diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fae4a42..2c0e017 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -41,6 +41,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Build OpenSSL run: | BASEDIR=$(pwd)
@@ -102,6 +103,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Set up python uses: actions/setup-python@v5 with:
@@ -114,7 +116,7 @@ jobs: - name: prepare build directory run: ./scripts/prepare.sh - name: Install cibuildwheel - run: python -m pip install cibuildwheel==${{ env.CIBW_VERSION }} + run: python -m pip install cibuildwheel=="${CIBW_VERSION}" - name: Build wheels working-directory: build run: python -m cibuildwheel --output-dir wheelhouse
@@ -137,6 +139,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Set up python uses: actions/setup-python@v5 with:
@@ -152,7 +155,7 @@ jobs: env: CIBW_ARCHS_LINUX: ${{ matrix.arch }} - name: Install cibuildwheel - run: python -m pip install cibuildwheel==${{ env.CIBW_VERSION }} + run: python -m pip install cibuildwheel=="${CIBW_VERSION}" - name: Build wheels working-directory: build run: python -m cibuildwheel --output-dir wheelhouse
@@ -171,6 +174,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Set up python uses: actions/setup-python@v5 with:
@@ -179,7 +183,7 @@ jobs: - name: prepare build directory run: ./scripts/prepare.ps1 - name: Install cibuildwheel - run: python -m pip install cibuildwheel==${{ env.CIBW_VERSION }} + run: python -m pip install cibuildwheel=="${CIBW_VERSION}" - name: Build wheels working-directory: build run: python -m cibuildwheel --output-dir wheelhouse
@@ -201,6 +205,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Set up python uses: actions/setup-python@v5 with: 
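Review bot: With `persist-credentials: false` added in @@ -41,6 +41,7 @@ the checkout token is no longer left in `.git/config`, so any later step in this job that runs `git fetch` or `git push` against the repository would now fail with an authentication error; no such step is visible in the hunk and the job body continues outside it, so this is worth confirming before merging, and the same line is added in @@ -102, @@ -137, @@ -171 and @@ -201. Submodules are unaffected because `submodules: true` is resolved inside the checkout step itself, while the token is still available. Since this is a hardening pass, the natural companion change is pinning `actions/checkout@v4` and `actions/setup-python@v5` to full commit SHAs with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`.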
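Review bot: The rewritten line `run: python -m pip install cibuildwheel=="${CIBW_VERSION}"` in @@ -179,7 +183,7 @@ belongs to the Windows job (the neighbouring step calls `./scripts/prepare.ps1`), where the default `run:` shell is PowerShell; there `${CIBW_VERSION}` names an undefined PowerShell variable rather than the environment variable, so it expands to empty and pip receives the invalid requirement `cibuildwheel==`. Unless the job or workflow sets `defaults.run.shell: bash`, which the hunk does not show, either give that step `shell: bash` or use the PowerShell form `run: python -m pip install cibuildwheel=="$env:CIBW_VERSION"`. The same rewrite in @@ -114 and @@ -152 appears to run under bash (Linux and macOS defaults), where replacing `${{ env.CIBW_VERSION }}` with a quoted shell variable correctly keeps the value out of the interpolated command text.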
@@ -223,6 +228,9 @@ jobs: runs-on: ubuntu-20.04 if: github.event_name == 'push' && !(startsWith(github.ref, 'refs/tags/v')) environment: test-pypi + permissions: + # IMPORTANT: this permission is mandatory for Trusted Publishing + id-token: write steps: - uses: actions/download-artifact@v4 with:
@@ -232,8 +240,6 @@ jobs: - uses: pypa/gh-action-pypi-publish@v1.10.3 with: - user: __token__ - password: ${{ secrets.TEST_PYPI_API_TOKEN }} repository-url: https://test.pypi.org/legacy/ skip-existing: true
@@ -243,6 +249,9 @@ jobs: runs-on: ubuntu-20.04 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') environment: pypi + permissions: + # IMPORTANT: this permission is mandatory for Trusted Publishing + id-token: write steps: - uses: actions/download-artifact@v4 with:
@@ -251,6 +260,3 @@ jobs: path: dist - uses: pypa/gh-action-pypi-publish@v1.10.3 - with: - user: __token__ - password: ${{ secrets.PYPI_API_TOKEN }}
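Review bot: A job-level `permissions:` block replaces the default `GITHUB_TOKEN` grants for the whole job, so after @@ -223,6 +228,9 @@ the `test-pypi` job holds only `id-token: write`; that is the intended least-privilege shape, but any step past the hunk edge that needs `contents: read` or `actions: read` would now fail, so the rest of the job (not visible here) should be checked, and the same applies to the `pypi` job in @@ -243. The OIDC exchange only succeeds if the Trusted Publisher registered on Test PyPI matches this repository and the workflow file `build.yml`, and, if it names an environment, that environment is exactly `test-pypi` (`pypi` for the release job). With the API-token inputs dropped in @@ -232 and @@ -251, the `TEST_PYPI_API_TOKEN` and `PYPI_API_TOKEN` secrets are dead and should be removed from the repository settings and revoked on the index. Because this job publishes on every non-tag `push`, the `test-pypi` environment's deployment-branch rule is now the only gate on which branches can mint a publishing identity, so it is worth restricting if it is not already.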