I don’t blame the human(s) here. This should not be technically possible today. We have to change the way we create and manage machine secrets - and then our tools should reject committing them to public code repositories. This is happening way too often.
Likewise, it should not be possible to have an unencrypted, public “data bucket” (like AWS)… but that’s a different story.
Machine secrets don’t have to be human-friendly… which means they could be strongly typed, self-identifying, scope-aware potentially, and (crucially) machine detectable. Some secrets already are doing this.
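To make "self-identifying" and "machine detectable" concrete, here is an added example (not part of the original post) of a typed, scope-tagged token with a built-in checksum, plus a pre-commit style check that finds it. The `examplecorp_<type>_<scope>_...` layout, the type names and all function names are assumptions made up for illustration, not any real vendor's format.

```python
import re
import secrets
import zlib

# Hypothetical token layout (an assumption for this example, not a real vendor's):
#   examplecorp_<type>_<scope>_<32 hex random>_<8 hex CRC32 of everything before it>
VENDOR = "examplecorp"
TOKEN_RE = re.compile(
    rf"\b{VENDOR}_(pat|svc|ci)_([a-z0-9]+)_[0-9a-f]{{32}}_([0-9a-f]{{8}})\b"
)


def _checksum(body: str) -> str:
    return f"{zlib.crc32(body.encode()) & 0xFFFFFFFF:08x}"


def mint(kind: str, scope: str) -> str:
    """Issue a typed, scope-tagged secret that carries its own checksum."""
    body = f"{VENDOR}_{kind}_{scope}_{secrets.token_hex(16)}"
    return f"{body}_{_checksum(body)}"


def find_secrets(text: str) -> list[dict]:
    """Return line, type and scope of every checksum-valid token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            body = m.group(0).rsplit("_", 1)[0]
            # The checksum separates real tokens from look-alike strings.
            if _checksum(body) == m.group(3):
                hits.append({"line": lineno, "type": m.group(1), "scope": m.group(2)})
    return hits


def check_commit(added_text: str) -> int:
    """Pre-commit style gate: non-zero exit status when a secret is staged."""
    hits = find_secrets(added_text)
    for h in hits:
        # Report metadata only; never echo the secret itself.
        print(f"blocked: {h['type']} secret (scope {h['scope']}) on line {h['line']}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Constructed sample of staged content.
    staged = f'region = "eu-west-1"\nAPI_KEY = "{mint("ci", "deploy")}"\n'
    raise SystemExit(check_commit(staged))
```

Because the prefix is fixed and the checksum is verifiable offline, the scanner needs no entropy heuristics and a string that merely resembles a token does not block the commit.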