diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ab3cc6b..f87cb45 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,16 +5,37 @@ on:
     tags:
       - "v*"
 
+permissions:
+  contents: read
+
 jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]" 2>/dev/null || pip install -e . && pip install pytest
+
+      - name: Run tests
+        run: pytest tests/ -v --tb=short
+
   publish:
+    name: Publish to PyPI
+    needs: test
     runs-on: ubuntu-latest
     permissions:
       id-token: write
+      contents: read
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.7
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - name: Set up Python
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3  # v5.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.12"
 
@@ -25,4 +46,6 @@ jobs:
         run: python -m build
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
+        with:
+          attestations: true
diff --git a/README.md b/README.md
index e38b6f1..e367e7a 100644
--- a/README.md
+++ b/README.md
@@ -109,6 +109,12 @@ See [cueapi-python](https://github.com/cueapi/cueapi-python) for the full SDK an
 
 ---
 
+## Releases
+
+Releases are published to PyPI with PEP 740 attestations via GitHub Actions Trusted Publishing.
+
+---
+
 ## License
 
 MIT. See [LICENSE](LICENSE).
diff --git a/pyproject.toml b/pyproject.toml
index 258ca70..8510119 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "cueapi"
-version = "0.1.3"
+version = "0.1.4"
 description = "CLI for CueAPI - the scheduling API for AI agents"
 readme = "README.md"
 license = { text = "MIT" }