I had the impression KMS is the way to go here.
Put the encrypted keys in the repo and decrypt them before usage.
I do not think that this is a good idea. You would put encrypted keys and the decryption algorithm in the repo. It is still possible to get to the keys.
We’re a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.