Add a separate action for removing old wheels

.github/workflows/remove-wheels.yml

@@ -3,7 +3,7 @@ name: Remove old wheels
 on:
   # Run daily at 1:23 UTC
   schedule:
-  - cron:  '23 1 * * *'
+    - cron: '23 1 * * *'
   workflow_dispatch:
 
 concurrency:
@@ -30,16 +30,7 @@ jobs:
       name: remove-old-wheels
 
     steps:
-      - name: Install micromamba and anaconda-client
-        uses: mamba-org/setup-micromamba@f8b8a1e23a26f60a44c853292711bacfd3eac822  # v1.9.0
-        with:
-          environment-name: remove-wheels
-          create-args: >-
-            python=3.12
-            anaconda-client=1.12.3
-            curl
-            jq
-
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - name: Show environment
         run: env
 
@@ -49,64 +40,9 @@ jobs:
           echo ""
           anaconda remove --help
 
-      - name: Query package index for packages
-        run: |
-          curl https://raw.githubusercontent.com/scientific-python/upload-nightly-action/main/packages-ignore-from-cleanup.txt --output packages-ignore-from-cleanup.txt
-          anaconda show "${ANACONDA_USER}" &> >(grep "${ANACONDA_USER}/") | \
-              awk '{print $1}' | \
-              sed 's|.*/||g' | \
-              grep -vf packages-ignore-from-cleanup.txt > package-names.txt
-
-      - name: Remove old uploads to save space
-        run: |
-          # Remove all _but_ the last ${N_LATEST_UPLOADS} package versions and
-          # remove all package versions older than 30 days.
-
-          if [ -s package-names.txt ]; then
-              threshold_date="$(date +%F -d '30 days ago')"
-
-              # Remember can't quote subshell as need to split on (space seperated) token
-              for package_name in $(cat package-names.txt); do
-
-                  echo -e "\n# package: ${package_name}"
-
-                  curl --silent https://api.anaconda.org/package/"${ANACONDA_USER}/${package_name}" | \
-                      jq -r '.releases[].version' > package-versions.txt
-                  head --lines "-${N_LATEST_UPLOADS}" package-versions.txt > remove-package-versions.txt
-
-                  for package_version in $(cat package-versions.txt); do
-                    # c.f. https://github.com/Anaconda-Platform/anaconda-client/issues/682#issuecomment-1677283067
-                    upload_date=$(curl --silent https://api.anaconda.org/release/"${ANACONDA_USER}/${package_name}/${package_version}" | \
-                        jq -r '.distributions[].upload_time' | \
-                        sort | \
-                        tail --lines 1 | \
-                        awk '{print $1}')
-
-                    # check upload_date is YYYY-MM-DD formatted
-                    # c.f. https://github.com/scientific-python/upload-nightly-action/issues/73
-                    if [[ "${upload_date}" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]]; then
-                        if [[ "${upload_date}" < "${threshold_date}" ]]; then
-                            echo "# ${ANACONDA_USER}/${package_name}/${package_version} last uploaded on ${upload_date}"
-                            echo "${package_version}" >> remove-package-versions.txt
-                        fi
-                    else
-                        echo "# ERROR: ${ANACONDA_USER}/${package_name}/${package_version} upload date ${upload_date} is not YYYY-MM-DD."
-                    fi
-
-                  done
-
-                  if [ -s remove-package-versions.txt ]; then
-                      # Guard against duplicate entries from packages over
-                      # count and time thresholds
-                      sort --output remove-package-versions.txt --unique remove-package-versions.txt
-
-                      for package_version in $(cat remove-package-versions.txt); do
-                          echo "# Removing ${ANACONDA_USER}/${package_name}/${package_version}"
-                          anaconda --token ${{ secrets.ANACONDA_TOKEN }} remove \
-                            --force \
-                            "${ANACONDA_USER}/${package_name}/${package_version}"
-                      done
-                  fi
-
-              done
-          fi
+      - name: Remove old wheels
+        uses: ./remove-wheels
+        with:
+          n_latest_uploads: ${{ env.N_LATEST_UPLOADS }}
+          anaconda_nightly_upload_organization: ${{ env.ANACONDA_USER }}
+          anaconda_nightly_token: ${{ secrets.ANACONDA_TOKEN }}

