diff --git a/.github/workflows/_publish.yml b/.github/workflows/_publish.yml
index b0590543ae..cd86da89ee 100644
--- a/.github/workflows/_publish.yml
+++ b/.github/workflows/_publish.yml
@@ -8,6 +8,8 @@ on:
     secrets:
       app-id:
       app-key:
+      pypi-username:
+      pypi-password:
 
     inputs:
       actions-version:
@@ -357,6 +359,73 @@ jobs:
           Size
         input: ${{ steps.artifact-sizes.outputs.value }}
 
+    - name: Filter non-dev Python artifacts
+      id: python-artifacts-nondev
+      if: >-
+        fromJSON(steps.afterall.outputs.continue)
+        && ! fromJSON(steps.python.outputs.version).is_dev
+      uses: envoyproxy/toolshed/gh-actions/jq@9b8b4d2e89c1f649303636b913f184e9f8324937
+      with:
+        input: ${{ steps.artifacts.outputs.output }}
+        filter: |
+          to_entries
+          | map(select(.key | startswith("python:")))
+          | map(select(.key | contains("-dev-") | not))
+          | map(.value.path)
+    - name: Setup Python for PyPI publishing
+      if: >-
+        fromJSON(steps.afterall.outputs.continue)
+        && ! fromJSON(steps.python.outputs.version).is_dev
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548  # v6.1.0
+      with:
+        python-version: "3.12"
+    - name: >-
+        Publish Python packages to PyPI
+        ${{ (inputs.event == 'pull_request' || inputs.dry-run)
+             && '(dry-run)'
+             || ''  }}
+      id: pypi-publish
+      if: >-
+        fromJSON(steps.afterall.outputs.continue)
+        && ! fromJSON(steps.python.outputs.version).is_dev
+      env:
+        TWINE_USERNAME: ${{ secrets.pypi-username }}
+        TWINE_PASSWORD: ${{ secrets.pypi-password }}
+        TWINE_NON_INTERACTIVE: "1"
+      run: |
+        set -e
+        echo "Preparing to publish Python packages to PyPI..."
+        
+        # Get list of non-dev artifacts
+        ARTIFACTS='${{ steps.python-artifacts-nondev.outputs.value }}'
+        echo "Non-dev artifacts to publish:"
+        echo "$ARTIFACTS" | jq -r '.[]'
+        
+        if [ "$ARTIFACTS" = "[]" ] || [ -z "$ARTIFACTS" ]; then
+          echo "No non-dev artifacts to publish"
+          exit 0
+        fi
+        
+        # Install twine
+        pip install twine
+        
+        # Publish to PyPI
+        DRY_RUN="${{ inputs.event == 'pull_request' || inputs.dry-run }}"
+        if [ "$DRY_RUN" = "true" ]; then
+          echo "DRY RUN: Would publish the following packages:"
+          for artifact in $(echo "$ARTIFACTS" | jq -r '.[]'); do
+            echo "  - $artifact"
+            twine check "$artifact"
+          done
+        else
+          echo "Publishing packages to PyPI..."
+          for artifact in $(echo "$ARTIFACTS" | jq -r '.[]'); do
+            echo "Publishing $artifact..."
+            twine upload --non-interactive "$artifact"
+          done
+          echo "All packages published successfully"
+        fi
+
     - name: >-
         Publish actions release
         ${{ (inputs.event == 'pull_request' || inputs.dry-run)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2151dc6d75..4ebf59257e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -23,6 +23,8 @@ jobs:
     secrets:
       app-id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }}
       app-key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }}
+      pypi-username: ${{ secrets.PYPI_USERNAME }}
+      pypi-password: ${{ secrets.PYPI_PASSWORD }}
     uses: ./.github/workflows/_publish.yml
     with:
       committer-email: "140627008+publish-envoy[bot]@users.noreply.github.com"