diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a86faba..0043beb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -74,6 +74,11 @@ jobs:
     needs: [build_sdist, build_wheels]
     runs-on: ubuntu-latest
     if: github.event_name == 'release' && github.event.action == 'published'
+    environment:
+      name: publish-to-pypi
+      url: https://pypi.org/p/opentype-sanitizer
+    permissions:
+      id-token: write # IMPORTANT: mandatory for trusted publishing.
 
     steps:
     - uses: actions/download-artifact@v4
@@ -81,7 +86,5 @@ jobs:
         path: dist
         merge-multiple: true
 
-    - uses: pypa/gh-action-pypi-publish@v1.12.0
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_PASSWORD }}
+    - name: Publish package distributions to PyPI
+      uses: pypa/gh-action-pypi-publish@v1.13.0