diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 9af52f2..dabb56b 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -53,7 +53,7 @@ jobs:
           PY
 
       - name: Install build tooling
-        run: python -m pip install --upgrade build twine
+        run: python -m pip install --upgrade pip build twine
 
       # Defense-in-depth: refuse to publish if any production dep has a known
       # CVE.  CI runs the same audit on every PR (.github/workflows/ci.yml),