Add ability to purge cached results from a CDN

Signed-off-by: Spencer Schrock <[email protected]>

Author: spencerschrock

cron/config/config.go

@@ -56,6 +56,7 @@ const (
 	apiResultsBucketURL     string = "SCORECARD_API_RESULTS_BUCKET_URL"
 	inputBucketURL          string = "SCORECARD_INPUT_BUCKET_URL"
 	inputBucketPrefix       string = "SCORECARD_INPUT_BUCKET_PREFIX"
+	apiBaseURL              string = "SCORECARD_API_BASE_URL"
 )
 
 var (
@@ -357,3 +358,8 @@ func GetScorecardValues() (map[string]string, error) {
 func GetCriticalityValues() (map[string]string, error) {
 	return GetAdditionalParams("criticality")
 }
+
+// GetAPIBaseURL returns the base URL for the Scorecard API.
+func GetAPIBaseURL() (string, error) {
+	return getStringConfigValue(apiBaseURL, configYAML, "APIBaseURL", "api-base-url")
+}

cron/config/config.yaml

@@ -39,6 +39,7 @@ additional-params:
     prefix-file:
 
   scorecard:
+    api-base-url: https://cdn.scorecard.dev
     # API results bucket
     api-results-bucket-url: gs://ossf-scorecard-cron-results
     # TODO: Temporarily remove SAST and CI-Tests which require lot of GitHub API tokens.

cron/internal/cdn/client.go

@@ -0,0 +1,77 @@
+// Copyright 2026 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package cdn implements clients for CDN operations.
+package cdn
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+)
+
+var errPurgeFailed = errors.New("purge failed")
+
+// Purger is the interface for purging URLs from a CDN.
+type Purger interface {
+	Purge(ctx context.Context, url string) error
+}
+
+// FastlyClient implements Purger for Fastly.
+type FastlyClient struct {
+	token   string
+	baseURL string
+}
+
+// NewFastlyClient creates a new FastlyClient.
+func NewFastlyClient(token, baseURL string) *FastlyClient {
+	baseURL = strings.TrimSuffix(baseURL, "/")
+	return &FastlyClient{token: token, baseURL: baseURL}
+}
+
+// Purge purges the given URL from Fastly.
+// It sends a PURGE request to the given URL with the Fastly-Key header.
+func (c *FastlyClient) Purge(ctx context.Context, path string) error {
+	req, err := http.NewRequestWithContext(ctx, "PURGE", c.baseURL+path, nil)
+	if err != nil {
+		return fmt.Errorf("http.NewRequest: %w", err)
+	}
+	req.Header.Set("Fastly-Key", c.token)
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("http.Do: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("%w: %s", errPurgeFailed, resp.Status)
+	}
+	return nil
+}
+
+// NoOpClient is a no-op implementation of PurgeClient.
+type NoOpClient struct{}
+
+// NewNoOpClient creates a new NoOpClient.
+func NewNoOpClient() *NoOpClient {
+	return &NoOpClient{}
+}
+
+// Purge does nothing.
+func (c *NoOpClient) Purge(ctx context.Context, url string) error {
+	return nil
+}

cron/internal/cdn/client_test.go

@@ -0,0 +1,54 @@
+// Copyright 2026 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cdn
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+const token = "test-token"
+
+func TestFastlyClient_Purge(t *testing.T) {
+	t.Parallel()
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "PURGE" {
+			t.Errorf("expected method PURGE, got %s", r.Method)
+		}
+		if r.Header.Get("Fastly-Key") != token {
+			t.Errorf("expected Fastly-Key header %s, got %s", token, r.Header.Get("Fastly-Key"))
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+	client := NewFastlyClient(token, server.URL)
+	if err := client.Purge(context.Background(), "/foo"); err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+}
+
+func TestFastlyClient_Purge_Error(t *testing.T) {
+	t.Parallel()
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusInternalServerError)
+	}))
+	defer server.Close()
+	client := NewFastlyClient(token, server.URL)
+	if err := client.Purge(context.Background(), "/foo"); err == nil {
+		t.Error("expected error, got nil")
+	}
+}

cron/internal/worker/main.go

@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"net/http"
 	_ "net/http/pprof" //nolint:gosec
+	"os"
 	"strings"
 
