---
title: "🔐 The One Where Your Credentials Stop Living in .env"
date: 2026-04-13
author: Andrea Griffiths
language: en
issue: 22
excerpt: "Tax season reminds us that 'future me will handle this' is always a lie. This week GitHub shipped two things that reduce the amount of stuff you have to manually manage."
---

# 🔐 The One Where Your Credentials Stop Living in .env

Hiya friends,

Tax season. My least favorite time of year. The part where you realize that "future me will handle this" was a lie you told yourself every month for twelve months.

This week GitHub shipped two things that reduce the amount of stuff you have to manually manage. Let's get into it.

## 🚢 What Shipped

### Copilot Autofix Gets Batch Mode

If you've had a PR flagged with five code scanning alerts and had to fix them one at a time, each one kicking off a full scan, this is for you.

Code scanning alerts on PRs now show fix suggestions generated by Copilot Autofix. Previously you could apply these one by one, but each application created a separate commit and triggered a new scan. Now you can add multiple suggestions to a batch from the Files Changed tab and commit them all at once. One commit, one scan.

On repos with heavier CI, that's a real time difference. If your pipeline takes 10 minutes per scan and you had four alerts, you just went from 40 minutes of scan time to 10.

Copilot Autofix is available on public repos without a Copilot subscription. For private and internal repos, you need GitHub Advanced Security.

### npm Trusted Publishing Supports CircleCI

npm trusted publishing lets you publish packages without storing a long-lived npm token anywhere. Your CI provider issues a short-lived OIDC token to the job, `npm publish` presents it to the registry, and npm checks at publish time that the token's issuer and claims match the pipeline you registered for that package. The token expires within minutes and is bound to one project, so there is nothing to rotate and no credential sitting in an environment variable for a leaked build log or a compromised dependency to scoop up. You need a recent npm CLI for this; the docs list the minimum version.
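To make the "npm validates the token at publish time" step concrete, here is an added example (not npm's or CircleCI's code) of the registry-side check: signature, issuer, audience, expiry, and finally the binding to the one project registered as a trusted publisher. The real flow uses RS256 tokens verified against the provider's published JWKS; this self-contained version signs with HMAC-SHA256 so it runs offline. The issuer URL, the project claim name and the audience value are illustrative assumptions, not CircleCI's or npm's actual values.

```python
"""Added illustration of trusted-publisher token validation (not npm's code).
Real OIDC tokens are RS256 and verified against the provider's JWKS; HMAC is
used here only so the example is self-contained."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key standing in for the identity provider's signing key.
DEMO_KEY = b"demo-signing-key-not-a-real-secret"

# What a maintainer registers on the package: which pipeline may publish.
# Issuer format and claim name are assumptions for the example.
TRUSTED_PUBLISHER = {
    "issuer": "https://oidc.circleci.com/org/demo-org",
    "project_claim": "oidc.circleci.com/project-id",
    "project_id": "proj-1234",
}
REGISTRY_AUDIENCE = "npm:registry"  # assumed audience value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the CI provider issuing a short-lived OIDC token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_publish_token(token: str, now=None, key: bytes = DEMO_KEY):
    """Registry-side check. Returns (accepted, reason). Every rejection is a
    reason a stolen or mis-scoped token cannot be used to publish."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != TRUSTED_PUBLISHER["issuer"]:
        return False, "issuer not trusted"
    if claims.get("aud") != REGISTRY_AUDIENCE:
        return False, "token not issued for this registry"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get(TRUSTED_PUBLISHER["project_claim"]) != TRUSTED_PUBLISHER["project_id"]:
        return False, "token issued for a different project"
    return True, "ok"


def demo_tokens(now: float = 1_700_000_000.0) -> dict:
    """Constructed tokens: one legitimate, three that must be rejected."""
    base = {"iss": TRUSTED_PUBLISHER["issuer"], "aud": REGISTRY_AUDIENCE,
            "iat": now, "exp": now + 300,
            TRUSTED_PUBLISHER["project_claim"]: "proj-1234"}
    return {
        "good": mint_token(base),
        "wrong_project": mint_token({**base, TRUSTED_PUBLISHER["project_claim"]: "proj-9999"}),
        "expired": mint_token({**base, "exp": now - 1}),
        "forged": mint_token(base, key=b"attacker-key"),
    }


if __name__ == "__main__":
    for name, tok in demo_tokens().items():
        print(name, validate_publish_token(tok, now=1_700_000_000.0))
```

The point the example makes: a static `NPM_TOKEN` is accepted from anywhere until someone revokes it, while the OIDC token is rejected unless it was signed by the expected provider, for this registry, within its short lifetime, for the exact project you registered.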

It already worked with GitHub Actions and GitLab CI. Now it works with CircleCI too.

If you're publishing npm packages from CircleCI today, you can drop the stored `NPM_TOKEN` entirely. Setup is in your npm account settings or via `npm trust circleci` in the CLI. The [trusted publishing docs](https://docs.npmjs.com/trusted-publishers) have the full setup. Once an OIDC publish has succeeded, don't just remove the old token from your CI variables: revoke it on npm too, so a copy that leaked earlier is no longer usable.

Stored credentials are one of the most common sources of supply chain incidents. Even if you're not on CircleCI, this is worth knowing: trusted publishing is the pattern npm is building toward. If you haven't set it up yet, now's a good time.

## 🎧 What I'm Listening To

**Radical Candor by Kim Scott**

My husband picked up the audiobook and I've been listening along as a refresher. I read it years ago but it hits differently now. Kim Scott grew up in the South where the culture was to never say no, to keep critical thoughts to yourself. Sound familiar? 

I've always led with gratitude — "I'm just happy to be here" is genuinely how I feel. But I'm learning that in a competitive industry, being grateful and advocating for yourself aren't mutually exclusive. It's something I'm still figuring out. How to lean into uncomfortable conversations. How to give myself credit out loud, not just in private.

Worth your time if: you manage people, or you've spent too long being grateful for a seat at a table you truly deserve to sit at.

## 🔧 What I'm Using

**[Keeper Tax](https://www.keepertax.com/invite?referrer=Andrea1445425)** — I'm using it again this year to manage my independent contracting expenses. It connects to your accounts, imports your expenses automatically, and surfaces deductions you'd probably miss. Second year using it. If you do any freelance or contract work, worth checking out. Not sponsored, just a tool I use and the link gives you 25% off.

## ✨ This Week

[Andy Warfield's S3 Files writeup](https://www.allthingsdistributed.com/2026/04/s3-files-and-the-changing-face-of-s3.html) is one of the better engineering writeups I've seen in a while. Go read it. But [Hunter Leath's tweet](https://x.com/jhleath/status/1909683757642359184) about it is reflection-worthy. He wrote this exact PRFAQ in 2023, left when the org wouldn't move, and watched his former colleagues ship it three years later. He's happy for them and sounds like a solid guy. It has me asking: how many great ideas walk out the door because the person behind them got tired of fighting for them?

That's it: clean up your credentials, batch your fixes, and think about who you're keeping.

With gratitude, I'll see you next week,  
Andrea

P.S. I've been using [Mintlify](https://mintlify.com) to generate docs for my [agent context system](https://mainbranch.mintlify.app/) and honestly — color me impressed. Free, one click, comprehensive output, actually readable. Worth checking out if docs are a pain point for you.