For example, if I follow the instruction on CircleCI for Google Cloud Container Engine. The env var will contain my service account credential that can do almost everything on my GCP project. If I echo this env var, the build output will print my secrets out. Even know I could turn on protection such as only pull request could build. This still leave me with the danger that if I didn’t catch the echo statement making into my circle.yml, I could have an insider that could get my secrets. Is there anyway to have a secret env var or workarounds? Thanks.