diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 7f551b5..a6edf58 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -49,6 +49,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+    permissions:
+      id-token: write
+      attestations: write
 
     strategy:
       matrix:
@@ -76,6 +79,5 @@ jobs:
         if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
-          skip_existing: true
+          attestations: true
+          skip-existing: true
diff --git a/CHANGES b/CHANGES
index 0c80d86..edb46da 100644
--- a/CHANGES
+++ b/CHANGES
@@ -29,10 +29,12 @@ $ uvx --from 'g' --prerelease allow g
 
 ## g 0.0.9 (unreleased)
 
-- _Notes on upcoming releases will be added here_
-
 <!-- Maintainers, insert changes / features for the next release here -->
 
+### CI
+
+- Migrate to PyPI Trusted Publisher (#43)
+
 ## g 0.0.8 (2025-11-01)
 
 ### Breaking changes