
I'm curious, what security risk could static content pose by serving the .git?


If you don't expect your source code to be made public and don't take care to keep secrets out of it, then you will be surprised when attackers have (for example) your cookie signing key.

I know checking secrets into source code is already a bad practice, but accidental publication takes bad practice and makes it a security hole.


Parent post was asking about static content, not dynamic. No code to keep secret.


Off the top of my head, if you use an email (to commit) that you don't want the outside world to see, now it's exposed.
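An added example, not part of the thread: a pre-deploy check that walks a static site's publish directory, flags any `.git` directory that would be served, and lists the committer emails readable in plain text from its reflog. The function names, the sample site and the email address are constructed for illustration.

```python
import os
import re
import tempfile

# Reflog line: "<old-sha> <new-sha> Name <email> <unix-ts> <tz>\t<message>"
REFLOG_IDENT = re.compile(
    r"^[0-9a-f]{40,64} [0-9a-f]{40,64} (.*) <([^>]*)> \d+ [+-]\d{4}\t")

def audit_publish_dir(root):
    """Return (.git directories found under root, emails found in their HEAD reflogs)."""
    git_dirs, emails = [], set()
    for dirpath, dirnames, _ in os.walk(root):
        if ".git" not in dirnames:
            continue
        git_dir = os.path.join(dirpath, ".git")
        git_dirs.append(git_dir)
        dirnames.remove(".git")  # do not descend into the repository itself
        head_log = os.path.join(git_dir, "logs", "HEAD")
        # The reflog is uncompressed text; commit objects carry the same
        # identities but are zlib-compressed, so this check reads the reflog only.
        if os.path.isfile(head_log):
            with open(head_log, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    match = REFLOG_IDENT.match(line)
                    if match:
                        emails.add(match.group(2))
    return git_dirs, emails

def build_constructed_site(root):
    """Constructed sample: a static site whose deploy copied .git along with the HTML."""
    os.makedirs(os.path.join(root, ".git", "logs"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>\n")
    with open(os.path.join(root, ".git", "logs", "HEAD"), "w") as fh:
        fh.write("0" * 40 + " " + "a" * 40 +
                 " Sample Author <author@private.example> 1700000000 +0000"
                 "\tcommit (initial): site\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_site(tmp)
        dirs, found = audit_publish_dir(tmp)
        for d in dirs:
            print("VCS metadata in publish directory:", d)
        for e in sorted(found):
            print("committer email that would be served:", e)
```

Run against the real publish directory as a deploy gate and fail the build when the first list is non-empty.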



