diff --git a/.cruft.json b/.cruft.json
index 71b44b0..30028e9 100644
--- a/.cruft.json
+++ b/.cruft.json
@@ -1,6 +1,6 @@
 {
   "template": "https://github.com/cthoyt/cookiecutter-snekpack",
-  "commit": "12edfcfa5f519467b5d834f0d4e706fb7cf4f065",
+  "commit": "f217081a86752e77b638d76e92a1f536a4906733",
   "checkout": null,
   "context": {
     "cookiecutter": {
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..439db4c
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
+github:
+  - cthoyt
diff --git a/.github/workflows/cruft.yml b/.github/workflows/cruft.yml
index 7442c9f..07aa4d2 100644
--- a/.github/workflows/cruft.yml
+++ b/.github/workflows/cruft.yml
@@ -2,9 +2,7 @@
 
 name: Update repository with Cruft
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 on:
   workflow_dispatch:
@@ -13,6 +11,9 @@ on:
 
 jobs:
   update:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     strategy:
       fail-fast: true
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index ebf81a3..29de0f4 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -4,6 +4,10 @@
 
 name: Tests
 
+# by default, give the GITHUB_TOKEN no permissions
+# See https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions: {}
+
 on:
   push:
     branches: [ main ]
@@ -13,6 +17,11 @@ on:
 jobs:
   lint:
     name: Code Quality
+    permissions:
+      # give only read-only access to the contents of the repository
+      # this is the only permission this job requires, so keep it to the least privilege
+      # i.e., not to issues, discussions, actions, etc.
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -31,6 +40,8 @@ jobs:
 
   docs:
     name: Documentation
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -56,6 +67,8 @@ jobs:
         run: uvx -p ${{ matrix.python-version }} --with tox-uv tox -e docs-test
   tests:
     name: Tests
+    permissions:
+      contents: read
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
diff --git a/pyproject.toml b/pyproject.toml
index 4397441..5a74e35 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -26,12 +26,15 @@ classifiers = [
     "Framework :: Pytest",
     "Framework :: tox",
     "Framework :: Sphinx",
+    "Natural Language :: English",
     "Programming Language :: Python",
     "Programming Language :: Python :: 3.9",
     "Programming Language :: Python :: 3.10",
     "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
     "Programming Language :: Python :: 3 :: Only",
+    "Typing :: Typed",
 ]
 keywords = [
     "snekpack", # please keep this keyword to credit the cookiecutter-snekpack template
@@ -87,6 +90,12 @@ Documentation = "https://pystow.readthedocs.io"
 
 [tool.setuptools]
 package-dir = { "" = "src" }
+# This fix is here as a final tombstone before getting rid of setuptools and
+# replacing with uv's build backend. It appears that the setuptools team hasn't
+# prioritized fixing the fully breaking bug in metadata emission described in
+# https://github.com/pypa/setuptools/issues/4759. Luckily, the license
+# is inferred from the trove classifier for MIT license.
+license-files = []
 
 [tool.setuptools.packages.find]
 # this implicitly sets `packages = ":find"`
@@ -96,11 +105,9 @@ where = ["src"]  # list of folders that contain the packages (["."] by default)
 [tool.setuptools.package-data]
 "*" = ["*.*"]
 
-
 [project.scripts]
 pystow = "pystow.cli:main"
 
-
 [tool.cruft]
 skip = [
     "**/__init__.py",
diff --git a/tox.ini b/tox.ini
index 056fcb6..5809449 100644
--- a/tox.ini
+++ b/tox.ini
@@ -224,7 +224,7 @@ commands =
 # 7. Add your token to keyring with `keyring set https://upload.pypi.org/legacy/ __token__`
 
 [testenv:release]
-description = Release the code to PyPI so users can pip install it
+description = Release the code to PyPI so users can pip install it, using credentials from keyring
 skip_install = true
 deps =
     {[testenv:build]deps}
@@ -234,6 +234,19 @@ commands =
     {[testenv:build]commands}
     uv publish --username __token__ --keyring-provider subprocess --publish-url https://upload.pypi.org/legacy/
 
+[testenv:release-via-env]
+description = Release the code to PyPI so users can pip install it, using credentials from the environment.
+skip_install = true
+deps =
+    {[testenv:build]deps}
+    uv
+commands =
+    {[testenv:build]commands}
+    uv publish --publish-url https://upload.pypi.org/legacy/
+passenv =
+    UV_PUBLISH_USERNAME
+    UV_PUBLISH_PASSWORD
+
 [testenv:finish]
 description =
     Run a workflow that removes -dev from the version, creates a tagged release on GitHub,