Skip to content

CC-7948 Update wrangler CLI to support GAR#14311

Merged
nikitassharma merged 1 commit into
cloudflare:mainfrom
sherryliu-lsy:sherryliu/cc-7948-update-wrangler-cli-to-support-gar
Jun 23, 2026
Merged

CC-7948 Update wrangler CLI to support GAR#14311
nikitassharma merged 1 commit into
cloudflare:mainfrom
sherryliu-lsy:sherryliu/cc-7948-update-wrangler-cli-to-support-gar

Conversation

@sherryliu-lsy

@sherryliu-lsy sherryliu-lsy commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

CC-7948

Adds Google Artifact Registry (*-docker.pkg.dev) to wrangler containers registries configure, built on the existence-first secret reuse from #14362.

  • Public credential — the Google service account email, supplied via --gar-email. It must match the client_email field in the service account key.
  • Private credential — the service account JSON key, provided via stdin (a file path, raw JSON, or base64) or an interactive prompt (a file path or base64). It is never accepted as a CLI flag, so the secret never lands in shell history. The key is validated against --gar-email and stored base64-encoded for Cloudchamber.
  • Reuse inherits the existence-first flow: when the target Secrets Store secret already exists, it is reused by reference and the key is not required. In that case the email can't be verified locally, so Wrangler warns; the coordinator validates public_credential == client_email when images are pulled.

Follows CC-7866 Add Google Artifact Registry (GAR) support as an external registry provider.


Open in Devin Review
@changeset-bot

changeset-bot Bot commented Jun 15, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 31d1624

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages
Name Type
@cloudflare/containers-shared Minor
wrangler Minor
@cloudflare/vite-plugin Patch
@cloudflare/vitest-pool-workers Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-project-automation github-project-automation Bot moved this to Untriaged in workers-sdk Jun 15, 2026
@workers-devprod workers-devprod requested review from a team and emily-shen and removed request for a team June 15, 2026 23:54
@workers-devprod

workers-devprod commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Codeowners approval required for this PR:

  • @cloudflare/wrangler
  • ✅ @cloudflare/cloudchamber
Show detailed file reviewers
  • .changeset/common-boats-help.md: [@cloudflare/wrangler]
  • .changeset/free-islands-sink.md: [@cloudflare/wrangler]
  • packages/containers-shared/src/client/models/ExternalRegistryKind.ts: [@cloudflare/wrangler]
  • packages/containers-shared/src/images.ts: [@cloudflare/wrangler]
  • packages/containers-shared/tests/images.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/containers/registries.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/containers/registries.ts: [@cloudflare/wrangler]

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

Open in Devin Review
@pkg-pr-new

pkg-pr-new Bot commented Jun 16, 2026

Copy link
Copy Markdown
@cloudflare/autoconfig

npm i https://pkg.pr.new/cloudflare/workers-sdk/@cloudflare/autoconfig@14311

create-cloudflare

npm i https://pkg.pr.new/cloudflare/workers-sdk/create-cloudflare@14311

@cloudflare/deploy-helpers

npm i https://pkg.pr.new/cloudflare/workers-sdk/@cloudflare/deploy-helpers@14311

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/cloudflare/workers-sdk/@cloudflare/kv-asset-handler@14311

miniflare

npm i https://pkg.pr.new/cloudflare/workers-sdk/miniflare@14311

@cloudflare/pages-shared

npm i https://pkg.pr.new/cloudflare/workers-sdk/@cloudflare/pages-shared@14311

@cloudflare/unenv-preset

npm i https://pkg.pr.new/cloudflare/workers-sdk/@cloudflare/unenv-preset@14311

@cloudflare/vite-plugin

npm i https://pkg.pr.new/cloudflare/workers-sdk/@cloudflare/vite-plugin@14311

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/cloudflare/workers-sdk/@cloudflare/vitest-pool-workers@14311

@cloudflare/workers-auth

npm i https://pkg.pr.new/cloudflare/workers-sdk/@cloudflare/workers-auth@14311

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/cloudflare/workers-sdk/@cloudflare/workers-editor-shared@14311

