diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index 2f3e6a8..8606d07 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -35,8 +35,11 @@ jobs:
         run: pre-commit run --all-files
   publish:
     if: success() && startsWith(github.ref, 'refs/tags')
-    name: Publish to PyPI
+    name: Publish release to PyPI
     runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -48,8 +51,5 @@ jobs:
         run: |
           python -m pip install --upgrade build
           python -m build
-      - name: Publish package distributions to PyPI
+      - name: Upload package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2c6c86e..bbe94dc 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -2,7 +2,7 @@ default_language_version:
   python: python3
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.3.2
+    rev: v0.3.5
     hooks:
       - id: ruff
         args: [ --fix ]
@@ -17,8 +17,13 @@ repos:
     rev: v8.18.2
     hooks:
       - id: gitleaks
+  - repo: https://github.com/pypa/pip-audit
+    rev: v2.7.2
+    hooks:
+      - id: pip-audit
+        args: ["--skip-editable"]
   - repo: https://github.com/compilerla/conventional-pre-commit
-    rev: v3.1.0
+    rev: v3.2.0
     hooks:
       - id: conventional-pre-commit
         stages: [commit-msg]
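Review bot: The job-level `permissions:` block grants only `id-token: write`, which resets every other GITHUB_TOKEN scope for the `publish` job to `none`; the `actions/checkout@v4` step that follows needs `contents: read` if this repository is private, so the block should probably read `permissions:` / `  id-token: write` / `  contents: read`. The added `environment: release` line is only a control if a `release` environment exists with protection rules (required reviewers, deployment tag restrictions) and is the environment named in the PyPI trusted-publisher configuration; as written, any tag push that satisfies the `if:` line above reaches the upload step, and the `on:` trigger that decides who can push such tags is outside the hunk. Because `id-token: write` applies to every step of the job, the `python -m build` step in the second hunk of this file runs with the same OIDC permission as the upload; PyPA's guidance is to build in a separate job and hand the distributions over as an artifact so that only the upload step holds `id-token: write`.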
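Review bot: The removed `password: ${{ secrets.PYPI_API_TOKEN }}` line leaves the `PYPI_API_TOKEN` repository secret and the matching API token on PyPI with no remaining consumer; revoke the token on PyPI and delete the secret so that trusted publishing is the only credential path left for this project. A short comment above the `uses: pypa/gh-action-pypi-publish@release/v1` line, e.g. `# No with: block needed — authenticates via OIDC trusted publishing (requires id-token: write on the job)`, would record why the credentials were dropped and stop a future maintainer from re-adding a token. The enclosing `publish` job starts above this hunk.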
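Review bot: The new `pip-audit` hook passes only `--skip-editable` and no `-r` target, so what it audits depends on the environment pip-audit is executed in; pre-commit installs each hook into its own isolated virtualenv, so this most likely audits that venv rather than the project's dependency set — confirm, and if so pin the target with `args: ["-r", "<requirements file>", "--skip-editable"]` so the audit covers the locked dependencies. The hook also needs network access to the advisory database on every commit and will fail commits offline; if that is disruptive, limit it with `stages: [manual]` and run it in CI instead. Like the other entries in this file, `rev: v2.7.2` pins a mutable tag rather than a commit SHA, which is worth noting for a hook that runs on every developer machine, though changing that would be a file-wide convention decision.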