diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml
index 967eb62..5333280 100644
--- a/.github/workflows/release-plz.yml
+++ b/.github/workflows/release-plz.yml
@@ -16,7 +16,7 @@ jobs:
     name: Release-plz release
     runs-on: ubuntu-latest
     timeout-minutes: 30
-    # This environment gives access to CARGO_REGISTRY_TOKEN, and requires approval
+    # This environment releases crates on crates.io, requires approval
     environment: release 
     # only trigger this job if the push to main is from a merged PR with a "release" label
     if: >
@@ -25,6 +25,8 @@ jobs:
       contains(github.event.pull_request.labels.*.name, 'release')
     permissions:
       contents: write
+      # Required for trusted publishing, see https://release-plz.dev/docs/github/quickstart#2-set-the-cargo_registry_token-secret
+      id-token: write
     steps:
       - name: git checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -43,7 +45,6 @@ jobs:
           command: release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
 
   # Create a PR with the new versions and changelog, preparing the next release.
   release-plz-pr: