[pull] main from cloudflare:main

.changeset/breezy-groups-warn.md

@@ -0,0 +1,21 @@
+---
+"@cloudflare/containers-shared": patch
+"wrangler": minor
+---
+
+Users are now able to configure DockerHub credentials and have containers reference images stored there.
+
+DockerHub can be configured as follows:
+
+```sh
+echo $PAT_TOKEN | npx wrangler@latest containers registries configure docker.io --dockerhub-username=user --secret-name=DockerHub_PAT_Token
+```
+
+Containers can then specify an image from DockerHub in their `wrangler.jsonc` as follows:
+
+```jsonc
+"containers": {
+  "image": "docker.io/namespace/image:tag",
+  ...
+}
+```

.changeset/dry-shoes-cheat.md

@@ -0,0 +1,7 @@
+---
+"wrangler": patch
+---
+
+Fix SolidStart autoconfig for projects using version 2.0.0-alpha or later
+
+SolidStart v2.0.0-alpha introduced a breaking change where configuration moved from `app.config.(js|ts)` to `vite.config.(js|ts)`. Wrangler's autoconfig now detects the installed SolidStart version and based on it updates the appropriate configuration file

.changeset/empty-radios-happen.md

@@ -1,12 +1,10 @@
 ---
 "@cloudflare/vite-plugin": minor
 "@cloudflare/containers-shared": minor
-"@cloudflare/workers-utils": minor
 "miniflare": minor
 "wrangler": minor
 ---
 
 Add experimental support for containers to workers communication with interceptOutboundHttp
 
-This feature is experimental and requires adding the "experimental"
-compatibility flag to your Wrangler configuration.
+This feature is experimental and requires adding the "experimental" compatibility flag to your Wrangler configuration.

.changeset/quiet-queens-build.md

@@ -1,5 +1,21 @@
 ---
+"@cloudflare/vite-plugin": minor
 "wrangler": minor
 ---
 
-Add dev support for experimental `secrets` property.
+Add local dev validation for the experimental `secrets` configuration property
+
+When the new `secrets` property is defined, `wrangler dev` and `vite dev` now validate secrets declared in `secrets.required`. When required secrets are missing from `.dev.vars` or `.env`/`process.env`, a warning is logged listing the missing secret names.
+
+When `secrets` is defined, only the keys listed in `secrets.required` are loaded. Additional keys in `.dev.vars` or `.env` are excluded. If you are not using `.dev.vars`, keys listed in `secrets.required` are loaded from `process.env` as well as `.env`. The `CLOUDFLARE_INCLUDE_PROCESS_ENV` environment variable is therefore not needed when using this feature.
+
+When `secrets` is not defined, the existing behavior is unchanged.
+
+```jsonc
+// wrangler.jsonc
+{
+	"secrets": {
+		"required": ["API_KEY", "DB_PASSWORD"],
+	},
+}
+```

.changeset/sharp-sheep-buy.md

@@ -2,6 +2,21 @@
 "wrangler": minor
 ---
 
-Add type generation support for experimental `secrets` property.
+Add type generation for the experimental `secrets` configuration property
 
-This has precedence over deriving secret types from .env and .dev.vars files.
+When the new `secrets` property is defined, `wrangler types` now generates typed bindings from the names listed in `secrets.required`.
+
+When `secrets` is defined at any config level, type generation uses it exclusively and no longer infers secret names from `.dev.vars` or `.env` files. This enables running type generation in environments where these files are not present.
+
+Per-environment secrets are supported. Each named environment produces its own interface, and the aggregated `Env` marks secrets that only appear in some environments as optional.
+
+When `secrets` is not defined, the existing behavior is unchanged.
+
+```jsonc
+// wrangler.jsonc
+{
+	"secrets": {
+		"required": ["API_KEY", "DB_PASSWORD"],
+	},
+}
+```

packages/containers-shared/src/client/index.ts

@@ -97,6 +97,7 @@ export type { EnvironmentVariableValue } from "./models/EnvironmentVariableValue
 export { EventName } from "./models/EventName";
 export { EventType } from "./models/EventType";
 export type { ExecFormParam } from "./models/ExecFormParam";
+export { ExternalRegistryKind } from "./models/ExternalRegistryKind";
 export type { GenericErrorDetails } from "./models/GenericErrorDetails";
 export type { GenericErrorResponseWithRequestID } from "./models/GenericErrorResponseWithRequestID";
 export type { GenericMessageResponse } from "./models/GenericMessageResponse";
@@ -105,6 +106,7 @@ export type { GetPlacementError } from "./models/GetPlacementError";
 export { HTTPMethod } from "./models/HTTPMethod";
 export type { Identity } from "./models/Identity";
 export type { Image } from "./models/Image";
+export type { ImageRegistryAuth } from "./models/ImageRegistryAuth";
 export { ImageRegistryAlreadyExistsError } from "./models/ImageRegistryAlreadyExistsError";
 export type { ImageRegistryCredentialsConfiguration } from "./models/ImageRegistryCredentialsConfiguration";
 export { ImageRegistryIsPublic } from "./models/ImageRegistryIsPublic";
@@ -190,6 +192,7 @@ export type { SecretMetadata } from "./models/SecretMetadata";
 export type { SecretName } from "./models/SecretName";
 export { SecretNameAlreadyExists } from "./models/SecretNameAlreadyExists";
 export { SecretNotFound } from "./models/SecretNotFound";
+export type { SecretsStoreRef } from "./models/SecretsStoreRef";
 export type { SSHPublicKey } from "./models/SSHPublicKey";
 export type { SSHPublicKeyID } from "./models/SSHPublicKeyID";
 export type { SSHPublicKeyItem } from "./models/SSHPublicKeyItem";

