In the past, when working with static Mac hardware, I would add secrets to recipe overrides and keep them only locally on the Mac used to run AutoPkg. While still mostly insecure, at least those secrets weren’t also available in a code repo, and less prone to being compromised. With ephemeral CI runs though, this isn’t possible. A secret store which can be referenced at runtime, outside of the repo becomes necessary. Thankfully my colleagues at Gusto had encountered this before and already had a solution to avoid committing plain text secrets.