Skip to main content
skillsSource-backed

Wrangler Deployment Operations Capability Pack Skill

Expert Wrangler CLI deployment skill for release planning, config review, environment checks, version traffic splits, trigger application, and rollback.

Level:expertType:capability-packVerified:validated
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://github.com/cloudflare/workers-sdk/tree/main/packages/wrangler, https://github.com/cloudflare/workers-sdk
Safety notes
Wrangler deployment and rollback commands mutate live Worker traffic; verify account, Worker name, route, and environment before running them., The archive URL points to Cloudflare's external Workers SDK tag archive; pin versions and review release provenance before using it in CI., Use least-privilege API tokens and secret stores; never commit `.dev.vars`, `.env`, tokens, account credentials, or CI secret values., Version rollback can restore Worker code/config traffic but does not restore bound KV, R2, D1, Durable Object, queue, or downstream service state., Trigger and route updates can change public reachability; treat them as separate release steps with explicit verification.
Privacy notes
Wrangler deploy uploads bundled Worker source, static assets, and configuration metadata to the target account., Release logs can include request URLs, headers, exception details, route names, account IDs, and zone IDs; redact before sharing publicly., CI deploys rely on API tokens and account IDs; avoid printing environment dumps, secret values, or full request payloads in logs., Worker routes, custom domains, and account metadata can reveal infrastructure topology; keep public notes minimal and intentional.
Platform compatibility
claude-code (native-skill), codex (native-skill), windsurf (native-skill), gemini (native-skill), cursor (adapter), cli (manual-context)
Author
oktofeesh1
Submitted by
oktofeesh1
Claim status
unclaimed
Last verified
2026-06-03

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

86

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Package install

Copy-ready — paste the snippet to get started.

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

5 prerequisites to line up before setup. Have accounts and credentials ready first.

0/5 ready
Account & credentials1Install & runtime2General2

Safety & privacy surface

Safety & privacy surface

5 safety and 4 privacy notes across 5 risk areas. Review closely: credentials & tokens, network access.

5 areas
  • SafetyExecution & processesWrangler deployment and rollback commands mutate live Worker traffic; verify account, Worker name, route, and environment before running them.
  • SafetyGeneralThe archive URL points to Cloudflare's external Workers SDK tag archive; pin versions and review release provenance before using it in CI.
  • SafetyCredentials & tokensUse least-privilege API tokens and secret stores; never commit `.dev.vars`, `.env`, tokens, account credentials, or CI secret values.
  • SafetyData retentionVersion rollback can restore Worker code/config traffic but does not restore bound KV, R2, D1, Durable Object, queue, or downstream service state.
  • SafetyGeneralTrigger and route updates can change public reachability; treat them as separate release steps with explicit verification.
  • PrivacyNetwork accessWrangler deploy uploads bundled Worker source, static assets, and configuration metadata to the target account.
  • PrivacyNetwork accessRelease logs can include request URLs, headers, exception details, route names, account IDs, and zone IDs; redact before sharing publicly.
  • PrivacyCredentials & tokensCI deploys rely on API tokens and account IDs; avoid printing environment dumps, secret values, or full request payloads in logs.
  • PrivacyData retentionWorker routes, custom domains, and account metadata can reveal infrastructure topology; keep public notes minimal and intentional.

Safety notes

  • Wrangler deployment and rollback commands mutate live Worker traffic; verify account, Worker name, route, and environment before running them.
  • The archive URL points to Cloudflare's external Workers SDK tag archive; pin versions and review release provenance before using it in CI.
  • Use least-privilege API tokens and secret stores; never commit `.dev.vars`, `.env`, tokens, account credentials, or CI secret values.
  • Version rollback can restore Worker code/config traffic but does not restore bound KV, R2, D1, Durable Object, queue, or downstream service state.
  • Trigger and route updates can change public reachability; treat them as separate release steps with explicit verification.

