-
Notifications
You must be signed in to change notification settings - Fork 1
83 lines (75 loc) · 3.05 KB
/
Copy pathpypi-release-retention.yaml
File metadata and controls
83 lines (75 loc) · 3.05 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
name: pypi-release-retention
on:
workflow_dispatch:
inputs:
runner:
description: "Runner label. Use self-hosted/static-IP for unattended PyPI web deletion."
required: false
default: "ubuntu-latest"
protect_version:
description: "PyPI release version to keep. Older releases are deleted."
required: true
packages:
description: "Optional comma- or space-separated package names. Default: release packages where the protected version is visible."
required: false
permissions:
contents: read
actions: read
jobs:
retention:
runs-on: ${{ inputs.runner }}
env:
PYPI_RELEASE_PRUNE_USERNAME: ${{ secrets.PYPI_RELEASE_PRUNE_USERNAME }}
PYPI_RELEASE_PRUNE_PASSWORD: ${{ secrets.PYPI_RELEASE_PRUNE_PASSWORD }}
PYPI_RELEASE_PRUNE_TOTP_SECRET: ${{ secrets.PYPI_RELEASE_PRUNE_TOTP_SECRET }}
PYPI_RELEASE_PRUNE_OTP: ${{ secrets.PYPI_RELEASE_PRUNE_OTP }}
PYPI_CONFIRM_READER_TOKEN: ${{ secrets.PYPI_CONFIRM_READER_TOKEN }}
steps:
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Setup Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.13"
- name: Install PyPI retention dependencies
run: python -m pip install --upgrade --no-cache-dir packaging pypi-cleanup requests
- name: Delete older PyPI releases and keep the protected release only
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euxo pipefail
test -n "${PYPI_CONFIRM_READER_TOKEN:-}" || {
echo "PYPI_CONFIRM_READER_TOKEN secret is required to read the temporary PyPI confirmation variable." >&2
exit 2
}
packages="${{ inputs.packages }}"
package_file="$(mktemp)"
if [[ -z "$packages" ]]; then
python - <<'PY' > "$package_file"
from tools.release_plan import release_plan
for package in release_plan()["provenance_packages"]:
print(package)
PY
else
python - "$packages" > "$package_file" <<'PY'
import re
import sys
for package in re.split(r"[\s,]+", sys.argv[1].strip()):
if package:
print(package)
PY
fi
python tools/pypi_release_retention.py \
--repo pypi \
--packages-file "$package_file" \
--protect-version "${{ inputs.protect_version }}" \
--select-visible-protected-packages \
--confirm-delete \
--direct-web-only \
--json \
--github-step-summary "$GITHUB_STEP_SUMMARY" \
--github-confirm-login-repository "$GITHUB_REPOSITORY" \
--github-confirm-login-variable "PYPI_CONFIRM_LOGIN_URL" \
--github-confirm-login-timeout 1800 \
--github-confirm-login-poll-delay 5 \
--github-token "$PYPI_CONFIRM_READER_TOKEN"