Trusted publishing for npm packages setup for cdt-gdb-adapter and other packages
Summary
NPM changed token policies in December 2025. Now the recommended way is to use OIDC. I saw other EF IT tickets dealing with the fallout before.
A couple of packages I am aware of that we maintain and that may need Trusted Publishing to be set up (couldn't see it for example for the first in the list):
- https://www.npmjs.com/package/cdt-gdb-adapter
- https://www.npmjs.com/package/cdt-amalgamator
- https://www.npmjs.com/package/@eclipse-cdt-cloud/vscode-ui-components
I only have time to test the first in the list (release imminent). Pending PR to adjust the workflow here: https://github.com/eclipse-cdt-cloud/cdt-gdb-adapter/pull/499
But it might make sense to set things up for the others in the list, too.
Corresponding GitHub repositories are:
- https://github.com/eclipse-cdt-cloud/cdt-gdb-adapter
- https://github.com/eclipse-cdt-cloud/cdt-amalgamator
- https://github.com/eclipse-cdt-cloud/vscode-ui-components
Is this something you can help with?
Thanks, Jens
Steps to reproduce
Try to publish a release.
What is the current bug behavior?
Latest failed action run here: https://github.com/eclipse-cdt-cloud/cdt-gdb-adapter/actions/runs/22404471843/job/64864478726
What is the expected correct behavior?
Publish succeeds
Relevant logs and/or screenshots
Priority
- Urgent
- High
- Medium
- Low
Severity
- Blocker
- Major
- Normal
- Low
Impact
Found while trying to make a release. But release can be delayed for a couple of days.