Environment
- wrangler 4.99.0, Windows 11
- Observed both via
opennextjs-cloudflare deploy (plain wrangler deploy code path) on a real app, and via a minimal repro (below)
wrangler.jsonc contains secrets: { required: ["TEST_SECRET"] }; the Worker has never been deployed
What we observed (minimal repro matrix)
Minimal Worker (worker.js + the config above), fresh name, one secret supplied per attempt:
| How the secret value was supplied |
First-deploy result |
| not supplied |
pre-deploy validation error (expected) |
wrangler secret put TEST_SECRET — the remedy the error suggests |
impossible: Worker does not exist yet (code: 10007) |
.dev.vars — suggested by the validation warning |
blocked by the same pre-deploy validation; wrangler deploy does not read .dev.vars |
TEST_SECRET in process.env — suggested by the validation warning |
blocked by the same pre-deploy validation in the minimal repro |
wrangler deploy --secrets-file secrets.env — mentioned nowhere in the guidance |
✅ succeeds — Worker created, secret uploaded with the version |
On a real app (deploying through opennextjs-cloudflare deploy), the env-supplied attempt got further — wrangler logged Using secrets defined in process.env — and then failed at the API with:
X [ERROR] A request to the Cloudflare API (/accounts/.../workers/scripts/<name>/versions) failed.
cannot inherit bindings: no previous version exists [code: 10057]
i.e. the supplied secret was routed through the binding-inherit path, which cannot work when no previous version exists.
Why this is a problem
-
The guidance points only at paths that don't work for a first deploy. The pre-deploy error says "Use wrangler secret put <NAME> to set secrets before deploying" — impossible for a new Worker (10007). The validation warning says "Add them to .dev.vars, .env, or set as environment variables" — .dev.vars is not read by deploy, and the env path is either blocked by the same validation or ends in code: 10057 via the inherit path.
-
The one path that does work — --secrets-file — is not mentioned in any of these messages. Before discovering it, the only escape we found was: temporarily delete the secrets block → deploy → wrangler secret put → restore the block, which defeats the purpose of the gate for exactly one deploy.
-
When a secret value is supplied via env, sending it through the inherit path (instead of creating a new secret binding, as --secrets-file does) looks like a routing bug on the first-deploy path.
Suggested resolution (any of)
- Make the first-deploy validation/error messages mention
--secrets-file, and drop .dev.vars/.env from the deploy-time guidance if deploy does not read them
- Or: route env/
.dev.vars-supplied required secrets through the same "new secret binding" path that --secrets-file uses, so the documented remedies actually work
Repro
wrangler.jsonc: { "name": "<fresh-name>", "main": "worker.js", "compatibility_date": "2026-06-01", "secrets": { "required": ["TEST_SECRET"] } }
worker.js: export default { fetch() { return new Response("ok"); } };
TEST_SECRET=x wrangler deploy → blocked (or code: 10057 via the inherit path in larger setups)
wrangler secret put TEST_SECRET → code: 10007
echo TEST_SECRET=x > s.env && wrangler deploy --secrets-file s.env → succeeds
Environment
opennextjs-cloudflare deploy(plainwrangler deploycode path) on a real app, and via a minimal repro (below)wrangler.jsonccontainssecrets: { required: ["TEST_SECRET"] }; the Worker has never been deployedWhat we observed (minimal repro matrix)
Minimal Worker (
worker.js+ the config above), fresh name, one secret supplied per attempt:wrangler secret put TEST_SECRET— the remedy the error suggestscode: 10007).dev.vars— suggested by the validation warningwrangler deploydoes not read.dev.varsTEST_SECRETinprocess.env— suggested by the validation warningwrangler deploy --secrets-file secrets.env— mentioned nowhere in the guidanceOn a real app (deploying through
opennextjs-cloudflare deploy), the env-supplied attempt got further — wrangler loggedUsing secrets defined in process.env— and then failed at the API with:i.e. the supplied secret was routed through the binding-inherit path, which cannot work when no previous version exists.
Why this is a problem
The guidance points only at paths that don't work for a first deploy. The pre-deploy error says "Use
wrangler secret put <NAME>to set secrets before deploying" — impossible for a new Worker (10007). The validation warning says "Add them to .dev.vars, .env, or set as environment variables" —.dev.varsis not read bydeploy, and the env path is either blocked by the same validation or ends incode: 10057via the inherit path.The one path that does work —
--secrets-file— is not mentioned in any of these messages. Before discovering it, the only escape we found was: temporarily delete thesecretsblock → deploy →wrangler secret put→ restore the block, which defeats the purpose of the gate for exactly one deploy.When a secret value is supplied via env, sending it through the inherit path (instead of creating a new secret binding, as
--secrets-filedoes) looks like a routing bug on the first-deploy path.Suggested resolution (any of)
--secrets-file, and drop.dev.vars/.envfrom the deploy-time guidance ifdeploydoes not read them.dev.vars-supplied required secrets through the same "new secret binding" path that--secrets-fileuses, so the documented remedies actually workRepro
wrangler.jsonc:{ "name": "<fresh-name>", "main": "worker.js", "compatibility_date": "2026-06-01", "secrets": { "required": ["TEST_SECRET"] } }worker.js:export default { fetch() { return new Response("ok"); } };TEST_SECRET=x wrangler deploy→ blocked (orcode: 10057via the inherit path in larger setups)wrangler secret put TEST_SECRET→code: 10007echo TEST_SECRET=x > s.env && wrangler deploy --secrets-file s.env→ succeeds