So I'm writing code and pushing it to GitHub and pushing it to GitHub etc etc....
Problem is when I do that I am also pushing things like Facebook API keys and config.php encryption keys - anyone know how to push code without doing this?
Just don't include them in your code and use environment variables:
$my_very_secret_key = getenv("MY_VERY_SECRET_KEY");
You'll define this key wherever your webserver will allow you to. For instance with nginx:
env MY_VERY_SECRET_KEY='OhThatsAVerySecretKey';
This procedure is recommended by Heroku to store S3 credentials; it's IMHO the best way to go.
If you're using a package manager (such as Composer), you can install the Dotenv package, which allows you to use a .env file in the root of your project. Make sure this file isn't readable from the web though, otherwise your security keys will be exposed.
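
A .env file can leak two ways: by being committed to the repository, or by being served by the web server. The check below is an added example, not part of the answers above. It audits both, plus local file permissions. The function name `check_env_file` and the layout (a project root holding `.env` and `.gitignore`, with a separate docroot such as `public/`) are assumptions.

```shell
#!/bin/sh
# Added example: audit where a project's .env file lives before deploying.
# check_env_file PROJECT_ROOT DOCROOT
#   PROJECT_ROOT  directory holding .env and .gitignore (assumed layout)
#   DOCROOT       directory the web server serves (e.g. PROJECT_ROOT/public)
# Prints one line per finding; returns 0 when clean, 1 when anything is found.
check_env_file() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such project root: $1"; return 1; }
    docroot=$(cd "$2" 2>/dev/null && pwd -P) || { echo "no such docroot: $2"; return 1; }
    env_file="$root/.env"
    findings=0

    [ -f "$env_file" ] || { echo "no .env file in $root"; return 1; }

    # 1. Served by the web server? True when .env sits in or below the docroot
    #    (this includes the case where the project root itself is the docroot).
    case "$env_file" in
        "$docroot"/*) echo "EXPOSED: $env_file is inside docroot $docroot"; findings=1 ;;
    esac

    # 2. Ignored by git? Look for a .gitignore line that is exactly ".env"
    #    (optionally anchored with a leading slash).
    if ! grep -Eqx '/?\.env' "$root/.gitignore" 2>/dev/null; then
        echo "UNIGNORED: .env is not listed in $root/.gitignore"; findings=1
    fi

    # 3. Readable by every local user? Flag the other-read permission bit.
    if [ -n "$(find "$env_file" -perm -004)" ]; then
        echo "PERMS: $env_file is world-readable (chmod 640 or stricter)"; findings=1
    fi

    return "$findings"
}
```

An ignore rule only stops future commits; a key that was already pushed stays in the repository history and should be rotated.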