Sync exported APIs on moderation + delete a moderated version's exported files.

app/lib/admin/actions/moderate_package.dart

@@ -4,6 +4,7 @@
 
 import '../../admin/backend.dart';
 import '../../admin/models.dart';
+import '../../package/api_export/api_exporter.dart';
 import '../../package/backend.dart';
 import '../../package/models.dart';
 import '../../shared/datastore.dart';
@@ -81,6 +82,9 @@ Note: the action may take a longer time to complete as the public archive bucket
         return pkg;
       });
 
+      // sync exported API(s)
+      await apiExporter?.synchronizePackage(package);
+
       // retract or re-populate public archive files
       await packageBackend.tarballStorage.updatePublicArchiveBucket(
         package: package,

app/lib/admin/actions/moderate_package_versions.dart

@@ -5,6 +5,7 @@
 import 'package:_pub_shared/utils/sdk_version_cache.dart';
 import 'package:clock/clock.dart';
 
+import '../../package/api_export/api_exporter.dart';
 import '../../package/backend.dart';
 import '../../package/models.dart';
 import '../../scorecard/backend.dart';
@@ -114,6 +115,9 @@ Set the moderated flag on a package version (updating the flag and the timestamp
         return v;
       });
 
+      // sync exported API(s)
+      await apiExporter?.synchronizePackage(package);
+
       // retract or re-populate public archive files
       await packageBackend.tarballStorage.updatePublicArchiveBucket(
         package: package,

app/lib/package/api_export/api_exporter.dart

@@ -216,6 +216,19 @@ final class ApiExporter {
     final versions = await packageBackend.tarballStorage
         .listVersionsInCanonicalBucket(package);
 
+    // Check versions that are not exposed in the public API and if they are moderated, delete them.
+    for (final cv in versions.entries) {
+      final version = cv.key;
+      if (versionListing.versions.any((v) => v.version == version)) {
+        continue;
+      }
+      final pv = await packageBackend.lookupPackageVersion(package, version);
+      if (pv != null && pv.isModerated) {
+        // We only delete the package if it is explicitly moderated.
+        // If we can't find it, then it's safer to assume that it's a bug.
+        await _api.package(package).deleteVersion(version);
+      }
+    }
     // Remove versions that are not exposed in the public API.
     versions.removeWhere(
       (version, _) => !versionListing.versions.any((v) => v.version == version),

app/lib/package/api_export/exported_api.dart

@@ -402,6 +402,13 @@ final class ExportedPackage {
       }),
     ]);
   }
+
+  /// Deletes the files related to this package and [version].
+  Future<void> deleteVersion(String version) async {
+    await Future.wait([
+      tarball(version).delete(),
+    ]);
+  }
 }
 
 /// Information about an object to be used as source in a copy operation.

app/test/admin/moderate_package_test.dart

@@ -20,6 +20,7 @@ import 'package:pub_dev/scorecard/backend.dart';
 import 'package:pub_dev/search/backend.dart';
 import 'package:pub_dev/shared/configuration.dart';
 import 'package:pub_dev/shared/datastore.dart';
+import 'package:pub_dev/shared/versions.dart';
 import 'package:test/test.dart';
 
 import '../admin/models_test.dart';
@@ -294,15 +295,27 @@ void main() {
       expect(docs3!.where((d) => d.package == 'oxygen'), isNotEmpty);
     });
 
-    testWithProfile('archives are removed from public bucket', fn: () async {
-      final publicUri = Uri.parse('${activeConfiguration.storageBaseUrl}'
-          '/${activeConfiguration.publicPackagesBucketName}'
-          '/packages/oxygen-1.0.0.tar.gz');
+    testWithProfile('archives are removed from public buckets', fn: () async {
+      final publicUrls = [
+        '${activeConfiguration.storageBaseUrl}'
+            '/${activeConfiguration.publicPackagesBucketName}'
+            '/packages/oxygen-1.0.0.tar.gz',
+        '${activeConfiguration.storageBaseUrl}'
+            '/${activeConfiguration.exportedApiBucketName}'
+            '/latest/api/archives/oxygen-1.0.0.tar.gz',
+        '${activeConfiguration.storageBaseUrl}'
+            '/${activeConfiguration.exportedApiBucketName}'
+            '/$runtimeVersion/api/archives/oxygen-1.0.0.tar.gz',
+      ];
 
