diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..d57929b
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    groups:
+      actions:
+        patterns:
+          - "*"
diff --git a/.github/release.yaml b/.github/release.yaml
new file mode 100644
index 0000000..386ce98
--- /dev/null
+++ b/.github/release.yaml
@@ -0,0 +1,6 @@
+changelog:
+  exclude:
+    authors:
+      - dependabot
+      - pre-commit-ci
+      - github-actions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..a004ff9
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,49 @@
+# Upload a Python Package using Twine when a release is created
+
+name: Build
+on:  # yamllint disable-line rule:truthy
+  release:
+    types: [published]
+  push:
+    branches: ["main", "maint/*"]
+  pull_request:
+    branches: ["main", "maint/*"]
+
+permissions:
+  contents: read
+
+jobs:
+  package:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install build twine
+      - run: python -m build --sdist --wheel
+      - run: twine check --strict dist/*
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist
+
+  pypi-upload:
+    needs: package
+    runs-on: ubuntu-latest
+    if: github.event_name == 'release'
+    permissions:
+      id-token: write  # for trusted publishing
+    environment:
+      name: pypi
+      url: https://pypi.org/p/mne
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist
+      - uses: pypa/gh-action-pypi-publish@release/v1
+        if: github.event_name == 'release'
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index a8a1d14..2d5ec0b 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -46,7 +46,26 @@ jobs:
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python }}
+      - run: pip install --upgrade pip setuptools
+      # TODO: shouldn't need to install NumPy first or pin it (distutils gone in 2.0), bad build reqs
+      - run: pip install --upgrade "numpy<2" s3cmd mne scikit-learn nose pytest pytest-cov "mne<0.24" nibabel
+      # TODO: Relax this pin
+      # TODO: Remove nose dependency
+      - run: pip install --no-build-isolation -ve .
+      - run: openssl aes-256-cbc -K "${{ secrets.encrypted_73bd2a498087_key }}" -iv "${{ secrets.encrypted_73bd2a498087_iv }}" -in .s3cfg.enc -out ~/.s3cfg -d
+      - run: python -c "from pathlib import Path; assert (Path('~').expanduser() / '.s3cfg').is_file()"
+      - run: mkdir ~/mne-hcp-data
+      - run: s3cmd get s3://mne-hcp-testing-data/mne-hcp-testing.tar.gz ~/mne-hcp-data/
+      - run: cd ~/mne-hcp-data/ && tar -xvzf mne-hcp-testing.tar.gz
+      - run: find ~/mne-hcp-data/mne-hcp-testing/105923 -name "*" > output.txt && cat output.txt | wc -l && head output.txt
+      - run: mkdir -p "${{ env.SUBJECTS_DIR}}" && python -c "import mne; mne.datasets.fetch_fsaverage(subjects_dir='${{ env.SUBJECTS_DIR }}')"
+      # TODO: Move this to the top (toward bottom to speed up testing of steps above)
       - uses: pyvista/setup-headless-display-action@main
         with:
           qt: true
           pyvista: false
+      - run: pytest -rfEXs --cov-report= --tb=short --durations 30 -v --cov=hcp --cov-report xml hcp
+      - uses: codecov/codecov-action@v4
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+        if: success()