I agree, both contain data that you should consider as confidential. Not sure what you have available iro of a secrets store and a means to authenticate against that store, but where I work we use HashiCorp Vault to locate both of these. For CI/CD we use both Azure DevOps and Jenkins and it’s relatively straight forward to integrate Vault and other products. There are many other choices of course, encrypted S3 being another, but whatever you choose or are mandated to use, you are right to be very reluctant to put these in any regular SCM. At a push you could use you CI application itself, Jenkins has ‘credentials’ that, despite the name can be use for general name/value pairs. Azure DevOps has a secrets capability and I suspect most CI do also. In our case we prefer not to encourage ‘secrets sprawl’ and rather to consolidate all confidential data under one application, but YMMV.