The nix-bitcoin repo had a solution for keeping secrets out of the configuration file (I think they're pointed to elsewhere), but it's basically no different from git pushing your configuration to GitHub. The difference would be that your config is signed by your nsec.