fix(ci): Add Cloudflare cache purging to rules deployment workflow#533
shivasurya merged 2 commits into main on Feb 16, 2026
## Problem

After deploying updated rule bundles to R2, Cloudflare serves cached versions for up to 24 hours, causing checksum verification failures:

```
Error: checksum mismatch: expected eb37afa9..., got eef87ec7...
```

## Root Cause

ZIP files are uploaded with cache headers:

```
cache-control: max-age=86400, immutable, public  # 24 hour cache
```

When new ZIPs are deployed (e.g., after the deterministic ZIP fix in #532), Cloudflare edge locations continue serving old cached versions until the TTL expires, even though the new files exist on origin.

## Verification

Confirmed the cache issue by bypassing the cache with query parameters:

```bash
# Without cache-buster (OLD cached file)
$ curl -s https://assets.codepathfinder.dev/rules/python/deserialization.zip | sha256sum
eef87ec74cd2772aa5a62f64df38026afdfbd84debc4e342590beb109a8a90e4

# With cache-buster (NEW file from origin)
$ curl -s "https://assets.codepathfinder.dev/rules/python/deserialization.zip?nocache=1" | sha256sum
eb37afa960dadb50469a5ad55a75ff7b60e8a156d37809299a4f659326d7a46d  ← Correct!
```

## Solution

Added automatic Cloudflare cache purging after successful R2 upload:

1. **Collects all ZIP URLs** from the dist/rules directory
2. **Calls the Cloudflare Purge API** to invalidate cached files
3. **Gracefully handles missing credentials** (logs a warning, non-blocking)
4. **Provides clear feedback** on purge success/failure

## Implementation

**New workflow step:**

```yaml
- name: Purge Cloudflare cache
  env:
    CLOUDFLARE_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }}
    CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
  run: |
    # Builds JSON array of file URLs
    # Calls: POST /zones/{zone_id}/purge_cache
    # Purges all uploaded ZIP files
```

**API Call:**

```bash
curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/purge_cache" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"files":["https://assets.codepathfinder.dev/rules/python/deserialization.zip", ...]}'
```

## Configuration Required

Add these GitHub Secrets to enable cache purging:

1. **CLOUDFLARE_ZONE_ID**: Zone ID for codepathfinder.dev
2. **CLOUDFLARE_API_TOKEN**: API token with "Cache Purge" permission

**To create the API token:**

- Cloudflare Dashboard → My Profile → API Tokens
- Create Token → Custom Token
- Permissions: Zone → Cache Purge → Purge
- Zone Resources: Include → Specific zone → codepathfinder.dev

## Behavior

**With credentials configured:**

```
🔄 Purging Cloudflare cache for updated rule bundles...
✅ Cache purged successfully for all rule bundles
```

**Without credentials (graceful degradation):**

```
⚠️ Cloudflare credentials not configured - skipping cache purge
Add CLOUDFLARE_ZONE_ID and CLOUDFLARE_API_TOKEN secrets to enable automatic cache purging
Files will be available after cache expires (24h)
```

## Files Changed

| File | Changes | Description |
|------|---------|-------------|
| `.github/workflows/deploy-rules.yml` | +47 lines | Add Cloudflare cache purge step |

## Impact

- **✓ Immediate availability**: New rules accessible within seconds of deployment
- **✓ No more checksum errors**: Users get the latest files immediately
- **✓ Non-blocking**: Missing credentials don't break deployment
- **✓ Backward compatible**: Works with or without secrets

## Dependencies

- **← PR #532**: Deterministic ZIP creation (already merged)
- **Requires**: GitHub Secrets configuration (CLOUDFLARE_ZONE_ID, CLOUDFLARE_API_TOKEN)

## Testing

Once secrets are configured, test by:

1. Triggering a manual workflow run
2. Checking logs for "✅ Cache purged successfully"
3. Verifying immediate file availability (no 24h wait)
SafeDep Report Summary: No dependency changes detected. Nothing to scan. This report is generated by the SafeDep GitHub App.

Code Pathfinder Security Scan: No security issues detected. Powered by Code Pathfinder.
- Don't print full API response (may contain sensitive data)
- Write response to temp file instead of printing
- Only show HTTP status code on failure
- Count files purged instead of listing all URLs
- Clean up temp response file after use

This prevents potential exposure of:

- Cloudflare zone details
- API response metadata
- Error messages with internal details
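A purge step that follows the design in the PR description and the hardening listed in the commit message above, written here as an added example rather than the workflow's own code: it assumes the dist/rules layout, the assets.codepathfinder.dev/rules base URL and the CLOUDFLARE_ZONE_ID / CLOUDFLARE_API_TOKEN secrets named in the PR; the function names are mine, and whether a failed purge (as opposed to missing secrets) should fail the job is left to the caller via the return code.

```shell
# Added example, not the project's workflow code. Assumes the dist/rules layout,
# the assets.codepathfinder.dev base URL and the two secrets named in PR #533.
set -eu
BASE_URL="${BASE_URL:-https://assets.codepathfinder.dev/rules}"
DIST_DIR="${DIST_DIR:-dist/rules}"

# Build {"files":[...]} from every .zip under $1, mapping
# $1/python/deserialization.zip -> $2/python/deserialization.zip
build_purge_payload() {
  find "$1" -type f -name '*.zip' | sort | {
    files=""
    while IFS= read -r f; do files="$files,\"$2/${f#"$1"/}\""; done
    printf '{"files":[%s]}' "${files#,}"
  }
}
# Count URLs in a payload so logs report a number, not every URL.
count_payload_files() {
  printf '%s' "$1" | grep -o '"https*://[^"]*"' | wc -l | tr -d ' '
}
# POST the payload to the purge API. Missing secrets only warn (non-blocking).
# The response body goes to a temp file that is never printed and is removed
# afterwards; on failure only the HTTP status is shown.
purge_cloudflare_cache() {
  zone="${CLOUDFLARE_ZONE_ID:-}"; token="${CLOUDFLARE_API_TOKEN:-}"
  if [ -z "$zone" ] || [ -z "$token" ]; then
    echo "Cloudflare credentials not configured - skipping cache purge"
    echo "Files will be available after cache expires (24h)"
    return 0
  fi
  tmp="$(mktemp)"
  status="$(curl -sS -o "$tmp" -w '%{http_code}' -X POST \
    "https://api.cloudflare.com/client/v4/zones/$zone/purge_cache" \
    -H "Authorization: Bearer $token" -H "Content-Type: application/json" \
    --data "$1")" || status="000"
  if [ "$status" = "200" ] && grep -Eq '"success": ?true' "$tmp"; then
    echo "Cache purged successfully for $(count_payload_files "$1") rule bundles"
    rc=0
  else
    echo "Cache purge failed (HTTP $status)" >&2; rc=1
  fi
  rm -f "$tmp"; return "$rc"
}
# Workflow entry point; a missing dist/rules is reported, not fatal.
main() {
  [ -d "$DIST_DIR" ] || { echo "No $DIST_DIR directory, nothing to purge"; return 0; }
  echo "Purging Cloudflare cache for updated rule bundles..."
  purge_cloudflare_cache "$(build_purge_payload "$DIST_DIR" "$BASE_URL")"
}
main
```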
Codecov Report: ✅ All modified and coverable lines are covered by tests.

```
@@            Coverage Diff            @@
##             main     #533   +/-   ##
=======================================
  Coverage   82.74%   82.74%
=======================================
  Files         133      133
  Lines       15666    15666
=======================================
  Hits        12963    12963
  Misses       2222     2222
  Partials      481      481
```

☔ View full report in Codecov by Sentry.