diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 371a33bb1..1a1722c12 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,28 +5,36 @@ on:
     types:
       - created
 
+permissions:
+  contents: read
+
 jobs:
-  release:
-    name: release
+  check-package:
+    name: Build & inspect our package.
     runs-on: ubuntu-latest
     if: ${{ github.repository }} == 'dask/dask-ml'
     steps:
-      - uses: actions/checkout@v2
-
-      - name: Set up Python 3.x
-        uses: actions/setup-python@v2
+      - uses: actions/checkout@v4
         with:
-          python-version: "3.x"
+          fetch-depth: 0
+      - uses: hynek/build-and-inspect-python-package@v2
 
-      - name: Install release dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install setuptools wheel twine
+  release-pypi:
+    permissions:
+      id-token: write
+      contents: read
+    name: Publish released package to pypi.org
+    environment: release-pypi
+    if: github.event.action == 'published'
+    runs-on: ubuntu-latest
+    needs: build-package
+
+    steps:
+      - name: Download packages built by build-and-inspect-python-package
+        uses: actions/download-artifact@v4
+        with:
+          name: Packages
+          path: dist
 
-      - name: Build and publish package
-        env:
-          TWINE_USERNAME: "__token__"
-          TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
-        run: |
-          python setup.py sdist bdist_wheel
-          twine upload dist/*
\ No newline at end of file
+      - name: Upload package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1