Solid advice. In general there is a certain 'bar' you should probably set when publishing open source that you check before you do a git push, things like "are any passwords in here?", "are there private URLs?", "Email addresses?", "API Keys?". All of which can come back to bite you in weird ways.
Anything that is about "you" rather than about "code" should be in configuration or input parameters, instead of the code.
Don't get me wrong, it's inconvenient sometimes, so people will skip it and get caught, but if you can instrument a good system for doing this configuration redirect quickly it can pay off.
