Can we state the obvious of that if you have your environment file within your repo supposed protected by .gitignore you’re automatically doing it wrong?

For cloud credentials you should never have permanent credentials anywhere in any file for any reason best case or worse case have them in your home directory and let the SDK figure out - no you don’t need to explicitly load your credentials ever within your code at least for AWS or GCP.

For anything else, if you aren’t using one of the cloud services where you can store and read your API keys at runtime, at least use something like Vault.