Skip to content

WC-5290 Use PATCH APIs for 'wrangler versions secret' commands#14448

Open
GregBrimble wants to merge 1 commit into
mainfrom
wc-5290-replace-versioned-settings-with-patch-apis
Open

WC-5290 Use PATCH APIs for 'wrangler versions secret' commands#14448
GregBrimble wants to merge 1 commit into
mainfrom
wc-5290-replace-versioned-settings-with-patch-apis

Conversation

@GregBrimble

@GregBrimble GregBrimble commented Jun 26, 2026
edited by devin-ai-integration Bot
Loading

Copy link
Copy Markdown
Contributor

Fixes WC-5290.

Use PATCH APIs for wrangler versions secret commands. These APIs do server-side persistence of everything else so remove the need for Wrangler to try and reconstruct a version from a previous one, and so should reduce the number of bugs like #13843.

Reviewable, but ask Greg before merging. We're landing one or two more internal things first and then we'll be ready to go.

  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: refactor

A picture of a cute animal (not mandatory, but encouraged)

Open in Devin Review

@GregBrimble GregBrimble added the blocked Blocked on other work label Jun 26, 2026
@changeset-bot

changeset-bot Bot commented Jun 26, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 0317402

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
wrangler Patch
@cloudflare/vite-plugin Patch
@cloudflare/vitest-pool-workers Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-project-automation github-project-automation Bot moved this to Untriaged in workers-sdk Jun 26, 2026
@workers-devprod workers-devprod requested review from a team and dario-piotrowicz and removed request for a team June 26, 2026 23:15
@workers-devprod

workers-devprod commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Codeowners approval required for this PR:

  • @cloudflare/wrangler
Show detailed file reviewers
  • .changeset/quiet-lemons-patch.md: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/versions/secrets/bulk.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/versions/secrets/delete.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/versions/secrets/put.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/versions/secrets/utils.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/versions/secrets/bulk.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/versions/secrets/delete.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/versions/secrets/index.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/versions/secrets/put.ts: [@cloudflare/wrangler]

@ask-bonk

ask-bonk Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Pre-existing, not introduced by this PR.

The PR is a clean refactor: it replaces the fragile version-reconstruction logic (download full version + reconstruct + re-upload) with a single PATCH to /versions/latest using application/merge-patch+json. Key observations:

  • The workers/workers/ URL segment is correct (matches the existing preview/api.ts pattern and the test mocks).
  • Environment handling is preserved via getLegacyScriptName and args.env.
  • The NO_VERSIONS_ERR_CODE (10222) error mapping is preserved with telemetry messages.
  • Tests are comprehensive (put/delete/bulk + no-versions + multi-env warnings) and the expectSecretPatch helper correctly asserts that fields like keep_bindings, placement, build_options are NOT resent (which is the whole point of the server-side persistence change).
  • Changeset is appropriately a patch with good user-facing description.
  • expect is correctly sourced from test context per repo conventions.

I found no logic bugs, security issues, or backward-compatibility problems. The deletions of the old reconstruction code are appropriate.

LGTM

github run

@pkg-pr-new

pkg-pr-new Bot commented Jun 26, 2026

Copy link
Copy Markdown
@cloudflare/autoconfig

npm i https://pkg.pr.new/@cloudflare/autoconfig@14448

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@14448

@cloudflare/deploy-helpers

npm i https://pkg.pr.new/@cloudflare/deploy-helpers@14448

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@14448

miniflare

npm i https://pkg.pr.new/miniflare@14448

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@14448

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@14448

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@14448

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@14448

@cloudflare/workers-auth

npm i https://pkg.pr.new/@cloudflare/workers-auth@14448

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@14448

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@14448

wrangler

npm i https://pkg.pr.new/wrangler@14448

commit: 0317402

devin-ai-integration[bot]
devin-ai-integration Bot reviewed Jun 26, 2026
View reviewed changes

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 1 potential issue.

Open in Devin Review

Comment thread packages/wrangler/src/versions/secrets/index.ts
Comment on lines +108 to +111
annotations: {
"workers/message": versionMessage,
"workers/tag": versionTag,
},

@devin-ai-integration devin-ai-integration Bot Jun 26, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚩 Merge-patch semantics cause annotations to be inherited from previous version

The old code created a brand-new version via POST, so annotations like workers/tag were only present if explicitly set. The new code uses application/merge-patch+json (packages/wrangler/src/versions/secrets/index.ts:108-111), and when versionTag is undefined, JSON.stringify omits workers/tag from the body. Per RFC 7396, omitting a field in a nested merge-patch object means 'preserve existing value'. So if the previous version had a workers/tag (e.g. from a prior --tag v1 invocation), the new version will inherit it — unlike the old behavior where the new version would have no tag. The same applies to any other annotation fields on the previous version (e.g. workers/triggered_by). This is arguably correct for a patch operation (only change what's specified), but it is a semantic difference from the old behavior. Whether this matters depends on how the PATCH API server handles annotations in practice.

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devin-ai-integration devin-ai-integration[bot] devin-ai-integration[bot] left review comments
@workers-devprod workers-devprod Awaiting requested review from workers-devprod workers-devprod is a code owner
@dario-piotrowicz dario-piotrowicz Awaiting requested review from dario-piotrowicz dario-piotrowicz was automatically assigned from cloudflare/wrangler

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

blocked Blocked on other work

Projects

workers-sdk
Status: Untriaged

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@GregBrimble @workers-devprod