It's typically more secure to provide authentication tokens via the environment so they don't appear in shell history and other logs. It's difficult to securely automate coder in CI at the moment.