diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 683c5921..fde14172 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -8,12 +8,13 @@ on: - "v*" permissions: + id-token: write # Used to authenticate to PyPI via OIDC. contents: read jobs: deploy: - runs-on: ubuntu-latest + environment: release steps: - name: Checkout repository @@ -32,7 +33,6 @@ jobs: - name: Build package run: poetry build - - name: Publish package - env: - POETRY_PYPI_TOKEN_PYPI: ${{ secrets.PYPI_TOKEN }} - run: poetry publish --no-interaction + # This uses PyPI's trusted publishing, so no token is required + - name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1
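Review bot: `id-token: write` is granted in the workflow-level `permissions:` block, so every step of `deploy`, including dependency installation and `poetry build`, runs in a job that can request an OIDC token PyPI will accept for this project. Move it to the job that uploads, ideally a separate publish job that only downloads the built `dist/` artifact and runs the publish action, with `permissions:` set to `id-token: write` on that job alone. A job-level `permissions:` block replaces the workflow-level one for that job, so `contents: read` must be repeated there if the job still checks out the repository. `environment: release` only adds a gate if the environment has required reviewers or a tag restriction and the PyPI trusted-publisher entry names it; neither is visible in this diff, so confirm both. The rest of the `deploy` job's steps lie outside this hunk.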
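Review bot: `uses: pypa/gh-action-pypi-publish@release/v1` references a branch, so the code that runs with this job's publishing identity can change without any commit to this repository. Pin the action to a full commit SHA and keep the branch name as a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, and let Dependabot or Renovate propose the bumps. The removed step was the only visible use of `secrets.PYPI_TOKEN`; the token stays valid until it is revoked on PyPI and deleted from the repository secrets, which should happen together with this merge.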