'gen/third_party/devtools-frontend/src',
  'gen/ui/webui',
-  # Skip because these get zipped separately in script/zip-symbols.py
-  'debug',
 ]

 def skip_path(dep, dist_zip, target_cpu):
@@ -82,11 +80,6 @@ def main(argv):
      dep = dep.strip()
      if not skip_path(dep, dist_zip, target_cpu):
        dist_files.add(dep)
-  # On Linux, filter out any files which have a .stripped companion
-  if sys.platform == 'linux':
-    dist_files = {
-      dep for dep in dist_files if f"{dep.removeprefix('./')}.stripped" not in dist_files
-    }
  if sys.platform == 'darwin' and not should_flatten:
    execute(['zip', '-r', '-y', dist_zip] + list(dist_files))
  else:
@@ -103,13 +96,10 @@ def main(argv):
          dirname = os.path.dirname(dep)
          arcname = (
            os.path.join(dirname, 'chrome-sandbox')
-            if basename.removesuffix('.stripped') == 'chrome_sandbox'
+            if basename == 'chrome_sandbox'
            else dep
          )
          name_to_write = arcname
-          # On Linux, strip the .stripped suffix from the name before zipping
-          if sys.platform == 'linux':
-            name_to_write = name_to_write.removesuffix('.stripped')
          if should_flatten:
            if flatten_relative_to:
              if name_to_write.startswith(flatten_relative_to):
--- a/chromium_src/BUILD.gn
+++ b/chromium_src/BUILD.gn
@@ -23,8 +23,6 @@ static_library("chrome") {
    "//chrome/browser/browser_process.h",
    "//chrome/browser/devtools/devtools_contents_resizing_strategy.cc",
    "//chrome/browser/devtools/devtools_contents_resizing_strategy.h",
-    "//chrome/browser/devtools/devtools_dispatch_http_request_params.cc",
-    "//chrome/browser/devtools/devtools_dispatch_http_request_params.h",
    "//chrome/browser/devtools/devtools_embedder_message_dispatcher.cc",
    "//chrome/browser/devtools/devtools_embedder_message_dispatcher.h",
    "//chrome/browser/devtools/devtools_eye_dropper.cc",
@@ -68,8 +66,6 @@ static_library("chrome") {
    "//chrome/browser/picture_in_picture/picture_in_picture_occlusion_tracker.h",
    "//chrome/browser/picture_in_picture/picture_in_picture_occlusion_tracker_observer.cc",
    "//chrome/browser/picture_in_picture/picture_in_picture_occlusion_tracker_observer.h",
-    "//chrome/browser/picture_in_picture/picture_in_picture_widget_fade_animator.cc",
-    "//chrome/browser/picture_in_picture/picture_in_picture_widget_fade_animator.h",
    "//chrome/browser/picture_in_picture/picture_in_picture_window_manager.cc",
    "//chrome/browser/picture_in_picture/picture_in_picture_window_manager.h",
    "//chrome/browser/picture_in_picture/picture_in_picture_window_manager_uma_helper.cc",
@@ -78,8 +74,14 @@ static_library("chrome") {
    "//chrome/browser/picture_in_picture/scoped_picture_in_picture_occlusion_observation.h",
    "//chrome/browser/platform_util.cc",
    "//chrome/browser/platform_util.h",
+    "//chrome/browser/predictors/preconnect_manager.cc",
+    "//chrome/browser/predictors/preconnect_manager.h",
    "//chrome/browser/predictors/predictors_features.cc",
    "//chrome/browser/predictors/predictors_features.h",
+    "//chrome/browser/predictors/proxy_lookup_client_impl.cc",
+    "//chrome/browser/predictors/proxy_lookup_client_impl.h",
+    "//chrome/browser/predictors/resolve_host_client_impl.cc",
+    "//chrome/browser/predictors/resolve_host_client_impl.h",
    "//chrome/browser/process_singleton.h",
    "//chrome/browser/process_singleton_internal.cc",
    "//chrome/browser/process_singleton_internal.h",
@@ -126,12 +128,8 @@ static_library("chrome") {
    "//chrome/browser/ui/views/overlay/hang_up_button.h",
    "//chrome/browser/ui/views/overlay/minimize_button.cc",
    "//chrome/browser/ui/views/overlay/minimize_button.h",
-    "//chrome/browser/ui/views/overlay/overlay_controls_fade_animation.cc",
-    "//chrome/browser/ui/views/overlay/overlay_controls_fade_animation.h",
    "//chrome/browser/ui/views/overlay/overlay_window_image_button.cc",
    "//chrome/browser/ui/views/overlay/overlay_window_image_button.h",
-    "//chrome/browser/ui/views/overlay/overlay_window_live_caption_button.cc",
-    "//chrome/browser/ui/views/overlay/overlay_window_live_caption_button.h",
    "//chrome/browser/ui/views/overlay/playback_image_button.cc",
    "//chrome/browser/ui/views/overlay/playback_image_button.h",
    "//chrome/browser/ui/views/overlay/resize_handle_button.cc",
@@ -146,10 +144,6 @@ static_library("chrome") {
    "//chrome/browser/ui/views/overlay/toggle_microphone_button.h",
    "//chrome/browser/ui/views/overlay/video_overlay_window_views.cc",
    "//chrome/browser/ui/views/overlay/video_overlay_window_views.h",
-    "//chrome/browser/ui/views/picture_in_picture/picture_in_picture_bounds_change_animation.cc",
-    "//chrome/browser/ui/views/picture_in_picture/picture_in_picture_bounds_change_animation.h",
-    "//chrome/browser/ui/views/picture_in_picture/picture_in_picture_tucker.cc",
-    "//chrome/browser/ui/views/picture_in_picture/picture_in_picture_tucker.h",
    "//chrome/browser/ui/webui/accessibility/accessibility_ui.cc",
    "//chrome/browser/ui/webui/accessibility/accessibility_ui.h",
    "//chrome/browser/usb/usb_blocklist.cc",
@@ -213,7 +207,7 @@ static_library("chrome") {
    "//components/enterprise/common/proto:connectors_proto",
    "//components/enterprise/obfuscation/core:enterprise_obfuscation",
    "//components/safe_browsing/core/browser/db:safebrowsing_proto",
-    "//components/vector_icons",
+    "//components/vector_icons:vector_icons",
    "//ui/base/accelerators/global_accelerator_listener",
    "//ui/snapshot",
    "//ui/views/controls/webview",
@@ -223,8 +217,8 @@ static_library("chrome") {
    sources += [
      "//chrome/browser/platform_util_aura.cc",
      "//chrome/browser/ui/views/eye_dropper/eye_dropper_aura.cc",
-      "//ui/native_window_tracker/native_window_tracker_aura.cc",
-      "//ui/native_window_tracker/native_window_tracker_aura.h",
+      "//ui/views/native_window_tracker_aura.cc",
+      "//ui/views/native_window_tracker_aura.h",
    ]
    deps += [ "//components/eye_dropper" ]
  }
@@ -245,10 +239,6 @@ static_library("chrome") {
      "//chrome/browser/ui/views/dark_mode_manager_linux.cc",
      "//chrome/browser/ui/views/dark_mode_manager_linux.h",
    ]
-    sources += [
-      "//chrome/browser/ui/views/frame/browser_frame_view_paint_utils_linux.cc",
-      "//chrome/browser/ui/views/frame/browser_frame_view_paint_utils_linux.h",
-    ]
    public_deps += [ "//components/dbus" ]
  }

