diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 955d3aa..615c385 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -68,6 +68,8 @@ jobs:
     defaults:
       run:
         working-directory: python
+    permissions:
+      id-token: write
     steps:
       - uses: actions/checkout@v3
       - uses: arduino/setup-protoc@v1
@@ -93,8 +95,6 @@ jobs:
         uses: pypa/gh-action-pypi-publish@release/v1
         if: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' }}
         with:
-          user: __token__
-          password: ${{ secrets.TESTPYPI_API_TOKEN }}
           packages_dir: python/foxglove-schemas-flatbuffer/dist
           repository_url: https://test.pypi.org/legacy/
           skip_existing: true
@@ -106,16 +106,12 @@ jobs:
           startsWith(github.ref, 'refs/tags/releases/python/foxglove-schemas-flatbuffer/v')
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
           packages_dir: python/foxglove-schemas-flatbuffer/dist
 
       - name: Publish foxglove-schemas-protobuf to TestPyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         if: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' }}
         with:
-          user: __token__
-          password: ${{ secrets.TESTPYPI_API_TOKEN }}
           packages_dir: python/foxglove-schemas-protobuf/dist
           repository_url: https://test.pypi.org/legacy/
           skip_existing: true
@@ -127,8 +123,6 @@ jobs:
           startsWith(github.ref, 'refs/tags/releases/python/foxglove-schemas-protobuf/v')
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
           packages_dir: python/foxglove-schemas-protobuf/dist
 
   ros: