diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
new file mode 100644
index 0000000..f535af1
--- /dev/null
+++ b/.github/workflows/create-release.yml
@@ -0,0 +1,90 @@
+name: Create release
+
+on:
+  push:
+    tags:
+    - "*"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  publish-pypi:
+    runs-on: ubuntu-latest
+    name: PyPI Release
+    environment: release
+    permissions:
+      id-token: write  # for PyPI trusted publishing
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3"
+          cache: pip
+          cache-dependency-path: pyproject.toml
+
+      - name: Install build dependencies (pypa/build, twine)
+        run: |
+          pip install -U pip
+          pip install build twine
+
+      - name: Build distribution
+        run: python -m build
+
+      - name: Mint PyPI API token
+        id: mint-token
+        uses: actions/github-script@v7
+        with:
+          # language=JavaScript
+          script: |
+            // retrieve the ambient OIDC token
+            const oidc_request_token = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
+            const oidc_request_url = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
+            const oidc_resp = await fetch(`${oidc_request_url}&audience=pypi`, {
+              headers: {Authorization: `bearer ${oidc_request_token}`},
+            });
+            const oidc_token = (await oidc_resp.json()).value;
+
+            // exchange the OIDC token for an API token
+            const mint_resp = await fetch('https://pypi.org/_/oidc/github/mint-token', {
+              method: 'post',
+              body: `{"token": "${oidc_token}"}` ,
+              headers: {'Content-Type': 'application/json'},
+            });
+            const api_token = (await mint_resp.json()).token;
+
+            // mask the newly minted API token, so that we don't accidentally leak it
+            core.setSecret(api_token)
+            core.setOutput('api-token', api_token)
+
+      - name: Upload to PyPI
+        env:
+          TWINE_NON_INTERACTIVE: "true"
+          TWINE_USERNAME: "__token__"
+          TWINE_PASSWORD: "${{ steps.mint-token.outputs.api-token }}"
+        run: |
+          twine check dist/*
+          twine upload dist/*
+
+  github-release:
+    runs-on: ubuntu-latest
+    name: GitHub release
+    environment: release
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
+    steps:
+      - uses: actions/checkout@v4
+      - name: Get release version
+        id: get_version
+        uses: actions/github-script@v7
+        with:
+          script: core.setOutput('version', context.ref.replace("refs/tags/", ""))
+
+      - name: Create GitHub release
+        uses: softprops/action-gh-release@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          name: "Release ${{ steps.get_version.outputs.version }}"
+          body: "${{ steps.get_version.outputs.version }}"