How can you prevent secrets from being committed in the first place?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

How can you prevent secrets from being committed in the first place?

Explanation:
Preventing secrets from being committed relies on proactive controls that catch secrets before they ever enter the repository. The best approach is to treat secret management as part of the development workflow: supply credentials through secure stores (like environment variables or GitHub Actions Secrets) rather than hardcoding them in code; add automated pre-commit checks that scan for common secret patterns and block commits that include them; and extend protection with secret scanning in CI to catch anything that slips through locally and to enforce rotation if a leak is detected. This approach stops secrets at the source and reduces risk across commits, branches, and pull requests. Relying on local environment variables alone isn’t enough because secrets can still end up in files and get committed, and waiting for manual audits after a commit is too slow and error-prone. Storing secrets in code is insecure and should be avoided.