My Kubernetes worker node has a public IP: xxx.xx.xxx.xxx
Does this ever change? If some third-party API needs to whitelist my IP, is this the one to give?
Or do I expose the individual service of some type (NodePort/LoadBalancer) and give it that node-ip:port or loadbalancer-ip:port?
This really depends on the cloud provider. The major providers such as AWS, GCP, and Azure have ephemeral public IPs for the VMs, so if you stop your VM and then start it again you will get a new IP, if you never stop your VM then you don't have to worry about losing the IP.
All of them also offer 'Elastic public IPs' which are reserved IP addresses that you can assign to network interfaces on your VMs and basically allowing you to stop the VM and keep the same IP once you restart it.
Having said that, the preferred way to expose a service to the outside is by using the 'LoadBalancer` type of service and the way the IP addresses are assigned also vary depending on the cloud provider and the type of load balancer. For example, in AWS, ELBs and ALBs have ephemeral IPs but they load balancer have a DNS endpoint that never changes. On the other hand, NLBs can have an Elastic IP.