When we define public environment variable value of this variable is printed at the beginning of log, and everybody can easy get this value and I don’t have any posibility to know who read it.
It will be useful if we have posibility to hide public variable from log.
I know that public varible can be discovered if somebody create pull request with specific change. But from other side I know if somebody create pull request and I can figure out if new code do something strenge.
I can take on that hidden variable can be compromised, but some situation it will be better for me to have posibility to define hidden varible which I can use for pull request.
For example I will use sonar to decorate issues in new code.
As we know sonar require tokens to work.
I can create special account in sonar service which have only required grant to do analize. So if somebody steal token for this account it will not so danger.