The macOS builds generated by the release workflows are notarized. The Apple Developer Program "team ID" associated with
the signing certificate is provided to the notarization tool (which refers to it as the "App Store Connect provider").
Previously, this was defined via a GitHub Actions secret. That implies it is secret information. However, the team ID is
public information that can be seen by anyone simply by looking at the notarized application (e.g., using the macOS
"spctl" utility), so there is need to use a secret for purposes of protecting the information.
The reason use of a secret was chosen for this purpose when the notarization system was originally developed was simply
that the only alternative at that time was hardcoding the information in the workflow. Since the workflow is intended to
be generally applicable even in 3rd party projects (including forks of Arduino projects), whereas the signing
credentials are specific to Arduino, it is better to define them separately from the workflow so that it can be used
without modification (though unfortunately some hardcoding of such information ended up being introduced to the
workflows at at later time).
Since that time, GitHub has introduced the repository variable feature, which is intended to configure
repository-specific non-secret information. This is the appropriate mechanism for defining the team ID.
Use of secrets to store non-secret information should be avoided as these have a higher maintenance burden. Likewise,
ambiguity about what is truly secret makes it difficult to understand the attack surface of a project's infrastructure,
resulting in a lack of focus on the true attack vectors.