diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index a6be300..7b0a5b6 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -9,10 +9,15 @@ jobs: publish: runs-on: ubuntu-24.04 environment: release + permissions: + id-token: write steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Trusted publishing crates.io + uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4 + id: auth - name: Install Nix uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6 with: @@ -20,5 +25,20 @@ jobs: experimental-features = nix-command flakes accept-flake-config = true + - name: Verify tag version matches Cargo.toml version + run: | + TAG_VERSION="${{ steps.get_tag.outputs.tag }}" + CLEAN_TAG_VERSION="${TAG_VERSION#v}" + CARGO_VERSION=$(nix develop -c -- toml get Cargo.toml package.version) + echo "Tag version: $CLEAN_TAG_VERSION" + echo "Cargo.toml version: $CARGO_VERSION" + if [ "$CLEAN_TAG_VERSION" != "$CARGO_VERSION" ]; then + echo "Tag version does not match Cargo.toml version" + exit 1 + fi + shell: bash + - name: Cargo publish run: nix develop -c -- cargo publish + env: + CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} diff --git a/flake.nix b/flake.nix index 48b3476..bceee08 100644 --- a/flake.nix +++ b/flake.nix @@ -46,6 +46,7 @@ rustToolchain pkgs.nixd pkgs.nil + pkgs.toml-cli ]; }; };
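Review bot: The `rust-lang/crates-io-auth-action` step is placed right after checkout, so the registry token is exchanged before Nix is installed and before the tag/version check added in the next hunk has passed. Moving the step to immediately before `Cargo publish` would mean no token is minted when verification fails, and it would shorten the time the token exists on the runner while `nix develop` evaluates the flake with `accept-flake-config = true`. Because `permissions` is set at job level, every step in the job can request an OIDC token and every scope not listed drops to none; if the repository is private, checkout would then also need `contents: read`. A comment above the block, such as `# id-token: write is required for crates.io trusted publishing (OIDC)`, would record why the permission is there.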
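Review bot: `steps.get_tag.outputs.tag` refers to a step id that is not defined anywhere in the steps visible in this file's two hunks, which appear to cover the whole job; if no such step exists, the expression expands to an empty string and the comparison fails on every run. Assuming the workflow is triggered by a tag push or a release, the ref can be passed through the environment instead: add `env:` with `TAG_VERSION: ${{ github.ref_name }}` to the step and drop the in-script assignment. That also keeps the tag name out of the script text, where `${{ }}` is substituted before bash parses the script. It is worth confirming the output format of `toml get` as well: if toml-cli prints strings JSON-quoted unless `--raw` is passed, `$CARGO_VERSION` will carry quotes and never equal the tag.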