Setting Authorization header causes secrets to be leaked in compiled JS #79

@motionsuggests

Issue

My site pulls markdown files from multiple repos with some requiring Authorization. I'm adding Authorization headers to the requestConfig that gets passed to Axios. I'm using cli-sync with noRuntimeDownloads: true.

The problem is that because this is added to the docusaurus.config.js it ends up in the compiled main.js.

    requestConfig: {
      timeout: 60000,
      headers: {
        "Accept": "application/vnd.github.raw+json",
        "Authorization": `Bearer ${process.env.GITHUB_TOKEN}`, // The value of GITHUB_TOKEN is present in compiled JS
      },
    }

Temporary Solution

The temporary solution I used was to reset the GITHUB_TOKEN to be empty after files are pulled but before build and deploy. I also stopped using the Docusaurus deploy and replaced it with the npm package gh-pages to deploy.
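
A post-build check for the leak described in this issue, as an added example that is not part of the original post or the plugin's code: it searches every file in the build output for the literal value of each secret and reports where it appears. The function names, the `build` directory name and the sample token are assumptions; the sample build is constructed.

```javascript
// Added example: fail a build when a secret's literal value is in the output.
const fs = require("fs");
const os = require("os");
const path = require("path");

// Recursively list every file under dir.
function listFiles(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((entry) => {
    const full = path.join(dir, entry.name);
    return entry.isDirectory() ? listFiles(full) : [full];
  });
}

// secrets: { label: value }. Returns [{ file, name }] for every built file
// that contains a secret's value. Empty or unset values are skipped, since an
// empty string would match every file.
function findLeakedSecrets(buildDir, secrets) {
  const needles = Object.entries(secrets).filter(([, value]) => value);
  const hits = [];
  for (const file of listFiles(buildDir)) {
    const body = fs.readFileSync(file);
    for (const [name, value] of needles) {
      if (body.includes(value)) {
        hits.push({ file: path.relative(buildDir, file), name });
      }
    }
  }
  return hits;
}

// Constructed sample build: one bundle with the token inlined, one clean page.
const SAMPLE_TOKEN = "constructed-token-0123456789"; // not a real credential
function makeSampleBuild() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "leak-scan-"));
  fs.mkdirSync(path.join(dir, "assets", "js"), { recursive: true });
  fs.writeFileSync(
    path.join(dir, "assets", "js", "main.js"),
    `headers:{Authorization:"Bearer ${SAMPLE_TOKEN}"}`
  );
  fs.writeFileSync(path.join(dir, "index.html"), "<h1>docs</h1>");
  return dir;
}

// In CI, assuming the output directory is "build":
//   findLeakedSecrets("build", { GITHUB_TOKEN: process.env.GITHUB_TOKEN })
// and exit non-zero when the result is not empty.
const sampleHits = findLeakedSecrets(makeSampleBuild(), { GITHUB_TOKEN: SAMPLE_TOKEN });
console.log(sampleHits);
```

The scan only finds the value verbatim, so it has to run in a step where the token is still set, before any step that clears it.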
