diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index fc29fc0..3b536c9 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -32,8 +32,13 @@ jobs:
 run: tox
 publish:
+ name: upload release to PyPI
 runs-on: ubuntu-latest
 needs: test
+ environment: release
+ permissions:
+ # IMPORTANT: this permission is mandatory for trusted publishing
+ id-token: write
 steps:
 - uses: actions/checkout@v3
@@ -47,11 +52,9 @@ jobs:
 python -m pip install --upgrade pip
 python -m pip install poetry poetry poetry-plugin-export
- - name: Build and publish
- env:
- TWINE_USERNAME: "__token__"
- TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
- run: |
- poetry build
- poetry publish
+ - name: Build
+ run: poetry build
+
+ - name: publish
+ uses: pypa/gh-action-pypi-publish@release/v1
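Review bot: The new job-level `permissions:` block lists only `id-token: write`, and once a job declares permissions every scope it omits is set to `none`, so the `actions/checkout@v3` step right below it runs without `contents: read`. On a public repository that tends to go unnoticed, but on a private or internal one the checkout fails; adding `contents: read` under `permissions:` states what the job actually needs. Separately, `environment: release` only acts as a gate if that environment carries protection rules (required reviewers or a branch/tag restriction) and the trusted-publisher entry on PyPI names the same environment, neither of which is visible from this hunk. The `publish` job's steps continue outside the hunk.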
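Review bot: `pypa/gh-action-pypi-publish@release/v1` is a branch ref, so whatever that branch points to at run time executes in a job that can mint an OIDC token PyPI will accept; pinning the `uses:` line to a full commit SHA, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, removes that moving part. The same job also runs the unpinned `python -m pip install` lines and `poetry build` before the publish step, so build-time code shares a job with the `id-token: write` grant. Moving the build into its own job without that permission and passing `dist/` to the publish job as an artifact would keep the privileged job down to a download and an upload. With the `TWINE_PASSWORD` step removed, the `PYPI_TOKEN` secret should also be deleted from the repository and revoked on PyPI so the long-lived credential does not outlive its use.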