diff --git a/.github/workflows/test.yml b/.github/workflows/build-test-deploy.yml
similarity index 72%
rename from .github/workflows/test.yml
rename to .github/workflows/build-test-deploy.yml
index 2783110a..b4562703 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/build-test-deploy.yml
@@ -1,5 +1,3 @@
-name: Python tests
-
 # This file tests the claimed support range of PyBIDS including
 #
 # * Operating systems: Linux, OSX
@@ -9,6 +7,9 @@ on:
     branches:
       - master
       - maint/*
+      - test-pypi-uploads
+    tags:
+      - '*'
   pull_request: {}
   schedule:
     # 8am EST / 9am EDT Mondays
@@ -112,3 +113,44 @@ jobs:
         with:
           files: cov.xml
           token: ${{ secrets.CODECOV_TOKEN }}
+
+  test-publish:
+    name: Push package to test.pypi.org
+    if: github.event_name == 'push'
+    runs-on: ubuntu-latest
+    needs: [build]
+    permissions:
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Download packages built by build-and-inspect-python-package
+        uses: actions/download-artifact@v4
+        with:
+          name: Packages
+          path: dist
+
+      - name: Upload package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true
+
+  publish:
+    name: Publish released package to pypi.org
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+    runs-on: ubuntu-latest
+    needs: [test, test-publish]
+    permissions:
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Download packages built by build-and-inspect-python-package
+        uses: actions/download-artifact@v4
+        with:
+          name: Packages
+          path: dist
+
+      - name: Upload package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
deleted file mode 100644
index bc08f4ed..00000000
--- a/.github/workflows/package.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-name: Packaging
-
-on:
-  push:
-    branches:
-      - master
-      - maint/*
-      - rel/*
-    tags:
-      - '*'
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  package:
-    # Build packages and upload
-    runs-on: ${{ matrix.os }}
-    permissions:
-      # IMPORTANT: this permission is mandatory for trusted publishing
-      id-token: write
-    strategy:
-      matrix:
-        include:
-          - os: ubuntu-latest
-            python-version: "3.10"
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: recursive
-          fetch-depth: 0
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ matrix.python-version }}
-      - name: Display Python version
-        run: python -c "import sys; print(sys.version)"
-      - name: Install build
-        run: python -m pip install build
-      - name: Build sdist and wheel
-        run: python -m build
-      - name: Test PyPI upload
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          repository-url: https://test.pypi.org/legacy/
-          skip-existing: true
-      - name: Upload to PyPI (on tags)
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
-        uses: pypa/gh-action-pypi-publish@release/v1