From e08335865d7df1d6268b6852d1952497aa3cee3e Mon Sep 17 00:00:00 2001
From: jdx <216188+jdx@users.noreply.github.com>
Date: Sun, 26 Apr 2026 18:35:35 -0500
Subject: [PATCH] fix(release): purge mise.en.dev CDN zone after each S3 publish
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
install.sh and install.sh.minisig are uploaded to S3 with `max-age=86400,immutable` cache-control, so each Cloudflare zone fronting the bucket serves the previous release's bytes for up to 24 hours unless explicitly purged. The publish step was already purging jdx.dev and mise.run, but never en.dev — so after a release, mise.en.dev would serve v(N-1)/install.sh next to a v(N) install.sh.minisig until the cache aged out, breaking minisign verification for anything pulling the bootstrap script via the canonical en.dev URL (jdx/mise#9414 e2e-0/e2e-1). Loop over all three zones instead of duplicating the curl block.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
scripts/publish-s3.sh | 29 ++++++++++++++++++-----------
1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/scripts/publish-s3.sh b/scripts/publish-s3.sh
index a86505ee51..e56f4f3f63 100755
--- a/scripts/publish-s3.sh
+++ b/scripts/publish-s3.sh
@@ -50,14 +50,21 @@ aws s3 cp artifacts/deb/dists/ "s3://$AWS_S3_BUCKET/deb/dists/" --cache-control
 export CLOUDFLARE_ACCOUNT_ID=6e243906ff257b965bcae8025c2fc344
-# jdx.dev
-curl --fail-with-body -X POST "https://api.cloudflare.com/client/v4/zones/90dfd7997bdcfa8579c52d8ee8dd4cd1/purge_cache" \
- -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
- -H "Content-Type: application/json" \
- --data '{ "purge_everything": true }'
-
-# mise.run
-curl --fail-with-body -X POST "https://api.cloudflare.com/client/v4/zones/782fc08181b7bbd26c529a00df52a277/purge_cache" \
- -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
- -H "Content-Type: application/json" \
- --data '{ "purge_everything": true }'
+# Purge every CDN zone that fronts the release artifacts. install.sh and
+# install.sh.minisig are uploaded with `immutable` cache-control, so without
+# an explicit purge per zone the CDN keeps serving the previous release's
+# bytes while a sibling zone serves the new ones — which is how mise.en.dev
+# ended up serving v(N-1)/install.sh next to a v(N) install.sh.minisig.
+ZONES=(
+ "jdx.dev:90dfd7997bdcfa8579c52d8ee8dd4cd1"
+ "en.dev:531d003297f1f4ae2415b41f7f5da8fa"
+ "mise.run:782fc08181b7bbd26c529a00df52a277"
+)
+for entry in "${ZONES[@]}"; do
+ IFS=":" read -r HOST ZONE_ID <<<"$entry"
+ echo "Purging CDN cache for $HOST (zone=$ZONE_ID)"
+ curl --fail-with-body -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/purge_cache" \
+ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+ -H "Content-Type: application/json" \
+ --data '{ "purge_everything": true }'
+done
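Review bot: A failed purge is not handled per zone in the new `for` loop. If the script runs under `set -e` (the shell options are outside this hunk), a curl failure for jdx.dev exits before en.dev and mise.run are purged; without `set -e`, only the last zone's exit status survives the loop and earlier failures pass silently. Either way a partial purge leaves zones serving different releases of install.sh and install.sh.minisig, which is the mismatch this commit sets out to remove. I would attempt every zone, collect the hosts whose purge failed, and exit non-zero after the loop so the release job fails visibly and names the stale zones.

```shell
failed=()
for entry in "${ZONES[@]}"; do
  # … unchanged: read HOST/ZONE_ID, echo, curl call and headers …
    --data '{ "purge_everything": true }' || failed+=("$HOST")
done
if (( ${#failed[@]} > 0 )); then
  echo "CDN purge failed for: ${failed[*]}" >&2
  exit 1
fi
```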