I think putting secret key in config.toml is an insecure design, given that the project is public in most cases.

Can we move it to environment secrets for GitHub Actions?

https://github.com/[username]/[username].github.io/settings/environments

Hi harson2010,
Hugo is a static site generator. All the secret keys will finally be embedded into the webpages, which is accessible to the public.
So I think it may not be necessary to move them into environment secrets.

Currently all the secret keys that may appear in config.toml are for comment services. If there are any other usages not applied to the cases above, please reply to me.

Thanks for your feedback.