Skip to content

feat: support on-demand revalidation via graphql_purge#3810

Merged
jasonbahl merged 5 commits into
mainfrom
feat/on-demand-revalidation
May 8, 2026
Merged

feat: support on-demand revalidation via graphql_purge#3810
jasonbahl merged 5 commits into
mainfrom
feat/on-demand-revalidation

Conversation

@jasonbahl

@jasonbahl jasonbahl commented May 8, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Adds a Smart Cache docs page (docs/on-demand-revalidation.md) that walks through using the graphql_purge action to drive on-demand revalidation in static frontends — covering key formats, key-to-path translation, per-request batching, and header-based webhook auth, with a Next.js example.
  • Adds a Pages-Router API route at websites/wpgraphql.com/src/pages/api/revalidate.ts that receives { paths: string[] }, authenticates via X-WPGraphQL-Revalidate-Secret (constant-time compare against WPGRAPHQL_REVALIDATE_SECRET), and calls res.revalidate() per path with per-path failure reporting.
  • Fills in the matching stub in docs/extending.md so the new page is discoverable from there.

The 5s ISR fallback in getTemplateStaticProps is intentionally not changed in this PR. Once the on-demand path is verified end to end on production (with the WP-side mu-plugin from the docs example), a follow-up can bump it to ~300s as a safety net for any CMS changes Smart Cache doesn't track.

No code is shipped inside wp-graphql-smart-cache itself — only docs. The intent is to validate the pattern via dogfooding before deciding whether any of this should be packaged into the plugin.

Test plan

  • Smart Cache docs render correctly and all relative links resolve
  • Verified locally: GET → 405, POST without/with-wrong secret → 401, malformed body → 400, valid request → 200 with { revalidated, failed } shape
  • After deploy: drop the documented mu-plugin onto the wpgraphql.com WP install, set MY_REVALIDATE_SECRET and WPGRAPHQL_REVALIDATE_SECRET to matching values, save a post, confirm the affected page rebuilds without waiting for the 5s ISR window
  • Follow-up PR (separate): bump revalidate from 5s to ~300s once on-demand is confirmed working

jasonbahl added 2 commits May 8, 2026 09:57
@jasonbahl
docs(smart-cache): document on-demand revalidation via graphql_purge
78649d0 
Adds a dedicated guide showing how to listen for the graphql_purge action
and trigger framework-level revalidation (Next.js as the running example),
covering key formats, key-to-path translation, per-request batching, and
header-based webhook auth. Also fills in the matching stub in extending.md.
@jasonbahl
feat(site): add /api/revalidate endpoint for on-demand revalidation
2137b45 
Receives webhook POSTs containing { paths: string[] } and calls
res.revalidate() for each. Authenticates via the
X-WPGraphQL-Revalidate-Secret header (constant-time comparison)
against WPGRAPHQL_REVALIDATE_SECRET env. Validates path shape and
caps the batch at 100 entries; failures are reported per-path
without aborting the request.

Pairs with the on-demand revalidation guide added to
wp-graphql-smart-cache. The 5s ISR fallback in
getTemplateStaticProps is intentionally left in place until the
on-demand path has been validated end to end on production.
@vercel

vercel Bot commented May 8, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
wpgraphql-com Ready Ready Preview, Comment May 8, 2026 4:29pm

github-advanced-security[bot]
github-advanced-security AI found potential problems May 8, 2026
View reviewed changes
Comment thread websites/wpgraphql.com/src/pages/api/revalidate.ts Fixed
jasonbahl added 3 commits May 8, 2026 10:23
@jasonbahl
chore(site): raise ISR revalidate window from 5s to 300s
4b42389 
With on-demand revalidation now wired up via /api/revalidate, the 5s
ISR window obscures verification: any change appears fresh within
seconds even if the webhook never fired. Bumping to 5 minutes makes
on-demand the only path to near-immediate updates while still
providing a bounded stale-window if the webhook silently fails.
@jasonbahl
fix(site): quiet CodeQL format-string-with-user-input warning
b850a81 
Pass `path` as a positional %s argument to console.error rather than
interpolating it into the format string. Template literals aren't real
format strings, but keeping user input out of the format-string slot
satisfies CodeQL and is a tidier pattern regardless.
@jasonbahl
docs(smart-cache): restore @todo for emitting custom purge events
e3489af 
The previous edit overloaded the 'Purging in response to a custom event'
section with content about *listening* to graphql_purge, but that
section's original intent was the opposite direction: how plugins with
custom tables can *emit* purge events when their own data changes
(mirroring what Invalidation.php does for core WP types).

Restores the @todo with a sketch of what it should cover, and splits
the on-demand revalidation pointer into its own dedicated section.
@jasonbahl jasonbahl merged commit 6c1d176 into main May 8, 2026
41 checks passed
@jasonbahl jasonbahl deleted the feat/on-demand-revalidation branch May 8, 2026 16:54
@jasonbahl jasonbahl mentioned this pull request May 8, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer
@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jasonbahl @github-advanced-security