I Scanned 10 Popular GitHub Actions Workflows for Undocumented Environment Variables. Here's What I Found.

via Dev.tockmtools

Every repo has GitHub Actions workflows. They're full of environment variables nobody documents. I spent an afternoon scanning 10 popular open-source JavaScript projects to find out how bad the problem really is.

What I Was Looking For

I was hunting for variables referenced in workflow YAML — ${{ secrets.VAR }}, env: blocks, hardcoded values — that appear nowhere in the project's README, .env.example, or CONTRIBUTING.md. The silent assumptions that break your fork on day one. The things maintainers know instinctively but never wrote down.

Methodology

I chose 10 projects that most JavaScript developers have at minimum heard of: Electron, NestJS, Next.js, Remix, Prisma, Supabase, Strapi, Fastify, TypeORM, and Vitest. For each, I fetched their workflow YAML files via the GitHub API and looked for env: blocks, ${{ secrets.* }} references, and any hardcoded values that looked like c
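The check described above, as an added example that is not the author's own scanner: it pulls ${{ secrets.* }} references and env: keys out of a workflow and reports those that none of the documentation files mention by name. The workflow and doc snippets are constructed here and do not come from any of the scanned projects.

```python
import re
from typing import Dict, Set

# Constructed sample workflow (not taken from any real project).
WORKFLOW = """\
env:
  NODE_OPTIONS: --max-old-space-size=4096
jobs:
  test:
    runs-on: ubuntu-latest
    env:
      CI: true
      DATABASE_URL: ${{ secrets.DATABASE_URL }}
    steps:
      - run: npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: npx codecov
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
"""

# Constructed docs as a fork author would find them in the repo.
DOCS = {
    "README.md": "Set DATABASE_URL before running the tests.\n",
    ".env.example": "DATABASE_URL=postgres://localhost/app\nCODECOV_TOKEN=\n",
}

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
ENV_KEY = re.compile(r"^(\s*)([A-Za-z_][A-Za-z0-9_]*):")
ENV_LINE = re.compile(r"^\s*env:\s*$")

def workflow_variables(yaml_text: str) -> Set[str]:
    """Names from ${{ secrets.X }} references plus keys under any env: block."""
    names = set(SECRET_REF.findall(yaml_text))
    env_indent = None  # indentation of the env: line whose keys we are reading
    for line in yaml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if env_indent is not None and indent > env_indent:
            m = ENV_KEY.match(line)  # a key nested inside the env: block
            if m:
                names.add(m.group(2))
            continue
        env_indent = indent if ENV_LINE.match(line) else None
    return names

def undocumented(yaml_text: str, docs: Dict[str, str]) -> Set[str]:
    """Workflow variables that no documentation file mentions as a whole word."""
    corpus = "\n".join(docs.values())
    return {n for n in workflow_variables(yaml_text)
            if not re.search(rf"\b{re.escape(n)}\b", corpus)}
```

Run against a real repo, the same functions take the YAML fetched from .github/workflows and the contents of README.md, .env.example and CONTRIBUTING.md; a name-only match is deliberately lenient, so anything it flags is undocumented for certain.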

Continue reading on Dev.to
