The documentation on Sensitive variable policy explains how you can enable it, but not how an environment variable is actually determined as sensitive or not.
Untrusted deploys will build automatically, but variables identified as sensitive will not be passed to the deploy environment.
could indicate that this is somehow automatic and magic?
We want to make sure that some of the environment variables we are using are considered sensitive.
Using the feature seems to work correctly, the correct ones are currently identified as sensitive, but we need to make sure this does not change with a platform update so would be much more comfortable with an explicit definition of “this var is sensitive, do not expose”.