My company enforces this with two rules. One, deployment always builds and deploys exactly what's in the git repository, so there is no way to include anything else (secrets, configuration...) in a deployment. Two, it's obviously forbidden to commit secrets to the git repository (we enforce this through training and reviews, but it's fairly easy to add pre-commit hooks as well).