README.md

@@ -18,11 +18,44 @@ jobs:
         anaconda_nightly_upload_token: ${{secrets.UPLOAD_TOKEN}}
 ```
 
-Note that we recommend pinning the action against a specific SHA
+> [!IMPORTANT]
+> Note that we recommend pinning the action against a specific SHA
 (rather than a tag), to guard against the unlikely event of upstream
 being compromised.
 
-## Updating the action
+## Removing old nightly builds
+
+This repository also ships with an action to ease removals of older nightly wheels from a channel.
+
+Please note that the default configuration below will remove all but the `n_latest_uploads`
+latest uploads from the channel. This is useful to avoid hosting outdated development
+versions, as well as to clean up space.
+
+Note that the ``scientific-python-nightly-wheels`` channel, specifically, already removes
+old artifacts daily. The `remove-wheels` action is, therefore, intended for use with
+other channels.
+
+If you do not wish to have this automated cleanup, please [open an issue](https://github.com/scientific-python/upload-nightly-action/)
+to be added to the list of packages exempt from it. The current ones are named in
+[`packages-ignore-from-cleanup.txt`](packages-ignore-from-cleanup.txt).
+
+Please refer to the [artifact cleanup policy][] for more information.
+
+To use this functionality, add the following snippet to your workflow:
+
+```yml
+jobs:
+  steps:
+    ...
+    - name: Remove old wheels
+      uses: scientific-python/upload-nightly-action/remove-wheels@cantknowhashyet # 0.6.0
+      with:
+        n_latest_uploads: ${{ env.N_LATEST_UPLOADS }}
+        anaconda_nightly_upload_organization: "your-organization"
+        anaconda_nightly_token: ${{secrets.ANACONDA_TOKEN}}
+```
+
+## Updating the actions
 
 You can [use Dependabot to keep the GitHub Action up to date][],
 with a `.github/dependabot.yml` config file similar to:
@@ -45,7 +78,7 @@ then generate a token at `https://anaconda.org/<anaconda cloud user name>/settin
 with permissions to _Allow write access to the API site_ and _Allow uploads to Standard Python repositories_,
 and add the token as a secret to your GitHub repository.
 
-## Using a different channel
+## Using a channel other than ``scientific-python-nightly-wheels``
 
 This Github Action can upload your nightly builds to a different channel. To do so,
 define the `anaconda_nightly_upload_organization` variable. Furthermore,
@@ -65,6 +98,15 @@ jobs:
         anaconda_nightly_upload_labels: dev
 ```
 
+Similarly, to delete old wheels from a different channel, you can use the `anaconda_nightly_organization`
+parameter as described above.
+
+Please note that the `anaconda_nightly_token` secret must have the necessary permissions to
+remove artifacts from the channel. A token for a particular package will delete only the
+artifacts uploaded by that package. If you need to delete artifacts uploaded by other packages
+similar to the `scientific-python-nightly-wheels` channel here, you will need to use a token
+for the organization with higher permissions that lets you delete packages organization-wide.
+
 ## Artifact cleanup-policy at the ``scientific-python-nightly-wheels`` channel
 
 To avoid hosting outdated development versions, as well as to clean up space, we do have a
@@ -112,3 +154,4 @@ dependencies:
 [PyPI]: https://pypi.org/
 [scientific-python nightly channel]: https://anaconda.org/scientific-python-nightly-wheels
 [SPEC4 — Using and Creating Nightly Wheels]: https://scientific-python.org/specs/spec-0004/
+[artifact cleanup policy]: #artifact-cleanup-policy-at-the-scientific-python-nightly-wheels-channel

action.yml

@@ -1,4 +1,4 @@
-name: Upload Nightly
+name: Scientific Python / Upload Nightly Wheels
 description: A GitHub Action to upload artifacts nightly
 permissions:
   actions: read

remove-wheels/action.yml

@@ -0,0 +1,46 @@
+name: Scientific Python / Remove Old Wheels
+description: A GitHub Action to remove old wheels
+permissions:
+  actions: read
+  contents: read
+  metadata: read
+author: "Scientific-Python"
+# TODO: have to think about versioning; whether to version separately, or
+# for it to be in sync with the version for the upload action
+version: "0.1.0" # should be kept in sync with the version in remove-wheels/pixi.toml
+
+inputs:
+  n_latest_uploads:
+    description: 'The number of previous wheel uploads to keep'
+    required: false
+    default: '5'
+  anaconda_nightly_upload_organization:
+    description: 'Anaconda Cloud organisation name to remove the wheels from'
+    required: false
+    default: scientific-python-nightly-wheels
+  anaconda_nightly_token:
+    description: 'Anaconda Cloud API token to authenticate with'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Set up pixi
+      uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659  # v0.8.1
+      with:
+        locked: true
+        cache: true
+        cache-write: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
+        # Avoid post cleanup errors if action run multiple times
+        post-cleanup: false
+        # Action consumers should load the lock file from the action repo
+        manifest-path: ${{ github.action_path }}/pixi.toml
+
+    - name: Remove old wheels
+      shell: bash
+      env:
+        INPUT_N_LATEST_UPLOADS: ${{ inputs.n_latest_uploads }}
+        INPUT_ANACONDA_USER: ${{ inputs.anaconda_user }}
+        INPUT_ANACONDA_TOKEN: ${{ inputs.anaconda_token }}
+      run: |
+        pixi run --manifest-path ${{ github.action_path }}/remove-wheels/pixi.toml ${{ github.action_path }}/remove_wheels.sh