Privacy notes

  • Wrangler deploy uploads bundled Worker source, static assets, and configuration metadata to the target account.
  • Release logs can include request URLs, headers, exception details, route names, account IDs, and zone IDs; redact before sharing publicly.
  • CI deploys rely on API tokens and account IDs; avoid printing environment dumps, secret values, or full request payloads in logs.
  • Worker routes, custom domains, and account metadata can reveal infrastructure topology; keep public notes minimal and intentional.

Prerequisites

  • Wrangler-managed Worker project or release plan
  • Project-local Node.js toolchain that satisfies the pinned Wrangler package engines
  • Access to account ID, Worker name, environment name, route, and binding inventory
  • CI or local authentication plan for non-interactive deploys
  • Known smoke checks and rollback target for the release

Schema details

Install type
package
Reading time
9 min
Troubleshooting
Yes
Source repository stats
Scope
Source repo
Skill and platform metadata
Skill type
capability-pack
Skill level
expert
Verification
validated
Verified at
2026-06-03
Retrieval sources
https://github.com/cloudflare/workers-sdk/tree/main/packages/wranglerhttps://raw.githubusercontent.com/cloudflare/workers-sdk/main/packages/wrangler/README.mdhttps://raw.githubusercontent.com/cloudflare/workers-sdk/main/packages/wrangler/package.jsonhttps://registry.npmjs.org/wrangler/4.97.0https://api.github.com/repos/cloudflare/workers-sdk/git/ref/tags/wrangler%404.97.0https://api.github.com/repos/cloudflare/workers-sdk/git/tags/f212de33d52fc0e6614d09b43c3998a7d8bda9c8https://raw.githubusercontent.com/cloudflare/workers-sdk/0b6042466efdc845b374f82ab49f977399e6c237/packages/wrangler/src/deploy/deploy.tshttps://raw.githubusercontent.com/cloudflare/workers-sdk/0b6042466efdc845b374f82ab49f977399e6c237/packages/wrangler/src/versions/deploy.tshttps://raw.githubusercontent.com/cloudflare/workers-sdk/0b6042466efdc845b374f82ab49f977399e6c237/packages/wrangler/src/versions/rollback/index.tshttps://raw.githubusercontent.com/cloudflare/workers-sdk/0b6042466efdc845b374f82ab49f977399e6c237/packages/wrangler/src/triggers/deploy.ts
Tested platforms
ClaudeCodexWindsurfGeminiCursorGeneric AGENTS
PlatformSupportInstall path
claude-codeNative.claude/skills/<skill-name>/SKILL.md
codexNative.agents/skills/<skill-name>/SKILL.md
windsurfNative.windsurf/skills/<skill-name>/SKILL.md
geminiNative.gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md
cursorAdapter.cursor/rules/<skill-name>.mdc
cliManualAGENTS.md or tool-specific context file
Full copyable content
# Trigger
"Apply the Wrangler deployment operations capability pack to this release."

# Required output
1) Wrangler source/package version and command inventory
2) Account, Worker, environment, route, and binding review
3) Deploy/version/trigger command plan
4) Verification evidence and rollback path

About this resource

Knowledge Freshness

This capability pack is pinned to Wrangler package/source metadata verified on 2026-06-03. The package metadata checked was wrangler@4.97.0, tagged on 2026-06-02 at Workers SDK commit 0b6042466efdc845b374f82ab49f977399e6c237.

Retrieval Sources

Prefer the pinned Workers SDK package source, npm package metadata, and exact tag/commit evidence over model memory for command availability and release behavior.

