diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 00fbdd1f..9a99c75f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -9,28 +9,29 @@ on:
 jobs:
 publish:
 if: github.repository == 'pytest-dev/pytest-html'
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
+ permissions:
+ id-token: write
 steps:
- - uses: actions/checkout@v6
- with:
- fetch-depth: 0
- persist-credentials: false
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ fetch-depth: 0
+ persist-credentials: false
- - name: Use Node.js
- uses: actions/setup-node@v6
- with:
- node-version: '24.x'
+ - name: Use Node.js
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+ with:
+ node-version: "24.x"
+ cache: "npm"
- - name: Build and Check Package
- uses: hynek/build-and-inspect-python-package@v2
+ - name: Build and Check Package
+ uses: hynek/build-and-inspect-python-package@efb823f52190ad02594531168b7a2d5790e66516 # v2.14.0
- - name: Download Package
- uses: actions/download-artifact@v7
- with:
- name: Packages
- path: dist
+ - name: Download Package
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+ with:
+ name: Packages
+ path: dist
- - name: Publish package to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
- with:
- password: ${{ secrets.pypi_password }}
+ - name: Publish package to PyPI
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
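Review bot: `permissions: id-token: write` is granted to the whole `publish` job, so checkout, Node setup, the newly added `cache: "npm"` restore and the package build all run where a PyPI OIDC token can be requested, not only the final publish step. Splitting the job keeps the build unprivileged: a `build` job with `contents: read` that produces the artifact (presumably the `Packages` artifact the download step already expects), and a `publish` job with `needs: build` and `id-token: write` that only downloads and uploads. I would also drop `cache: "npm"` on the release path, because a restored cache is an input to the published package that none of the SHA pins added here covers. The `on:` trigger lies outside the hunk, so which events reach this job cannot be confirmed from here.

```yaml
jobs:
  build:
    if: github.repository == 'pytest-dev/pytest-html'
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      # … unchanged: checkout, Use Node.js (without cache), Build and Check Package …

  publish:
    needs: build
    runs-on: ubuntu-24.04
    permissions:
      id-token: write
    steps:
      # … unchanged: Download Package, Publish package to PyPI …
```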