diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d23f9ed..9f920f4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -35,6 +35,9 @@ jobs:
 release:
 runs-on: ubuntu-latest
+ environment: release
+ permissions:
+ id-token: write
 needs: test
 if: startsWith(github.ref, 'refs/tags/')
 permissions:
@@ -51,10 +54,27 @@ jobs:
 run: |
 python -m pip install --upgrade pip
 pip install hatch
+ - name: mint API token
+ id: mint-token
+ run: |
+ # retrieve the ambient OIDC token
+ resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
+ oidc_token=$(jq -r '.value' <<< "${resp}")
+
+ # exchange the OIDC token for an API token
+ resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}")
+ api_token=$(jq -r '.token' <<< "${resp}")
+
+ # mask the newly minted API token, so that we don't accidentally leak it
+ echo "::add-mask::${api_token}"
+
+ # see the next step in the workflow for an example of using this step output
+ echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
 - name: Build and publish on PyPI
 env:
- HATCH_INDEX_USER: ${{ secrets.HATCH_INDEX_USER }}
- HATCH_INDEX_AUTH: ${{ secrets.HATCH_INDEX_AUTH }}
+ HATCH_INDEX_USER: __token__
+ HATCH_INDEX_AUTH: ${{ steps.mint-token.outputs.api-token }}
 run: |
 hatch build
 hatch publish
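Review bot: The added `permissions:` key in the first hunk duplicates the `permissions:` that already follows the `if:` line of the same `release` job, so the job mapping now carries two `permissions` keys; a YAML parser either rejects the duplicate or keeps only the last one, in which case the new `id-token: write` is silently dropped and the OIDC request in the mint step fails. Move `id-token: write` into the existing `permissions:` block (its body lies outside this hunk) and remove the added key. It is also worth confirming that the `release` environment exists with the intended protection rules, since, if the PyPI trusted publisher is configured with an environment, its name must match `environment: release` for minting to succeed.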
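Review bot: The `mint API token` step in the second hunk never fails on error: both `curl` calls run without `-f`, there is no `set -euo pipefail`, and `jq -r '.token'` turns a missing key into the literal string `null`, so a rejected or malformed mint response is still exported as `api-token` and the failure only surfaces later as an opaque authentication error from `hatch publish`. Make the step fail fast with `set -euo pipefail`, `curl -fsS` on both requests, and an explicit check that `api_token` is non-empty and not `null` before it is masked and written to `GITHUB_OUTPUT`; building the request body with `jq -n --arg` also avoids hand-quoting JSON. The rewritten lines below replace the top of the `run:` block; the mask and output lines are unchanged.
```yaml
      run: |
        set -euo pipefail
        # retrieve the ambient OIDC token
        resp=$(curl -fsS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
          "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
        oidc_token=$(jq -r '.value' <<< "${resp}")

        # exchange the OIDC token for an API token; -f makes an HTTP error fail the step
        resp=$(curl -fsS -X POST https://pypi.org/_/oidc/mint-token \
          -d "$(jq -n --arg t "${oidc_token}" '{token: $t}')")
        api_token=$(jq -r '.token' <<< "${resp}")
        if [ -z "${api_token}" ] || [ "${api_token}" = "null" ]; then
          echo "::error::PyPI did not return an API token"
          exit 1
        fi
        # … unchanged: mask the token and write it to GITHUB_OUTPUT …
```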