Hi @clee46,
thanks for the question!
You should define your secret variables on Secrets tab (in Workflow Editor).
These variables are not part of your bitrise config (bitrise.yml), instead they are stored separately.
For security reasons these variables are not applied in case of pull request, to avoid malicious access to secret infos.
The secrets env vars are config level variables, so you can not define it per workflow. Possible workaround is to prefix/suffix the variable names based on in which workflow you want to use them.
Read more in devcenter: Managing Secrets locally - Bitrise Docs