diff --git a/.github/workflows/pypi_upload.yml b/.github/workflows/pypi_upload.yml index 2c853ca0462..bfa6af79daa 100644 --- a/.github/workflows/pypi_upload.yml +++ b/.github/workflows/pypi_upload.yml @@ -10,12 +10,16 @@ on: permissions: contents: read + id-token: write # Required for PyPI trusted publishing jobs: main: name: sdist + pure wheel runs-on: ubuntu-latest if: github.event_name == 'release' + environment: + name: release + url: https://pypi.org/p/black steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -28,19 +32,19 @@ jobs: python-version: "3.13" allow-prereleases: true - - name: Install latest pip, build, twine + - name: Install latest pip, build run: | python -m pip install --upgrade --disable-pip-version-check pip - python -m pip install --upgrade build twine + python -m pip install --upgrade build - name: Build wheel and source distributions run: python -m build - if: github.event_name == 'release' - name: Upload to PyPI via Twine - env: - TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }} - run: twine upload --verbose -u '__token__' dist/* + name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + verbose: true generate_wheels_matrix: name: generate wheels matrix @@ -91,6 +95,10 @@ jobs: name: mypyc wheels ${{ matrix.only }} needs: generate_wheels_matrix runs-on: ${{ matrix.os }} + if: github.event_name == 'release' + environment: + name: release + url: https://pypi.org/p/black strategy: fail-fast: false matrix: @@ -112,10 +120,11 @@ jobs: path: ./wheelhouse/*.whl - if: github.event_name == 'release' - name: Upload wheels to PyPI via Twine - env: - TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }} - run: pipx run twine upload --verbose -u '__token__' wheelhouse/*.whl + name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + packages-dir: wheelhouse/ + verbose: true update-stable-branch: name: Update stable branch 
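Review bot: `id-token: write` is added to the workflow-level `permissions:` block in the first hunk, so every job in this file that does not declare its own `permissions:` can request an OIDC token, not only the two jobs that publish. Trusted publishing only needs the permission where the publish step runs. Declaring `permissions:` with `contents: read` and `id-token: write` on the `main` job and on the mypyc wheels job, and leaving the top-level block at `contents: read`, keeps the token out of the other jobs. Job-level `permissions:` replace the workflow-level set for that job, so `contents: read` has to be repeated there for checkout to work.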
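Review bot: The new publish step in the second hunk references `pypa/gh-action-pypi-publish@release/v1`, a branch ref that can move, while the checkout step in this same file is pinned to a full commit SHA. This step runs in a job that can mint the OIDC token PyPI trusts, so whatever that branch points to at release time is able to publish as the project. Pin it like checkout, `uses: pypa/gh-action-pypi-publish@<full-commit-sha> # release/v1` (placeholder: use the SHA of a release you have reviewed), and let the dependency updater bump it. The same unpinned ref is used by the mypyc wheels publish step in the last hunk of this file.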
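Review bot: The job-level `if: github.event_name == 'release'` added to the mypyc wheels job in the third hunk skips the whole wheel build on every other event, and it makes the step-level `if` on that job's publish step (last hunk) redundant. The `on:` triggers and the rest of the job are outside this hunk, so the lost coverage is inferred: if the workflow also runs on pull requests, wheel builds are no longer exercised there. Moving publish into its own release-only job keeps the build running everywhere and keeps the `release` environment and the OIDC permission away from the build tooling. The context line `path: ./wheelhouse/*.whl` suggests the wheels are already stored as artifacts. A sketch follows, with the job id, artifact selection and action SHAs left as placeholders.

```yaml
  # … unchanged: mypyc wheels job builds and uploads artifacts, without `environment` or job-level `if` …

  publish-wheels:
    name: publish mypyc wheels
    needs: <mypyc-wheels-job-id>  # placeholder: job key is outside the hunk
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    environment:
      name: release
      url: https://pypi.org/p/black
    permissions:
      id-token: write  # only this job can request the PyPI OIDC token
    steps:
      - uses: actions/download-artifact@<full-commit-sha>  # placeholder
        with:
          path: wheelhouse/
          merge-multiple: true
      - uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # placeholder
        with:
          packages-dir: wheelhouse/
          verbose: true
```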
diff --git a/CHANGES.md b/CHANGES.md index 61ac78fa0ef..692529c2d46 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -45,6 +45,8 @@ +- Upgraded PyPI upload workflow to use Trusted Publishing (#4611) + ### Documentation