Core Workflow

  1. Confirm the exact Wrangler package version, tag, package integrity, and Node engine requirement before planning the deploy.
  2. Inventory the release target: account ID, Worker name, environment, route/custom domain, worker.dev exposure, bindings, secrets, service bindings, assets, queues, and build command.
  3. Review Wrangler configuration as the deploy source of truth and call out dashboard/API drift that the deploy may overwrite.
  4. Separate local/auth discovery from mutation: run npx wrangler --version, npx wrangler whoami, project tests, build, and a dry-run or preview step when available.
  5. Choose the release path:
    • npx wrangler deploy for direct deploys that can shift traffic immediately.
    • npx wrangler versions deploy for selected version traffic splits.
    • npx wrangler triggers deploy when routes, domains, or time-based triggers need their own application step.
  6. Verify the release with command output, deployment status, smoke checks, logs, and application-specific success criteria.
  7. Prepare rollback before production mutation. Use explicit version IDs where possible and document resources that rollback will not restore.
  8. Produce a concise release record with commands run, account/Worker/environment, changed targets, verification evidence, and residual risks.

Capability Scope

  • Wrangler package/source verification
  • Project-local install and command inventory
  • Deploy command risk classification
  • Environment and configuration drift review
  • Version traffic split planning
  • Trigger and route application checks
  • Rollback planning and evidence capture
  • CI secret handling for non-interactive deploys

Compatibility

Native

  • Claude Code / Claude: use as a reusable Agent Skill for planning and executing Wrangler release operations.
  • Codex/OpenAI workflows: use as SKILL.md-style instructions for Worker deploy changes and release review.

Manual Adaptation

  • Windsurf and Gemini: adapt the trigger, workflow, and output contract into their skill or command format.
  • Cursor and Generic AGENTS files: convert the production rules and validation checklist into repository-level release rules.

Required Inputs

  • Wrangler package version and package manager
  • Worker name, account ID, and target environment
  • Configuration file path and relevant environment block
  • Route, custom domain, worker.dev, and trigger inventory
  • Binding inventory for storage, services, queues, vars, and secrets
  • CI secret names and deploy workflow trigger
  • Health check, smoke test, and rollback criteria

Production Rules

  • Do not run a deploy command until the account, Worker name, environment, and route target are explicit.
  • Treat direct deploys as immediate traffic changes unless the command is explicitly dry-run or targets isolated infrastructure.
  • Pin Wrangler in the project and CI; avoid unpinned npx wrangler in release workflows.
  • Use scoped API tokens and keep account IDs/tokens in CI secret storage.
  • Do not assume rollback restores external resource state; record storage and binding caveats before release.
  • Keep trigger, domain, and route changes visible in the release plan because they can change public reachability independently of Worker code.
  • Use version traffic splits when blast radius, compatibility date, assets, or runtime behavior make an all-at-once release too risky.

Output Contract

  1. Source evidence: Wrangler package version, tag/commit, npm integrity, and command source files reviewed.
  2. Release inventory: account, Worker, environment, route/domain, bindings, secrets, triggers, and CI path.
  3. Command plan: exact deploy/version/trigger/rollback commands with each placeholder named.
  4. Risk decision: direct deploy, traffic split, or no-go with explicit reason.
  5. Verification record: checks run, live smoke result, logs/status inspected, and caveats.
  6. Rollback record: version ID or fallback command plus non-versioned resources that need separate recovery.

CI/CD Notes

  • Store API tokens and account IDs as CI secrets; do not hardcode them in workflow YAML or Wrangler config.
  • Prefer a project-pinned Wrangler install before the deploy step so local and CI behavior match.
  • Protect production deploy jobs with branch rules, environment approvals, manual dispatch, or equivalent release controls.
  • Emit enough deployment output to prove which account, Worker, environment, and version were affected without exposing secrets.
  • Keep package provenance checks lightweight but concrete: package version, tag/commit, integrity metadata, and source repository.

Troubleshooting

Issue: The deploy targets the wrong Worker or environment

Fix: Stop before another mutation. Check wrangler whoami, config name, selected environment, route/custom domain, CI secrets, and package-manager script arguments.

Issue: Direct deploy would overwrite dashboard/API changes

Fix: Compare local config against remote state and decide whether to accept the overwrite, backport remote changes into config, or pause for owner review.

Issue: A version traffic split is stuck or ambiguous

Fix: List deployments, capture version IDs and percentages, then either progress the intended version or roll back to a known-good version ID.

