diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f8567ac..4182b6e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,6 +8,13 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-22.04
+
+    environment:
+      name: pypi
+      url: https://pypi.org/p/edx-arch-experiments
+    permissions:
+      id-token: write  # used by pypi-publish
+
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v4
@@ -22,6 +29,3 @@ jobs:
 
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_UPLOAD_TOKEN }}
diff --git a/.github/workflows/test_publish.yml b/.github/workflows/test_publish.yml
index 8116ca6..788a3d0 100644
--- a/.github/workflows/test_publish.yml
+++ b/.github/workflows/test_publish.yml
@@ -6,6 +6,13 @@ on:
 jobs:
   test-publish:
     runs-on: ubuntu-22.04
+
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/edx-arch-experiments
+    permissions:
+      id-token: write  # used by pypi-publish
+
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v4
@@ -21,8 +28,6 @@ jobs:
       - name: Publish to PyPI (test server)
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_TEST_UPLOAD_TOKEN }}
           repository_url: https://test.pypi.org/legacy/
           skip_existing: true