diff --git a/.github/workflows/pypi.yaml b/.github/workflows/pypi.yaml
index 04669376..ea138002 100644
--- a/.github/workflows/pypi.yaml
+++ b/.github/workflows/pypi.yaml
@@ -7,17 +7,18 @@ on:
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
-      - uses: actions/checkout@v4
       - name: Set up Python and uv
         uses: astral-sh/setup-uv@v4
         with:
           python-version: "3.13"
       - name: Build and publish
-        env:
-          TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-          TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
         run: |
           uv venv
           uv build
+      - name: Publish package distributions to PyPI
+        run: |
           uv publish
diff --git a/.github/workflows/testpypi-release.yaml b/.github/workflows/testpypi-release.yaml
index 26971b5c..d0d8520a 100644
--- a/.github/workflows/testpypi-release.yaml
+++ b/.github/workflows/testpypi-release.yaml
@@ -26,16 +26,10 @@ jobs:
         with:
           python-version: "3.13"
 
-      # - name: Disable local versions
-      #   run: |
-      #     python .github/workflows/configure-testpypi-version.py pyproject.toml
-      #     git update-index --assume-unchanged pyproject.toml
-      #     cat pyproject.toml
-
       - name: Build tarball and wheels
         run: |
           git clean -xdf
-          uv build
+          SETUPTOOLS_SCM_OVERRIDES_FOR_FLOX='local_scheme = "no-local-version"' uv build
 
       - name: Check built artifacts
         run: |
@@ -57,14 +51,26 @@ jobs:
   test-built-dist:
     needs: build-artifacts
     runs-on: ubuntu-latest
+    permissions:
+      # IMPORTANT: this permission is mandatory for Trusted Publishing
+      id-token: write
     steps:
-      - uses: actions/setup-python@v5
-        name: Install Python
+      # need pyproject.toml for uv publish --index testpypi
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0 # Fetch all history for all branches and tags.
+
+      - name: Set up Python and uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          python-version: "3.13"
 
-      - uses: actions/download-artifact@v4
+      - name: Get built artifact
+        uses: actions/download-artifact@v4
         with:
           name: releases
           path: dist
+
       - name: List contents of built dist
         run: |
           ls -ltrh
@@ -74,9 +80,6 @@ jobs:
         run: |
           pip install dist/flox*.whl
 
-      # - name: Publish package to TestPyPI
-      #   uses: pypa/gh-action-pypi-publish@v1.6.4
-      #   with:
-      #     password: ${{ secrets.TESTPYPI_TOKEN }}
-      #     repository_url: https://test.pypi.org/legacy/
-      #     verbose: true
+      - name: Publish package to TestPyPI
+        run: |
+          uv publish --index testpypi
diff --git a/pyproject.toml b/pyproject.toml
index 8066582b..314692c3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -313,3 +313,9 @@ types = [
     "types-requests",
     "types-setuptools",
 ]
+
+[[tool.uv.index]]
+name = "testpypi"
+url = "https://test.pypi.org/simple/"
+publish-url = "https://test.pypi.org/legacy/"
+explicit = true