diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 9a2668590..73f75f5a6 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -136,6 +136,7 @@ jobs:
 if: github.triggering_actor == 'mgkwill' || github.triggering_actor == 'PhilippPlank' || github.triggering_actor == 'tim-shea'
 permissions:
 contents: write
+ id-token: write
 needs: [build-artifacts, test-artifact-install, test-artifact-use]
 steps:
@@ -181,12 +182,29 @@ jobs:
 generateReleaseNotes: true
 makeLatest: true
+ - name: Mint Github API token
+ id: mint-token
+ run: |
+ # retrieve the ambient OIDC token
+ resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
+ oidc_token=$(jq '.value' <<< "${resp}")
+
+ # exchange the OIDC token for an API token
+ resp=$(curl -X POST https://pypi.org/_/oidc/github/mint-token -d "{\"token\": \"${oidc_token}\"}")
+ api_token=$(jq '.token' <<< "${resp}")
+
+ # mask the newly minted API token, so that we don't accidentally leak it
+ echo "::add-mask::${api_token}"
+
+ # see the next step in the workflow for an example of using this step output
+ echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
+
 - name: Publish to PyPI
- if: steps.check-version.outputs.prerelease != 'true'
+ # if: steps.check-version.outputs.prerelease != 'true'
 env:
- POETRY_PYPI_TOKEN_PYPI: ${{ secrets.PYPI_TOKEN }}
+ POETRY_PYPI_TOKEN_PYPI: ${{ steps.mint-token.outputs.api-token }}
 run: |
 mkdir dist
 cp lava* dist/.
- # poetry config repositories.testpypi https://test.pypi.org/legacy/
 poetry publish --dry-run
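Review bot: `id-token: write` is added at job scope, which is the right minimum, but the only gate on minting a PyPI token in this job is the `triggering_actor` check on the first context line of the hunk. PyPI trusted publishers can be bound to a GitHub environment name, so consider running this job under a protected `environment:` and registering that name with the PyPI publisher; the OIDC token is then only mintable under the environment's protection rules rather than on any run by the three listed actors. The job definition starts before the hunk, so I cannot tell whether an environment is already set.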