diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c0c136f9..c6614195 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,6 +10,15 @@ permissions:
 jobs:
   publish:
     runs-on: ubuntu-latest
+
+    permissions:
+      # This permission is used for trusted publishing:
+      # https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
+      #
+      # Trusted publishing has to also be configured on PyPI for each package:
+      # https://docs.pypi.org/trusted-publishers/adding-a-publisher/
+      id-token: write
+
     steps:
     - uses: actions/checkout@v4