
Don't forget Google App Engine! Though, it's even more expensive than Heroku.



Has GAE sorted out secrets management? Last I checked, they required you to commit secrets to the repo you push, which necessitates your secrets being on whatever computer (or whoever's computer) does production deploys. Contrast this with DO/Heroku/etc. which lets you set environment variables.

Some folks suggest using a DB to store secrets on GAE, but this is (IMO) just obfuscation.


Yes, they added Secret Manager early this year: https://cloud.google.com/secret-manager


And before this you could implement Cloud KMS in your app to decrypt the encrypted secrets you can store in your repo.


This still seems ridiculous. Why did I need to keep secrets in my repo to begin with? GAE, as far as I can tell, has been the only major PaaS that hasn't offered a solution for this. It's so easy to get wrong...it contradicts one of the biggest rules of version control: keep your secrets out of your repo.


There are a million ways to do it that don't require Google? Your CI system builds the production image, it can get secrets from anywhere.


My CI system arguably shouldn't have access to production secrets any more than my developers' macbooks.
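Added example, not part of any comment in this thread: with the Secret Manager service linked above, the repo can hold only references to secrets while the values are fetched at runtime under the app's own identity. The `sm://` reference scheme, the project and secret names, and the helper function names are assumptions made up for this example.

```python
import os

# Constructed sample config: safe to commit because it holds references, not values.
# Project and secret names are placeholders.
CONFIG = {
    "DB_PASSWORD": "sm://example-project/db-password",
    "API_KEY": "sm://example-project/api-key/3",
    "LOG_LEVEL": "info",  # plain, non-secret setting
}
SCHEME = "sm://"  # hypothetical reference scheme used by this example only


def to_resource_name(ref):
    """Turn 'sm://project/secret[/version]' into a Secret Manager version name."""
    parts = ref[len(SCHEME):].split("/")
    if len(parts) == 2:
        parts.append("latest")  # no version given: use the newest one
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed secret reference: {ref!r}")
    project, secret, version = parts
    return f"projects/{project}/secrets/{secret}/versions/{version}"


def default_client():
    # Imported lazily so this module loads without the library installed.
    from google.cloud import secretmanager
    return secretmanager.SecretManagerServiceClient()


def resolve(config, client=None, environ=os.environ):
    """Return config with every sm:// reference replaced by the secret value."""
    resolved = {}
    for key, value in config.items():
        value = environ.get(key, value)  # an env var may override the reference
        if value.startswith(SCHEME):
            client = client or default_client()
            response = client.access_secret_version(
                request={"name": to_resource_name(value)}
            )
            value = response.payload.data.decode("utf-8")
        resolved[key] = value
    return resolved
```

Only the runtime service account needs read access to the secrets (the Secret Manager Secret Accessor role); the machine that runs the deploy and the CI system never see the values.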


GAE has a free tier for their smallest instance.



