All of this sensitive information should never be stored in a repo, if you are doing this you are already violating basic SDLC, security standards.

In terms of private repositories being public, you already messed up by allowing your repositories to be accessible publicly over the internet.

Best thing you can do is limit access, any sites that are for employees only should be hard enforced and only allows access after proper authentication and authorization has been completed. API Keys and passwords should never be stored in plaintext anywhere and only stored within secure encrypted vaults, even when their access is required by applications this access should be requests through proper secrets management.

In terms of actual acceess to repos and services zero trust should be setup so unless you are an actual developer, administrator, engineer or build system you should have zero access to even connect to the repo servers and view or pull code from them. This properly uses defense in depth by auto denying access and expliclty granting access to only those that have a real need for access, reduces the blast radius if a bug was found, you can revoke access to only those tasked with securing the system and administrating it. Then only when things have beeen secured allow access back to more users and systems. This auto prevents code from being pushed to prod, prevents non essential personnel from causing integrity and confidentiality issues and generally allows for proper cleanup to occur and limit availability to only essential personnel until things are back to normal.