
feat: add --secrets-file parameter to wrangler versions upload

Open devin-ai-integration[bot] opened this issue 3 months ago • 8 comments

Devin PR requested by [email protected]

This PR adds support for uploading secrets alongside Worker deployments using a --secrets-file parameter on both wrangler deploy and wrangler versions upload commands.

Changes

Added a new --secrets-file parameter that accepts a path to either a JSON or .env file containing secrets. When provided, the secrets are uploaded as part of the deployment/version upload operation, with keepSecrets: true to inherit any secrets not specified in the file (matching the behavior of wrangler versions secret bulk).

Key implementation details:

  • Reuses the existing parseBulkInputToObject() function from the secrets module to parse both JSON and .env formats
  • Secrets are added as rawBindings of type secret_text in the worker upload form
  • Sets keepSecrets: true when a secrets file is provided to preserve existing secrets not in the file
  • For versions upload, always sets keepSecrets: true (existing behavior maintained)

Test changes:

  • Added comprehensive test coverage for both deploy and versions upload commands
  • Updated mockDeploymentsListRequest() to use mswListNewDeploymentsLatestFull instead of mswSuccessDeployments to match the correct API endpoint being called

Review Focus Areas

  1. Secret inheritance behavior: Verify that keepSecrets: true is the correct behavior when using --secrets-file (should inherit secrets NOT in the file from previous version)
  2. MSW mock change: The test mock was changed from mswSuccessDeployments to mswListNewDeploymentsLatestFull - confirm this accurately reflects the actual API endpoint
  3. Merge conflict resolution: This PR was rebased from an older branch - review the conflict resolution in deploy/deploy.ts around line 779-829
  4. Edge cases: Verify the secrets file parsing handles invalid files, missing files, and malformed content correctly

CI Status

Note: There are 2 failing CI checks (Tests on macOS and Windows), but these appear to be flaky tests unrelated to this PR:

  • macOS failure is in ConfigController.test.ts (not modified in this PR)
  • The "Checks" job (including lint) passes successfully
  • Tests pass locally

  • Tests
    • [x] Tests included
  • Public documentation
    • [ ] Cloudflare docs PR:
    • [ ] Documentation not necessary because:
  • Wrangler V3 Backport
    • [ ] Wrangler PR:
    • [ ] Not necessary because:

🦋 Changeset detected

Latest commit: fc2aa9eae995a43c3e6b789932078913887f6581

The changes in this PR will be included in the next version bump.

changeset-bot[bot] avatar Oct 07 '25 11:10 changeset-bot[bot]

  • create-cloudflare: npm i https://pkg.pr.new/create-cloudflare@10896
  • @cloudflare/kv-asset-handler: npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@10896
  • miniflare: npm i https://pkg.pr.new/miniflare@10896
  • @cloudflare/pages-shared: npm i https://pkg.pr.new/@cloudflare/pages-shared@10896
  • @cloudflare/unenv-preset: npm i https://pkg.pr.new/@cloudflare/unenv-preset@10896
  • @cloudflare/vite-plugin: npm i https://pkg.pr.new/@cloudflare/vite-plugin@10896
  • @cloudflare/vitest-pool-workers: npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@10896
  • @cloudflare/workers-editor-shared: npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@10896
  • @cloudflare/workers-utils: npm i https://pkg.pr.new/@cloudflare/workers-utils@10896
  • wrangler: npm i https://pkg.pr.new/wrangler@10896

commit: fc2aa9e

pkg-pr-new[bot] avatar Oct 07 '25 11:10 pkg-pr-new[bot]

Fixed! I've restored the comment in commit 710a08ccb.

The comment is now back on line 753:

logpush: undefined, // both logpush and observability are not supported in versions upload

All local tests pass. There are 2 macOS test failures in CI, but they appear to be unrelated flaky tests since my change only restored a comment.

Fixed! I've updated the logic to always set keepSecrets: true and removed the keepBindings assignment. The secrets file is now additive - secrets from the file are added/updated while existing secrets are inherited from the previous version, matching the behavior of wrangler versions secret bulk.

Changes in commit 93e74d6c5:

  • keepSecrets is now always true (line 731 in upload.ts)
  • Removed the conditional logic and keepBindings assignment
  • createWorkerUploadForm() automatically adds ["secret_text", "secret_key"] to keep_bindings when keepSecrets: true
  • Updated test expectations to match the correct binding order

This ensures that secrets not included in the file will be inherited from the previous version, making the secrets file truly additive.
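
The file parsing from the PR description (review focus area 4) and the additive keepSecrets behaviour from the comment above, as an added TypeScript example that is not code from this PR or from wrangler. The helper names, the binding object shape and the inheritance model are assumptions made for illustration; the sample inputs used with it are constructed.

```typescript
// Added example; helper names are hypothetical, not wrangler's implementation.
type SecretBinding = { type: "secret_text"; name: string; text: string };

// Parse secrets-file content: a JSON object of string values, or .env lines.
function parseSecrets(content: string): Record<string, string> {
  const trimmed = content.trim();
  const out: Record<string, string> = {};
  if (trimmed.charAt(0) === "{") {
    let parsed: Record<string, unknown>;
    try {
      parsed = JSON.parse(trimmed);
    } catch {
      throw new Error("secrets file is not valid JSON");
    }
    for (const name of Object.keys(parsed)) {
      const value = parsed[name];
      // Reject numbers, null and nested objects rather than coercing them.
      if (typeof value !== "string") throw new Error(`secret "${name}" must be a string`);
      out[name] = value;
    }
    return out;
  }
  for (const raw of trimmed.split(/\r?\n/)) {
    const line = raw.trim().replace(/^export\s+/, "");
    if (line === "" || line.charAt(0) === "#") continue;
    const eq = line.indexOf("=");
    // The message never echoes the line, so a secret cannot leak into logs.
    if (eq <= 0) throw new Error("malformed .env line (expected KEY=value)");
    let value = line.slice(eq + 1).trim();
    const q = value.charAt(0);
    // Strip one pair of matching surrounding quotes, if present.
    if (value.length >= 2 && /["']/.test(q) && value.charAt(value.length - 1) === q) value = value.slice(1, -1);
    out[line.slice(0, eq).trim()] = value;
  }
  return out;
}

// Metadata fragment as the PR describes it (shape assumed): secret_text
// bindings, plus keep_bindings so secrets absent from the file are inherited.
function buildSecretsMetadata(secrets: Record<string, string>) {
  const bindings = Object.keys(secrets).map(
    (name): SecretBinding => ({ type: "secret_text", name, text: secrets[name] })
  );
  return { bindings, keep_bindings: ["secret_text", "secret_key"] };
}

// Model of the additive result: names from the file join the inherited ones.
function effectiveSecretNames(previous: string[], fromFile: Record<string, string>): string[] {
  const all = previous.concat(Object.keys(fromFile));
  return all.filter((n, i) => all.indexOf(n) === i).sort();
}
```
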

Can you rebase and fix the conflicts here?

petebacondarwin avatar Nov 13 '25 14:11 petebacondarwin

❌ Cannot revive Devin session - the session is too old. Please start a new session instead.

Happy to see this moving along and that you included the functionality for wrangler deploy as well.

One important request - I'm feeding in secrets from another tool and would like to avoid writing anything to disk. Is there a way to accept the secrets content as a long string or to feed in on stdin like secret bulk? The stdin way is a bit awkward since the command is much more general now...

This would allow passing them as wrangler deploy --secrets $(fetch-and-spit-out-secrets)

@petebacondarwin - any update on timeline for this to land? It will greatly simplify things for using Varlock with Cloudflare secrets

theoephraim avatar Dec 02 '25 23:12 theoephraim