Challenge 3: Choose Which Values Need secrets.* — Possible Solution ==================================================================== (a) NODE_ENV: production -> Can be hardcoded directly in the workflow This chapter draws exactly this distinction: "a non-sensitive value like NODE_ENV can be hardcoded directly in the workflow." Knowing that a job runs in "production mode" reveals nothing an attacker could use to access anything — it's a configuration flag, not a credential. There's no confidentiality to protect here at all. (b) A Stripe secret key -> MUST go through secrets.* A Stripe secret key is a genuine credential — anyone who obtains it can make real, authenticated API calls against a live payment account, potentially processing real charges or accessing sensitive payment data. This is precisely the category of value this chapter describes as needing to "always go through secrets.*" — exposing it (in the repo, in logs, anywhere) constitutes a real security incident, not just an inconvenience. (c) A public API base URL like https://api.example.com -> Can be hardcoded directly in the workflow A base URL for a PUBLIC API endpoint reveals no secret information — it's typically documented openly by whatever service provides the API, and anyone could find it through public documentation or simply by observing normal network traffic to that service. Knowing the URL alone grants no special access; it's the credential used WITH that URL (like the Stripe key in (b)) that would actually need protection, not the URL itself. WHY THIS WORKS AS AN ANALYSIS -------------------------------- The deciding test in every case is the same: "if this value were fully public — visible to anyone, anywhere — would that actually let someone do something harmful or gain unauthorized access?" (a) and (c) both fail that test in the sense that nothing harmful follows from exposure — they're not actually secrets, just ordinary configuration values. (b) passes the test decisively — exposure genuinely enables real financial or data access. This distinction (harmful if exposed vs merely informational) is exactly what separates something requiring secrets.* from something that's perfectly fine hardcoded in a workflow.