Prior to this we tried to do the same sort of thing manually, by putting config.example.yml (which isn't actually looked at by the code) into git and then copying it to config.yml and customizing it, but this had problems with having to remember to check for changes in the example config and then propagate them into the live config.

I have the credentials either in the environment or a separate config file, and neither of them go into source control.

Having the credentials in the environment has the drawback of making them "easily" available to other processes of that user and thus, potentially other processes on that machine.

Having the credentials in a separate config file (think .netrc) has the drawback of having them on file at all. The advantage is that you can explicitly exclude that credentials file from the main repository and potentially keep the credentials file in another, "highly secure" repository.

Having the credentials in the environment has the drawback of making them "easily" available to other processes of that user

I set all test environment config in a dedicated test-xterm (with screen inside, so it can proliferate). Something like:

export FOO=foo
export BAR=bar
export PATH=whatever/bin:$HOME/bleadperl/bin:$PATH
export PGPASSFILE=$HOME/.someplace/.pfile
xterm -wf -geometry 200x50 +sb -u8 -fg white -bg black -e "screen -Um 
+-t '${screen_title}'" &
[download]

for instance test database passwords (low value) would be in a file pointed at by one of the env vars (Postgres uses PGPASSFILE).

I personally have only kept passwords in separate files which aren't under version control. However, you should be able to use git filters to automatically mask passwords for you. Something like:

# In global or local git/config  (extra backslashes needed for git)
[filter "hide-password"]
clean = /usr/bin/perl -pe 's/^password\\s*=\\s*\\K.*/PASSWORD/'

# In repo/.gitattributes
settings.conf  filter=hide-password

# settings.conf
password=3zhGERnFhzaUVs
foo=bar
...
[download]

Now the repo will store "password=PASSWORD" regardless of what you set the password to locally.

I understand completely how this is insecure, but throughout testing, I one-off my communication channel names, and flick out passphrases for them, then when I go to prod for real, I write code that will write to EEPROM, save the prod connection info, then go from there.

So the creds aren't really creds, but only for testing etc? Well, then I'd just use the last commit id as channel name and its commit message as passphrase or vice versa. That way you only have to keep track of real credentials used for production tags.

All API keys and DB credentials are stored in modules in another location, and those modules are not under version control. Each script I write does a use lib to include that directory, then I pull in the credential modules that I need.

Never, ever, not even for a minute, should you put any credentials into a script that's under version control.