Plain text can work, assuming that it is access controlled in a secure environment. Often times, during the build process, a secure secret management system or process will handle the combining of the code with configuration. For example, your developer (with no secret access) could commit code and Jenkins can fetch the configuration file from a secure and access-controlled service. Then the built code has the secrets and the developer does not. There are a lot of approaches to doing it at scale. See https://gist.github.com/maxvt/bb49a6c7243163b8120625fc8ae3f3... for a good overview.