Quick answer: Does your Godot export_presets.cfg contain a Firebase service account JSON in plaintext? That file is committed to source control by default, so move secrets out of project files.

A public GitHub fork of an open-source Godot project includes a Firebase admin key.

Move to environment

Read secrets from environment variables at build time; never store them in cfg files.

Gitignore the cfg

If a cfg must exist, gitignore it. Ship a .example copy with placeholders.

Rotate exposed credentials

Anything that was committed is compromised. Rotate at the provider before working further.

“Source control is forever. Secrets in source control are forever leaked.”

Audit your project's tracked files monthly. Greppable patterns ('-----BEGIN' for PEM, 'eyJ' for JWT) surface most leaks.
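
One way to run that audit, as an added example rather than code from the original page: a Python script that lists the files git tracks and flags lines matching the patterns named above. The tightened JWT regex and the extra service-account marker (including its backslash-escaped form inside a cfg string) are assumptions added here.

```python
import re
import subprocess
import sys
from pathlib import Path

# Patterns from the text ('-----BEGIN' for PEM, 'eyJ' for JWT). The JWT pattern
# is tightened to dot-separated base64url segments to cut false positives.
# The service-account marker is an addition: Google service account JSON files
# carry a "type": "service_account" field, possibly with escaped quotes when the
# JSON is embedded in a cfg string value.
PATTERNS = {
    "pem-block": re.compile(r"-----BEGIN [A-Z0-9 ]+-----"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\."),
    "gcp-service-account": re.compile(
        r'\\?"type\\?"\s*:\s*\\?"service_account\\?"'),
}

def scan_text(path, text):
    """Return (path, line_number, label) for every pattern hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((path, lineno, label))
    return hits

def tracked_files(repo):
    """List files git tracks in repo (NUL-separated to survive odd names)."""
    out = subprocess.run(["git", "-C", str(repo), "ls-files", "-z"],
                         check=True, capture_output=True).stdout
    return [p.decode("utf-8", "surrogateescape") for p in out.split(b"\0") if p]

def audit(repo="."):
    """Scan every tracked file; findings never include the matched value."""
    hits = []
    for rel in tracked_files(repo):
        f = Path(repo, rel)
        if not f.is_file():
            continue  # tracked but deleted in the working tree, or a submodule
        hits += scan_text(rel, f.read_text(encoding="utf-8", errors="replace"))
    return hits

if __name__ == "__main__":
    findings = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, lineno, label in findings:
        print(f"{path}:{lineno}: {label}")
    sys.exit(1 if findings else 0)  # non-zero exit lets CI fail on a finding
```

The script reads only the current working tree, so a clean result says nothing about earlier commits; a secret that was ever committed still needs rotation.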
