if we have a private github repo, where we save secrets and load it in from a .env file, this will keep sensitive information like usernames, passwords, api-keys, access keys etc. to a single source of truth, but is it bad practice in terms of security?
The data is technically exposed through the application, and if some malicious entities gets access to the source code, they will be able to see all the secrets, as if the repository access is compromised or something?
The alternative is injecting the data, at runtime (through a script, Docker container etc.), which would eliminate this vulnerability, but is it necessary?
First, it's recommended to not commit .env to git (add it to .gitignore) but rather have a .env.example which lists all the relevant variables (without values or with dummy values) and has code comments explaining what each of them is doing.
Second, the answer to your question is yes, you should never commit secrets to git, and even if you commit and then delete and commit again it still lives in git history which is also bad.
Today there are lots of malicious scripts scanning github repos at all times looking for such data and I heard more than once about AWS accounts that got hacked due to such mistakes, so the the bottom line is: keep your data safe!
And last, you want to keep these practices even if your github repo is private, because it can be made public by mistake and then it's a matter of seconds until your data gets exposed!