diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index 86578d06..c9fc88d0 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -67,3 +67,9 @@ PyPI publishing requires a Trusted Publisher configured on PyPI for:
 - project: `fbuild`
 - repository: `FastLED/fbuild`
 - workflow: `.github/workflows/release-auto.yml`
+- environment: `pypi`
+
+The PyPI publish job declares the `pypi` GitHub environment so PyPI receives an
+OIDC token with `environment: pypi`. The Trusted Publisher entry on PyPI must
+match that environment exactly; otherwise PyPI rejects the exchange with
+`invalid-publisher`.
diff --git a/.github/workflows/release-auto.yml b/.github/workflows/release-auto.yml
index 47bff152..162fa74e 100644
--- a/.github/workflows/release-auto.yml
+++ b/.github/workflows/release-auto.yml
@@ -283,6 +283,10 @@ jobs:
 needs: [prepare, build-pypi]
 if: needs.prepare.outputs.should_release == 'true'
 runs-on: ubuntu-24.04
+ environment: pypi
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - name: Download PyPI distributions