diff --git a/.github/workflows/deploy_pypi.yml b/.github/workflows/deploy_pypi.yml
deleted file mode 100644
index cdde5eb..0000000
--- a/.github/workflows/deploy_pypi.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-name: Publish DSO to PyPI
-on:
-  release:
-    types: [published]
-
-jobs:
-  release:
-    name: Upload release to PyPI
-    runs-on: ubuntu-latest
-    environment:
-      name: pypi
-      url: https://pypi.org/p/dso
-
-    steps:
-      - uses: actions/checkout@v4
-        name: Check out source-code repository
-
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.12"
-          cache: pip
-
-      - name: Install python dependencies
-        run: |
-          python -m pip install --upgrade pip setuptools wheel build
-          pip install .
-
-      - name: Build the distribution
-        run: python setup.py sdist bdist_wheel
-
-      - name: Publish package distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..351ea80
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,29 @@
+name: Release to PyPI
+
+on:
+  release:
+    types: [published]
+
+# Use "trusted publishing", see https://docs.pypi.org/trusted-publishers/
+jobs:
+  release:
+    name: Upload release to PyPI
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/dso # TODO update once settled on a name
+    permissions:
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          filter: blob:none
+          fetch-depth: 0
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.x"
+          cache: "pip"
+      - run: pip install build
+      - run: python -m build
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1