diff --git a/.github/workflows/pypi_upload.yml b/.github/workflows/pypi_upload.yml index ea13767eeeb..e3af471122f 100644 --- a/.github/workflows/pypi_upload.yml +++ b/.github/workflows/pypi_upload.yml @@ -10,12 +10,16 @@ on: permissions: contents: read + id-token: write # Required for PyPI trusted publishing jobs: main: name: sdist + pure wheel runs-on: ubuntu-latest if: github.event_name == 'release' + environment: + name: release + url: https://pypi.org/p/black steps: - uses: actions/checkout@v4 @@ -26,19 +30,19 @@ jobs: python-version: "3.13" allow-prereleases: true - - name: Install latest pip, build, twine + - name: Install latest pip, build run: | python -m pip install --upgrade --disable-pip-version-check pip - python -m pip install --upgrade build twine + python -m pip install --upgrade build - name: Build wheel and source distributions run: python -m build - if: github.event_name == 'release' - name: Upload to PyPI via Twine - env: - TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }} - run: twine upload --verbose -u '__token__' dist/* + name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + verbose: true generate_wheels_matrix: name: generate wheels matrix @@ -84,6 +88,10 @@ jobs: name: mypyc wheels ${{ matrix.only }} needs: generate_wheels_matrix runs-on: ${{ matrix.os }} + if: github.event_name == 'release' + environment: + name: release + url: https://pypi.org/p/black strategy: fail-fast: false matrix: @@ -103,10 +111,11 @@ jobs: path: ./wheelhouse/*.whl - if: github.event_name == 'release' - name: Upload wheels to PyPI via Twine - env: - TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }} - run: pipx run twine upload --verbose -u '__token__' wheelhouse/*.whl + name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + packages-dir: wheelhouse/ + verbose: true update-stable-branch: name: Update stable branch diff --git a/CHANGES.md b/CHANGES.md index 8d8808c2573..0ba64f96887 100644 
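Review bot: `id-token: write` is added to the workflow-level `permissions:` block in the `@@ -10,12 +10,16 @@` hunk, so every job in this workflow can request an OIDC token, not only the two that publish. Only the `main` job and the mypyc wheels job (hunk `@@ -84,6 +88,10 @@`) call the publish action, so the top-level block can stay at `contents: read` and each publishing job can declare `permissions:` with `contents: read` and `id-token: write` itself. Job-level `permissions` replace the workflow-level set rather than extend it, which is why `contents: read` has to be repeated there for the `actions/checkout` step in `main`. The `permissions:` block and the `main` job both continue outside this hunk.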
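Review bot: `uses: pypa/gh-action-pypi-publish@release/v1` in the `@@ -26,19 +30,19 @@` hunk tracks a mutable branch ref, so whatever that ref points to at release time runs in the job that holds `id-token: write`. Pinning to a full commit SHA with the ref kept as a comment makes the publishing code path reviewable and stable: `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`. The same ref is used again in the `@@ -103,10 +111,11 @@` hunk. `python -m pip install --upgrade build` is likewise unpinned and runs in the same job before the publish step; installing it from a hash-pinned requirements file would narrow that exposure.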
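Review bot: The job-level `if: github.event_name == 'release'` added in the `@@ -84,6 +88,10 @@` hunk skips the whole mypyc wheel build on every other event, not just the upload. The step-level `if: github.event_name == 'release'` kept as context in the `@@ -103,10 +111,11 @@` hunk suggests the build used to run on non-release events as well, so a broken wheel build would now presumably surface only while a release is being published; that step-level condition is also redundant now. If the gate exists so that `environment: release` is entered only for releases, a comment above it would record that: `# release-only: the job enters the 'release' environment and publishes to PyPI`. The job body continues outside this hunk.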
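Review bot: The publish step added in the `@@ -103,10 +111,11 @@` hunk runs inside a job whose runner is `${{ matrix.os }}`, and `pypa/gh-action-pypi-publish` is a container-based action that runs only on Linux runners. The matrix values are outside this hunk, but if they include macOS or Windows, those legs will fail at the publish step and their wheels will not reach PyPI. Publishing from a single `ubuntu-latest` job that downloads the wheels the matrix legs uploaded avoids this, and it also keeps `id-token: write` and the `release` environment out of the job that runs the wheel build. The sketch below assumes the step with `path: ./wheelhouse/*.whl` is an artifact upload that runs on every leg; the build job's id is not visible here.

```yaml
# … unchanged: mypyc job builds the wheels and uploads ./wheelhouse/*.whl …

  publish-mypyc-wheels:
    name: publish mypyc wheels
    needs: <mypyc-job-id>  # placeholder: id of the matrix build job
    runs-on: ubuntu-latest
    if: github.event_name == 'release'
    environment:
      name: release
      url: https://pypi.org/p/black
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          path: wheelhouse/
          merge-multiple: true
      - name: Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: wheelhouse/
          verbose: true
```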
--- a/CHANGES.md +++ b/CHANGES.md @@ -49,6 +49,7 @@ - Fix the version check in the vim file to reject Python 3.8 (#4567) +- Upgraded PyPI upload workflow to use Trusted Publishing (#4611) ### Documentation