
If you go through the commit history you can see that they removed a lot of secret keys from the repo.

What if the main reason why people don't want to open-source their project is because they don't know how to use their secret keys without including them in the repo?



Andrew, co-founder of Gitter here.

Removing secrets was a lot of work - more than I expected - while we open-sourced the product.

I agree with your sentiment though. Handling secrets in a codebase is not something that is currently easy or standardised.

As an aside, BFG Repo Cleaner really helped a lot with cleaning things up: https://rtyley.github.io/bfg-repo-cleaner/


It's been my impression that the standard (promoted by services like Heroku and Travis) is to pass secrets as environment variables.


Fair enough: this is exactly what we've moved to on Gitter since open-sourcing the product.
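As an added example (not Gitter's code, and not posted by anyone in this thread), here is what the environment-variable convention described above looks like in practice: required secrets are read from the process environment, a `.env` file that stays gitignored can populate them for local development, startup fails fast if a value is missing or still a placeholder copied from a committed `.env.example`, and the values are wrapped so they cannot leak through `repr()` or a log line. The variable names (`SESSION_SECRET`, `GITHUB_CLIENT_SECRET`) and the sample `.env` text are made up for illustration.

```python
"""Reading secrets from environment variables instead of committing them.

Added example, not Gitter's code. Variable names are assumed for illustration.
"""
import os
import re
from typing import Dict, Iterable, List, Mapping, Optional

# Values that mean someone copied .env.example without filling it in.
PLACEHOLDERS = {"", "changeme", "todo", "xxx", "<your-key-here>"}


class MissingSecretError(RuntimeError):
    """Raised at startup when a required secret is absent or a placeholder."""


class Secret:
    """Wraps a secret so accidental printing or logging shows *** not the value."""

    __slots__ = ("name", "_value")

    def __init__(self, name: str, value: str) -> None:
        self.name = name
        self._value = value

    def reveal(self) -> str:
        """Explicit accessor: the only way to get the raw value out."""
        return self._value

    def __repr__(self) -> str:
        return f"Secret({self.name}=***)"

    __str__ = __repr__


# KEY=value, optional leading "export", optional surrounding quotes.
_DOTENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse a minimal .env file (the file itself is gitignored, never committed)."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DOTENV_LINE.match(line)
        if not m:
            continue  # ignore malformed lines rather than guessing at them
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        out[key] = value
    return out


def missing_secrets(required: Iterable[str], env: Mapping[str, str]) -> List[str]:
    """Names (never values) of required secrets that are unset or placeholders."""
    return sorted(
        name for name in required
        if env.get(name) is None or env[name].strip().lower() in PLACEHOLDERS
    )


def load_secrets(required: Iterable[str],
                 env: Optional[Mapping[str, str]] = None) -> Dict[str, Secret]:
    """Fail fast at startup; the error names variables, so it is safe to log."""
    env = os.environ if env is None else env
    required = list(required)
    missing = missing_secrets(required, env)
    if missing:
        raise MissingSecretError("missing or placeholder secrets: " + ", ".join(missing))
    return {name: Secret(name, env[name]) for name in required}


def redact(message: str, secrets: Iterable[Secret]) -> str:
    """Scrub raw secret values out of a log line before it is written."""
    for s in secrets:
        value = s.reveal()
        if value:
            message = message.replace(value, "***")
    return message


if __name__ == "__main__":
    # Constructed sample: what a developer's local, gitignored .env might hold.
    local_env = parse_dotenv(
        "# local overrides, never committed\n"
        'export SESSION_SECRET="local-dev-session-secret"\n'
        "GITHUB_CLIENT_SECRET=changeme\n"
    )
    merged = {**os.environ, **local_env}
    try:
        load_secrets(["SESSION_SECRET", "GITHUB_CLIENT_SECRET"], merged)
    except MissingSecretError as exc:
        print(exc)  # names GITHUB_CLIENT_SECRET, reveals nothing
```

In production (Heroku, Travis, a container orchestrator) the environment is populated by the platform and `parse_dotenv` is never called; the `.env` path exists only so that local development does not tempt anyone to paste a key into a tracked config file.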


I quite like git-crypt for secrets: I store them in a single place (e.g. as environment variables) and encrypt that.


Not having started out as an open source project, this was always a major consideration.

Once we've finished fully open sourcing everything, we should look to write up our experience around the conversation, in particular, the tools we used.


ENVs in a private repo would definitely be convenient, but the best practices I've always seen are to omit those values even from a private repo (for security but also portability).



