diff --git a/.github/workflows/mr-test.yml b/.github/workflows/mr-test.yml
new file mode 100644
index 0000000..1f47dac
--- /dev/null
+++ b/.github/workflows/mr-test.yml
@@ -0,0 +1,25 @@
+name: MR Checks
+on: [pull_request]
+
+jobs:
+ python-check:
+ runs-on: windows-2022
+ strategy:
+ max-parallel: 3
+ matrix:
+ python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ with:
+ fetch-depth: 0
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v5
+ with:
+ python-version: ${{ matrix.python-version }}
+ - name: Install dependencies
+ run: |
+ python -m pip install -U pip poetry nox
+ poetry --version
+ nox --version
+ nox -s preflight
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 4a876ca..638e213 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -8,6 +8,9 @@ on:
 jobs:
 deploy:
 runs-on: ubuntu-latest
+ permissions:
+ # IMPORTANT: this permission is mandatory for trusted publishing
+ id-token: write
 steps:
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 with:
@@ -26,12 +29,12 @@ jobs:
 python -m pip install -U pip poetry nox
 poetry --version
 poetry install
- - name: Publish
- env:
- PYPI_USERNAME: ${{ secrets.PYPI_USERNAME }}
- PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
- run: |
- poetry publish --build -u $PYPI_USERNAME -p $PYPI_PASSWORD
+ # Note that we don't need credentials.
+ # We rely on https://docs.pypi.org/trusted-publishers/.
+ - name: Upload to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ packages-dir: dist
 - name: Create release Version
 run: gh release create ${{ steps.vars.outputs.tag }} --generate-notes
 env:
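Review bot: `actions/setup-python@v5` in the new `mr-test.yml` is referenced by a mutable tag, while `actions/checkout` a few lines above it is pinned to a full commit SHA, so the pinning covers only one of the two third-party actions in this job. Pin it the same way, e.g. `uses: actions/setup-python@<full-commit-sha> # v5`. The workflow also declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope; since it only runs checks, a top-level `permissions:` with `contents: read` would be enough. The `python -m pip install -U pip poetry nox` line installs whatever versions are current at run time, so pinned versions or a constraints file would make pull-request runs reproducible.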
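Review bot: Declaring `permissions:` on the `deploy` job with only `id-token: write` sets every scope that is not listed to `none`, including `contents`. The `gh release create` step later in this job needs `contents: write` if it authenticates with `GITHUB_TOKEN` (its `env:` block lies outside the visible hunks, so this needs confirming), and `actions/checkout` needs `contents: read` on a private repository. Adding `contents: write` next to `id-token: write` would keep the release step working. Because the grant is job-wide, the dependency-install steps can also request an OIDC token; moving the upload into its own job that only receives the built artifact would confine `id-token: write` to the publish step.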
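Review bot: Nothing visible builds the distributions any more: the removed step ran `poetry publish --build`, while the new `Upload to PyPI` step only uploads `dist`, and the preceding context ends at `poetry install`, which does not produce sdist or wheel files. Unless a build happens in a step outside this hunk, add one before the upload, e.g. `- name: Build` with `run: poetry build`. `pypa/gh-action-pypi-publish@release/v1` is a branch ref, and it runs in a job that holds `id-token: write`; pinning it to a full commit SHA as is done for `actions/checkout` (`uses: pypa/gh-action-pypi-publish@<full-commit-sha> # release/v1`) keeps the code that can obtain the PyPI token fixed. The `Create release Version` step continues past the end of the hunk.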