diff --git a/.github/workflows/release-wheels.yml b/.github/workflows/release-wheels.yml
index b65c6f94..7309e572 100644
--- a/.github/workflows/release-wheels.yml
+++ b/.github/workflows/release-wheels.yml
@@ -16,6 +16,12 @@ jobs:
 
   upload_pypi:
     needs: [build_wheels, build_sdist]
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing & sigstore
+
+    environment:
+      name: pypi
+      url: https://pypi.org/p/pycares
     if: github.event_name == 'release' && github.event.action == 'published'
     runs-on: ubuntu-latest
     steps:
@@ -26,6 +32,3 @@ jobs:
       - run: ls -lR dist
       - name: Upload to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.pypi_password }}