Hide credentials in a public repo, which is being used to deploy live

heroku


Generally the way that folks pass secrets to their code is through the environment, which is considered a best practice. Here's why:

  • Secrets in the environment are never written to disk, so there's much less accidental risk of discovery or disclosure.
  • Secrets in the environment are only visible to other processes with the same user ID, which is helpful when deploying to hardware.

If your credentials are small enough, you can use the secret store or environment store of whatever provider you're using. All major CI providers have this and I expect most major hosting sites do as well; I know Heroku does. Things like SSH keys which must be files can be written to disk from the environment, ideally into a temporary directory which is cleaned up.

If you're deploying to your own infrastructure, generally you'll have some encrypted secret store for this purpose. Vault is a common one.

If you need credentials that are for development, you can structure your code such that there's a safe default (like the hard-coded phrase "secret") for development use if no variable is set, or you can provide a set of fallbacks in development and test code. Some projects also use .env files, although this requires additional code which some people don't want to install.

If you have huge credentials that you cannot store in your secret store, you can encrypt them and store the passphrase in the secret store.
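The pattern the answer above describes (secrets read from the environment, a worthless default for development that production is not allowed to use, and file-shaped secrets such as SSH keys written from the environment into a private temporary directory that is cleaned up afterwards), as an added example that is not part of the original answer. The variable names APP_ENV, SECRET_KEY, DATABASE_URL and DEPLOY_SSH_KEY, the DEV_FALLBACKS table and the sample key are all assumptions constructed for the example; the key is a placeholder, not real key material.

```python
"""Load secrets from the environment, with dev fallbacks and file-shaped secrets.

Added example; variable names and the sample key are constructed assumptions.
"""
import os
import stat
import tempfile
from contextlib import contextmanager
from pathlib import Path

# Assumed safe defaults for local development only. They are deliberately
# worthless, so leaking them costs nothing; production must never use them.
DEV_FALLBACKS = {
    "SECRET_KEY": "secret",
    "DATABASE_URL": "sqlite:///dev.db",
}

# Constructed placeholder standing in for a real private key.
SAMPLE_SSH_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "EXAMPLE-NOT-A-REAL-KEY\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)


class MissingSecret(RuntimeError):
    """Raised when a required secret is absent and no fallback is permitted."""


def is_production(env):
    # APP_ENV is an assumed variable name; use whatever your deploy sets.
    return env.get("APP_ENV", "development").lower() == "production"


def get_secret(name, env=None):
    """Return the secret `name` from `env` (default: the process environment).

    In development, fall back to DEV_FALLBACKS; in production, refuse to fall
    back so a misconfigured deploy fails loudly instead of running with a
    well-known default.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if value:
        return value
    if is_production(env):
        raise MissingSecret(f"{name} is not set; fallbacks are disabled in production")
    if name in DEV_FALLBACKS:
        return DEV_FALLBACKS[name]
    raise MissingSecret(f"{name} is not set and has no development fallback")


def secret_is_missing(name, env):
    """True if get_secret would refuse to supply `name` from `env`."""
    try:
        get_secret(name, env)
    except MissingSecret:
        return True
    return False


@contextmanager
def secret_file(name, env=None, suffix=""):
    """Materialise an environment secret as a file for tools that need a path.

    The file lives in a fresh 0700 temp directory, is created 0600 with O_EXCL
    (so no pre-existing file or symlink can be followed), and is overwritten
    and deleted when the block exits, even on error.
    """
    content = get_secret(name, env)
    tmpdir = Path(tempfile.mkdtemp(prefix="secrets-"))  # mkdtemp creates 0700
    path = tmpdir / (name.lower() + suffix)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            if not content.endswith("\n"):
                fh.write("\n")  # ssh rejects private keys without a final newline
        os.chmod(path, 0o600)  # belt and braces against a permissive umask
        yield path
    finally:
        if path.exists():
            with open(path, "r+b") as fh:  # best-effort overwrite before unlink
                fh.write(b"\0" * path.stat().st_size)
            path.unlink()
        tmpdir.rmdir()


def file_mode(path):
    """Permission bits of `path`, for checking the 0600 guarantee."""
    return stat.S_IMODE(Path(path).stat().st_mode)


def demo(env):
    """Round-trip a file-shaped secret and report what a deploy step would see."""
    with secret_file("DEPLOY_SSH_KEY", env, ".pem") as key_path:
        result = {
            "content": key_path.read_text(),
            "mode": file_mode(key_path),
            "exists_during": key_path.exists(),
        }
        saved = key_path
    result["exists_after"] = saved.exists() or saved.parent.exists()
    return result


if __name__ == "__main__":
    print(demo({"APP_ENV": "development", "DEPLOY_SSH_KEY": SAMPLE_SSH_KEY}))
```

On Heroku the environment is populated with `heroku config:set DEPLOY_SSH_KEY="$(cat deploy_key)"`; CI providers expose their secret stores the same way. The point of refusing the fallback when APP_ENV is production is that a forgotten config var then crashes the deploy rather than silently running with the public default that anyone can read in the repo.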