authentik-nix/tests
Maximilian Bosch e9bde1ace0
module: prohibit store-paths for environmentFile
The store is world-readable, so secrets shouldn't end up there in the
first place. On top, `types.path` has the following behavior:

* `toString foo` returns the absolute path
* `${foo}` copies the path silently into the store and returns the
  store-path.

This happens without any real feedback, so this can be caused by an
innocent-looking change.

To address this problem, `pathsWith` was introduced into <nixpkgs/lib>
which allows absolute paths represented as strings, but rejects things
pointing to the store and path literals which may be copied later on.
2025-04-28 13:52:51 +02:00
minimal-vmtest.nix module: prohibit store-paths for environmentFile 2025-04-28 13:52:51 +02:00
override-scope.nix module: prohibit store-paths for environmentFile 2025-04-28 13:52:51 +02:00