packages/containers-shared/src/client/models/CustomerImageRegistry.ts

@@ -2,8 +2,11 @@
 /* tslint:disable */
 /* eslint-disable */
 
+import type { DefaultImageRegistryKind } from "./DefaultImageRegistryKind";
 import type { Domain } from "./Domain";
+import type { ExternalRegistryKind } from "./ExternalRegistryKind";
 import type { ISO8601Timestamp } from "./ISO8601Timestamp";
+import type { SecretsStoreRef } from "./SecretsStoreRef";
 
 /**
  * An image registry added in a customer account
@@ -13,6 +16,11 @@ export type CustomerImageRegistry = {
 	 * A base64 representation of the public key that you can set to configure the registry. If null, the registry is public and doesn't have authentication setup with Cloudchamber
 	 */
 	public_key?: string;
+	private_credential?: SecretsStoreRef;
 	domain: Domain;
+	/**
+	 * The type of registry that is being configured.
+	 */
+	kind?: ExternalRegistryKind | DefaultImageRegistryKind;
 	created_at: ISO8601Timestamp;
 };

packages/containers-shared/src/client/models/DefaultImageRegistryKind.ts

@@ -0,0 +1,7 @@
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+
+export enum DefaultImageRegistryKind {
+	DEFAULT = "default",
+}

packages/containers-shared/src/client/models/ExternalRegistryKind.ts

@@ -7,4 +7,5 @@
  */
 export enum ExternalRegistryKind {
 	ECR = "ECR",
+	DOCKER_HUB = "DockerHub",
 }

packages/containers-shared/src/client/models/ImageRegistryNotAllowedError.ts

@@ -3,11 +3,11 @@
 /* eslint-disable */
 
 /**
- * The registry is not allowed to be added
+ * The registry is not allowed to be modified
  */
 export type ImageRegistryNotAllowedError = {
 	/**
-	 * The domain of the registry is not allowed to be added
+	 * The domain of the registry is not allowed to be modified
 	 */
 	error: ImageRegistryNotAllowedError.error;
 	/**
@@ -18,7 +18,7 @@ export type ImageRegistryNotAllowedError = {
 
 export namespace ImageRegistryNotAllowedError {
 	/**
-	 * The domain of the registry is not allowed to be added
+	 * The domain of the registry is not allowed to be modified
 	 */
 	export enum error {
 		IMAGE_REGISTRY_NOT_ALLOWED = "IMAGE_REGISTRY_NOT_ALLOWED",

packages/containers-shared/src/images.ts

@@ -259,6 +259,12 @@ export const getAndValidateRegistryType = (domain: string): RegistryPattern => {
 			name: "AWS ECR",
 			secretType: "AWS Secret Access Key",
 		},
+		{
+			type: ExternalRegistryKind.DOCKER_HUB,
+			pattern: /^docker\.io$/,
+			name: "DockerHub",
+			secretType: "DockerHub PAT Token",
+		},
 		{
 			type: "cloudflare",
 			// Make a regex based on the env var CLOUDFLARE_CONTAINER_REGISTRY

packages/create-cloudflare/e2e/tests/frameworks/test-config.ts

@@ -813,8 +813,6 @@ function getExperimentalFrameworkTestConfig(
 		},
 		{
 			name: "solid",
-			// quarantined: SolidStart moved from app.config to vite.config with Nitro plugin
-			quarantine: true,
 			promptHandlers: [
 				{
 					matcher: /Which template would you like to use/,

packages/workers-utils/src/config/environment.ts

@@ -709,20 +709,18 @@ export interface EnvironmentNonInheritable {
 	vars: Record<string, string | Json>;
 
 	/**
-	 * Secrets configuration.
+	 * Secrets configuration (experimental).
 	 *
 	 * NOTE: This field is not automatically inherited from the top level environment,
 	 * and so must be specified in every named environment.
 	 *
-	 * @default undefined
 	 * @nonInheritable
 	 */
 	secrets?: {
 		/**
 		 * List of secret names that are required by your Worker.
 		 * When defined, this property:
-		 * - Replaces .dev.vars/.env inference for type generation
-		 * - Enables deploy-time validation to ensure secrets are configured
+		 * - Replaces .dev.vars/.env/process.env inference for type generation
 		 * - Enables local dev validation with warnings for missing secrets
 		 */
 		required?: string[];

packages/wrangler/src/__tests__/containers/config.test.ts

@@ -708,7 +708,7 @@ describe("getNormalizedContainerOptions", () => {
 				containers: [
 					{
 						class_name: "TestContainer",
-						image: "docker.io/test:latest",
+						image: "unsupported.domain/test:latest",
 						instance_type: "standard",
 						name: "test-container",
 						max_instances: 3,
@@ -727,7 +727,7 @@ describe("getNormalizedContainerOptions", () => {
 			const result = await getNormalizedContainerOptions(config, {});
 			expect(result).toHaveLength(1);
 			expect(result[0]).toMatchObject({
-				image_uri: "docker.io/test:latest",
+				image_uri: "unsupported.domain/test:latest",
 			});
 		});
 		it("should not try and add an account id to non containers registry uris", async () => {