The default workflow deploy template is grabbing a...
# dagster-feedback
m
The default workflow deploy template is grabbing all organization secrets when building the Docker image. I think this is not intended and changing the env_vars section to:
env_vars: '"DAGSTER_CLOUD_URL": "${{ secrets.DAGSTER_CLOUD_URL }}", "DAGSTER_CLOUD_API_TOKEN": "${{ secrets.DAGSTER_CLOUD_API_TOKEN }}"'
allowed us to deploy without pushing all of the account secrets into a Docker layer. I'd recommend changing the default to be more restrictive in the future for auto-generated repos.
s
@dagster-cloud-support
p
Yeah, I think this is good feedback. We should change the cloned template and add a section in the docs for how to modify the GitHub Action to bake in secrets only if you need to.