setting secrets in workflow does not configure correctly on dashboard

[pippinmole]

I have the following workflow file:

name: Deploy Worker
on:
  push:
    branches:
      - main
jobs:
  deploy:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4

      - name: Set up Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: 1.3.0

      - name: Build & Deploy Worker
        uses: cloudflare/wrangler-action@v3
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          wranglerVersion: "4.47.0"
          environment: prod
          workingDirectory: "apps/cron"
          packageManager: "bun"
          secrets: |
            BASE_URL
            CRON_SECRET
        env:
          BASE_URL: 'my-url'
          CRON_SECRET: 'my-hardcoded-secret'

I hardcoded the env strings to make sure there is no issue with GitHub Secrets not being pulled through. When I run this workflow, it outputs that it has updated two secrets:

However, on the dashboard, the secrets are listed as Plaintext, not Secret. Additionally they are both blank, and my cron job fails because neither of these env variables are set:

Here's my validation:

[pippinmole]

Interesting, so if I remove these blocks from my wrangler.jsonc file, then it works fine.

This seems like a bug, as in the GitHub Action logs, it says that 2 secrets are 'successfully' uploaded, whereas they are not. It should either fail the workflow or warn the user that they are trying to set secrets with the same name as vars in the config.