@@ -284,8 +274,6 @@ static_library("chrome") {
      "//chrome/browser/process_singleton_mac.mm",
      "//chrome/browser/ui/views/eye_dropper/eye_dropper_view_mac.h",
      "//chrome/browser/ui/views/eye_dropper/eye_dropper_view_mac.mm",
-      "//chrome/browser/ui/views/overlay/video_overlay_window_native_widget_mac.h",
-      "//chrome/browser/ui/views/overlay/video_overlay_window_native_widget_mac.mm",
    ]
    deps += [ ":system_media_capture_permissions_mac_conflict" ]
  }
@@ -387,8 +375,6 @@ static_library("chrome") {
        "//chrome/browser/pdf/chrome_pdf_stream_delegate.h",
        "//chrome/browser/pdf/pdf_extension_util.cc",
        "//chrome/browser/pdf/pdf_extension_util.h",
-        "//chrome/browser/pdf/pdf_help_bubble_handler_factory.cc",
-        "//chrome/browser/pdf/pdf_help_bubble_handler_factory.h",
        "//chrome/browser/pdf/pdf_viewer_stream_manager.cc",
        "//chrome/browser/pdf/pdf_viewer_stream_manager.h",
        "//chrome/browser/plugins/pdf_iframe_navigation_throttle.cc",
@@ -397,8 +383,6 @@ static_library("chrome") {
      deps += [
        "//components/pdf/browser",
        "//components/pdf/renderer",
-        "//ui/base/interaction",
-        "//ui/webui/resources/cr_components/help_bubble:mojo_bindings",
      ]
    }
  } else {
@@ -512,17 +496,15 @@ source_set("chrome_spellchecker") {
  ]
 }

