Wrangler 3.16 breaking secret uploads

[demosjarco]

The action fails immediately since the release of Wrangler 3.16

Finished processing secrets JSON file:
  ✨ 0 secrets successfully uploaded
  
  ✘ [ERROR] 🚨 23 secrets failed to upload

I assume it was #4179 that was merged that broke it

[mrbbot]

Hey! 👋 I'm unable to reproduce this. Are you able to share the workflow run that is failing, or is it in a private repo? If so, could you share the full logs for the workflow?

[demosjarco]

Looking back at the the log for the 3.16 fail, that was it. I don't see any other error message or log from wrangler. I see the secrets were assigned correctly. I have dm-ed you on discord the log file.

[demosjarco]

Ok, updating to wrangler 3.17 that came out earlier today, it works (no change done to the secrets vs 3.15 that was working, 3.16 that wasn't, and 3.17 that is).

Side node, log format is broken, but I'm not sure if I should post that in this issue or start a new one.

[leyafo]

I have the same problem that struggled me a day. I have set the CLOUDFLARE_API_TOKEN into my repository secrets settings. But can not get.
here is my configurations:

  - name: Upload to Cloudflare
        uses: cloudflare/wrangler-action@v3
        with:
          secrets: |
            CLOUDFLARE_API_TOKEN
            CLOUDFLARE_ACCOUNT_ID
          shell: 'bash'
          accountId: '${{ secrets.CLOUDFLARE_ACCOUNT_ID }}'
          apiToken: '${{ secrets.CLOUDFLARE_API_TOKEN }}'
          environment: ${{ github.events.inputs.environment }}
          command: 'whoami --env ${{ github.events.inputs.environment }}' 
          postCommands: |
            echo '${{ secrets.CLOUDFLARE_ACCOUNT_ID }}'
            echo ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
            echo "Uploading ${{ env.file }} to Cloudflare slippod/${{ env.filename }}..."
            wrangler r2 object put slippod/${{ env.filename }}) --file="${{ env.file }}"
            echo "***done***" 
        env:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} 
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}

the echo cannot output "*****", it always output empty string.
I was trying to set the with -> secrets, it gives me the error:

🔑 Uploading secrets...
Error: Failed to upload secrets.
Error: 🚨 Action failed

[fatihy101]

I've been dealing with the same problem for a few days.
I printed all the logs in .wrangler/logs/ with the cat .wrangler/logs/* command and found this as the error.

--- 2023-11-22T07:21:04.767Z debug
Failed to load .env file ".env": Error: ENOENT: no such file or directory, open '.env'
    at Object.openSync (node:fs:603:3)
    at Object.readFileSync (node:fs:471:35)
    at tryLoadDotEnv (/home/runner/work/cf-project/cf-project/node_modules/wrangler/wrangler-dist/cli.js:122671:72)
    at loadDotEnv (/home/runner/work/cf-project/cf-project/node_modules/wrangler/wrangler-dist/cli.js:122680:12)
    at /home/runner/work/cf-project/cf-project/node_modules/wrangler/wrangler-dist/cli.js:146614:20
    at /home/runner/work/cf-project/cf-project/node_modules/wrangler/wrangler-dist/cli.js: 0116:16
    at maybeAsyncResult (/home/runner/work/cf-project/cf-project/node_modules/wrangler/wrangler-dist/cli.js:128337:44)
    at Array.reduce (<anonymous>) {
  errno: -2,
  syscall: 'open',
  code: 'ENOENT',
  path: '.env'
}
---

However, when I change the name of the Worker from the Cloudflare dashboard and re-run the workflow, it deployed successfully. That's not a viable work-around though.

Here's my configuration:

- name: Deploy
  uses: cloudflare/wrangler-action@v3
  with:
    apiToken: ${{ secrets.CF_API_TOKEN }}
    accountId: ${{ secrets.CF_ACCOUNT_ID }}
    wranglerVersion: latest
    secrets: |
      INTERNAL_API_KEY
  env:
    INTERNAL_API_KEY: ${{ secrets.INTERNAL_API_KEY }}
- name: Print Wrangler Logs
  if: failure()
  run: |
    ls -l .wrangler/logs
    cat .wrangler/logs/*

Edit: Secrets uploaded with version 3.15, it's failed both on 3.16 and 3.17 versions.

