[docs]: Clarify astro:env/server variable evaluation and secret handling (#12818)

fkatsuhiro · sarah11918 · web-flow · commit dc65d3bff56e · 2025-12-04T16:18:09.000+01:00
Co-authored-by: Sarah Rainsberger &lt;5098874+sarah11918@users.noreply.github.com&gt;
diff --git a/src/content/docs/en/guides/environment-variables.mdx b/src/content/docs/en/guides/environment-variables.mdx
@@ -279,7 +279,9 @@ There are three kinds of environment variables, determined by the combination of
    import { API_SECRET } from "astro:env/server";
    ```
 
-   By default, secrets are only validated at runtime. You can enable validating private variables on start by [configuring `validateSecrets: true`](/en/reference/configuration-reference/#envvalidatesecrets).
+   By default, all secrets are validated whenever anything is imported from the `astro:env/server` module. This means, secrets may be validated even when they are not imported. You may need to [pass dummy environment variables](#setting-environment-variables) to satisfy this validation during the build.
+
+   You can also enable validating secrets on start by [configuring `validateSecrets: true`](/en/reference/configuration-reference/#envvalidatesecrets).
 
 :::note
 **Secret client variables** are not supported because there is no safe way to send this data to the client. Therefore, it is not possible to configure both `context: "client"` and `access: "secret"` in your schema.
