Yes. Either via a secret manager (eg vault) or configured as repo secrets if that kind of infra isn't available.

Never commit secrets for any reason.

Repo secrets are just stored on someone's computer and they obviously have the keys. This is what I mean.

Same for your vault. The vault might be encrypted, but at some point you have to give the keys to the vault.

Your secrets are not safe from someone if someone needs them to run your code.

	▲	larntz a day ago \| parent [-]
		> Your secrets are not safe from someone if someone needs them to run your code. This is true. I don't disagree with that or you're assessment of repo secrets. My comment was in the context of the grandparent committing secrets to a private repo which is a bad practice (regardless of visibility). You could do that for tests, sure (I would suggestion creating random secrets for each test when you can), but then you're creating a bad habit. If you can't use random secrets for tests repo secrets would be acceptable, but I wouldn't use them beyond that. For CI and deploys I would opt for some kind of secret manager. CI can be run on your own infrastructure, secret managers can be run on your own infrastructure, etc... But somewhere in the stack secret(s) will be exposed to _someone_.