Setting secrets in env vars

Use 1Password CLI with direnv on macOS to load secrets into ephemeral environment variables and avoid long lived tokens, prefer PyPI Trusted Publishing.