
gcr, today at 12:59 PM

The secret is held by the metadata server that the CI instance has access to

Or: the deployment service knows the identity of the instance, so its secret is its private key

Or, how PyPI does it: the deployment service coordinates with the trusted CI/CD service to learn the identity of the machine (like its IP address, or a trusted assertion of which repository it’s running on), so the secret is handled by however that out-of-band verification step happens. (PyPI communicates with GitHub Actions about which pipeline from which repository is doing the deployment, for example)

It’s still just secrets all the way down
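The third option above, the deployment service accepting a trusted assertion of which repository and pipeline is running, comes down to a policy check on the claims the CI provider asserts. The following is an added example of that check, not code from the comment or from PyPI; the claim names follow the shape of GitHub Actions OIDC tokens (`iss`, `aud`, `repository`, `job_workflow_ref`, `environment`, `exp`, `nbf`), while the `TrustedPublisher` model, the `AUDIENCE` value, the `acme/widget` repository and the claim values are constructed for illustration. It assumes the token's signature has already been verified against the issuer's published keys; the point shown here is that the registered repository, workflow file and environment must all match exactly, so a fork with the same workflow name, a different workflow in the same repository, or a missing environment is refused.

```python
# Trusted-publisher policy check over a CI identity assertion (constructed example).
# Assumed: the assertion's signature has been verified against the issuer's JWKS
# before these claims are consulted; this code only decides whether the verified
# claims match a pre-registered publisher.
from __future__ import annotations
from dataclasses import dataclass
import time

AUDIENCE = "deploy.example"  # assumed audience value for this deployment service
ISSUER_GITHUB = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class TrustedPublisher:
    issuer: str
    repository: str                 # "owner/name", compared exactly, never by prefix
    workflow_filename: str          # file under .github/workflows/, e.g. "release.yml"
    environment: str | None = None  # if set, the job must run in this environment


class PolicyError(Exception):
    """The assertion does not satisfy the trusted-publisher policy."""


def _split_workflow_ref(job_workflow_ref: object) -> tuple[str, str]:
    """Split 'owner/name/.github/workflows/file.yml@refs/...' into
    (repository, workflow filename); reject anything malformed."""
    if not isinstance(job_workflow_ref, str):
        raise PolicyError("job_workflow_ref missing or not a string")
    path, sep, _git_ref = job_workflow_ref.partition("@")
    marker = "/.github/workflows/"
    if not sep or marker not in path:
        raise PolicyError(f"malformed job_workflow_ref: {job_workflow_ref!r}")
    repository, _, filename = path.partition(marker)
    if not repository or not filename or "/" in filename:
        raise PolicyError(f"malformed job_workflow_ref: {job_workflow_ref!r}")
    return repository, filename


def check_claims(claims: dict, publishers: list[TrustedPublisher],
                 now: float | None = None) -> TrustedPublisher:
    """Return the registered publisher the claims match, or raise PolicyError."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise PolicyError("assertion expired or has no exp")
    if claims.get("nbf", 0) > now:
        raise PolicyError("assertion not yet valid")
    if claims.get("aud") != AUDIENCE:
        raise PolicyError("assertion was not issued for this service")
    ref_repo, ref_file = _split_workflow_ref(claims.get("job_workflow_ref"))
    for pub in publishers:
        if pub.issuer != claims.get("iss"):
            continue
        if pub.repository != claims.get("repository"):
            continue
        # The workflow ref must name the registered repository and file exactly,
        # so a reusable workflow borrowed from elsewhere does not qualify.
        if (ref_repo, ref_file) != (pub.repository, pub.workflow_filename):
            continue
        if pub.environment is not None and claims.get("environment") != pub.environment:
            continue
        return pub
    raise PolicyError("no trusted publisher matches this assertion")


def is_allowed(claims: dict, publishers: list[TrustedPublisher], now: float) -> bool:
    """Boolean wrapper around check_claims for callers that only need a verdict."""
    try:
        check_claims(claims, publishers, now=now)
        return True
    except PolicyError:
        return False


# Constructed registration and claim set (not real projects or tokens).
PUBLISHERS = [
    TrustedPublisher(ISSUER_GITHUB, "acme/widget", "release.yml", environment="pypi"),
]
NOW = 1_700_000_100
GOOD_CLAIMS = {
    "iss": ISSUER_GITHUB,
    "aud": AUDIENCE,
    "repository": "acme/widget",
    "job_workflow_ref": "acme/widget/.github/workflows/release.yml@refs/tags/v1.2.0",
    "environment": "pypi",
    "nbf": 1_700_000_000,
    "exp": 1_700_000_300,
}

if __name__ == "__main__":
    print(check_claims(GOOD_CLAIMS, PUBLISHERS, now=NOW))
```

Exact matching on the repository name is the minimum; a registration that also pins the owner's numeric id would additionally survive the registered repository being renamed or deleted and later re-created under the same name by someone else.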