diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0f51ce51..5e131187 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -134,3 +134,56 @@ jobs:
       if: ${{ needs.docker-build.result == 'success' }}
     - run: echo 'The triggering workflow failed (docker)' && false
       if: ${{ needs.docker-build.result != 'success' }}
+
+  build-package:
+    name: Build distribution 📦
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: "3.x"
+    - name: Install pypa/build
+      run: >-
+        python3 -m
+        pip install
+        build
+        setuptools
+        wheel
+        twine
+        --user
+    - name: Bump package version with local extension
+      run: etc/ci/bump-package-version.sh ".dev$(date +%s)"
+    - name: Build a binary wheel and a source tarball
+      run: make dist PYTHON=python3
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@v3
+      with:
+        name: python-package-distributions
+        path: dist/
+
+  publish-to-testpypi:
+    name: Publish Python 🐍 distribution 📦 to TestPyPI
+    needs:
+    - build-package
+    runs-on: ubuntu-latest
+
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/coq-tools
+
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing
+
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v3
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Publish distribution 📦 to TestPyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        repository-url: https://test.pypi.org/legacy/
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 00000000..387b5284
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,131 @@
+name: Publish Python 🐍 distribution 📦 to PyPI and TestPyPI
+
+on:
+  release:
+    types: [published] # Only publish to pip when we formally publish a release
+  # For more on how to formally release on Github, read https://help.github.com/en/articles/creating-releases
+
+jobs:
+  build:
+    name: Build distribution 📦
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: "3.x"
+    - name: Install pypa/build
+      run: >-
+        python3 -m
+        pip install
+        build
+        setuptools
+        wheel
+        twine
+        --user
+    - name: Build a binary wheel and a source tarball
+      run: make dist PYTHON=python3
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@v3
+      with:
+        name: python-package-distributions
+        path: dist/
+
+  publish-to-pypi:
+    name: >-
+      Publish Python 🐍 distribution 📦 to PyPI
+    if: startsWith(github.ref, 'refs/tags/')  # only publish to PyPI on tag pushes
+    needs:
+    - build
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/coq-tools
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing
+
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v3
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Publish distribution 📦 to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+
+  github-release:
+    name: >-
+      Sign the Python 🐍 distribution 📦 with Sigstore
+      and upload them to GitHub Release
+    needs:
+    - publish-to-pypi
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write  # IMPORTANT: mandatory for making GitHub Releases
+      id-token: write  # IMPORTANT: mandatory for sigstore
+
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v3
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Sign the dists with Sigstore
+      uses: sigstore/gh-action-sigstore-python@v1.2.3
+      with:
+        inputs: >-
+          ./dist/*.tar.gz
+          ./dist/*.whl
+    - name: Upload artifact signatures to GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      # Upload to GitHub Release using the `gh` CLI.
+      # `dist/` contains the built packages, and the
+      # sigstore-produced signatures and certificates.
+      run: >-
+        gh release upload
+        '${{ github.ref_name }}' dist/**
+        --repo '${{ github.repository }}'
+
+  bump-package-version:
+    name: Bump package version
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Bump Package version
+      id: bumpPackageViaPush
+      run: |
+        etc/ci/bump-package-version.sh
+        remote_repo="https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
+        git config http.sslVerify false
+        git config user.name "Automated Publisher"
+        git config user.email "actions@users.noreply.github.com"
+        git remote add publisher "${remote_repo}"
+        git remote update
+        git show-ref # useful for debugging
+        git branch --verbose
+
+        git checkout -b temp
+        git branch -D master || true
+        git checkout -b master publisher/master
+        git add pyproject.toml
+        timestamp=$(date -u)
+        git commit -m "Automated Package Version Bump: ${timestamp} ${GITHUB_SHA}"
+        git push publisher master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      if: always()
+    - name: Create Pull Request
+      uses: peter-evans/create-pull-request@v5
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        title: 'Package Version Bump'
+        body: >
+          This PR is auto-generated by
+          [create-pull-request](https://github.com/peter-evans/create-pull-request).
