Best practices for secrets and local config in this repo

[JanPetterMG]

Although .env and firmware/include/config/secrets.h are listed in .gitignore, they are currently tracked in Git. This means changes can still be accidentally committed, which is risky and raises the barrier for less experienced contributors. Switching branches can also be cumbersome.

Locally, I work around this by splitting secrets per board #ifdef BOARD_XYZ and using separate .env.board-xyz files. However, this approach is not suitable for everyone. I have seen PRs where secrets.h was committed accidentally, and not everyone is familiar with partial staging.

Ideally, real secrets and local configuration files should not be tracked at all. Template files help, but in practice end-users often miss setup steps described in the main README.

One possible approach is to replace .env and secrets.h with template files and use PlatformIO extra_scripts to generate the real files on first build if they are missing. This could reduce accidental commits and lower the onboarding barrier, though it is not a perfect solution.

I would appreciate input from the community: what approach do you prefer, and are there better or more established patterns to consider?