[wrangler] Fix first-deploy guidance for required secrets#14332
Open
Divkix wants to merge 2 commits into
Open
Conversation
When deploying a new Worker that declares secrets.required, the previous error suggested `wrangler secret put` (fails with 10007 for a Worker that does not exist yet) and .dev.vars/env (not read by deploy). The one working path, `wrangler deploy --secrets-file`, was never mentioned. The pre-deploy error now directs users to --secrets-file, and the post-deploy 10057 error mentions it too, branching the command per code path (deploy vs versions upload).
🦋 Changeset detectedLatest commit: 460f500 The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
workers-devprod
requested review from
a team and
NuroDev
and removed request for
a team
Contributor
|
Codeowners approval required for this PR:
Show detailed file reviewers |
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
NuroDev
approved these changes
Jun 17, 2026
Comment on lines
+74
to
+81
| const secretPutCommand = | ||
| options.type === "deploy" | ||
| ? "wrangler secret put" | ||
| : "wrangler versions secret put"; | ||
| const secretsFileCommand = | ||
| options.type === "deploy" | ||
| ? "wrangler deploy --secrets-file <path-to-file>" | ||
| : "wrangler versions upload --secrets-file <path-to-file>"; |
Member
There was a problem hiding this comment.
These could could probably be streamlined into a template string. For example:
const secretPutCommand = `wrangler ${options.type === "deploy" ? "versions" : ""}secret put`;
Author
There was a problem hiding this comment.
Good call, done in 460f500. Also, heads up as the example had the branches flipped for our logic (deploy is plain secret put, upload is versions secret put), so I kept that order:
const secretPutCommand = `wrangler ${options.type === "deploy" ? "" : "versions "}secret put`;Did the same for secretsFileCommand while I was at it.
workers-devprod
approved these changes
Jun 17, 2026
workers-devprod
left a comment
workers-devprod
left a comment
Contributor
There was a problem hiding this comment.
Codeowners reviews satisfied
create-cloudflare
@cloudflare/deploy-helpers
@cloudflare/kv-asset-handler
miniflare
@cloudflare/pages-shared
@cloudflare/unenv-preset
@cloudflare/vite-plugin
@cloudflare/vitest-pool-workers
@cloudflare/workers-auth
@cloudflare/workers-editor-shared
@cloudflare/workers-utils
wrangler
commit: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #14258.
On a first deploy of a new Worker that declares
secrets: { required: [...] }, every remedy Wrangler suggested was impossible:wrangler secret put <NAME>→ fails, the Worker doesn't exist yet (API10007).dev.vars/.env→wrangler deploydoesn't read thesewrangler deploy --secrets-file <file>— was mentioned nowhere.This PR fixes the guidance so it points at the path that actually works:
addRequiredSecretsInheritBindings, first-deploy branch): now explains thatwrangler secret putcan't be used for a Worker that doesn't exist yet, and directs users towrangler deploy --secrets-file <path-to-file>(with the expectedSECRET_NAME=value/JSON file format).handleMissingSecretsError, code10057): now also surfaces the--secrets-fileoption alongsidesecret put, branching the recommended command per code path (wrangler deploy --secrets-filevswrangler versions upload --secrets-file).This is the low-risk messaging fix. The issue also proposes a deeper behavioral change (routing env/
.dev.vars-supplied required secrets through the "new secret binding" path that--secrets-fileuses, instead of the inherit path that yields10057on first deploy). I assessed that as a separate, more invasive feature: there is currently no code path that readsprocess.env/.dev.varsinto secret bindings at deploy time, so this would be net-new behavior rather than a re-route. Left as a follow-up.A picture of a cute animal (not mandatory, but encouraged)
🦦