diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index f980f86..f38496d 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -1,17 +1,28 @@
-# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
+# This workflow does the following:
+#
+#   - run tests and lint with a variety of Python versions on windows, linux and macos [1]
+#   - build the tufup package [2]
+#   - publish to test.pypi.org [2]
+#   - publish to pypi.org [2]
+#
+# Notes:
+#
+#   - to skip the workflow, add [skip ci] to the commit message [3]
+#
+# References
+#
+# [1]: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
+# [2]: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
+# [3]: https://docs.github.com/en/actions/managing-workflow-runs/skipping-workflow-runs
+
 
 name: Python package
 
-on:
-  push:
-    branches: [ master ]
-  pull_request:
-    branches: [ master ]
-  workflow_dispatch:
+on: [push, workflow_dispatch]
   
 jobs:
-  build:
+  test:
+    # based on [1]
     strategy:
       fail-fast: false
       matrix:
@@ -37,3 +48,81 @@ jobs:
     - name: Test with unittest
       run: |
         python -m unittest
+
+  build:
+    # based on [2]
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.x"
+      - name: Install pypa/build
+        run: |
+          python3 -m pip install build --user
+      - name: Build a binary wheel and a source tarball
+        run: python3 -m build
+      - name: Verify current tag matches hardcoded __version__
+        run: |
+          if [[ $GITHUB_REF_TYPE == 'tag' ]]
+          then 
+            python3 -m pip install .
+            tufup_version=$(python -c 'import tufup; print(tufup.__version__)')
+            if [[ $GITHUB_REF_NAME != "v$tufup_version" ]]
+            then 
+              echo "tag ($GITHUB_REF_NAME) does not match tufup.__version__ (v$tufup_version)"
+              exit 1
+            fi
+          fi
+      - name: Store the distribution packages
+        uses: actions/upload-artifact@v3
+        with:
+          name: python-package-distributions
+          path: dist/
+
+  publish-to-testpypi:
+    # based on [2]
+    # to install from test.pypi:
+    #   pip install tufup --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple
+    needs: [test, build]
+    runs-on: ubuntu-latest
+    # only publish to test.pypi on tag pushes
+    if: startsWith(github.ref, 'refs/tags/')
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/tufup
+    permissions:
+      id-token: write
+    steps:
+      - name: Download the distribution packages
+        uses: actions/download-artifact@v3
+        with:
+          name: python-package-distributions
+          path: dist/
+      - name: Publish distributions to test.pypi.org
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+
+  publish-to-pypi:
+    # this requires manual confirmation on github
+    # based on [2]
+    needs: [test, build, publish-to-testpypi]
+    runs-on: ubuntu-latest
+    # only publish to pypi on tag pushes
+    if: startsWith(github.ref, 'refs/tags/')
+    environment:
+      name: pypi
+      url: https://pypi.org/p/tufup
+    permissions:
+      id-token: write
+    steps:
+      - name: Download the distribution packages
+        uses: actions/download-artifact@v3
+        with:
+          name: python-package-distributions
+          path: dist/
+      - name: Publish distributions to pypi.org
+        uses: pypa/gh-action-pypi-publish@release/v1