diff --git a/.github/workflows/test_build.yml b/.github/workflows/test_build.yml
index 43ed111b..47e30cff 100644
--- a/.github/workflows/test_build.yml
+++ b/.github/workflows/test_build.yml
@@ -22,11 +22,11 @@ jobs:
             py_version: "3.13"
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
         python-version: ${{ matrix.py_version }}
     - name: Install dependencies
@@ -44,16 +44,14 @@ jobs:
         poe test
 
   build:
-    permissions:
-      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
     runs-on: ubuntu-latest
     needs: test
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
     - name: Set up Python 3.10
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
         python-version: "3.10"
     - name: Install dependencies
@@ -65,11 +63,25 @@ jobs:
       run: |
         poe build
     - name: Save built package
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v6
       with:
         name: package
         path: |
           dist
-    - name: Publish to PyPi
-      if: ${{ github.ref_type	== 'tag' }}
+
+  upload:
+    name: Publish to PyPi
+    needs: build
+    if: startsWith(github.ref, 'refs/tags/')  # only publish to PyPI on tag pushes
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+    runs-on: ubuntu-latest
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v6
+      with:
+        name: package
+        path: dist/
+    - name: Publish distribution to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
+