diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index 55303b9..cd9e642 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -8,23 +8,230 @@ on: push: branches: [main, master, preprod, prod] pull_request: - types: [opened, synchronize, reopened] + types: [opened, synchronize, reopened, closed] name: Python jobs: flake8: name: Flake8 - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 timeout-minutes: 5 + if: github.event_name != 'pull_request' || github.event.action != 'closed' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: 3.9 - name: Flake8 uses: docker://public.ecr.aws/u9q7y3l4/github-actions-flake8 black: name: Black - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 timeout-minutes: 5 + if: github.event_name != 'pull_request' || github.event.action != 'closed' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: 3.9 - name: Black uses: docker://public.ecr.aws/u9q7y3l4/github-actions-black + test: + name: Test + runs-on: ubuntu-22.04 + timeout-minutes: 5 + if: github.event_name != 'pull_request' || github.event.action != 'closed' + permissions: + id-token: write + contents: read + steps: + - run: | + git config --global credential.helper 'cache --timeout=315360000' + (echo protocol=https; echo host=github.com; echo username=${{ secrets.MS_READ_PACKAGES_GITHUB_PAT }}; echo password=) | git credential approve + (echo protocol=https; echo host=github.com; echo username=${{ secrets.MS_READ_PACKAGES_GITHUB_PAT }}; echo password=) | base64 + git clone https://github.com/mobsuccess-devops/mobsuccess-python + name: GitHub Credentials + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: 3.9 + - name: Install dependencies + run: sudo apt-get install libffi7 + - uses: actions/cache@v4 + with: + path: | + ~/.mobsuccess/venv/*/* + !~/.mobsuccess/venv/*/.pip-version-* + venv + key: ${{ runner.os }}-venv-test-${{ hashFiles('requirements*.txt') }} + restore-keys: | + ${{ runner.os }}-venv-test- + - name: Configure 
AWS Credentials (eu-central-1) + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: arn:aws:iam::983851922138:role/GHA,CodeArtifact + aws-region: eu-central-1 + role-duration-seconds: 900 + - name: Login CodeArtifact + run: aws codeartifact login --tool pip --domain mobsuccess --domain-owner 983851922138 --repository python + - run: make test + pyright: + name: Pyright + runs-on: ubuntu-22.04 + timeout-minutes: 10 + if: github.event_name != 'pull_request' || github.event.action != 'closed' + permissions: + id-token: write + contents: read + steps: + - run: | + git config --global credential.helper 'cache --timeout=315360000' + (echo protocol=https; echo host=github.com; echo username=${{ secrets.MS_READ_PACKAGES_GITHUB_PAT }}; echo password=) | git credential approve + (echo protocol=https; echo host=github.com; echo username=${{ secrets.MS_READ_PACKAGES_GITHUB_PAT }}; echo password=) | base64 + git clone https://github.com/mobsuccess-devops/mobsuccess-python + name: GitHub Credentials + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: 3.9 + - name: Install dependencies + run: sudo apt-get install libffi7 + - uses: actions/cache@v4 + with: + path: | + ~/.mobsuccess/venv/*/* + !~/.mobsuccess/venv/*/.pip-version-* + venv + key: ${{ runner.os }}-venv-pyright-${{ hashFiles('requirements*.txt') }} + restore-keys: | + ${{ runner.os }}-venv-pyright- + - name: Configure AWS Credentials (eu-central-1) + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: arn:aws:iam::983851922138:role/GHA,CodeArtifact + aws-region: eu-central-1 + role-duration-seconds: 900 + - name: Login CodeArtifact + run: aws codeartifact login --tool pip --domain mobsuccess --domain-owner 983851922138 --repository python + - run: make pyright + check_stubs: + name: Check Stubs + runs-on: ubuntu-22.04 + timeout-minutes: 5 + if: github.event_name != 'pull_request' || github.event.action != 'closed' + steps: + - uses: 
actions/checkout@v4 + - run: | + if [ -n "$(find . -name '*.pyi')" ]; then + echo "This repository must not contain *.pyi files" + exit 1 + fi + prepare-publish: + name: Prepare Publish + runs-on: ubuntu-22.04 + timeout-minutes: 1 + if: github.event_name != 'pull_request' || github.event.action != 'closed' + outputs: + version-postfix: ${{ steps.prepare.outputs.version-postfix }} + role: ${{ steps.prepare.outputs.role }} + aws-account-id: ${{ steps.prepare.outputs.aws-account-id }} + permissions: + id-token: write + contents: read + steps: + - name: Prepare + id: prepare + run: | + role=arn:aws:iam::983851922138:role/GHA,$(basename $GITHUB_REPOSITORY) + aws_account_id=983851922138 + case ${{github.ref}} in + refs/heads/master) + echo "version-postfix: " + echo "::set-output name=version-postfix::" + ;; + *) + pr_number=${{github.event.number}} + if [ -z "$pr_number" ]; then + pr_number=${{github.event.issue.number}} + fi + echo "version-postfix: .dev$pr_number" + echo "::set-output name=version-postfix::.dev$pr_number" + ;; + esac + echo role: $role + echo "::set-output name=role::$role" + echo "::set-output name=aws-account-id::$aws_account_id" + publish: + runs-on: ubuntu-22.04 + needs: [prepare-publish] + name: Publish + timeout-minutes: 5 + if: github.event_name != 'pull_request' || github.event.action != 'closed' + permissions: + id-token: write + contents: read + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: 3.9 + - name: Install dependencies + run: sudo apt-get install libffi7 + - run: | + python3 -m venv venv + source venv/bin/activate + - uses: actions/cache@v4 + with: + path: | + ${{ env.pythonLocation }} + venv + key: ${{ env.pythonLocation }}-${{ hashFiles('requirements*.txt') }} + - name: Configure AWS Credentials (eu-central-1) + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: arn:aws:iam::983851922138:role/GHA,CodeArtifact + aws-region: eu-central-1 + role-duration-seconds: 
900 + - name: Login CodeArtifact + run: aws codeartifact login --tool pip --domain mobsuccess --domain-owner 983851922138 --repository python + - run: source venv/bin/activate && for r in requirements*.txt; do pip install -r $r; done + - uses: aws-actions/setup-sam@v1 + - uses: aws-actions/configure-aws-credentials@v1 + name: Configure AWS Credentials (eu-central-1) + with: + role-to-assume: ${{needs.prepare-publish.outputs.role}} + aws-region: eu-central-1 + role-duration-seconds: 900 + - name: Build and publish + run: | + export TWINE_USERNAME=aws + export TWINE_PASSWORD=`aws codeartifact get-authorization-token --domain mobsuccess --domain-owner ${{ needs.prepare-publish.outputs.aws-account-id }} --query authorizationToken --output text` + export TWINE_REPOSITORY_URL=`aws codeartifact get-repository-endpoint --domain mobsuccess --domain-owner ${{ needs.prepare-publish.outputs.aws-account-id }} --repository python --format pypi --query repositoryEndpoint --output text` + export PYTHON_PACKAGE_VERSION_POSTFIX=.$GITHUB_RUN_ID${{needs.prepare-publish.outputs.version-postfix}} + echo PYTHON_PACKAGE_VERSION_POSTFIX=$PYTHON_PACKAGE_VERSION_POSTFIX + if [ -e Makefile ] && grep -q ^stubs: Makefile; then source venv/bin/activate && make stubs; fi + source venv/bin/activate && python setup.py sdist bdist_wheel + package_name=$(grep ^Name: *.egg-info/PKG-INFO | sed -e 's/^.*: //') + package_version=$(grep ^Version: *.egg-info/PKG-INFO | sed -e 's/^.*: //') + aws codeartifact delete-package-versions --domain mobsuccess --repo python --format pypi --package "$package_name" --versions "$package_version" || true + source venv/bin/activate && twine upload --verbose dist/* + notify: + needs: + [ + flake8, + black, + test, + pyright, + check_stubs, + publish, + ] + if: failure() + runs-on: ubuntu-22.04 + steps: + - name: Notify + uses: mobsuccess-devops/github-actions-notify@master + with: + notify-type: "workflow-failure" + slack-token: ${{ secrets.SLACK_TOKEN_MSBOT }} + 
slack-channel: ${{ vars.SLACK_CHANNEL_NOTIFY_WORKFLOW_FAIL }} + platform-pat: ${{ secrets.MS_PLATFORM_LIST_USERS_PAT }} # DO NOT EDIT: END
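Review bot: The "GitHub Credentials" step added to the `test` and `pyright` jobs pipes the `MS_READ_PACKAGES_GITHUB_PAT` secret through `base64` to stdout (`(echo protocol=https; ...; echo username=${{ secrets.MS_READ_PACKAGES_GITHUB_PAT }}; echo password=) | base64`), which writes the token into the job log in an encoded form that GitHub's secret masking does not recognise; that line should be dropped so only the `| git credential approve` pipe remains. The `prepare-publish` job emits its outputs with the deprecated `::set-output` workflow command; the supported form is `echo "version-postfix=.dev$pr_number" >> "$GITHUB_OUTPUT"` (and likewise for `role` and `aws-account-id`). `python-version: 3.9` is a plain YAML float in every job; quoting it as `python-version: "3.9"` keeps a later bump to 3.10 from being parsed as 3.1. `mobsuccess-devops/github-actions-notify@master` and `aws-actions/configure-aws-credentials@v1` track mutable refs, so pinning them to a tag or commit SHA would make the workflow's supply chain reproducible. The `case ${{github.ref}} in` and `pr_number=${{github.event.number}}` lines interpolate expressions straight into the shell script; passing them through `env:` and reading `"$GITHUB_REF"` / `"$PR_NUMBER"` avoids shell interpretation of the expanded values.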