diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ff1f31c..c7af776 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,9 +4,16 @@ on:
 release:
 types: [created]
+permissions:
+ id-token: write # Required for trusted publishing to PyPI
+ contents: read
+
 jobs:
 publish:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write # Required for trusted publishing to PyPI
+ contents: read
 steps:
 - uses: actions/checkout@v4
@@ -57,11 +64,9 @@ jobs:
 python -m twine check dist/*
 - name: Publish to TestPyPI
- env:
- TWINE_USERNAME: __token__
- TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}
- run: |
- python -m twine upload --repository testpypi dist/*
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ repository-url: https://test.pypi.org/legacy/
 - name: Verify TestPyPI installation
 run: |
@@ -78,8 +83,4 @@ jobs:
 echo "✓ TestPyPI package verified successfully!"
 - name: Publish to PyPI
- env:
- TWINE_USERNAME: __token__
- TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
- run: |
- python -m twine upload dist/*
+ uses: pypa/gh-action-pypi-publish@release/v1
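Review bot: `id-token: write` is granted twice in the first hunk, once at workflow level and once on the `publish` job, and the workflow-level grant is the one to drop. A top-level `permissions:` block is the default for every job that does not declare its own, so a job added to this workflow later could request an OIDC token that a trusted publisher bound to this workflow file would accept. Reducing the top-level block to `contents: read` alone and keeping `id-token: write` on the `publish` job scopes the grant to the one job that uploads. The job's step list continues outside the hunk.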
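Review bot: `pypa/gh-action-pypi-publish@release/v1` in the `Publish to TestPyPI` step of the second hunk, and again in the `Publish to PyPI` step of the last hunk, is a branch reference, so the code that runs with this job's `id-token: write` can change without any change in this repository. Pinning both steps to a full commit SHA with the ref kept as a comment, `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, makes the action that can obtain the publishing token reviewable and still lets a dependency bot propose updates. Once trusted publishing is confirmed working, the `TEST_PYPI_API_TOKEN` and `PYPI_API_TOKEN` secrets that these hunks stop using should be deleted from the repository and the tokens revoked on both indexes, because they remain valid upload credentials until then.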
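Review bot: The `Publish to PyPI` step in the last hunk has no environment gate visible in this diff, so a `release: created` event appears to go from build to production upload with no approval point. Adding `environment: pypi` (example name) to the `publish` job and entering the same name in the PyPI trusted-publisher settings allows required reviewers on the upload and restricts the publisher to jobs that run in that environment. The build and the `Verify TestPyPI installation` step, whose body lies outside the hunks, run in the same job as this upload, so whatever they execute presumably does so while the job can request the OIDC token. Moving the two upload steps into a separate job that only downloads the built `dist/` artifact would keep that token away from build and verification code.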