As an open-source builder and a streamer, I'm afraid I will leak keys on stream any time soon. And fun story—I did leak the API keys to my smart lights once, and the company (Govee) had a 30-day grace period for any revoked keys!

It still looks too tedious to manage all this—curious to see if there's an easier way. Currently I use 1Password in my teams to share .env config, but we basically c/p to local git folders, so there's still a lot to lose.

I'm especially worried about the growing number of supply chain attacks. Curious to see how you tackle these.