Ansible vault, separate repository to the code and you're fine. You're up shit creek if you lose your code too unless you're 100% perfect so there is no distinction in policy.
Hell if you're using vault you might as well chuck the config in with the code. The vault key distribution is what needs to be controlled.
There is a real difference in company impact between leaking your code and your credentials. If your code and credential policies are the same, your company has a serious problem of priorities, since it's either not protecting credentials enough, or it's slowing down developers too much.
Hell if you're using vault you might as well chuck the config in with the code. The vault key distribution is what needs to be controlled.