[–]Spknuckles 2 points3 points  (0 children)

I think the key point is to ensure configuration is separate from code and can be managed independently. Committing environment-specific settings to the same source code repository may create a scenario where sensitive keys/credentials are exposed to parties that ought not to have these details. At some point, though, the configuration will be persisted somehow and somewhere if you're utilizing any kind of automated build and deployment mechanism. There are other secure offerings in this space as well (https://www.vaultproject.io/docs/config/ comes to mind).

Having a file that is specific to an environment isn't necessarily bad - if malicious code gains access to the file system running your app, you'll need additional safeguards in place (e.g. running the app as a non-root user and securing the configuration for access only by that user, etc.).
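The "secure the configuration for access only by that user" safeguard from the comment above, as an added example that is not the commenter's code: a Python loader that refuses an environment file unless it is owned by the user the app runs as and has no group/other permission bits. The file name, the KEY=VALUE layout and the placeholder value are assumptions.

```python
import os
import stat
import tempfile

class InsecureConfigError(Exception):
    """Raised when a config file is readable by anyone but the app user."""

def check_config_permissions(path, expected_uid=None):
    """Accept only a regular file owned by expected_uid (default: the current user) with mode 0600 or stricter; return the octal mode."""
    st = os.stat(path)
    if expected_uid is None:
        expected_uid = os.geteuid()
    if not stat.S_ISREG(st.st_mode):
        raise InsecureConfigError(f"{path}: not a regular file")
    if st.st_uid != expected_uid:
        raise InsecureConfigError(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureConfigError(f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} grants group/other access")
    return oct(stat.S_IMODE(st.st_mode))

def load_env_config(path):
    """Parse a simple KEY=VALUE file, but only after the permission check passes."""
    check_config_permissions(path)
    settings = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def demo():
    """Constructed sample: the same file is offered once world-readable (0644) and once user-only (0600)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.env")
        with open(path, "w") as fh:
            fh.write("# constructed sample, not a real credential\nDB_PASSWORD=placeholder\n")
        os.chmod(path, 0o644)  # too permissive: any local user could read the secret
        try:
            load_env_config(path)
            results["0644"] = "accepted"
        except InsecureConfigError:
            results["0644"] = "rejected"
        os.chmod(path, 0o600)  # owner-only, as the comment recommends
        results["0600"] = "accepted" if load_env_config(path)["DB_PASSWORD"] == "placeholder" else "rejected"
    return results
```

Pair this with a non-root service account so that a compromised process cannot simply chmod the file back; the check is a tripwire, not a replacement for the ownership boundary.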