diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 00000000..9ff6d7fc
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,84 @@
+name: Wheel building and publishing
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - dev #check branch
+  release:
+    types:
+      - published
+
+jobs:
+  # may be useful to have a wheel building test here eventually (untested):
+  # test_wheel_building:
+  #   #
+  #   permissions:
+  #     contents: none
+  #   uses: someactionyml.yml #TODO: replace with wheel build action
+  #   if: (github.event_name == 'push') # || github.event_name == 'pull_request')
+  #   with:
+  #     upload_to_pypi: false
+  #     targets: |
+  #       - cp311-manylinux_x86_64
+
+  #   secrets:
+  #     pypi_token: ${{ secrets.pypi_token }} # consider using alternate strategy
+
+  build_wheels:
+    # This does the actual wheel building or if triggered manually via the workflow dispatch, or for a tag.
+    # this job does NOT publish the wheels
+    name: Build wheels on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-22.04, windows-2022, macos-11]
+    if: (github.repository == 'gumyr/build123d' && ( startsWith(github.ref, 'refs/tags/v') || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'Build all wheels')))
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build wheels
+        uses: pypa/cibuildwheel@v2.16.2
+
+      - uses: actions/upload-artifact@v3
+        with:
+          path: ./wheelhouse/*.whl
+
+  # Do we need sdist wheels?
+  # build_sdist:
+  #   name: Build source distribution
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@v4
+
+  #     - name: Build sdist
+  #       run: pipx run build --sdist
+
+  #     - uses: actions/upload-artifact@v3
+  #       with:
+  #         path: dist/*.tar.gz
+      
+  upload_pypi:
+    needs: [build_wheels] #, build_sdist]
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/build123d
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+    # if: github.event_name == 'release' && github.event.action == 'published'
+    # or, alternatively, upload to PyPI on every tag starting with 'v' (remove on: release above to use this)
+    if: (github.repository == 'gumyr/build123d' && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v'))
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          # unpacks default artifact into dist/
+          # if `name: artifact` is omitted, the action will create extra parent dir
+          name: artifact
+          path: dist
+
+      - uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          # To test: repository-url: https://test.pypi.org/legacy/
+          repository-url: https://test.pypi.org/legacy/