Struggling with the same, and sorry to say the solution above doesn't work. I had a beautiful script in my package.json set up to sync the secrets to Cloudflare to allow for auto deployments.
"sync-secrets": "bunx wrangler secret bulk .env.production"
But that's just not how this works. I suspect those variables are accessible via $env/dynamic/private, which is shitty bc they aren't available at build-time and the server has to fetch them every time you use them (which is probably optimized in workers but a shitty condition anywhere else).
Idk what happens if you keep your vars in a .dev.vars file, if they get pushed to both sections, because adding one by one via the UI is not something I'm gonna do. The issue with .dev.vars is there doesn't seem to be any way to pick those up automatically with Vite (which is ridiculous) so you can't develop locally, or again, anywhere else.
So the solution seems to be?? maintaining .env files and having a pre-commit script copying them to .dev.vars??? Idk how we came to this. I love Cloudflare but wow, .dev.vars, really?
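
The copy step this comment describes, as an added example that is not part of the original post: it writes the `KEY=VALUE` lines of a dotenv file to `.dev.vars` only when that file is listed in `.gitignore`, and creates it owner-readable only. `sync_dev_vars` is a hypothetical helper name, and the script assumes plain `KEY=VALUE` lines (no `export` prefix, no multi-line values).

```shell
#!/bin/sh
# Added example: mirror a dotenv file into .dev.vars without risking a commit
# of the secrets. sync_dev_vars is a hypothetical helper, not a wrangler command.

sync_dev_vars() {
    src=$1      # source dotenv file, e.g. .env
    dst=$2      # target file, e.g. .dev.vars
    ignore=$3   # ignore file to check, e.g. .gitignore

    [ -f "$src" ] || { echo "missing $src" >&2; return 2; }

    # Refuse to write secrets to a file that git would track:
    # require an exact ignore entry for the target's file name.
    name=$(basename "$dst")
    if ! grep -qxF -e "$name" -e "/$name" "$ignore" 2>/dev/null; then
        echo "$name is not listed in $ignore; refusing to write secrets" >&2
        return 3
    fi

    # Create the temp file owner-only before any secret is written to it.
    old_umask=$(umask)
    umask 077
    # Keep only assignments; comments and blank lines are dropped.
    grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$src" > "$dst.tmp" || true
    umask "$old_umask"
    chmod 600 "$dst.tmp"

    # Rename into place so a reader never sees a half-written file.
    mv "$dst.tmp" "$dst"
}

# Stand-alone use: sh sync-dev-vars.sh .env .dev.vars .gitignore
if [ "$#" -eq 3 ]; then
    sync_dev_vars "$@"
fi
```

The ignore check is a literal line match, so a pattern such as `.dev.*` in `.gitignore` is treated as not covering the file.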