diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 8dbee62a..0bf0b3a7 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -58,6 +58,9 @@ jobs:
 runs-on: ubuntu-latest
 needs: build
 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+ permissions:
+ id-token: write
+ attestations: write
 strategy:
 matrix:
@@ -80,6 +83,5 @@ jobs:
 - name: Publish package
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
- user: __token__
- password: ${{ secrets.PYPI_API_TOKEN }}
- skip_existing: true
+ attestations: true
+ skip-existing: true
diff --git a/AGENTS.md b/AGENTS.md
index e8447377..41439811 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -186,7 +186,7 @@ def test_sync(
 ### Imports
-- Use namespace imports: `import enum` instead of `from enum import Enum`
+- Use namespace imports for stdlib: `import enum` instead of `from enum import Enum`; third-party packages may use `from X import Y`
 - For typing, use `import typing as t` and access via namespace: `t.NamedTuple`, etc.
 - Use `from __future__ import annotations` at the top of all Python files
diff --git a/CHANGES b/CHANGES
index 6e4016dd..ef2067b7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -18,7 +18,9 @@ $ uv add libvcs --prerelease allow
-_Upcoming changes will be written here._
+### CI
+
+- Migrate to PyPI Trusted Publisher (#499)
 ## libvcs 0.38.1 (2025-12-06)
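Review bot: In the first hunk of `.github/workflows/tests.yml`, the new job-level `permissions` block grants `attestations: write`, which is the scope for GitHub's own artifact-attestation API. The attestations that `pypa/gh-action-pypi-publish` uploads to PyPI are signed through the OIDC token and should need only `id-token: write`. Unless a step outside this hunk uses something like `actions/attest-build-provenance`, drop that line so the release job holds only the scope it exercises. The job also sits under `strategy: matrix:`, so every matrix leg can mint a publishing token, and no `environment:` key is visible here; binding the job to a protected environment (for example `environment: pypi`, mirrored in the Trusted Publisher settings on PyPI) would narrow which runs PyPI accepts. The job definition starts and ends outside the hunk, so confirm both points against the full file.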
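Review bot: In the second hunk of `.github/workflows/tests.yml`, `uses: pypa/gh-action-pypi-publish@release/v1` is a mutable branch reference, and after this change that third-party code runs in a job able to obtain PyPI publishing credentials via OIDC. Pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # <release-tag>` (placeholders, take the real values from the action's releases). `skip-existing: true` lets the step pass when a file of the same name is already on PyPI, so a run can go green without having uploaded the artifact it just built and attested. It presumably exists to tolerate the matrix legs re-uploading, and publishing from a single non-matrix job would remove the need for it. The `PYPI_API_TOKEN` secret is no longer referenced in this step, so revoke the token on PyPI and delete the repository secret rather than leaving a long-lived upload credential in place.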