I had the impression KMS is the way to go here.
Put the encrypted keys in the repo and decrypt them before usage.
I do not think that this is a good idea. You would put encrypted keys and the decryption algorithm in the repo. It is still possible to get to the keys.
Well encrypt it and decrpyt it with your private key.
First of all: The named function hash_hmac does not encrypt. It creates a hash, which cannot be used to restore the original value. It is one way.
If you would use a proper encryption the logic is still faulty.
You have a secret, that cannot be added plainly to the repository. You add some decryption logic, encrypt the original secret and add it to the repository. The original secret is now safe. But now you have another secret (the private key needed for decryption) that cannot be added plainly to the repository.
You still have the same situation plus some extra decryption code, which has to be maintained. Also your build process has to handle the encryption.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.