-if (is_mac) {
-  # These sources create an object file conflict with one in |:chrome|, so they
-  # must live in a separate target.
-  # Conflicting sources:
-  #   //chrome/browser/media/webrtc/system_media_capture_permissions_stats_mac.mm
-  #   //chrome/browser/permissions/system/system_media_capture_permissions_mac.mm
-  source_set("system_media_capture_permissions_mac_conflict") {
-    sources = [
-      "//chrome/browser/permissions/system/system_media_capture_permissions_mac.h",
-      "//chrome/browser/permissions/system/system_media_capture_permissions_mac.mm",
-    ]
-    deps = [ "//chrome/common" ]
-  }
+# These sources create an object file conflict with one in |:chrome|, so they
+# must live in a separate target.
+# Conflicting sources:
+#   //chrome/browser/media/webrtc/system_media_capture_permissions_stats_mac.mm
+#   //chrome/browser/permissions/system/system_media_capture_permissions_mac.mm
+source_set("system_media_capture_permissions_mac_conflict") {
+  sources = [
+    "//chrome/browser/permissions/system/system_media_capture_permissions_mac.h",
+    "//chrome/browser/permissions/system/system_media_capture_permissions_mac.mm",
+  ]
+  deps = [ "//chrome/common" ]
 }
--- a/default_app/.eslintrc.json
+++ b/default_app/.eslintrc.json
@@ -1,8 +1,8 @@
 {
  "plugins": [
-    "import"
+    "unicorn"
  ],
  "rules": {
-    "import/enforce-node-protocol-usage": ["error", "always"]
+    "unicorn/prefer-node-protocol": "error"
  }
 }
--- a/default_app/default_app.ts
+++ b/default_app/default_app.ts
@@ -1,5 +1,5 @@
 import { shell } from 'electron/common';
-import { app, dialog, BrowserWindow, ipcMain, Menu } from 'electron/main';
+import { app, dialog, BrowserWindow, ipcMain } from 'electron/main';

 import * as path from 'node:path';
 import * as url from 'node:url';
@@ -11,52 +11,12 @@ app.on('window-all-closed', () => {
  app.quit();
 });

-const isMac = process.platform === 'darwin';
-
-app.whenReady().then(() => {
-  const helpMenu: Electron.MenuItemConstructorOptions = {
-    role: 'help',
-    submenu: [
-      {
-        label: 'Learn More',
-        click: async () => {
-          await shell.openExternal('https://electronjs.org');
-        }
-      },
-      {
-        label: 'Documentation',
-        click: async () => {
-          const version = process.versions.electron;
-          await shell.openExternal(`https://github.com/electron/electron/tree/v${version}/docs#readme`);
-        }
-      },
-      {
-        label: 'Community Discussions',
-        click: async () => {
-          await shell.openExternal('https://discord.gg/electronjs');
-        }
-      },
-      {
-        label: 'Search Issues',
-        click: async () => {
-          await shell.openExternal('https://github.com/electron/electron/issues');
-        }
-      }
-    ]
-  };
-
-  const macAppMenu: Electron.MenuItemConstructorOptions = { role: 'appMenu' };
-  const template: Electron.MenuItemConstructorOptions[] = [
-    ...(isMac ? [macAppMenu] : []),
-    { role: 'fileMenu' },
-    { role: 'editMenu' },
-    { role: 'viewMenu' },
-    { role: 'windowMenu' },
-    helpMenu
-  ];
-
-  Menu.setApplicationMenu(Menu.buildFromTemplate(template));
-});
+function decorateURL (url: string) {
+  // safely add `?utm_source=default_app
+  const parsedUrl = new URL(url);
+  parsedUrl.searchParams.append('utm_source', 'default_app');
+  return parsedUrl.toString();
+}

