diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7dac7f55..fe684d0c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -156,12 +156,16 @@ jobs:
 
     runs-on: ubuntu-latest
 
-    steps:
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install twine==6.0.1
+    permissions:
+      id-token: write   # Required for OIDC trusted publishing
+      actions: read     # Required for actions/download-artifact
+      contents: read    # Required for repository access
 
+    environment:
+      name: publish
+      url: https://pypi.org/p/singlestoredb
+
+    steps:
       - name: Download Linux wheels and sdist
         uses: actions/download-artifact@v4
         with:
@@ -180,14 +184,9 @@ jobs:
           name: artifacts-macOS
           path: dist
 
-      - name: Publish PyPI package
+      - name: Publish to PyPI
         if: ${{ github.event_name == 'release' || github.event.inputs.publish_pypi == 'true' }}
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: "${{ secrets.PYPI_TOKEN }}"
-        run: |
-          ls ./dist/*
-          twine upload ./dist/*
+        uses: pypa/gh-action-pypi-publish@release/v1
 
 #     - name: Publish Conda package
 #       if: ${{ github.event_name == 'release' || github.event.inputs.publish_anaconda == 'true' }}