diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 204ce39..bafc9b8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -147,19 +147,6 @@ jobs:
 
       - run: tox run -e docs
 
-  package:
-    name: Build & verify package
-    runs-on: ubuntu-latest
-    env:
-      SETUPTOOLS_SCM_PRETEND_VERSION: ""
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - uses: hynek/build-and-inspect-python-package@v1
-
   install-dev:
     name: Verify dev env
     runs-on: ${{ matrix.os }}
@@ -182,7 +169,6 @@ jobs:
       - coverage
       - docs
       - install-dev
-      - package
       - system-package
 
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
new file mode 100644
index 0000000..05bae4d
--- /dev/null
+++ b/.github/workflows/pypi-package.yml
@@ -0,0 +1,69 @@
+---
+name: Build & maybe upload PyPI package
+
+on:
+  push:
+    branches: [main]
+    tags: ["*"]
+  pull_request:
+    branches: [main]
+  release:
+    types:
+      - published
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  # Always build & lint package.
+  build-package:
+    name: Build & verify package
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - uses: hynek/build-and-inspect-python-package@v1
+
+  # Upload to Test PyPI on every commit on main.
+  # XXX: our name is currently squatted by a third party on test.pypi.org.
+  # release-test-pypi:
+  #   name: Publish in-dev package to test.pypi.org
+  #   environment: release-test-pypi
+  #   if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+  #   runs-on: ubuntu-latest
+  #   needs: build-package
+
+  #   steps:
+  #     - name: Download packages built by build-and-inspect-python-package
+  #       uses: actions/download-artifact@v3
+  #       with:
+  #         name: Packages
+  #         path: dist
+
+  #     - name: Upload package to Test PyPI
+  #       uses: pypa/gh-action-pypi-publish@release/v1
+  #       with:
+  #         repository-url: https://test.pypi.org/legacy/
+
+  # Upload to real PyPI on GitHub Releases.
+  release-pypi:
+    name: Publish released package to pypi.org
+    environment: release-pypi
+    if: github.event.action == 'published'
+    runs-on: ubuntu-latest
+    needs: build-package
+
+    steps:
+      - name: Download packages built by build-and-inspect-python-package
+        uses: actions/download-artifact@v3
+        with:
+          name: Packages
+          path: dist
+
+      - name: Upload package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1