"Protecting secrets during development is a tough problem"
The only thing you need to do is not hook your internal code to someone else's code repository.
It's the cancer of today's attitude regarding the Internet: I'll just link that bit of code to my project, what's the worst that can happen?
Take that code inside, check it out and make sure it does what it says.
But of course, to do that you have to be an actual programmer, not just a muppet stringing other people's work together.