diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index e8a10cd..0979ade 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -4,9 +4,14 @@ on:
 branches:
 - main
 paths:
- - "src/pytest_nhsd_apim/**"
- - "pyproject.toml"
- - "setup.py"
+ - 'src/pytest_nhsd_apim/**'
+ - 'pyproject.toml'
+ - 'setup.py'
+
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
 publish:
 runs-on: ubuntu-latest
@@ -19,15 +24,6 @@ jobs:
 with:
 python-version: 3.13
- - name: install gnome-keyring
- run: |
- sudo apt-get update
- echo "Available versions of gnome-keyring:"
- apt-cache policy gnome-keyring
-
- echo "Installing default candidate version"
- sudo apt-get install -y gnome-keyring
-
 - name: install deps
 run: make install-deps
@@ -40,8 +36,6 @@ jobs:
 - name: check build
 run: twine check dist/*
- - name: set poetry credentials
- run: poetry config pypi-token.pypi ${{ secrets.PYPI_TOKEN }}
+ - name: Publish to PyPI (OIDC)
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
- - name: publish
- run: poetry publish
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100755
index 0000000..f988e0c
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,10 @@
+repos:
+- repo: local
+ hooks:
+ - id: scan-secrets
+ name: Scan secrets
+ entry: ./scripts/githooks/scan-secrets.sh
+ env:
+ check: staged-changes
+ language: script
+ pass_filenames: false
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
deleted file mode 100755
index de8831c..0000000
--- a/scripts/config/pre-commit.yaml
+++ /dev/null
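Review bot: In the first hunk of `.github/workflows/cd.yml`, `id-token: write` is granted at workflow level, so any job later added to this file inherits the ability to request an OIDC token that PyPI will exchange for an upload credential. Only the `publish` job needs it. Keeping `permissions: contents: read` at the top and moving `id-token: write` under `jobs.publish.permissions` (together with `contents: read`, since a job-level block replaces the workflow-level one) keeps the grant with the job that uses it. The `publish` job's body continues outside this hunk.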
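Review bot: In the third hunk of `.github/workflows/cd.yml`, the publish step sits in the same job as `make install-deps` and the build, so everything those steps install and execute runs in a job that is allowed to request the PyPI OIDC token. Building in a job without `id-token: write` and publishing the resulting `dist/` from a second job would narrow that. No `environment:` is visible on the job (its start is outside the hunk); if none is set, adding `environment: <environment-name>` (placeholder) and registering the same name on the PyPI trusted publisher would let protection rules gate each release. The `PYPI_TOKEN` secret is no longer referenced after this change and can presumably be revoked on PyPI and deleted from the repository secrets.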
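Review bot: In the new `.pre-commit-config.yaml`, `env:` is not a hook key I know pre-commit to accept. Unknown keys are normally reported with a warning and ignored, so `check: staged-changes` may never reach `scan-secrets.sh`, and the hook would then run with whatever default the script has. The deleted `scripts/config/pre-commit.yaml` passed the same setting as `args: ["check=staged-changes"]`; unless the pre-commit version in use is confirmed to support `env`, keep that form, or check in the script how `check` is read. A secret scan that silently runs in a different mode than intended is easy to miss, so running the hook once against a staged test secret after this change would confirm that it still blocks the commit.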
@@ -1,40 +0,0 @@
-repos:
-- repo: local
- hooks:
- - id: scan-secrets
- name: Scan secrets
- entry: ./scripts/githooks/scan-secrets.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-file-format
- name: Check file format
- entry: ./scripts/githooks/check-file-format.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-markdown-format
- name: Check Markdown format
- entry: ./scripts/githooks/check-markdown-format.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: check-english-usage
- name: Check English usage
- entry: ./scripts/githooks/check-english-usage.sh
- args: ["check=staged-changes"]
- language: script
- pass_filenames: false
-- repo: local
- hooks:
- - id: lint-terraform
- name: Lint Terraform
- entry: ./scripts/githooks/check-terraform-format.sh
- language: script
- pass_filenames: false
\ No newline at end of file
diff --git a/scripts/githooks/scan-secrets.sh b/scripts/githooks/scan-secrets.sh
old mode 100644
new mode 100755