[wrangler] feat: add --secrets-file parameter to deploy and versions upload

[devin-ai-integration]

Adds a --secrets-file parameter to both wrangler deploy and wrangler versions upload, allowing secrets to be uploaded alongside Worker code in a single operation.

Changes

New CLI option: --secrets-file <path>

Both commands accept a path to a JSON or .env file containing secrets. The file is parsed using the existing parseBulkInputToObject() from the secrets module (same parser used by wrangler versions secret bulk).

wrangler deploy --secrets-file .env.production
wrangler versions upload --secrets-file secrets.json

Implementation details:

• Secrets are added to the bindings map as secret_text entries (deploy/deploy.ts, versions/upload.ts)
• wrangler deploy: sets keepSecrets: true when --secrets-file is provided (or when --keep-vars is set), so existing secrets not in the file are preserved
• wrangler versions upload: keepSecrets remains unconditionally true (existing behavior — secrets are always inherited)
• The help text for --secrets-file cross-references --keep-secrets for discoverability

Files changed:

File	Change
packages/wrangler/src/deploy/index.ts	Register --secrets-file option
packages/wrangler/src/deploy/deploy.ts	Parse secrets file, add to bindings, set keepSecrets
packages/wrangler/src/versions/upload.ts	Register --secrets-file option, parse secrets file, add to bindings
packages/wrangler/src/__tests__/deploy/secrets.test.ts	5 tests for deploy --secrets-file
packages/wrangler/src/__tests__/versions/upload.test.ts	6 tests for versions upload --secrets-file
.changeset/secrets-file-versions-upload.md	Minor changeset

---

• Tests
  • Tests included/updated
  • Automated tests not possible - manual testing has been completed as follows:
  • Additional testing not necessary because:
• Public documentation
  • Cloudflare docs PR(s): docs: add --secrets-file documentation for wrangler deploy and versions upload cloudflare-docs#28976
  • Documentation not necessary because:

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[changeset-bot]

🦋 Changeset detected

Latest commit: ce22602

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pkg-pr-new]

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@10896

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@10896

miniflare

npm i https://pkg.pr.new/miniflare@10896

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@10896

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@10896

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@10896

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@10896

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@10896

wrangler

npm i https://pkg.pr.new/wrangler@10896

commit: 649f618

[devin-ai-integration]

Fixed! I've restored the comment in commit 710a08c.

The comment is now back on line 753:

logpush: undefined, // both logpush and observability are not supported in versions upload

All local tests pass. There are 2 macOS test failures in CI, but they appear to be unrelated flaky tests since my change only restored a comment.

[devin-ai-integration]

Fixed! I've updated the logic to always set keepSecrets: true and removed the keepBindings assignment. The secrets file is now additive - secrets from the file are added/updated while existing secrets are inherited from the previous version, matching the behavior of wrangler versions secret bulk.

Changes in commit 93e74d6:

• keepSecrets is now always true (line 731 in upload.ts)
• Removed the conditional logic and keepBindings assignment
• createWorkerUploadForm() automatically adds ["secret_text", "secret_key"] to keep_bindings when keepSecrets: true
• Updated test expectations to match the correct binding order

This ensures that secrets not included in the file will be inherited from the previous version, making the secrets file truly additive.

[petebacondarwin]

Can you rebase and fix the conflicts here?

[devin-ai-integration]

❌ Cannot revive Devin session - the session is too old. Please start a new session instead.

[theoephraim]

Happy to see this moving along and that you included the functionality for wrangler deploy as well.

One important request - I'm feeding in secrets from another tool and would like to avoid writing anything to disk. Is there a way to accept the secrets content as a long string or to feed in on stdin like secret bulk? The stdin way is a bit awkward since the command is much more general now...

This would allow passing them as wrangler deploy --secrets $(fetch-and-spit-out-secrets)

@petebacondarwin - any update on timeline for this to land? It will greatly simplify things for using Varlock with Cloudflare secrets

[penalosa]

This is an old PR that's quite stale so I'm going to close it for now. If you'd still like to land it feel free to re-open and get it back up to date with main.

[theoephraim]

@penalosa @petebacondarwin - would really love to see this single step "deploy with secrets" functionality land. Anything I can do to help? I expect you're likely not taking external PRs much these days?

[petebacondarwin]

Re-opening as I would like to try landing this.
It is not clear how best one could implement not writing the secrets to disk so I am going to land without that initially and then we can discuss how best one could achieve that.

[github-actions]

✅ All changesets look good

[workers-devprod]

Codeowners approval required for this PR:

• ✅ @cloudflare/wrangler

Show detailed file reviewers

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.

[dario-piotrowicz]

Generally looks good to me 🙂

I've just left some minor non-blocking comments.

Also one question I have, could/should we support multiple secret files as well?
e.g.

wrangler deploy --secrets-file env.base --secrets-file .env.production