look at something like [git-crypt](https://www.agwa.name/projects/git-crypt/) for managing secrets in the repo, instead of out of band.
