devin-ai-integration[bot]
Contributor

Fixes #10068.

This PR adds a --secrets-file parameter to the wrangler versions upload command, enabling users to upload secrets alongside their Worker code in a single atomic operation.

Key Changes

Command Interface:

  • Added --secrets-file parameter that accepts a path to a JSON or .env file
  • File format matches what's used by wrangler versions secret bulk command

Implementation:

  • Reuses existing parseBulkInputToObject function for file parsing
  • Creates rawBindings array with secret_text type bindings from parsed secrets
  • Sets keepSecrets: false and keepBindings: ["secret_key", "secret_text"] when secrets file is provided to inherit non-provided secrets

Usage Examples:

wrangler versions upload --secrets-file .env.production
wrangler versions upload --secrets-file secrets.json

Critical Review Areas

⚠️ Secret Inheritance Logic: The combination of keepSecrets: false + keepBindings: ["secret_key", "secret_text"] is critical - please verify this correctly inherits existing secrets not in the file while uploading new ones.

⚠️ API Contract: Confirm that using rawBindings with secret_text type is the correct way to upload secrets via the versions API.

⚠️ Test Accuracy: Tests mock API responses based on my understanding - please verify expectations match real API behavior.

Testing

  • Comprehensive unit tests covering JSON and .env file formats
  • Tests for secret inheritance behavior with and without secrets file
  • Error handling tests for missing/invalid files
  • All existing tests continue to pass

Link to Devin run: https://app.devin.ai/sessions/589ac34811cb43258f0107ed00840ed7
Requested by: @petebacondarwin


  • Tests
    • Tests included
    • Tests not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: this is a new CLI parameter that will be documented via CLI help text and changeset
  • Wrangler V3 Backport
    • Wrangler PR:
    • Not necessary because: this is a new feature, not a patch fix

Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


changeset-bot bot commented Oct 7, 2025

🦋 Changeset detected

Latest commit: 3f78336

The changes in this PR will be included in the next version bump.


pkg-pr-new bot commented Oct 7, 2025

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@10896

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@10896

miniflare

npm i https://pkg.pr.new/miniflare@10896

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@10896

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@10896

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@10896

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@10896

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@10896

wrangler

npm i https://pkg.pr.new/wrangler@10896

commit: 3f78336

@devin-ai-integration devin-ai-integration bot marked this pull request as ready for review October 7, 2025 12:57
@devin-ai-integration devin-ai-integration bot requested a review from a team as a code owner October 7, 2025 12:57
}
: undefined,
logpush: undefined, // both logpush and observability are not supported in versions upload
logpush: undefined,
Contributor

no reason to remove this comment

Contributor Author

Fixed! I've restored the comment in commit 710a08c.

The comment is now back on line 753:

logpush: undefined, // both logpush and observability are not supported in versions upload

All local tests pass. There are 2 macOS test failures in CI, but they appear to be unrelated flaky tests since my change only restored a comment.

Comment on lines 730 to 733
keepSecrets: props.secretsFile ? false : true,
keepBindings: props.secretsFile
? ["secret_key", "secret_text"]
: undefined,
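
Review bot: on the keepSecrets/keepBindings pair, nothing in these lines states what happens to a secret that exists on the previous version but is absent from the secrets file, which is the security-relevant behaviour of this option. With keepSecrets set to false while both secret binding types are listed in keepBindings, a reader has to work out that existing secrets are still inherited; add a comment stating the intended semantics (additive, or file as source of truth) and express it through one option rather than two. `props.secretsFile ? false : true` can also be written as `!props.secretsFile`.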
Contributor

I don't think this change is quite right. They cancel each other out.

When keepSecrets is true (i.e. here secretsFile is falsy) we automatically add secret_key and secret_text to the keep_bindings field in createWorkerUploadForm().

And here if secretsFile is truthy, then we are explicitly adding secret_key and secret_text.

If we are saying that secretsFile is the full source of truth for secrets then we should be setting keepSecrets to false and not setting keepBindings at all.

If we are saying that secretsFile is additive to the current secrets in the dashboard then keepSecrets should always be true and keepBindings should not be defined.

From looking at how wrangler versions secret bulk works, we should not be treating the secretsFile as a source of truth but only additive. I think we should follow that here too.

So I think this should be:

Suggested change
keepSecrets: props.secretsFile ? false : true,
keepBindings: props.secretsFile
? ["secret_key", "secret_text"]
: undefined,
// we never delete secret bindings when uploading, even if we are setting secrets from a file
// so inherit all unchanged secrets from the previous Worker Version
keepSecrets: true,
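
Review bot: with `keepSecrets: true` set unconditionally, a secret that is dropped from the secrets file stays bound in the new version, so deleting a line from the file does not revoke anything. The code comment says secret bindings are never deleted on upload; the --secrets-file help text should say the same so that nobody relies on the file for removal, and a test should cover a secret that is absent from the file being inherited.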

- Set keepSecrets: true unconditionally (regardless of secretsFile)
- Remove keepBindings assignment when secretsFile is provided
- createWorkerUploadForm() automatically adds keep_bindings when keepSecrets is true
- Secrets from file are now additive to existing secrets (matching versions secret bulk behavior)
- Update tests to expect correct keep_bindings order: ['secret_text', 'secret_key']

Co-Authored-By: [email protected] <[email protected]>
Contributor Author

Fixed! I've updated the logic to always set keepSecrets: true and removed the keepBindings assignment. The secrets file is now additive - secrets from the file are added/updated while existing secrets are inherited from the previous version, matching the behavior of wrangler versions secret bulk.

Changes in commit 93e74d6:

  • keepSecrets is now always true (line 731 in upload.ts)
  • Removed the conditional logic and keepBindings assignment
  • createWorkerUploadForm() automatically adds ["secret_text", "secret_key"] to keep_bindings when keepSecrets: true
  • Updated test expectations to match the correct binding order

This ensures that secrets not included in the file will be inherited from the previous version, making the secrets file truly additive.
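
The three options debated in this thread, as an added example that is not wrangler's code or part of the original PR. It is a simplified model: `resolveSecrets`, `keepBindingTypes` and the sample data are hypothetical, and it assumes that bindings sent in the upload override inherited ones and that an explicit keepBindings list is merged with the types added by keepSecrets.

```typescript
// Simplified model (assumption) of how a new Worker Version's secrets resolve.
type Secrets = Record<string, string>;

interface UploadOptions {
  keepSecrets: boolean;
  keepBindings?: string[];
}

// Order taken from the thread: ["secret_text", "secret_key"].
const SECRET_TYPES = ["secret_text", "secret_key"];

// keepSecrets adds the secret binding types to keep_bindings, as described in
// the review; merging in an explicit keepBindings list is an assumption.
function keepBindingTypes(opts: UploadOptions): string[] {
  const kept: string[] = opts.keepSecrets ? SECRET_TYPES.slice() : [];
  (opts.keepBindings || []).forEach(function (t) {
    if (kept.indexOf(t) === -1) kept.push(t);
  });
  return kept;
}

// Assumed rule: previous secrets are inherited only when their type is in
// keep_bindings; secrets sent in this upload always win.
function resolveSecrets(previous: Secrets, fromFile: Secrets, opts: UploadOptions): Secrets {
  const result: Secrets = {};
  if (keepBindingTypes(opts).indexOf("secret_text") !== -1) {
    Object.keys(previous).forEach(function (name) { result[name] = previous[name]; });
  }
  Object.keys(fromFile).forEach(function (name) { result[name] = fromFile[name]; });
  return result;
}

// Constructed sample data: DB_PASSWORD is not in the secrets file.
const previousVersion: Secrets = { API_KEY: "old-key", DB_PASSWORD: "old-pw" };
const secretsFile: Secrets = { API_KEY: "new-key" };

// Original PR: keepSecrets false plus explicit secret types in keepBindings.
const originalPr = resolveSecrets(previousVersion, secretsFile, {
  keepSecrets: false,
  keepBindings: ["secret_key", "secret_text"],
});
// After review: keepSecrets true, no keepBindings (additive).
const additive = resolveSecrets(previousVersion, secretsFile, { keepSecrets: true });
// File as the single source of truth: nothing is inherited.
const sourceOfTruth = resolveSecrets(previousVersion, secretsFile, { keepSecrets: false });

console.log({ originalPr, additive, sourceOfTruth });
```

Under this model the original PR and the additive option resolve to the same set, and in both DB_PASSWORD stays bound even though the file no longer lists it, so rotating a secret out requires an explicit delete.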

devin-ai-integration bot and others added 2 commits October 7, 2025 19:04
- Add --secrets-file argument to deploy command options
- Parse secrets file and add to rawBindings in deploy implementation
- Set keepSecrets: true to inherit existing secrets (additive behavior)
- Add comprehensive unit tests for deploy with secrets file
- Update changeset to document both deploy and versions upload commands

Co-Authored-By: [email protected] <[email protected]>
- Set keepSecrets based on keepVars OR secretsFile (not unconditional)
- Remove incorrect test that expected keepSecrets=true by default
- Preserves backward compatibility while enabling --secrets-file feature

Co-Authored-By: [email protected] <[email protected]>
Successfully merging this pull request may close these issues.

Support Environment Variables/Secrets in wrangler versions upload