 // Find the shortest path to the electron binary
 const absoluteElectronPath = process.execPath;
@@ -109,7 +69,7 @@ async function createWindow (backgroundColor?: string) {
  mainWindow.on('ready-to-show', () => mainWindow!.show());

  mainWindow.webContents.setWindowOpenHandler(details => {
-    shell.openExternal(details.url);
+    shell.openExternal(decorateURL(details.url));
    return { action: 'deny' };
  });

--- a/default_app/main.ts
+++ b/default_app/main.ts
@@ -110,12 +110,11 @@ async function loadApplicationPackage (packagePath: string) {
      } else if (packageJson.name) {
        app.name = packageJson.name;
      }
-
-      // Set application's desktop name (Linux). These usually match the executable name,
-      // so use it as the default to ensure the app gets the correct icon in the taskbar and application switcher.
-      const desktopName = packageJson.desktopName || `${path.basename(process.execPath)}.desktop`;
-      app.setDesktopName(desktopName);
-
+      if (packageJson.desktopName) {
+        app.setDesktopName(packageJson.desktopName);
+      } else {
+        app.setDesktopName(`${app.name}.desktop`);
+      }
      // Set v8 flags, deliberately lazy load so that apps that do not use this
      // feature do not pay the price
      if (packageJson.v8Flags) {
@@ -256,7 +255,7 @@ async function startRepl () {
 if (option.file && !option.webdriver) {
  const file = option.file;
  // eslint-disable-next-line n/no-deprecated-api
-  const protocol = URL.canParse(file) ? new URL(file).protocol : null;
+  const protocol = url.parse(file).protocol;
  const extension = path.extname(file);
  if (protocol === 'http:' || protocol === 'https:' || protocol === 'file:' || protocol === 'chrome:') {
    await loadApplicationByURL(file);
--- a/default_app/styles.css
+++ b/default_app/styles.css
@@ -41,7 +41,7 @@ h4 {
  transform-origin: 50% 50%;
 }

-.hero-icon.loop-3 {
+hero-icon.loop-3 {
  transform: translate(79px, 21px);
  opacity: 1;
 }
--- a/docs/.eslintrc.json
+++ b/docs/.eslintrc.json
@@ -1,8 +1,8 @@
 {
  "extends": "standard",
  "plugins": [
-    "import",
-    "markdown"
+    "markdown",
+    "unicorn"
  ],
  "overrides": [
    {
@@ -30,6 +30,6 @@
    "no-undef": "off",
    "no-unused-expressions": "off",
    "no-unused-vars": "off",
-    "import/enforce-node-protocol-usage": ["error", "always"]
+    "unicorn/prefer-node-protocol": "error"
  }
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
deepak1556	45ba741580	chore: remove interface bound checks	2025-06-17 18:05:09 +09:00
Robo	ef040ffad6	chore: update spec/api-utility-process-spec.ts Co-authored-by: David Sanders <dsanders11@ucsbalum.com>	2025-06-17 17:27:54 +09:00
deepak1556	95033edacd	chore: update spec	2025-06-16 12:31:22 +09:00
Niklas Wenzel	dd4b11d89f	docs: update breaking changes	2025-06-15 23:16:22 +02:00
deepak1556	2fdf78e4e6	fix: utilityProcess running user script after process.exit is called	2025-06-15 19:26:06 +09:00