diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..530068f
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,34 @@
+name: publish
+
+on:
+ release:
+ types: [published]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ environment:
+ name: pypi
+ url: https://pypi.org/p/aztec-py
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.11"
+
+ - name: Build package
+ run: |
+ python -m pip install --upgrade pip
+ python -m pip install build
+ python -m build
+
+ - name: Publish to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/PRODUCTION_CHECKLIST.md b/PRODUCTION_CHECKLIST.md
index 9dcfda1..00cafa8 100644
--- a/PRODUCTION_CHECKLIST.md
+++ b/PRODUCTION_CHECKLIST.md
@@ -32,6 +32,8 @@ Use this checklist before shipping a new `aztec-py` version to production.
 - [ ] Confirm `README.md` examples still execute.
 - [ ] Verify version metadata in `pyproject.toml`.
 - [ ] Build artifacts from clean working tree.
+- [ ] PyPI Trusted Publisher is configured for `.github/workflows/publish.yml` (environment: `pypi`).
+- [ ] Tag/version alignment checked before publish (`vX.Y.Z` matches `pyproject.toml`).
 ## 5. Post-Release Smoke Checks
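Review bot: `id-token: write` is granted at workflow level, so the `Build package` step, which installs `build` from the index and runs the project's build backend, executes in the same job that can request the OIDC token PyPI trusts for publishing. Scope the permission to a dedicated `publish` job that only downloads the already-built `dist/` artifact and runs `pypa/gh-action-pypi-publish`, and keep the `pypi` environment on that job alone. The three actions are also referenced by mutable refs (`@v4`, `@v5`, `@release/v1`); pinning each to a full commit SHA would keep a moved tag or branch from changing what runs with publish rights. `workflow_dispatch` lets the workflow run from any ref, so the tag/version alignment remains a manual checklist item unless the `pypi` environment restricts which refs may deploy.

```yaml
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # … unchanged: checkout, Set up Python, Build package …
      - name: Upload distributions
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Only this job can mint the OIDC token used for Trusted Publishing.
    permissions:
      id-token: write
    # … unchanged: environment pypi (name and url) …
    steps:
      - name: Download distributions
        uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # … unchanged: Publish to PyPI …
```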