CC-7948 Update wrangler CLI to support GAR#14311
Conversation
🦋 Changeset detectedLatest commit: 31d1624 The changes in this PR will be included in the next version bump. This PR includes changesets to release 4 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
Codeowners approval required for this PR:
Show detailed file reviewers
|
@cloudflare/autoconfig
create-cloudflare
@cloudflare/deploy-helpers
@cloudflare/kv-asset-handler
miniflare
@cloudflare/pages-shared
@cloudflare/unenv-preset
@cloudflare/vite-plugin
@cloudflare/vitest-pool-workers
@cloudflare/workers-auth
@cloudflare/workers-editor-shared
@cloudflare/workers-utils
wrangler
commit: |
|
Can we also accept a filename for the service key? We shouldn't require a user to paste the JSON object if they've already downloaded the file from GCP |
Yes great point let me add that! |
5351a0d to
a5afd87
Compare
nikitassharma
left a comment
There was a problem hiding this comment.
The more I think about it, the more I think we should disallow the base64 or raw json secrets in the cli flag. That should only accept a filename. We can accept base64 or raw json through stdin, but in general we shouldn't encourage pasting a secret value into the terminal where it would remain visible in shell history.
c718e6e to
efb175e
Compare
efb175e to
4fd4b6f
Compare
jamesopstad
left a comment
There was a problem hiding this comment.
There's a type error that needs fixing (https://github.com/cloudflare/workers-sdk/actions/runs/27794175973/job/82765039744?pr=14311) but otherwise looks good.
|
Codeowners approval required for this PR:
Show detailed file reviewers |
workers-devprod
left a comment
There was a problem hiding this comment.
Codeowners reviews satisfied
5197201 to
f5bfd51
Compare
… registries configure Recognizes *-docker.pkg.dev (Google Artifact Registry) domains in the external registry configuration flow. The Google service account email is the public credential, supplied via --gar-email and validated against the client_email in the key. The service account JSON key is the private credential, provided via stdin (file path, raw JSON, or base64) or an interactive prompt (file path or base64). The key is validated and stored base64-encoded. Reuse inherits the existence-first flow: when the target Secrets Store secret already exists it is reused by reference and the key is not required; the email is validated against the key at pull time.
f5bfd51 to
31d1624
Compare
CC-7948
Adds Google Artifact Registry (
*-docker.pkg.dev) towrangler containers registries configure, built on the existence-first secret reuse from #14362.--gar-email. It must match theclient_emailfield in the service account key.--gar-emailand stored base64-encoded for Cloudchamber.public_credential == client_emailwhen images are pulled.Follows CC-7866 Add Google Artifact Registry (GAR) support as an external registry provider.