From 743450bf0f493e783a382f1923969cd07616f1c9 Mon Sep 17 00:00:00 2001
From: Ed Harrod
Date: Sat, 4 Apr 2026 18:26:13 +0100
Subject: [PATCH 1/4] release: bump version to 0.3.0, add release instructions and publish workflow
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/publish.yml | 48 +++++++++++++++++++++++++++++++++++
 CONTRIBUTING.md | 37 +++++++++++++++++++++++++++
 luno_python/__init__.py | 2 +-
 pyproject.toml | 1 -
 4 files changed, 86 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/publish.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..e546623
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,48 @@
+name: Publish to PyPI
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ build:
+ name: Build distribution
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v6
+
+ - name: Set up Python
+ uses: actions/setup-python@v6
+ with:
+ python-version: "3.12"
+
+ - name: Install build dependencies
+ run: python -m pip install --upgrade pip build
+
+ - name: Build package
+ run: python -m build
+
+ - name: Upload distribution artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: dist
+ path: dist/
+
+ publish:
+ name: Publish to PyPI
+ needs: build
+ runs-on: ubuntu-latest
+ environment: pypi
+ permissions:
+ id-token: write # required for trusted publishing
+
+ steps:
+ - name: Download distribution artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: dist
+ path: dist/
+
+ - name: Publish to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index ea40d7e..56eba34 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
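Review bot: No `permissions:` block is set at workflow level in PATCH 1/4's new `.github/workflows/publish.yml`, so the `build` job runs with the repository's default `GITHUB_TOKEN` scopes while it produces the exact artifacts that `publish` later uploads. Declaring `permissions: { contents: read }` at the top of the workflow keeps the token read-only for `build`; the job-level `id-token: write` block on `publish` still applies there. Adding `persist-credentials: false` under a `with:` on the `actions/checkout@v6` step would also keep the token out of the checked-out `.git/config` while `python -m build` runs the project's build backend. Keeping the OIDC permission confined to the separate `publish` job is the right shape and should stay as written.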
@@ -64,3 +64,40 @@ git commit --no-verify
 ```bash
 pytest
 ```
+
+## Releasing
+
+This project is published to [PyPI](https://pypi.org/project/luno-python/). Releases are made by maintainers with repository write access and PyPI publish access.
+
+### Steps
+
+1. **Decide the version number** following [Semantic Versioning](https://semver.org/):
+ - Patch (`x.y.Z`): backwards-compatible bug fixes
+ - Minor (`x.Y.0`): new backwards-compatible functionality
+ - Major (`X.0.0`): breaking changes
+
+2. **Bump the version** in `luno_python/__init__.py`:
+ ```python
+ VERSION = "x.y.z"
+ ```
+
+3. **Commit and push** the version bump on a branch, then open and merge a PR:
+ ```bash
+ git checkout -b release-x.y.z
+ git add luno_python/__init__.py
+ git commit -m "release: bump version to x.y.z"
+ git push origin release-x.y.z
+ gh pr create --title "release: bump version to x.y.z" --body "Bump version for release."
+ # After review, merge the PR
+ ```
+
+4. **Create a GitHub Release** from the merged commit on `main`:
+ ```bash
+ git checkout main && git pull origin main
+ gh release create vx.y.z --title "vx.y.z" --generate-notes
+ ```
+ This triggers the publish workflow which automatically builds and uploads the package to PyPI.
+
+### PyPI Trusted Publishing
+
+The publish workflow uses [PyPI Trusted Publishing](https://docs.pypi.org/trusted-publishers/) (OpenID Connect), which means no API tokens need to be stored as secrets. This must be configured once in PyPI's project settings under *Publishing → Add a new publisher*, pointing at this repository's `publish.yml` workflow.
diff --git a/luno_python/__init__.py b/luno_python/__init__.py
index 308cd67..16e7d70 100644
--- a/luno_python/__init__.py
+++ b/luno_python/__init__.py
@@ -1,3 +1,3 @@
 """Luno Python SDK."""
-VERSION = "0.0.10"
+VERSION = "0.3.0"
diff --git a/pyproject.toml b/pyproject.toml
index 5423a21..ef13dd0 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -22,7 +22,6 @@ skip_gitignore = true
 exclude_dirs = ["tests", "env", "build"]
 skips = [
 "B101", # Skip assert_used check (common in tests)
- "B107", # Skip hardcoded_password_default (empty string defaults are acceptable for optional credentials)
 ]
 [tool.pytest.ini_options]
From f47087bfae5dddfdfe15ae0e1f49b8055cfa8b3f Mon Sep 17 00:00:00 2001
From: Ed Harrod
Date: Sat, 4 Apr 2026 18:38:17 +0100
Subject: [PATCH 2/4] release: use Python 3.13 and pip cache in publish workflow
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/publish.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index e546623..5ee7057 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,7 +15,8 @@ jobs:
 - name: Set up Python
 uses: actions/setup-python@v6
 with:
- python-version: "3.12"
+ python-version: "3.13"
+ cache: pip
 - name: Install build dependencies
 run: python -m pip install --upgrade pip build
From e34b5eb167565d79e404c4b637ef8ffd09bcb093 Mon Sep 17 00:00:00 2001
From: Ed Harrod
Date: Sat, 4 Apr 2026 18:50:10 +0100
Subject: [PATCH 3/4] fix: pin pypi-publish action hash, fix 'publishing workflow' wording
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/publish.yml | 2 +-
 CONTRIBUTING.md | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5ee7057..732f814 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -46,4 +46,4 @@ jobs:
 path: dist/
 - name: Publish to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 56eba34..6868b88 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
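Review bot: `cache: pip` on the `actions/setup-python@v6` step in PATCH 2/4 restores a shared Actions cache into the job that builds the release artifacts, so a cache entry written by any other workflow that shares the cache scope ends up in the environment that installs `pip` and `build` for the upload. The step installs only those two packages, so the time saved is small; dropping the `cache: pip` line from this workflow, and keeping caching for CI workflows that do not publish, removes that input from the release path. If the cache stays, a comment such as `# restored into a release build: every workflow that can write this cache must be trusted` next to the line would record the trade-off.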
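Review bot: Only `pypa/gh-action-pypi-publish` is pinned to a commit in PATCH 3/4, while `actions/checkout@v6`, `actions/setup-python@v6`, `actions/upload-artifact@v4` and `actions/download-artifact@v4` stay on mutable tags; the first three run in the job that builds what gets uploaded, and `download-artifact` runs in the job that holds `id-token: write`. Pinning them the same way, for example `uses: actions/checkout@<full-commit-sha> # v6`, closes the same gap on those steps. The trailing comment names the moving branch `release/v1`, so it does not say which release the SHA corresponds to; recording the exact upstream tag instead (`# <release-tag>`) makes the pin auditable and gives update tooling a version to compare against. The diff alone cannot show that this SHA belongs to the upstream repository, so it is worth confirming there before merging.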
@@ -96,8 +96,8 @@ This project is published to [PyPI](https://pypi.org/project/luno-python/). Rele
 git checkout main && git pull origin main
 gh release create vx.y.z --title "vx.y.z" --generate-notes
 ```
- This triggers the publish workflow which automatically builds and uploads the package to PyPI.
+ This triggers the publishing workflow, which automatically builds and uploads the package to PyPI.
 ### PyPI Trusted Publishing
-The publish workflow uses [PyPI Trusted Publishing](https://docs.pypi.org/trusted-publishers/) (OpenID Connect), which means no API tokens need to be stored as secrets. This must be configured once in PyPI's project settings under *Publishing → Add a new publisher*, pointing at this repository's `publish.yml` workflow.
+The publishing workflow uses [PyPI Trusted Publishing](https://docs.pypi.org/trusted-publishers/) (OpenID Connect), which means no API tokens need to be stored as secrets. This must be configured once in PyPI's project settings under *Publishing → Add a new publisher*, pointing at this repository's `publish.yml` workflow.
From 0f7bebe1e114cef7363884204b99851c2de5934d Mon Sep 17 00:00:00 2001
From: Ed Harrod
Date: Sat, 4 Apr 2026 19:19:46 +0100
Subject: [PATCH 4/4] ci: add workflow_dispatch trigger for manual publish testing
---
 .github/workflows/publish.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 732f814..f800ab5 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -3,6 +3,7 @@ name: Publish to PyPI
 on:
 release:
 types: [published]
+ workflow_dispatch:
 jobs:
 build:
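Review bot: With `workflow_dispatch:` added in PATCH 4/4, a manual run goes through the same `publish` job as a release, so "manual publish testing" performs a real upload to PyPI from whatever ref the run is started on, without the GitHub Release or the reviewed release PR that CONTRIBUTING.md describes. If manual runs are meant to exercise only the build, guard the job with `if: github.event_name == 'release'` on `publish`. Otherwise, limiting the `pypi` environment to release tags or required reviewers, and naming that environment on the PyPI trusted publisher, keeps a dispatch from an arbitrary branch from publishing. Whether those protections are configured cannot be seen from this diff.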