but thats at runtime, secrets are going to be deployed in a secure manner after the code is released

If your secrets are in your repo, you've probably already leaked them.