       Future<Uint8List?> expectStatusCode(int statusCode) async {
-        final rs1 = await http.get(publicUri);
-        expect(rs1.statusCode, statusCode);
-        return rs1.bodyBytes;
+        final rs = await Future.wait(
+            publicUrls.map((url) => http.get(Uri.parse(url))));
+        for (final r in rs) {
+          expect(r.statusCode, statusCode);
+          expect(r.bodyBytes, rs.first.bodyBytes);
+        }
+        return rs.first.bodyBytes;
       }
 
       final bytes = await expectStatusCode(200);

app/test/admin/moderate_package_version_test.dart

@@ -2,6 +2,8 @@
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
+import 'dart:convert';
+import 'dart:io';
 import 'dart:typed_data';
 
 import 'package:_pub_shared/data/account_api.dart';
@@ -19,6 +21,7 @@ import 'package:pub_dev/search/backend.dart';
 import 'package:pub_dev/shared/configuration.dart';
 import 'package:pub_dev/shared/datastore.dart';
 import 'package:pub_dev/shared/exceptions.dart';
+import 'package:pub_dev/shared/versions.dart';
 import 'package:pub_dev/task/backend.dart';
 import 'package:test/test.dart';
 
@@ -141,7 +144,7 @@ void main() {
       expect(optionsUpdates.isRetracted, true);
     });
 
-    testWithProfile('cannot moderated last visible version', fn: () async {
+    testWithProfile('cannot moderate last visible version', fn: () async {
       await _moderate('oxygen', '1.2.0', state: true);
       final p1 = await packageBackend.lookupPackage('oxygen');
       expect(p1!.latestVersion, '1.0.0');
@@ -186,15 +189,29 @@ void main() {
       );
     });
 
-    testWithProfile('archive file is removed from public bucket', fn: () async {
+    testWithProfile('archive file is removed from public buckets',
+        fn: () async {
       Future<Uint8List?> expectStatusCode(int statusCode,
           {String version = '1.0.0'}) async {
-        final publicUri = Uri.parse('${activeConfiguration.storageBaseUrl}'
-            '/${activeConfiguration.publicPackagesBucketName}'
-            '/packages/oxygen-$version.tar.gz');
-        final rs1 = await http.get(publicUri);
-        expect(rs1.statusCode, statusCode);
-        return rs1.bodyBytes;
+        final publicUrls = [
+          '${activeConfiguration.storageBaseUrl}'
+              '/${activeConfiguration.publicPackagesBucketName}'
+              '/packages/oxygen-$version.tar.gz',
+          '${activeConfiguration.storageBaseUrl}'
+              '/${activeConfiguration.exportedApiBucketName}'
+              '/latest/api/archives/oxygen-$version.tar.gz',
+          '${activeConfiguration.storageBaseUrl}'
+              '/${activeConfiguration.exportedApiBucketName}'
+              '/$runtimeVersion/api/archives/oxygen-$version.tar.gz',
+        ];
+
+        final rs = await Future.wait(
+            publicUrls.map((url) => http.get(Uri.parse(url))));
+        for (final r in rs) {
+          expect(r.statusCode, statusCode);
+          expect(r.bodyBytes, rs.first.bodyBytes);
+        }
+        return rs.first.bodyBytes;
       }
 
       final bytes = await expectStatusCode(200);
@@ -215,6 +232,32 @@ void main() {
       expect(restoredBytes, bytes);
     });
 
+    testWithProfile('versions file is updated in exported bucket',
+        fn: () async {
+      Future<void> expectIncluded(String version, bool isIncluded) async {
+        final prefixes = ['latest', runtimeVersion];
+        for (final prefix in prefixes) {
+          final url = '${activeConfiguration.storageBaseUrl}'
+              '/${activeConfiguration.exportedApiBucketName}'
+              '/$prefix/api/packages/oxygen';
+          final rs = await http.get(Uri.parse(url));
+          expect(rs.statusCode, 200);
+          final data = json.decode(utf8.decode(gzip.decode(rs.bodyBytes)))
+              as Map<String, dynamic>;
+          final versions = (data['versions'] as List)
+              .map((i) => (i as Map)['version'])
+              .toSet();
+          expect(versions.contains(version), isIncluded);
+        }
+      }
+
+      await expectIncluded('1.0.0', true);
+      await _moderate('oxygen', '1.0.0', state: true);
+      await expectIncluded('1.0.0', false);
+      await _moderate('oxygen', '1.0.0', state: false);
+      await expectIncluded('1.0.0', true);
+    });
+
     testWithProfile('search is updated with new version', fn: () async {
       await searchBackend.doCreateAndUpdateSnapshot(
         FakeGlobalLockClaim(clock.now().add(Duration(seconds: 3))),