What is the best practice for dealing with passwor

Posted 2019-01-03 04:10

I've got a little Bash script that I use to access twitter and pop up a Growl notification in certain situations. What's the best way to handle storing my password with the script?

I would like to commit this script to the git repo and make it available on GitHub, but I'm wondering what the best way to keep my login/password private while doing this is. Currently the password is stored in the script itself. I can't remove it right before I push because all the old commits will contain the password. Developing without the password isn't an option. I imagine that I should be storing the password in an external config file, but I thought I'd check to see if there was an established way to handle this before I tried and put something together.

6 answers
甜甜的少女心
Reply 2 · 2019-01-03 04:38

Here is a technique I use:

I create a folder in my home folder called: .config

In that folder I place the config files for any number of things that I want to externalize passwords and keys.

I typically use reverse domain name syntax such as:

com.example.databaseconfig

Then in the bash script I do this:

#!/bin/bash
# Quote the path so a $HOME containing spaces still works; exit if the file cannot be loaded.
source "$HOME/.config/com.example.databaseconfig" || exit 1

The || exit 1 causes the script to exit if it is not able to load the config file.

I used that technique for bash, python, and ant scripts.

I am pretty paranoid and don't think that a .gitignore file is sufficiently robust to prevent an inadvertent check-in. Plus, there is nothing monitoring it, so if a check-in did happen no one would find out to deal with it.

If a particular application requires more than one file I create a subfolder rather than a single file.

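The answer above sources a file from ~/.config and stops if it cannot be read. As an added example (not code from the original answer), the POSIX sh functions below do the same but also refuse a config file that is group- or world-readable, is not a regular file, or does not define every variable the script needs, so a mistake in file permissions fails the script instead of silently exposing the credential. The file name and the variable names TWITTER_USER and TWITTER_TOKEN are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer: load a secrets file from
# ~/.config, failing closed on bad permissions or missing values.
# Config path and variable names (TWITTER_USER, TWITTER_TOKEN) are assumed.

# Return 0 only if the file is a regular file readable solely by its owner.
secret_file_is_private() {
    f=$1
    [ -f "$f" ] || { echo "config $f: missing or not a regular file" >&2; return 1; }
    # POSIX find: -perm -004 matches when the other-read bit is set,
    # -perm -040 when the group-read bit is set (access bits, not ownership).
    if [ -n "$(find "$f" -prune \( -perm -004 -o -perm -040 \) 2>/dev/null)" ]; then
        echo "config $f: must not be readable by group or others (chmod 600 it)" >&2
        return 1
    fi
    return 0
}

# Source the config file and check that every required variable is non-empty.
# Usage: load_config <file> VAR1 VAR2 ...
load_config() {
    cfg=$1; shift
    secret_file_is_private "$cfg" || return 1
    # shellcheck disable=SC1090
    . "$cfg" || return 1
    for var in "$@"; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "config $cfg: required variable $var is not set" >&2
            return 1
        fi
    done
    return 0
}

# How the Twitter/Growl script from the question would use it.
main() {
    load_config "$HOME/.config/com.example.twitterconfig" TWITTER_USER TWITTER_TOKEN || exit 1
    # Use "$TWITTER_TOKEN" from here on; never echo it or let it reach a log.
    echo "config loaded for $TWITTER_USER"
}

if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Run it with RUN_MAIN=1 after creating the config with mode 600; the permission test uses octal -perm arguments so it behaves the same on GNU and BSD find.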
Root(大扎)
Reply 3 · 2019-01-03 04:42

An approach can be to set the password (or API key) using an environment variable, so the password is kept out of revision control.

With Bash, you can set an environment variable using

export YOUR_ENV_VARIABLE=your_password

This approach can be used with continuous integration services like Travis: your code (without the password) is stored in a GitHub repository and executed by Travis, with your password set as an environment variable.

With Bash, you can get the value of an environment variable using:

echo $YOUR_ENV_VARIABLE

With Python, you can get the value of an environment variable using:

import os
# Raises KeyError if the variable is not set in the environment.
print(os.environ['YOUR_ENV_VARIABLE'])

PS: be aware that it's probably a bit risky (but it's a quite common practice) https://www.bleepingcomputer.com/news/security/javascript-packages-caught-stealing-environment-variables/

PS2: this article titled "How to securely store API keys" https://dev.to/bpedro/how-to-securely-store-api-keys-ab6 may be interesting to read

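The risk the PS points to is that an environment variable is inherited by every program the script launches, and by any code those programs load. As an added example (not from the original answer), the POSIX sh functions below take the secret from the environment as suggested, fail closed when it is missing, then copy it into an ordinary shell variable and unset the exported one, so helpers such as curl or growlnotify no longer see it; a mask helper shows only the last four characters for log lines. The variable name TWITTER_TOKEN is an assumption.

```shell
#!/bin/sh
# Added example, not from the original answer: read a secret from the
# environment, fail closed if absent, and stop child processes inheriting it.
# The variable name TWITTER_TOKEN is assumed for illustration.

# Copy the named environment variable into SECRET and unset the original so
# that programs started afterwards do not inherit it. Returns 1 when unset/empty.
take_secret_from_env() {
    name=$1
    eval "SECRET=\${$name:-}"
    if [ -z "$SECRET" ]; then
        echo "$name is not set; export it before running this script" >&2
        return 1
    fi
    unset "$name"
    return 0
}

# What a freshly started child process sees for the named variable:
# its value, or the word "unset".
child_view() {
    sh -c 'eval "v=\${$1:-unset}"; echo "$v"' sh "$1"
}

# Show only the last four characters, for log output.
mask() {
    s=$1
    printf '****%s\n' "${s#"${s%????}"}"
}

main() {
    take_secret_from_env TWITTER_TOKEN || exit 1
    echo "using token $(mask "$SECRET"); a child process sees: $(child_view TWITTER_TOKEN)"
    # Hand "$SECRET" to helper programs via stdin or a mode-600 file, not as a
    # command-line argument: arguments are visible to other local users in ps.
}

if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Run as TWITTER_TOKEN=... RUN_MAIN=1 sh script.sh; the printed child view is "unset" because the token was removed from the environment before any child was started.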
来,给爷笑一个
Reply 4 · 2019-01-03 04:45

The typical way to do this is to read the password info from a configuration file. If your configuration file is called foobar.config, then you would commit a file called foobar.config.example to the repository, containing sample data. To run your program, you would create a local (not tracked) file called foobar.config with your real password data.

To filter out your existing password from previous commits, see the GitHub help page on Removing sensitive data.

Viruses.
Reply 5 · 2019-01-03 04:51

What Greg said, but I'd add that it's a good idea to check in a file foobar.config-TEMPLATE.

It should contain example names, passwords or other config info. Then it is very obvious what the real foobar.config should contain, without having to look in all the code for which values must be present in foobar.config and what format they should have.

Often config values can be non-obvious, like database connection strings and similar things.

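The two answers above keep a committed template beside the untracked real config. As an added example (not from either answer), the POSIX sh functions below make that contract checkable: they list every KEY=value in the template, report keys the real config lacks, and report keys whose value is still the template's sample value, which catches the common failure of copying the template and forgetting to fill a field in. The file names foobar.config.example and foobar.config follow the answers; the keys in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original answers: check an untracked real config
# against its committed template. Key names used in comments are constructed.

# Print the KEY of every KEY=value line in a config file, one per line.
config_keys() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1"
}

# Print the value of KEY in FILE (last assignment wins); empty if absent.
config_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Keys present in the template but absent from the real config.
missing_keys() {
    template=$1; real=$2
    for key in $(config_keys "$template"); do
        if ! grep -q "^[[:space:]]*$key=" "$real"; then
            echo "$key"
        fi
    done
    return 0
}

# Keys whose real value equals the template's sample value, i.e. the
# placeholder was copied but never replaced.
unfilled_keys() {
    template=$1; real=$2
    for key in $(config_keys "$template"); do
        tval=$(config_value "$template" "$key")
        rval=$(config_value "$real" "$key")
        if [ -n "$rval" ] && [ "$rval" = "$tval" ]; then
            echo "$key"
        fi
    done
    return 0
}

# Return 0 when the real config is complete and filled in; otherwise list the
# problems on stderr and return 1. Usage: check_config foobar.config.example foobar.config
check_config() {
    template=$1; real=$2; status=0
    if [ ! -f "$real" ]; then
        echo "$real not found; copy $template to $real and fill in the values" >&2
        return 1
    fi
    for key in $(missing_keys "$template" "$real"); do
        echo "$real: missing $key" >&2; status=1
    done
    for key in $(unfilled_keys "$template" "$real"); do
        echo "$real: $key still has the template's sample value" >&2; status=1
    done
    return $status
}
```

Calling check_config at the top of the script (and exiting on failure) turns a confusing runtime error later into a clear message about which field of foobar.config still needs attention.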
放荡不羁爱自由
Reply 6 · 2019-01-03 05:01

If you're using ruby on rails, the Figaro gem is very good, easy, and reliable. It has a low headache factor with the production environment too.

chillily
Reply 7 · 2019-01-03 05:02

One can use Vault, which secures, stores, and controls access to tokens, passwords, certificates, API keys, etc. For example, Ansible uses Ansible Vault, which deals with passwords or certificates used in playbooks.
