diff --git a/.github/workflows/python-publish-pypi.yaml b/.github/workflows/python-publish-pypi.yaml
index 3d75e7f..fd28bab 100644
--- a/.github/workflows/python-publish-pypi.yaml
+++ b/.github/workflows/python-publish-pypi.yaml
@@ -1,47 +1,36 @@
-name: "Publish Python 🐍 distributions 📦 to PyPI"
+name: Publish Python 🐍 distributions 📦 to PyPI
 on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
 release:
- types: [published]
+ types:
+ - published
 jobs:
 build:
- name: "Build distribution 📦"
+ name: Build distribution 📦
 runs-on: ubuntu-latest
+ permissions:
+ attestations: write
 steps:
- - name: "Checkout repository"
+ - name: Checkout repository
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - name: "Set up Python 3.x"
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
- with:
- python-version: "3.x"
- cache: "pip"
- cache-dependency-path: "pyproject.toml"
-
- - name: "Install pypa/build"
- run: >-
- python -m
- pip install
- build
- --user
-
- - name: "Build a binary wheel and a source tarball"
- run: >-
- python -m
- build
- --outdir dist/
-
- - name: "Upload packages"
- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ - name: Build and inspect Python 🐍 package 📦
+ uses: hynek/build-and-inspect-python-package@2dbbf2b252d3a3c7cec7a810e3ed5983bd17b13a # v2.8.0
 with:
- name: python-package-distributions
- path: dist/
+ attest-build-provenance-github: ${{ startswith(github.event.ref, 'refs/tags/') }}
 publish-to-pypi:
- name: "Publish Python 🐍 distribution 📦 to PyPI"
+ name: Publish Python 🐍 distribution 📦 to PyPI
 needs: build
+ if: ${{ startswith(github.event.ref, 'refs/tags/') }}
 runs-on: ubuntu-latest
 environment:
 name: pypi
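Review bot: The new `if:` on `publish-to-pypi` and the `attest-build-provenance-github` input both test `github.event.ref`, which the `release` event payload does not carry as far as I know, and the added `push` trigger is restricted to `branches: main`, so the expression looks like it can never be true and the publish job would be skipped on every release. Gating on the event itself, `if: ${{ github.event_name == 'release' }}` (or `startsWith(github.ref, 'refs/tags/')`), still keeps pull-request and branch runs away from the job that holds `id-token: write` and the `pypi` environment, while letting published releases through. Separately, the build job's new `permissions:` block lists only `attestations: write`, which sets every unlisted scope to none; GitHub's build-provenance attestation needs an OIDC token to sign, so I would add `id-token: write` and `contents: read` there. A one-line comment above the `if:`, such as `# publish only for release events; PR and main builds stop after build-and-inspect`, would also make the intended trust boundary explicit.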
@@ -50,13 +39,13 @@ jobs:
 id-token: write
 steps:
- - name: "Download dists"
+ - name: Download dists
 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
- name: python-package-distributions
+ name: Packages
 path: dist/
- - name: "Publish distribution 📦 to PyPI"
+ - name: Publish distribution 📦 to PyPI
 uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0
 with:
 verbose: true