After some tests we opted for:
Keep sensitive configurations in a private repository that mirrors your public repo’s structure.
Inject these files during local development and CI/CD builds, so no manual copying is needed and no secrets are ever committed to the public repo.
Key points:
Public repo contains only example configs (no secrets).
Private repo holds real configs, versioned and secured.
Application and CI/CD pipeline are configured to load/merge configs from the private repo at runtime/build time.
Below is an article showing the details:
Manage Sensitive Configurations with Config Injection from Private Repositories
https://diginsight.github.io/blog/posts/20241214%20-%20Handling%20Private%20Configurations%20in%20Public%20Repositories/
hth
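As an added example (not part of the answer above, nor code from the linked article), here is a POSIX shell sketch of the injection step a CI job or a local dev script could run. The file layout, the `.example` naming convention and the `.gitignore` check are assumptions made for the illustration: the point is that a real config is only copied into the public checkout if git has been told to ignore that exact path and a committed example file shows the structure it mirrors.

```shell
#!/bin/sh
# Added example, not from the original post or the linked article.
# Assumed layout (an assumption for this illustration):
#   private repo:  config/appsettings.Production.json        (real values)
#   public repo:   config/appsettings.Production.json.example (committed)
#                  .gitignore listing config/appsettings.Production.json

# inject_private_configs PRIVATE_DIR PUBLIC_DIR
# Copies each regular file in the private mirror to the same relative path
# in the public checkout. A file is injected only if (a) its exact path is
# listed in the public repo's .gitignore, so git can never stage it, and
# (b) a committed "<name>.example" counterpart exists, which keeps the two
# trees in lockstep. Prints the relative path of every injected file and
# returns 1 if anything was refused, 2 if there is no .gitignore at all.
inject_private_configs() {
    private_dir=$1
    public_dir=$2
    ignore_file="$public_dir/.gitignore"
    [ -f "$ignore_file" ] || { echo "missing $ignore_file" >&2; return 2; }
    status=0
    # Relative paths of all regular files in the private mirror. Config
    # paths with whitespace are not expected here; a while-read loop would
    # be needed to support them.
    for rel in $(cd "$private_dir" && find . -type f | sed 's|^\./||' | sort); do
        if ! grep -qxF -- "$rel" "$ignore_file"; then
            echo "refused $rel: not listed in .gitignore" >&2
            status=1
            continue
        fi
        if [ ! -f "$public_dir/$rel.example" ]; then
            echo "refused $rel: no $rel.example in public repo" >&2
            status=1
            continue
        fi
        mkdir -p "$public_dir/$(dirname "$rel")"
        cp "$private_dir/$rel" "$public_dir/$rel"
        echo "$rel"
    done
    return $status
}

# demo: builds a constructed private mirror and public checkout in a temp
# directory, runs the injection and echoes "<injected-count> <exit-status>".
# All values below are placeholders, not real credentials.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/private/config" "$tmp/public/config"
    printf '{ "ConnectionString": "Server=db;Password=example-only" }\n' \
        > "$tmp/private/config/appsettings.Production.json"
    printf '{ "ConnectionString": "<set in private repo>" }\n' \
        > "$tmp/public/config/appsettings.Production.json.example"
    # A private file that is NOT gitignored in the public repo: must be refused.
    printf 'token=example-only\n' > "$tmp/private/config/stray.env"
    printf 'config/appsettings.Production.json\n' > "$tmp/public/.gitignore"

    rc=0
    injected=$(inject_private_configs "$tmp/private" "$tmp/public" 2>/dev/null) || rc=$?
    echo "$(printf '%s\n' "$injected" | grep -c .) $rc"
    rm -rf "$tmp"
}
```

Running `demo` prints `1 1`: the gitignored, example-backed file is injected, the stray one is refused and the non-zero status lets the CI job fail loudly instead of silently leaving a secret in a tracked path. Using an exact-line match against `.gitignore` is deliberately strict; if your ignore file uses glob patterns, `git check-ignore -q "$rel"` run inside the public checkout is the more faithful check.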