+        labels: automated pr
+      if: failure() && steps.bumpPackageViaPush.outcome == 'failure'
diff --git a/etc/ci/bump-package-version.sh b/etc/ci/bump-package-version.sh
new file mode 100755
index 00000000..8deb3474
--- /dev/null
+++ b/etc/ci/bump-package-version.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+set -e
+
+TOML_PATH="pyproject.toml"
+SETUP_PATH="setup.py"
+quote="'"
+dquote='"'
+
+VERSION_LINE="$(grep 'version\s*=\s*' "${TOML_PATH}")"
+SETUP_VERSION_LINE="$(grep 'version\s*=\s*' "${SETUP_PATH}")"
+SETUP_VERSION_NUMBER="$(echo "${SETUP_VERSION_LINE}" | grep -o "version\s*=\s*[${quote}${dquote}][^${quote}${dquote}]*[${quote}${dquote}]" | sed "s/version\s*=\s*//g; s/[${quote}${dquote}]//g; s/\s//g")"
+FULL_VERSION_NUMBER="$(echo "${VERSION_LINE}" | sed 's/version\s*=\s*//g; s/"//g; s/\s//g')"
+VERSION_NUMBER="${FULL_VERSION_NUMBER%%+*}"
+if [ -z "$1" ]; then
+    # https://stackoverflow.com/a/4486087/377022
+    NEW_VERSION_NUMBER="$(awk -F. '/[0-9]+\./{$NF++;print}' OFS=. <<< "${VERSION_NUMBER}")"
+elif [[ "$1" == .* ]] || [[ "$1" == +* ]]; then
+    NEW_VERSION_NUMBER="${VERSION_NUMBER}$1"
+else
+    NEW_VERSION_NUMBER="${VERSION_NUMBER}+$1"
+fi
+NEW_VERSION_LINE="$(echo "${VERSION_LINE}" | sed "s/${FULL_VERSION_NUMBER}/${NEW_VERSION_NUMBER}/g")"
+NEW_SETUP_VERSION_LINE="$(echo "${SETUP_VERSION_LINE}" | sed "s/\(version\s*=\s*[${quote}${dquote}]\)[^${quote}${dquote}]*\([${quote}${dquote}]\)/\1${NEW_VERSION_NUMBER}\2/g")"
+echo "Updating ${TOML_PATH} from version ${FULL_VERSION_NUMBER} to ${NEW_VERSION_NUMBER}"
+sed "s/${VERSION_LINE}/${NEW_VERSION_LINE}/g" -i "${TOML_PATH}"
+echo "Updating ${SETUP_PATH} from version ${SETUP_VERSION_NUMBER} to ${NEW_VERSION_NUMBER}"
+sed "s/${SETUP_VERSION_LINE}/${NEW_SETUP_VERSION_LINE}/g" -i "${SETUP_PATH}"
+
+# sanity check
+AGAIN_VERSION_LINE="$(grep 'version\s*=\s*' "${TOML_PATH}")"
+AGAIN_VERSION_NUMBER="$(echo "${AGAIN_VERSION_LINE}" | sed 's/version\s*=\s*//g; s/"//g; s/\s//g')"
+if [ "${NEW_VERSION_NUMBER}" != "${AGAIN_VERSION_NUMBER}" ]; then
+    echo "ERROR: Tried to change '${FULL_VERSION_NUMBER}' to '${NEW_VERSION_NUMBER}' in ${TOML_PATH},"
+    echo "  but somehow ended up with '${AGAIN_VERSION_NUMBER}'."
+    exit 1
+fi
+AGAIN_SETUP_VERSION_LINE="$(grep 'version\s*=\s*' "${SETUP_PATH}")"
+AGAIN_SETUP_VERSION_NUMBER="$(echo "${AGAIN_SETUP_VERSION_LINE}" | grep -o "version\s*=\s*[${quote}${dquote}][^${quote}${dquote}]*[${quote}${dquote}]" | sed "s/version\s*=\s*//g; s/[${quote}${dquote}]//g; s/\s//g")"
+if [ "${NEW_VERSION_NUMBER}" != "${AGAIN_SETUP_VERSION_NUMBER}" ]; then
+    echo "ERROR: Tried to change '${SETUP_VERSION_NUMBER}' to '${NEW_VERSION_NUMBER}' in ${SETUP_PATH},"
+    echo "  but somehow ended up with '${AGAIN_SETUP_VERSION_NUMBER}'."
+    exit 1
+fi
diff --git a/pyproject.toml b/pyproject.toml
new file mode 100644
index 00000000..b8efbabc
--- /dev/null
+++ b/pyproject.toml
@@ -0,0 +1,22 @@
+[project]
+name = "coq-tools"
+version = "0.0.1"
+authors = [
+  { name="Jason Gross", email="jgross@mit.edu" },
+]
+description = "Some scripts to help manipulate Coq developments and minimize error-producing Coq code"
+readme = "README.md"
+requires-python = ">=3.5"
+classifiers = [
+    "Programming Language :: Python :: 3",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: OS Independent",
+]
+
+[project.urls]
+"Homepage" = "https://github.com/JasonGross/coq-tools"
+"Bug Tracker" = "https://github.com/JasonGross/coq-tools/issues"
+
+[build-system]
+requires = ["setuptools", "wheel"]
+build-backend = "setuptools.build_meta"