diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
new file mode 100644
index 0000000..2b8f8aa
--- /dev/null
+++ b/.github/workflows/pypi-package.yml
@@ -0,0 +1,45 @@
+name: Build & maybe upload PyPI package
+
+on:
+  push:
+  pull_request:
+  release:
+    types:
+      - published
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  # Always build & lint package.
+  build-package:
+    name: Build & verify package
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: hynek/build-and-inspect-python-package@v1
+
+  # Upload to real PyPI on GitHub Releases.
+  release-pypi:
+    name: Publish to PyPI
+    environment: release-pypi
+    # Only run for published releases.
+    if: github.repository_owner == 'python' && github.event.action == 'published'
+    runs-on: ubuntu-latest
+    needs: build-package
+
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Download packages built by build-and-inspect-python-package
+        uses: actions/download-artifact@v3
+        with:
+          name: Packages
+          path: dist
+
+      - name: Upload package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1