[fatihy101]

As a work-around, I changed wranglerVersion: latest to wranglerVersion: "3.15.0" and deployment completed successfully.

[1000hz]

This is an upstream issue in wrangler captured by cloudflare/workers-sdk#4496. According to that issue, it seems to only affect users uploading secrets to workers that have Durable Object bindings.

[demosjarco]

This is an upstream issue in wrangler captured by cloudflare/workers-sdk#4496. According to that issue, it seems to only affect users uploading secrets to workers that have Durable Object bindings.

I can confirm I do not have Durable Object bindings. I only have 1 D1, 6 Analytics engine, 3 worker bindings, 1 vectorize binding. Plus the weird part is that 3.17 fixes it for me. That bug report has them having the issue on 3.17.1 too

[rastislavcore]

Same error here. Secrets are not created at all with wrangler 3.20.0.
Even do GitHub action is indicating success.

[demosjarco]

I wanted to update that the action update of 3.4.0 does make wrangler do the bulk secret upload which again breaks secret uploading. I currently have 26 secrets, but only 1 secret is a multiline. Again, no durable objects bindings - just D1, AE, and service bindings.

[demosjarco]

I tried one more time with action 3.4.0 and wrangler 3.22.1 (set both in wranglerVersion of the action and the one in package.json in the project). Still failing.

• 4 (set in the action) + 11 (from wrangler.toml) env vars
• 26 secrets (only 1 multiline - specifically a pkcs1/der key encoded as base64)
• 0 durable objects
• 1 d1 binding
• 7 analytics engine bindings
• 3 service bindings

Key part of the log is the ENOENT: no such file or directory of .env.development and .env which I assume are temporary files created by wrangler to take stdin and do bulk secrets upload (because my project doesn't have them and those file names are in .gitignore`.

(redacted)wrangler-2023-12-23_01-50-32_594.log from the runner

[1000hz]

The problem is caused by a bug in the API endpoint we now use to bulk upload secrets when the worker has certain binding types. We switched to using this endpoint in [email protected]. Until the upstream API is fixed, you’ll likely continue having issues with secret uploads on that version and above.

As a temporary workaround, you can set wranglerVersion: 3.15.0 in your action inputs.

[willin]

https://github.com/willin/sso/actions/runs/7347300952/job/20003540459

📥 Installing Wrangler
  /home/runner/.bun/bin/bun i [email protected]
  bun add v1.0.20 (09d51486)
   Resolving dependencies
   Resolved, downloaded and extracted [70]
   Saved lockfile
  
   + @hono-dev/auth-afdian@workspace:packages/hono-auth-afdian
   + @hono-dev/auth-alipay@workspace:packages/hono-auth-alipay
   + @hono-dev/auth-github@workspace:packages/hono-auth-github
   + @hono-dev/powered-by@workspace:packages/hono-powered-by
   + v0-sso@workspace:apps/sso
   + web@workspace:apps/website
  
   installed [email protected] with binaries:
    - wrangler
    - wrangler2
  
   23 packages installed [1.89s]
  ✅ Wrangler installed
🔑 Uploading secrets...
Error: Failed to upload secrets.
Error: 🚨 Action failed

[RamIdeas]

Hi @demosjarco! The upstream issue, mentioned above by @1000hz, has been fixed. Can you try again with the latest version of wrangler and report back whether you still experience this issue?

[demosjarco]

I can confirm it's no longer breaking with wrangler 3.23.0 and 3.24.0, but I haven't checked if the secret value is correctly being update. I'll check that and report back soon

[demosjarco]

Confirmed, new secret content is uploaded correctly

[vladinator1000]

I'm started facing this issue after upgrading to wrangler-action v3 #162 (comment)