diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..be0851b
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,69 @@
+name: Publish to PyPI
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/publish.yml
+  release:
+    types:
+      - released
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.sha }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build distributions
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v8.1.0
+
+      - name: Build package
+        env:
+          SETUPTOOLS_SCM_OVERRIDES_FOR_DOTTXT: '{local_scheme=["fail-on-uncommitted-changes", "no-local-version"]}'
+        run: |
+          uv build
+
+      - name: Upload distributions
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
+        with:
+          name: python-package-distributions
+          path: dist/
+          if-no-files-found: error
+
+  publish:
+    name: Publish to PyPI
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # For trusted publishing
+    environment:
+      name: ${{ case(github.event_name == 'release', 'pypi', 'test-pypi') }}
+      url: ${{ case(github.event_name == 'release', 'https://pypi.org/p/dottxt',
+               'https://test.pypi.org/p/dottxt') }}
+    steps:
+      - name: Download distributions
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0
+        with:
+          # Same version/content can't be reuploaded, so skip the files if this happens in testing
+          skip-existing: ${{ github.event_name != 'release' }}
+          attestations: true
+          repository-url: ${{ case(github.event_name == 'release', 'https://upload.pypi.org/legacy/',
+                                   'https://test.pypi.org/legacy/') }}