From ee060cdc587d57a5808b4c37dfa122340985f6ee Mon Sep 17 00:00:00 2001
From: Simon Binder <simon@journeyapps.com>
Date: Mon, 27 Oct 2025 17:31:50 +0100
Subject: [PATCH 1/5] Prepare trusted publishing, update core extension

---
 .changeset/cold-forks-worry.md       |  5 +++
 .changeset/grumpy-shrimps-wear.md    |  5 +++
 .github/workflows/build-package.yaml |  9 ++---
 .github/workflows/dev-packages.yaml  | 57 ----------------------------
 .github/workflows/release.yml        | 27 +++++++++----
 build.sh                             |  2 +-
 6 files changed, 34 insertions(+), 71 deletions(-)
 create mode 100644 .changeset/cold-forks-worry.md
 create mode 100644 .changeset/grumpy-shrimps-wear.md
 delete mode 100644 .github/workflows/dev-packages.yaml

diff --git a/.changeset/cold-forks-worry.md b/.changeset/cold-forks-worry.md
new file mode 100644
index 0000000..fce36b6
--- /dev/null
+++ b/.changeset/cold-forks-worry.md
@@ -0,0 +1,5 @@
+---
+"@powersync/sql-js": patch
+---
+
+Use trusted publishing to publish this package.
diff --git a/.changeset/grumpy-shrimps-wear.md b/.changeset/grumpy-shrimps-wear.md
new file mode 100644
index 0000000..4738f94
--- /dev/null
+++ b/.changeset/grumpy-shrimps-wear.md
@@ -0,0 +1,5 @@
+---
+"@powersync/sql-js": patch
+---
+
+Update PowerSync core extension to version 0.4.8.
diff --git a/.github/workflows/build-package.yaml b/.github/workflows/build-package.yaml
index c14e85b..2a07d0b 100644
--- a/.github/workflows/build-package.yaml
+++ b/.github/workflows/build-package.yaml
@@ -9,19 +9,18 @@ jobs:
     name: Build Packages
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           persist-credentials: false
 
       - name: Setup NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version-file: ".nvmrc"
 
-      - uses: pnpm/action-setup@v2
+      - uses: pnpm/action-setup@v4
         name: Install pnpm
         with:
-          version: 9
           run_install: false
 
       - name: Get pnpm store directory
@@ -29,7 +28,7 @@ jobs:
         run: |
           echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
 
-      - uses: actions/cache@v3
+      - uses: actions/cache@v4
         name: Setup pnpm cache
         with:
           path: ${{ env.STORE_PATH }}
diff --git a/.github/workflows/dev-packages.yaml b/.github/workflows/dev-packages.yaml
deleted file mode 100644
index da611ca..0000000
--- a/.github/workflows/dev-packages.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-# Action to publish packages under the `next` tag for testing
-# Packages are versioned as `0.0.0-{tag}-DATETIMESTAMP`
-name: Create Dev Release
-
-on: workflow_dispatch
-
-jobs:
-  publish:
-    name: Publish Dev Packages
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Setup NodeJS
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: ".nvmrc"
-      - uses: pnpm/action-setup@v2
-        name: Install pnpm
-        with:
-          version: 9
-          run_install: false
-      - name: Add NPM auth
-        run: echo "//registry.npmjs.org/:_authToken=${{secrets.NPM_TOKEN}}" >> ~/.npmrc
-      - name: Get pnpm store directory
-        shell: bash
-        run: |
-          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-      - uses: actions/cache@v3
-        name: Setup pnpm cache
-        with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
-      - name: Install dependencies
-        run: pnpm install
-
-      - name: Install sha3sum
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y libdigest-sha3-perl
-
-      - name: Setup Emscripten
-        uses: mymindstorm/setup-emsdk@v14
-        with:
-          version: 4.0.10
-          actions-cache-folder: "emsdk-cache"
-
-      - name: Build
-        run: pnpm build
-
-      - name: Publish
-        run: |
-          pnpm changeset version --no-git-tag --snapshot dev
-          pnpm changeset publish --tag dev
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ae289db..d72abd3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,8 @@ on:
   push:
     branches:
       - main
+  workflow_dispatch:
+    # Dev publishing
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
@@ -13,23 +15,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version-file: ".nvmrc"
-      - uses: pnpm/action-setup@v2
+      - uses: pnpm/action-setup@v4
         name: Install pnpm
         with:
-          # Pnpm 9.4 introduces this https://github.com/pnpm/pnpm/pull/7633
-          # which causes workspace:^1.2.0 to be converted to 1.2.0^1.2.0
-          version: 9.3
+          version: latest
           run_install: false
       - name: Get pnpm store directory
         shell: bash
         run: |
           echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-      - uses: actions/cache@v3
+      - uses: actions/cache@v4
         name: Setup pnpm cache
         with:
           path: ${{ env.STORE_PATH }}
@@ -50,9 +50,13 @@ jobs:
           version: 4.0.10
           actions-cache-folder: "emsdk-cache"
 
