Please do not rely on git ignore to keep files out of your repo. It is just too easy to make a mistake and all of a sudden, your passwords are in plain text for all the world to see (if it is a public repo). Then, when you realize it, you will delete the file--but may not realize the history still holds it. You may also neglect to change the password so, if someone already got it before you deleted it, you are still vulnerable. At the very least, encrypt them. You still have the problem of where to store the decryption key, but at least there is one more level of protection (security by obscurity).
O.S. environment variables are better in some ways, but aren't very safe either. Sys admins can see them, and anyone able to run commands can run the "env" command to get them all. Running remote commands is always a high prize for a bad actor for this reason (and others).
If your organization has an enterprise password manager, that is the obvious answer. If not, perhaps create a free AWS account and use their "Secrets Manager" service (or Microsoft or Google--they all have this ability and are considered very secure).
Only a little off topic: don't put secrets on the command line. While the process is running, the "ps" command will show the secret. After the process stops, there is the "history" command.
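
To check the point above that deleting a committed file leaves it in history, here is an added example (not part of the original post) that builds a throwaway repo and queries its history. The file name, the fake password and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: a secrets file that was committed, then deleted and added to
# .gitignore, is still in history. All names and values here are constructed.

# Build a throwaway repo: commit a fake secret, then "fix" the mistake by
# deleting the file and ignoring it from now on.
make_demo_repo() {
    repo=$1
    git init -q "$repo" || return 1
    (
        cd "$repo" &&
        git config user.name "demo" &&
        git config user.email "demo@example.invalid" &&
        printf 'DB_PASSWORD=constructed-not-a-real-secret\n' > secrets.env &&
        git add secrets.env && git commit -q -m "add config" &&
        git rm -q secrets.env &&
        printf 'secrets.env\n' > .gitignore &&
        git add .gitignore && git commit -q -m "remove secrets, ignore them"
    )
}

# Print every commit, on any ref, that added, changed or deleted the path.
commits_touching_path() {
    git -C "$1" log --all --format=%H -- "$2"
}

# Print the path's content as it was in the commit that first added it.
recover_first_version() {
    first=$(git -C "$1" log --all --diff-filter=A --format=%H -- "$2" | tail -n 1)
    [ -n "$first" ] && git -C "$1" show "$first:$2"
}

# Run with --demo to see it end to end on a temporary repo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_demo_repo "$tmp/repo"
    echo "in working tree: $(ls -A "$tmp/repo" | grep -c '^secrets.env$')"
    echo "commits touching it: $(commits_touching_path "$tmp/repo" secrets.env | wc -l)"
    recover_first_version "$tmp/repo" secrets.env
    rm -rf "$tmp"
fi
```

Running `commits_touching_path` against your own repo with the path of a file you once committed tells you whether the password in it needs to be changed.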