diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 0287083..ce637b0 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -57,6 +57,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+    permissions:
+      id-token: write
+      attestations: write
 
     strategy:
       matrix:
@@ -80,6 +83,5 @@ jobs:
         if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
-          skip_existing: true
+          attestations: true
+          skip-existing: true
diff --git a/AGENTS.md b/AGENTS.md
index dc617e6..0297050 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -148,7 +148,7 @@ def test_custom_processor(settings):
 
 ### Imports
 
-- Prefer namespace imports (e.g., `import typing as t`), avoiding `from module import *`
+- Prefer namespace imports for stdlib (e.g., `import typing as t`); third-party packages may use `from X import Y`
 - Include `from __future__ import annotations` at the top of Python files
 
 ### Docstrings
diff --git a/CHANGES b/CHANGES
index 6e139d1..16a4bef 100644
--- a/CHANGES
+++ b/CHANGES
@@ -37,6 +37,10 @@ $ uvx --from 'django-slugify-processor' --prerelease allow django-slugify-proces
 - _Add your latest changes from PRs here_
 <!-- END PLACEHOLDER - ADD NEW CHANGELOG ENTRIES BELOW THIS LINE -->
 
+### CI
+
+- Migrate to PyPI Trusted Publisher (#410)
+
 ### Documentation
 
 - Visual improvements to API docs from [gp-sphinx](https://gp-sphinx.git-pull.com)-based Sphinx packages (#417)