ROUTES_CONFIG→ GitHub Variable → injected into wrangler.toml during deploy- Secrets (PROXY_AUTH_TOKEN, API keys) → Cloudflare Dashboard (manually, persist across deploys)
Key point: Cloudflare Secrets are NEVER deleted by wrangler deploy. Set them once in Dashboard, they stay forever.
-
Go to Cloudflare Dashboard → Workers & Pages → ai-worker-proxy → Settings → Variables
-
Click "Add variable" → Select "Encrypt" (this makes it a Secret)
-
Add these secrets:
PROXY_AUTH_TOKEN=your-secret-tokenANTHROPIC_KEY_1=sk-ant-xxxxxGOOGLE_KEY_1=AIzaxxxxxOPENAI_KEY_1=sk-xxxxxNVIDIA_KEY_1=nvapi-xxxxxGROQ_KEY_1=gsk_xxxxx- etc.
-
Click "Save and Deploy"
IMPORTANT: These secrets will NEVER be deleted or overwritten by GitHub Actions deployments. Set them once and forget.
-
Go to your repo → Settings → Secrets and variables → Actions → Variables tab
-
Click "New repository variable"
-
Name:
ROUTES_CONFIG -
Value (JSON, can be formatted):
{
"deep-think": [
{
"provider": "anthropic",
"model": "claude-opus-4-20250514",
"apiKeys": ["ANTHROPIC_KEY_1", "ANTHROPIC_KEY_2"]
}
],
"fast": [
{
"provider": "google",
"model": "gemini-2.0-flash-exp",
"apiKeys": ["GOOGLE_KEY_1"]
}
],
"nvidia": [
{
"provider": "openai-compatible",
"baseUrl": "https://integrate.api.nvidia.com/v1",
"model": "nvidia/llama-3.1-nemotron-70b-instruct",
"apiKeys": ["NVIDIA_KEY_1"]
}
]
}-
Go to Secrets tab (next to Variables)
-
Add these:
CLOUDFLARE_API_TOKEN- Your Cloudflare API tokenCLOUDFLARE_ACCOUNT_ID- Your Cloudflare account ID
git push origin mainGitHub Actions will:
- Replace
ROUTES_CONFIGin wrangler.toml with your GitHub Variable - Deploy to Cloudflare
- Your Dashboard secrets remain untouched
- Edit the variable in GitHub: Settings → Secrets and variables → Actions → Variables → ROUTES_CONFIG
- Push any commit to main (or manually re-run workflow)
- Done! New routes deployed.
- Go to Cloudflare Dashboard → Workers & Pages → ai-worker-proxy → Settings → Variables
- Edit the encrypted variable
- Click "Save and Deploy"
- Done! (No need to push anything)
Create .dev.vars file (DO NOT commit):
# .dev.vars
PROXY_AUTH_TOKEN=local-dev-token
ANTHROPIC_KEY_1=sk-ant-xxxxx
GOOGLE_KEY_1=AIzaxxxxx
ROUTES_CONFIG={"test":[{"provider":"anthropic","model":"claude-opus-4","apiKeys":["ANTHROPIC_KEY_1"]}]}Run locally:
npm run devWrangler will automatically load variables from .dev.vars.
Solution:
- Make sure you added
ROUTES_CONFIGas a Variable (not Secret) - Go to Settings → Secrets and variables → Actions → Variables tab
- Variables and Secrets are in different tabs!
Solution:
- Check secrets are set in Cloudflare Dashboard (not GitHub)
- Go to Cloudflare Dashboard → Workers & Pages → ai-worker-proxy → Settings → Variables
- Make sure secrets are marked as "Encrypted"
- Click "Save and Deploy" after adding/editing
Solution:
- Check GitHub Actions logs - did the workflow run?
- Check if GitHub Variable
ROUTES_CONFIGis set correctly - Make sure the JSON is valid (use a JSON validator)
- Check the workflow replaced the [vars] section (look at logs)
Solution:
- Add the API key to Cloudflare Dashboard as encrypted variable (e.g.,
DEEPSEEK_KEY_1) - Update GitHub Variable
ROUTES_CONFIGto include the new route - Push to trigger deployment
- All secrets added to Cloudflare Dashboard (encrypted variables)
-
ROUTES_CONFIGadded as GitHub Variable -
CLOUDFLARE_API_TOKENadded as GitHub Secret -
CLOUDFLARE_ACCOUNT_IDadded as GitHub Secret -
.dev.varscreated for local development (not committed) - Pushed to main and verified deployment succeeded
The Problem:
- Wrangler ALWAYS overwrites vars defined in wrangler.toml [vars] section
- But Cloudflare Secrets are NEVER deleted by wrangler deploy
The Solution:
ROUTES_CONFIGgoes in [vars] → GitHub Actions replaces it before deploy- Sensitive data (tokens, API keys) goes in Cloudflare Secrets → never touched
Result:
- Public repo stays clean (example config only)
- ROUTES_CONFIG easily updated via GitHub Variable
- Secrets stay secure in Cloudflare Dashboard
- No accidental overwrites