diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3348356..cc1cb15 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -9,49 +9,92 @@
 name: Upload package
 
 on:
-  release:
-    types: [created]
   push:
-    tags:
-      - '*'
+  pull_request:
+  release:
+    types:
+      - published
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  FORCE_COLOR: 1
 
 jobs:
-  deploy:
+  build-package:
+    name: Build & verify package
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17.0
+
+  test-package:
+    name: Test package
+    if: |
+      github.event.repository.fork == false
+      && (
+        (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/'))
+        || github.event.action == 'published'
+      )
+    needs: build-package
+    uses: ./.github/workflows/tests.yml
+
+  # Publish to TestPyPI for every tag.
+  release-test-pypi:
+    name: Publish to TestPyPI
+    if: |
+      github.event.repository.fork == false
+      && github.event_name == 'push'
+      && startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    needs: test-package
+
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Download packages built by build-and-inspect-python-package
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: Packages
+          path: dist
+
+      - name: Publish to Test PyPI
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
+        with:
+          repository-url: https://test.pypi.org/legacy/
+
+  release-pypi:
+    name: Publish to PyPI
+    # Only run for published releases.
+    if: |
+      github.event.repository.fork == false
+      && github.event.action == 'published'
     runs-on: ubuntu-latest
+    needs: test-package
+
     environment:
       name: release
-      url: https://pypi.org/p/tzdata
+      url: >-
+        https://pypi.org/project/tzdata/${{
+          github.event.release.tag_name
+        }}
+
     permissions:
       id-token: write
+
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      with:
-        persist-credentials: false
-    - name: Set up Python
-      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-      with:
-        python-version: '3.x'
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install -U tox
-    - name: Create tox environments
-      run: |
-        tox -p -e py,build --notest
-    - name: Run tests
-      run: |
-        tox -e py
-    - name: Build package
-      run: |
-        tox -e build
-    - name: Publish package (TestPyPI)
-      if: github.event_name == 'push'
-      uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
-      with:
-        repository-url: https://test.pypi.org/legacy/
-        verbose: true
-    - name: Publish package
-      if: github.event_name == 'release'
-      uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
-      with:
-        verbose: true
+      - name: Download packages built by build-and-inspect-python-package
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: Packages
+          path: dist
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 20eb70c..842e181 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -5,6 +5,7 @@ on:
     branches:
       - master
   pull_request:
+  workflow_call:
   workflow_dispatch:
 
 permissions: {}
@@ -50,7 +51,7 @@ jobs:
     runs-on: "ubuntu-latest"
     strategy:
       matrix:
-        toxenv: ["build", "precommit", "typing", "docs"]
+        toxenv: ["precommit", "typing", "docs"]
     env:
       TOXENV: ${{ matrix.toxenv }}
 
diff --git a/pyproject.toml b/pyproject.toml
index aaf3b62..7f6be2a 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -2,6 +2,12 @@
 requires = ["setuptools>=40.8.0", "wheel"]
 build-backend = "setuptools.build_meta"
 
+[tool.check-wheel-contents]
+# The wheel contains duplicate files.
+# This is by design, see https://github.com/eggert/tz/blob/main/backward
+# Let's ignore the warning:
+ignore = ["W002"]
+
 [tool.isort]
 atomic=true
 force_grid_wrap=0
diff --git a/tox.ini b/tox.ini
index 83e7708..fe186b4 100644
--- a/tox.ini
+++ b/tox.ini
@@ -70,15 +70,3 @@ deps =
 commands =
     sphinx-build -d "{toxworkdir}/docs_doctree" "{toxinidir}/docs" \
                     "{toxinidir}/docs/_output" {posargs: -j auto --color -bhtml}
-
-[testenv:build]
-description = Build a wheel and source distribution
-skip_install = True
-deps =
-    build
-    twine
-commands =
-    python -c "from pathlib import Path; \
-               [x.unlink(missing_ok=True) for x in Path('{toxinidir}/dist').glob('*')]"
-    python -m build -o {toxinidir}/dist {toxinidir}
-    twine check {toxinidir}/dist/*