Best way to store secrets (API Keys, etc.)

Is there a best practice for storing secrets? I am not worried about the end user/app user obtaining a secret as I’m using them in cloud code. But, cloud code gets pushed to GitHub if GitHub is used for versioning.

Is there a way to store and inject environment variables to store secrets? Is there a better way to store secrets so they don’t get pushed to GitHub?

Hi Alex! I would create a shared task in CloudCode and then add e.g. a config file to that task, and then add that to the gitignore file. You can export them and include those in runtime but not push them to Github.
There is a tangential reference to that in this post: How to run unit tests?

Another option is to store them in the DB and exclude them from sync rules and load them into memory in the CC task logic. They are then effectively environment variables and are encrypted at rest.