[johnvschmitt]

ryannielson's solution is the best IMO, as it requires the environment variable to be set, & most importantly, shows a nice error to the developer should they miss it.

Even better, raise 'SECRET_TOKEN not set! Please refer to the doc in xyz'

So, the specific method for setting is in an "xyz" doc that your team keeps in a SEPARATE location from the code repo.

And, we really need a standard way to do this, or Github pulls / forks will have more friction or bad security when setting up forks.

Also, I really would rather put it in a file, not system env, as the env might be setup different on different systems, & you'd hate to have that env potentially shared in multi-user systems. Files are more reliably locked down.