@cloudflare/workers-utils

npm i https://pkg.pr.new/cloudflare/workers-sdk/@cloudflare/workers-utils@14311

wrangler

npm i https://pkg.pr.new/cloudflare/workers-sdk/wrangler@14311

commit: f5bfd51

@nikitassharma

Copy link
Copy Markdown
Member

Can we also accept a filename for the service key? We shouldn't require a user to paste the JSON object if they've already downloaded the file from GCP

@sherryliu-lsy

Copy link
Copy Markdown
Contributor Author

Can we also accept a filename for the service key? We shouldn't require a user to paste the JSON object if they've already downloaded the file from GCP

Yes great point let me add that!

devin-ai-integration[bot]

This comment was marked as resolved.

@sherryliu-lsy sherryliu-lsy force-pushed the sherryliu/cc-7948-update-wrangler-cli-to-support-gar branch from 5351a0d to a5afd87 Compare June 16, 2026 21:35

@nikitassharma nikitassharma left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The more I think about it, the more I think we should disallow the base64 or raw json secrets in the cli flag. That should only accept a filename. We can accept base64 or raw json through stdin, but in general we shouldn't encourage pasting a secret value into the terminal where it would remain visible in shell history.

Comment thread packages/containers-shared/src/images.ts Outdated
Comment thread packages/wrangler/src/containers/registries.ts Outdated
@sherryliu-lsy sherryliu-lsy marked this pull request as draft June 17, 2026 20:58
@sherryliu-lsy sherryliu-lsy force-pushed the sherryliu/cc-7948-update-wrangler-cli-to-support-gar branch from c718e6e to efb175e Compare June 17, 2026 21:58
Comment thread packages/wrangler/src/__tests__/containers/registries.test.ts Outdated
@sherryliu-lsy sherryliu-lsy force-pushed the sherryliu/cc-7948-update-wrangler-cli-to-support-gar branch from efb175e to 4fd4b6f Compare June 18, 2026 22:51
@sherryliu-lsy sherryliu-lsy marked this pull request as ready for review June 19, 2026 19:52

@jamesopstad jamesopstad left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a type error that needs fixing (https://github.com/cloudflare/workers-sdk/actions/runs/27794175973/job/82765039744?pr=14311) but otherwise looks good.

@workers-devprod

Copy link
Copy Markdown
Contributor

Codeowners approval required for this PR:

  • ✅ @cloudflare/cloudchamber
  • ✅ @cloudflare/wrangler
Show detailed file reviewers

@workers-devprod workers-devprod left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codeowners reviews satisfied

@github-project-automation github-project-automation Bot moved this from Untriaged to Approved in workers-sdk Jun 22, 2026
@sherryliu-lsy sherryliu-lsy force-pushed the sherryliu/cc-7948-update-wrangler-cli-to-support-gar branch 2 times, most recently from 5197201 to f5bfd51 Compare June 22, 2026 19:59
… registries configure

Recognizes *-docker.pkg.dev (Google Artifact Registry) domains in the external
registry configuration flow. The Google service account email is the public
credential, supplied via --gar-email and validated against the client_email in
the key. The service account JSON key is the private credential, provided via
stdin (file path, raw JSON, or base64) or an interactive prompt (file path or
base64). The key is validated and stored base64-encoded.

Reuse inherits the existence-first flow: when the target Secrets Store secret
already exists it is reused by reference and the key is not required; the email
is validated against the key at pull time.
@sherryliu-lsy sherryliu-lsy force-pushed the sherryliu/cc-7948-update-wrangler-cli-to-support-gar branch from f5bfd51 to 31d1624 Compare June 23, 2026 17:22
@nikitassharma nikitassharma merged commit 34e0cef into cloudflare:main Jun 23, 2026
62 of 63 checks passed
@github-project-automation github-project-automation Bot moved this from Approved to Done in workers-sdk Jun 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

5 participants