 	"go.opencensus.io/stats/view"
@@ -35,6 +36,7 @@ import (
 	"github.com/ossf/scorecard/v5/clients/ossfuzz"
 	"github.com/ossf/scorecard/v5/cron/config"
 	"github.com/ossf/scorecard/v5/cron/data"
+	"github.com/ossf/scorecard/v5/cron/internal/cdn"
 	format "github.com/ossf/scorecard/v5/cron/internal/format"
 	"github.com/ossf/scorecard/v5/cron/monitoring"
 	"github.com/ossf/scorecard/v5/cron/worker"
@@ -89,6 +91,7 @@ type ScorecardWorker struct {
 	ciiClient         clients.CIIBestPracticesClient
 	ossFuzzRepoClient clients.RepoClient
 	vulnsClient       clients.VulnerabilitiesClient
+	purgeClient       cdn.Purger
 	apiBucketURL      string
 	rawBucketURL      string
 	blacklistedChecks []string
@@ -131,6 +134,25 @@ func newScorecardWorker() (*ScorecardWorker, error) {
 	}
 	sw.vulnsClient = clients.DefaultVulnerabilitiesClient()
 
+	// Use STORAGE_EMULATOR_HOST to determine if we're testing the worker locally,
+	// in which case we don't want to purge the CDN.
+	if os.Getenv("STORAGE_EMULATOR_HOST") != "" {
+		sw.logger.Info("API result CDN purging disabled, STORAGE_EMULATOR_HOST is set")
+		sw.purgeClient = cdn.NewNoOpClient()
+	} else {
+		apiBaseURL, err := config.GetAPIBaseURL()
+		if err != nil {
+			sw.logger.Info("API result CDN purging disabled, SCORECARD_API_BASE_URL not set")
+			sw.purgeClient = cdn.NewNoOpClient()
+		} else if purgeToken := os.Getenv("FASTLY_PURGE_TOKEN"); purgeToken == "" {
+			sw.logger.Info("API result CDN purging disabled, FASTLY_PURGE_TOKEN not set")
+			sw.purgeClient = cdn.NewNoOpClient()
+		} else {
+			sw.logger.Info("API result CDN purging enabled for " + apiBaseURL)
+			sw.purgeClient = cdn.NewFastlyClient(purgeToken, apiBaseURL)
+		}
+	}
+
 	if sw.exporter, err = startMetricsExporter(); err != nil {
 		return nil, fmt.Errorf("startMetricsExporter: %w", err)
 	}
@@ -152,7 +174,7 @@ func (sw *ScorecardWorker) Close() {
 func (sw *ScorecardWorker) Process(ctx context.Context, req *data.ScorecardBatchRequest, bucketURL string) error {
 	return processRequest(ctx, req, sw.blacklistedChecks, bucketURL, sw.rawBucketURL, sw.apiBucketURL,
 		sw.checkDocs, sw.githubClient, sw.gitlabClient, sw.ossFuzzRepoClient, sw.ciiClient,
-		sw.vulnsClient, sw.logger)
+		sw.vulnsClient, sw.purgeClient, sw.logger)
 }
 
 func (sw *ScorecardWorker) PostProcess() {
@@ -167,6 +189,7 @@ func processRequest(ctx context.Context,
 	githubClient, gitlabClient clients.RepoClient, ossFuzzRepoClient clients.RepoClient,
 	ciiClient clients.CIIBestPracticesClient,
 	vulnsClient clients.VulnerabilitiesClient,
+	purgeClient cdn.Purger,
 	logger *log.Logger,
 ) error {
 	filename := worker.ResultFilename(batchRequest)
@@ -276,10 +299,18 @@ func processRequest(ctx context.Context,
 		if err := data.WriteToBlobStore(ctx, apiBucketURL, exportPath, exportBuffer.Bytes()); err != nil {
 			return fmt.Errorf("error during writing to exportBucketURL: %w", err)
 		}
+		path := fmt.Sprintf("/projects/%s", repo.URI())
+		if err := purgeClient.Purge(ctx, path); err != nil {
+			logger.Info(fmt.Sprintf("failed to purge CDN for %s: %v", path, err))
+		}
 		// Export result based on commitSHA.
 		if err := data.WriteToBlobStore(ctx, apiBucketURL, exportCommitSHAPath, exportBuffer.Bytes()); err != nil {
 			return fmt.Errorf("error during exportBucketURL with commit SHA: %w", err)
 		}
+		path = fmt.Sprintf("/projects/%s?commit=%s", repo.URI(), result.Repo.CommitSHA)
+		if err := purgeClient.Purge(ctx, path); err != nil {
+			logger.Info(fmt.Sprintf("failed to purge CDN for %s: %v", path, err))
+		}
 		// Export raw result.
 		if err := data.WriteToBlobStore(ctx, apiBucketURL, exportRawPath, exportRawBuffer.Bytes()); err != nil {
 			return fmt.Errorf("error during writing to exportBucketURL for raw results: %w", err)

cron/k8s/worker.release.yaml

@@ -57,6 +57,11 @@ spec:
                 secretKeyRef:
                   name: gitlab
                   key: auth_token
+            - name: FASTLY_PURGE_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: fastly
+                  key: purge_token
             - name: "SCORECARD_API_RESULTS_BUCKET_URL"
               value: "gs://ossf-scorecard-cron-releasetest-results"
           volumeMounts: