Quick answer: Godot 4 export PCK including export_presets.cfg with API keys? The cfg file gets bundled if it lives under res:// - move secrets out of the project directory.
Decompiling your own PCK shows your Steam API key inside export_presets.cfg. The file shipped.
Move secrets out of res://
Place credentials in an environment variable or a file outside the project. Reference them from CI, not from the cfg.
Add to export filter
Export preset > Resources > Filters to exclude: *.cfg. Excludes the file from the PCK at export time.
Audit your PCK
godot --headless --export-pack ... \
&& godotpcktool list game.pck
List the contents post-export. Look for anything you wouldn't ship.
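An added example (not from the original page or from any Godot tooling): a Python check a CI job could run on the exported pack's raw bytes, flagging the export_presets.cfg path, key="value" lines that look like credentials, and any live secret value passed in. It assumes an unencrypted standalone .pck; the name list, the regex, and the sample bytes are constructed for illustration.

```python
import re
import sys

# File names that should never appear in a shipped pack (assumed list; extend per project).
FORBIDDEN_NAMES = (b"export_presets.cfg",)

# Heuristic for key="value" lines whose key looks like a credential (constructed pattern).
ASSIGNMENT_RE = re.compile(
    rb'(?i)\b([a-z0-9_/]*(?:api_?key|secret|token|password)[a-z0-9_/]*)\s*=\s*"([^"\r\n]{8,})"'
)


def audit_pck(data: bytes, known_secrets: tuple = ()) -> list:
    """Return (kind, offset, detail) findings for the raw bytes of an unencrypted PCK."""
    findings = []
    if not data.startswith(b"GDPC"):
        findings.append(("no-pck-magic", 0, "file does not start with GDPC"))
    for name in FORBIDDEN_NAMES:
        for m in re.finditer(re.escape(name), data):
            findings.append(("forbidden-file", m.start(), name.decode()))
    for m in ASSIGNMENT_RE.finditer(data):
        # Report the key name only, never the value, so CI logs stay clean.
        findings.append(("secret-assignment", m.start(), m.group(1).decode()))
    for secret in known_secrets:
        needle = secret.encode()
        if secret and needle in data:
            # Exact match on a live credential, e.g. one read from a CI variable.
            findings.append(("known-secret", data.index(needle), "<redacted>"))
    return findings


# Constructed samples: fake pack bodies, one embedding a presets file with a made-up key.
SAMPLE_LEAKY = (
    b"GDPC" + b"\x02\x00\x00\x00" + b"\x00" * 16
    + b"res://export_presets.cfg\x00\x00"
    + b'[preset.0.options]\nsteam/api_key="CONSTRUCTED-KEY-0000"\n'
)
SAMPLE_CLEAN = b"GDPC" + b"\x02\x00\x00\x00" + b"res://main.tscn\x00" + b"[gd_scene]\n"

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        results = audit_pck(fh.read())
    for kind, offset, detail in results:
        print(f"{kind} at byte {offset}: {detail}")
    sys.exit(1 if results else 0)
```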
“The PCK is your project directory minus filters. Secrets in the directory ship by default.”
Rotate any credentials that were ever in a shipped PCK. Audit logs are cheap; revoked keys are forever.