Deployment failing due to "Failed to upload secrets"

[vladinator1000]

I just migrated to wrangler-action v3 and this started happening to me. It fails every time I run it.

Here's my workflow file:

name: Deploy

on:
  workflow_dispatch:
  push:
    branches: [main]

jobs:
  build_and_deploy:
    name: Build and deploy
    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [21.x]

    env:
      ENVIRONMENT: production
      APP_SECRET: ${{ secrets.APP_SECRET }}
      DATABASE_URL: ${{ secrets.DATABASE_URL }}
      CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}

    steps:
      - uses: actions/checkout@v4
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}

      - uses: c-hive/gha-yarn-cache@v2

      - name: Get version
        id: version
        run: echo "::set-output name=version::$(date +'%Y-%m-%dT%H:%M:%S')-${{ github.sha }}"

      - name: Install dependencies
        run: yarn --frozen-lockfile

      - name: 🔨📦 Build and deploy
        uses: cloudflare/wrangler-action@v3
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          environment: 'production'
          secrets: |
            APP_SECRET
            DATABASE_URL

I ran it in debug mode, but didn't see any useful logging

I tried pinning wranglerVersion to the one in my package.json, but that didn't change anything.

[AdiRishi]

Hey 👋
These issues are always quite tricky to debug so let me ask some simple debugging questions first

• Is your worker already deployed? Or is it yet to be created? If not, you should deploy it without secrets first
• Second, let's make sure the secret values are being passed in to your action, can you try to expand the group for cloudflare/wrangler-action@3, here's an example of what of of my projects looks like (note the inclusion of secret values in env)

  Run cloudflare/wrangler-action@v3
    with:
      accountId: ***
      apiToken: ***
      wranglerVersion: 3.26.0
      secrets: TURBO_TOKEN
      command: deploy --minify
      quiet: false
    env:
      PNPM_HOME: /home/runner/setup-pnpm/node_modules/.bin
      TURBO_TOKEN: ***
  

• Have you tried adding the secrets manually via the CLI? Does it work?
• In the output you pasted (running in debug mode), when you expand the Uploading secrets... group, is there any additional debugging information? Remember groups can have additional information inside them, you have to expand to find out more.
• Instead of specifying CLOUDFLARE_ACCOUNT_ID in the environment, specify it directly in the options for wrangler-action

[enfipy]

Any news on this? I also can't make the wrangler-action upload secrets (I use wrangler v3.48.0).

Here's my code:

      - name: Deploy to Cloudflare
        uses: cloudflare/wrangler-action@v3
        with:
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          workingDirectory: ./apps/api/
          packageManager: bun
          environment: production
          quit: false
          secrets: |
            RESEND_API_KEY
        env:
          RESEND_API_KEY: ${{ secrets.RESEND_API_KEY }}

And the result is always the same:

 Finished processing secrets JSON file:
  ✨ 0 secrets successfully uploaded
  
  ✘ [ERROR] 🚨 1 secrets failed to upload

[caffeinated-nick]

I was able to resolve this issue by reverting to the "legacy" secrets upload method (i.e. setting wranglerVersion: '3.3.0' to get more detailed logging. Doing this means you will get logging per attempted secret upload, so if any individual secret has a problem you should get a clear message of why (rather than bulk upload failing with a generic error).

Example with bulk upload with wrangler >= 3.4.0 (I used 3.50.0)

Example with wrangler <=3.3.0

To "properly" fix it I guess CF would have to improve the error output on wrangler secret:bulk

[mpint]

Thanks Nick, reverting to wranglerVersion: 3.3.0 helped with logging, although in my case, it's still not clear what's causing the error. My action logs look like this:

✨ Success! Uploaded secret SUPABASE_SERVICE_ROLE_KEY
✘ [ERROR] A request to the Cloudflare API (/accounts/123/workers/scripts/im--135348507-example_com-staging/secrets) failed.

  global variable USER_PAGERDUTY_API_KEY already set [code: 10053]

The logs seem to indicate USER_PAGERDUTY_API_KEY is set as a variable instead of a secret, but inspecting the Worker Variables tab in the dashboard confirms USER_PAGERDUTY_API_KEY is a secret as expected.

USER_PAGERDUTY_API_KEY Value encrypted

It's not clear to me why the SUPABASE_SERVICE_ROLE_KEY secret gets uploaded correctly but USER_PAGERDUTY_API_KEY fails when both of them are secrets that have been previously set using Wrangler (when the script was created).

[gentlementlegen]

Happening to me as well. In my case, deleting the worker and creating it again fixed the issue.

I was able to break it again by manually adding variables within Cloudflare Dashboard, anything random like test = foobar and try to deploy again afterwards through GitHub Action. Adding the environment variables would fail with the error

  Finished processing secrets JSON file:
  ✨ 0 secrets successfully uploaded
  
  ✘ [ERROR] 🚨 4 secrets failed to upload

Deleting again the manually added value allowed me to deploy again successfully, so my suspicion is any discrepancy with the variables in the dashboard and the Action file are the cause of the issue.