Hardcoded environment-specific values
=====================================

.. list-table::
   :stub-columns: 1
   :widths: 20 80

   * - Rule ID
     - ``hardcoded_env_values``
   * - Category
     - maintainability
   * - Severity
     - medium

Values like URLs, bucket names, or region names are hardcoded in the workflow instead of being referenced from repository variables or secrets.

Detection
---------

``pattern_matching`` — Regex or keyword matching on string field values.

Examples
--------

**Non-compliant:**

.. code-block:: yaml

   jobs:
     deploy:
       env:
         API_URL: https://api.production.example.com
         BUCKET: my-app-artifacts
       steps:
         - run: ./deploy.sh

**Compliant:**

.. code-block:: yaml

   jobs:
     deploy:
       env:
         API_URL: ${{ vars.API_URL }}
         BUCKET: ${{ vars.ARTIFACT_BUCKET }}
       steps:
         - run: ./deploy.sh

**Fix**: Move environment-specific values (URLs, bucket names, regions) to GitHub repository or environment variables and reference them with ``${{ vars.VAR_NAME }}``.
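
One way the regex-and-keyword check described under Detection could work, as an added example that is not the rule's own implementation. The patterns, the keyword list and the function names are assumptions, and the input is a constructed, already-parsed copy of the two workflows above.

```python
import re

# Assumed patterns for illustration; the rule's real regexes are not shown on this page.
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
REGION_RE = re.compile(r"\b[a-z]{2}-(?:north|south|east|west|central)[a-z]*-\d\b")
KEY_HINT_RE = re.compile(r"BUCKET|REGION|URL|ENDPOINT", re.IGNORECASE)
EXPR_RE = re.compile(r"\$\{\{.*?\}\}")  # GitHub Actions expression, e.g. ${{ vars.API_URL }}


def classify(key, value, in_env):
    """Return why a string value looks hardcoded ("url", "region", "keyword") or None."""
    literal = EXPR_RE.sub("", value).strip()  # drop the parts supplied by expressions
    if not literal:
        return None  # the whole value comes from vars/secrets
    if URL_RE.search(literal):
        return "url"
    if REGION_RE.search(literal):
        return "region"
    if in_env and KEY_HINT_RE.search(key):
        return "keyword"  # literal under an env key named like BUCKET, REGION, URL
    return None


def find_hardcoded(node, path="", in_env=False):
    """Walk a parsed workflow; return (path, reason) for string values of mappings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            if isinstance(value, str):
                reason = classify(str(key), value, in_env)
                if reason:
                    findings.append((child, reason))
            else:
                findings.extend(find_hardcoded(value, child, key == "env"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_hardcoded(item, f"{path}[{i}]"))
    return findings


def sample(env):
    """Constructed stand-in for the parsed YAML of the examples above."""
    return {"jobs": {"deploy": {"env": env, "steps": [{"run": "./deploy.sh"}]}}}

NON_COMPLIANT = sample({"API_URL": "https://api.production.example.com",
                        "BUCKET": "my-app-artifacts"})
COMPLIANT = sample({"API_URL": "${{ vars.API_URL }}",
                    "BUCKET": "${{ vars.ARTIFACT_BUCKET }}"})

if __name__ == "__main__":
    print(find_hardcoded(NON_COMPLIANT), find_hardcoded(COMPLIANT))
```

The keyword branch only fires inside ``env`` mappings, which keeps unrelated literals such as ``run: ./deploy.sh`` out of the findings.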