Issue: Route or trigger changes did not apply

Fix: Treat trigger application as its own release step and verify route/domain/time-based trigger state after the command completes.

Issue: Rollback does not fix data behavior

Fix: Inspect storage, queues, migrations, Durable Objects, and downstream services separately. Worker version rollback does not restore those states.

Validation Checklist

  • Wrangler package version, npm metadata, tag, and commit verified.
  • Local build/test/dry-run or preview checks completed where supported.
  • Account, Worker, environment, route/domain, and trigger target confirmed.
  • Bindings, secrets, and external resources inventoried.
  • CI secrets and deploy workflow protections reviewed.
  • Direct deploy versus version traffic split decision documented.
  • Smoke checks and logs/status evidence collected.
  • Rollback target and non-versioned resource caveats documented.

Source citations

Add this badge to your README

Show that Wrangler Deployment Operations Capability Pack Skill is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/skills/wrangler-deployment-operations-capability-pack.svg)](https://heyclau.de/entry/skills/wrangler-deployment-operations-capability-pack)

How it compares

Wrangler Deployment Operations Capability Pack Skill side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

2 trust signals differ across this comparison (Source provenance, Submitter).

Next steps differ across entries — use the actions in the table below to copy install commands and source links per resource.

Field

Expert Wrangler CLI deployment skill for release planning, config review, environment checks, version traffic splits, trigger application, and rollback.

Open dossier

Source-backed agent for reviewing Cloudflare Workers deployments before production release, covering wrangler config, bindings, routes, secrets, compatibility flags, and rollback plans aligned to official Cloudflare docs.

Open dossier

Slash command that runs a pre-deploy readiness check for a Cloudflare Workers project before you ship.

Open dossier

Read-only Claude Code PostToolUse hook that checks edited Cloudflare Wrangler config files for required Worker fields, environment inheritance traps, secret-like vars, deprecated Workers Sites usage, and source-of-truth drift before Claude continues.

