Implement OIDC/workload identity in EAS Workflows
Samy Djemaï
Workflow jobs often have to connect to other providers like AWS, Google Cloud, Azure, Tailscale, etc. to perform operations: download files, update a config... As of right now, the only way to do so is to create long-lived credentials (that can be stolen and exploited) and store them in the project's environment variables. The best practice for this would be to be able to generate a token from Expo which has appropriate subject and claims in workflow jobs, which can then be validated and trusted by other services.
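
The relying-party side of the request above, as an added example that is not part of the original post and not an existing Expo API: a service verifies a short-lived signed token and pins issuer, audience, expiry and subject before trusting the job. The issuer URL, audience, subject layout and all function names are assumptions made for illustration, and the key pair is generated locally in place of the issuer's published keys.

```javascript
const { generateKeyPairSync, createSign, createVerify } = require('node:crypto');

// Constructed stand-in for the issuer's signing key; a real relying party would
// fetch the issuer's public keys from its JWKS endpoint instead.
const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Hypothetical issuer side: mint a short-lived RS256 token for one workflow job.
function issueToken(claims, key = privateKey) {
  const signingInput = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}`;
  const sig = createSign('RSA-SHA256').update(signingInput).sign(key);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Relying-party side: verify the signature, then pin issuer, audience, expiry, subject.
function verifyWorkloadToken(token, key, policy, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // Pin the algorithm so "none" or a symmetric alg is never accepted.
  if (dec(h).alg !== 'RS256') throw new Error('unexpected alg');
  const ok = createVerify('RSA-SHA256').update(`${h}.${p}`).verify(key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = dec(p);
  if (claims.iss !== policy.issuer) throw new Error('wrong issuer');
  if (claims.aud !== policy.audience) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  if (!policy.allowedSubjects.includes(claims.sub)) throw new Error('subject not allowed');
  return claims;
}

// Constructed sample values; the claim layout is an assumption, not an Expo format.
const NOW = 1700000000;
const POLICY = {
  issuer: 'https://issuer.example.invalid',
  audience: 'https://cloud.example.invalid',
  allowedSubjects: ['project:acme/app:workflow:deploy:ref:refs/heads/main'],
};
const baseClaims = { iss: POLICY.issuer, aud: POLICY.audience, iat: NOW, exp: NOW + 300,
  sub: POLICY.allowedSubjects[0] };

// Returns 'accepted' or the reason the token was rejected.
function check(token, now = NOW) {
  try { verifyWorkloadToken(token, publicKey, POLICY, now); return 'accepted'; }
  catch (e) { return e.message; }
}
```

The subject allow-list is what replaces the long-lived secret: a token from a different workflow or branch is validly signed but still rejected.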