+      - name: Build
+        run: pnpm build
+
       - name: Create Release Pull Request or Publish to npm
         id: changesets
         uses: changesets/action@v1
+        if: ${{ github.event_name == 'push' }}
         with:
           # Update the monorepo lockfile after versioning
           version: pnpm changeset:version
@@ -60,4 +64,11 @@ jobs:
           publish: pnpm release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Dev publish
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        run: |
+          pnpm changeset version --no-git-tag --snapshot dev
+          pnpm changeset publish --tag dev
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/build.sh b/build.sh
index db09137..a1f6d32 100755
--- a/build.sh
+++ b/build.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-POWERSYNC_CORE_VERSION="0.4.6"
+POWERSYNC_CORE_VERSION="0.4.8"
 SQLITE_PATH="sql.js"
 
 if [ -d "$SQLITE_PATH" ]; then

From b6fec75317345d9f21c7db883c5104ed3b385329 Mon Sep 17 00:00:00 2001
From: Simon Binder <simon@journeyapps.com>
Date: Mon, 27 Oct 2025 17:33:28 +0100
Subject: [PATCH 2/5] Add OIDC permissions

---
 .github/workflows/release.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d72abd3..77ba75a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,10 @@ on:
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
+permissions:
+  id-token: write  # Required for OIDC
+  contents: read
+
 jobs:
   release:
     name: Release

From f2105ff158633c56a3988968de24b10459daec11 Mon Sep 17 00:00:00 2001
From: Simon Binder <simon@journeyapps.com>
Date: Mon, 27 Oct 2025 17:41:17 +0100
Subject: [PATCH 3/5] Include version

---
 .github/workflows/build-package.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build-package.yaml b/.github/workflows/build-package.yaml
index 2a07d0b..fde1314 100644
--- a/.github/workflows/build-package.yaml
+++ b/.github/workflows/build-package.yaml
@@ -21,6 +21,7 @@ jobs:
       - uses: pnpm/action-setup@v4
         name: Install pnpm
         with:
+          version: latest
           run_install: false
 
       - name: Get pnpm store directory

From afd25920b171dc108dc17522093579d5c16fbeb6 Mon Sep 17 00:00:00 2001
From: Simon Binder <simon@journeyapps.com>
Date: Mon, 27 Oct 2025 17:57:27 +0100
Subject: [PATCH 4/5] Switch to corepack

---
 package.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index e9d286f..ee99cc0 100644
--- a/package.json
+++ b/package.json
@@ -30,5 +30,6 @@
   },
   "devDependencies": {
     "@changesets/cli": "^2.29.5"
-  }
+  },
+  "packageManager": "pnpm@10.19.0+sha512.c9fc7236e92adf5c8af42fd5bf1612df99c2ceb62f27047032f4720b33f8eacdde311865e91c411f2774f618d82f320808ecb51718bfa82c060c4ba7c76a32b8"
 }

From e16611c5f6eaf431e9ad6cb3bcfdf0e4926e2f7f Mon Sep 17 00:00:00 2001
From: Simon Binder <simon@journeyapps.com>
Date: Mon, 27 Oct 2025 18:00:31 +0100
Subject: [PATCH 5/5] Install pnpm before node

---
 .github/workflows/build-package.yaml | 11 +++++------
 .github/workflows/release.yml        | 10 +++++-----
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/build-package.yaml b/.github/workflows/build-package.yaml
index fde1314..64b444d 100644
--- a/.github/workflows/build-package.yaml
+++ b/.github/workflows/build-package.yaml
@@ -13,17 +13,16 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Setup NodeJS
-        uses: actions/setup-node@v5
-        with:
-          node-version-file: ".nvmrc"
-
       - uses: pnpm/action-setup@v4
         name: Install pnpm
         with:
-          version: latest
           run_install: false
 
+      - name: Setup NodeJS
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: ".nvmrc"
+
       - name: Get pnpm store directory
         shell: bash
         run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 77ba75a..1b9e619 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,15 +20,15 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v5
-      - name: Setup Node.js
-        uses: actions/setup-node@v5
-        with:
-          node-version-file: ".nvmrc"
       - uses: pnpm/action-setup@v4
         name: Install pnpm
         with:
-          version: latest
           run_install: false
+
+      - name: Setup NodeJS
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: ".nvmrc"
       - name: Get pnpm store directory
         shell: bash
         run: |