diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 54841f3..204b568 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,7 +6,7 @@ updates:
     schedule:
       interval: "weekly"
     groups:
-      github-actions-refresh:
+      github-actions:
         patterns:
           - "*"
 
@@ -15,6 +15,6 @@ updates:
     schedule:
       interval: "weekly"
     groups:
-      uv-lockfile-maintenance:
+      uv-lockfile:
         patterns:
           - "*"
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
new file mode 100644
index 0000000..1d20fd9
--- /dev/null
+++ b/.github/workflows/publish-pypi.yml
@@ -0,0 +1,52 @@
+name: Publish Release to PyPI
+permissions:
+  contents: read
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  pypi-publish:
+    name: upload release to PyPI
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: Setup uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+
+      - name: Build sdist and wheel
+        run: >
+          export SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) &&
+          uv build
+
+      - name: Upload sdist and wheel as artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+      - name: Install produced wheel
+        run: |
+          uv pip install dist/*.whl --system
+
+      - name: Verify installation
+        run: |
+          python -m hextools --version