Open dossier
Next stepsDiffers
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceDiffersSubmission linkedSource submissionSubmission linkedSource submissionSource-backedSource-backed
SubmitterDiffersoktofeesh1kiannidevjony376oktofeesh1
Install riskReview firstReview firstReview firstReview first
Notes Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓
BrandCloudflare logoCloudflareCloudflare logoCloudflareCloudflare logoCloudflare
Categoryskillsagentscommandshooks
SourceSource-backedSource-backedSource-backedSource-backed
Authoroktofeesh1kiannidevjony376oktofeesh1
Added2026-06-032026-06-152026-06-042026-06-04
Platforms
Harness
Source repo
Safety notesWrangler deployment and rollback commands mutate live Worker traffic; verify account, Worker name, route, and environment before running them. The archive URL points to Cloudflare's external Workers SDK tag archive; pin versions and review release provenance before using it in CI. Use least-privilege API tokens and secret stores; never commit `.dev.vars`, `.env`, tokens, account credentials, or CI secret values. Version rollback can restore Worker code/config traffic but does not restore bound KV, R2, D1, Durable Object, queue, or downstream service state. Trigger and route updates can change public reachability; treat them as separate release steps with explicit verification.Workers deployments can change live traffic immediately; treat production deploy review as release-impacting work requiring explicit approval. Do not run production deploy commands from unreviewed forks or unverified CI workflows with Cloudflare API tokens. Bindings to production KV, R2, D1, or Queues can cause data loss or cross- environment contamination if environment names are wrong. Wrangler rollback and versions features reduce but do not eliminate blast radius; verify rollback steps before deploy.Runs Wrangler auth, secret-list, and deploy dry-run checks, but Wrangler deploy --dry-run still executes the project's local build/bundling pipeline and any configured build command or plugins. Run this command only in a trusted Workers repository after reviewing wrangler config, package scripts, and bundler plugins; do not use it to evaluate untrusted submissions. Never run a real deploy or publish, and validate any environment argument before passing it to Wrangler.This hook is static and read-only. It reads only non-symlinked Wrangler config files inside the current project and does not run `wrangler deploy`, `wrangler dev`, `wrangler whoami`, `wrangler secret list`, package scripts, build plugins, or network commands. The hook exits non-zero only for parse failures or missing required top-level Worker fields such as `name` and `compatibility_date`; warnings remain advisory so the user can review them. The TOML checks are heuristic and do not replace Wrangler's own parser or a trusted pre-deploy dry run. Use them as a fast edit-time guard, then run official Wrangler validation in a trusted repository. Do not expand this hook into a dry-run deploy hook unless the team has reviewed local build-script execution, inherited environment variables, and output-directory cleanup. Keep matchers scoped to config file edits. Running config checks after every tool call adds noise without improving Cloudflare safety.
Privacy notesWrangler deploy uploads bundled Worker source, static assets, and configuration metadata to the target account. Release logs can include request URLs, headers, exception details, route names, account IDs, and zone IDs; redact before sharing publicly. CI deploys rely on API tokens and account IDs; avoid printing environment dumps, secret values, or full request payloads in logs. Worker routes, custom domains, and account metadata can reveal infrastructure topology; keep public notes minimal and intentional.Wrangler configs, Worker logs, and binding metadata can expose account IDs, internal hostnames, customer routes, and secret names. Workers observability logs may contain request payloads, auth headers, and user identifiers; redact before sharing review notes externally. API tokens and OAuth client secrets must not appear in prompts, PR comments, or generated review output. Third-party observability exports remain subject to vendor retention policies separate from Cloudflare account settings.Wrangler output entering the model context can include your account id, worker name, environment name, and secret names (never secret values). The dry-run build reads source files and may execute project-controlled local code with inherited environment variables, including Cloudflare-related tokens; review the project before running on sensitive accounts. The command writes Wrangler dry-run output to disk and project build tooling may write additional local files.The hook reads `wrangler.toml`, `wrangler.json`, or `wrangler.jsonc` only inside the current project, with symlinks rejected and a 1 MiB size cap. Wrangler config files can contain worker names, route patterns, account identifiers, resource IDs, binding names, environment names, analytics settings, and non-secret vars. Hook output may include file paths, config key names, environment names, and secret-like variable names, so avoid pasting terminal logs into public issue comments without review. If a Wrangler config currently contains real secrets in `vars`, the hook can reveal the key names and the surrounding configuration context. Move sensitive values to Wrangler secrets before sharing output.
Prerequisites
  • Wrangler-managed Worker project or release plan
  • Project-local Node.js toolchain that satisfies the pinned Wrangler package engines
  • Access to account ID, Worker name, environment name, route, and binding inventory
  • CI or local authentication plan for non-interactive deploys
  • Worker source repository with wrangler config, routes, and environment definitions for staging and production.
  • Cloudflare account access to inspect bindings (KV, R2, D1, Queues, AI, etc.), routes, and deployment history.
  • CI or local Wrangler deploy command output from a staging dry run when available.
  • Maintainer approval path before production deploy or traffic shift.
— none listed
  • Claude Code project where hooks are allowed by user or project policy.
  • Cloudflare Workers or Pages project with `wrangler.toml`, `wrangler.json`, or `wrangler.jsonc` checked into the repository.
  • `jq` available locally to parse Claude Code hook input.
  • Node.js available locally for static JSON/JSONC/TOML heuristics.
Install
npm install --save-dev wrangler@4.97.0 && npx wrangler --version
/deploy-readiness
mkdir -p $HOME/.claude/hooks && touch $HOME/.claude/hooks/wrangler-config-guard.sh && chmod +x $HOME/.claude/hooks/wrangler-config-guard.sh
Config
{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Write|Edit|MultiEdit",
        "hooks": [
          {
            "type": "command",
            "command": "$HOME/.claude/hooks/wrangler-config-guard.sh"
          }
        ]
      }
    ]
  }
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.