diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 124390e..c2ca7e9 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -9,10 +9,12 @@ on:
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   create_tag:
     name: Publish artifacts of build
+    environment: release
     runs-on: ubuntu-latest
     if: |
       github.repository_owner == 'bytecodealliance'
@@ -79,10 +81,15 @@ jobs:
         files: "dist/*"
         tag_name: v${{ steps.tag.outputs.version }}
 
+
+    - uses: rust-lang/crates-io-auth-action@v1
+      id: auth
+      if: steps.tag.outputs.push_tag == 'yes'
+
     - run: |
         rm -rf dist main.log
         rustc ci/publish.rs
         ./publish publish
       env:
-        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+        CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
       if: steps.tag.outputs.push_tag == 'yes'