diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c578045d..2f10b051 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,6 +1,6 @@ name: CI -on: +on: push: workflow_dispatch:
@@ -75,6 +75,9 @@ jobs: gem-publish: runs-on: ubuntu-latest if: (github.event_name == 'push' && contains(github.ref, 'refs/tags/')) || github.event_name == 'workflow_dispatch' + permissions: + id-token: write + contents: read steps: - name: Checkout repository uses: actions/checkout@v4
@@ -92,8 +95,10 @@ jobs: run: | bundle exec rake build + - name: Configure RubyGems credentials (OIDC trusted publishing) + # rubygems/configure-rubygems-credentials@v1.0.0 + uses: rubygems/configure-rubygems-credentials@bc6dd217f8a4f919d6835fcfefd470ef821f5c44 + - name: Publish to RubyGems run: | gem push pkg/*.gem --host https://rubygems.org/ - env: - GEM_HOST_API_KEY: ${{ secrets.RUBYGEMS_API_KEY }}
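Review bot: The `id-token: write` grant added to `gem-publish` is gated only by the existing `if:` on the context line above it, and that condition is loose for a job that can now mint a publishing token. It accepts every `workflow_dispatch` run regardless of ref, and `contains(github.ref, 'refs/tags/')` also matches a branch ref such as `refs/heads/refs/tags/x`. I would tighten the tag test to `startsWith(github.ref, 'refs/tags/')` and bind the job to a protected environment by adding `environment: release` (placeholder name) under `runs-on:`, with the same environment named in the trusted-publisher entry on rubygems.org. Scoping the permissions at job level with `contents: read` is the right shape; the job's remaining steps lie outside this hunk.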
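Review bot: The version note for the pinned action sits on its own comment line above `uses:`, where it can drift from the SHA and where update tooling generally does not maintain it. The usual form is a trailing comment, `uses: rubygems/configure-rubygems-credentials@bc6dd217f8a4f919d6835fcfefd470ef821f5c44 # v1.0.0`; the diff alone does not let me confirm that this SHA is the v1.0.0 tag, so that is worth checking once. For consistency, `actions/checkout@v4` in the same job (visible in the previous hunk) is still pinned by tag and should be pinned by commit SHA as well, since it runs in a job that holds `id-token: write`. With `GEM_HOST_API_KEY` gone from the push step, the `RUBYGEMS_API_KEY` repository secret and the corresponding key on rubygems.org should be deleted, otherwise the long-lived credential stays valid alongside the OIDC path.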