DCE Playbook for Design and Development
We use environment variables to manage information that varies between different project deployments such as hostnames, mail server settings, directory paths, passwords, API Keys, and other kinds of data that is either sensitive or instance-specific. In particular, sensitive configuration like passwords and API keys should not be checked into publicly accessible source control (but probably should checked into version control somewhere else with appropraite access restrictions).
Here are some good places to read about best practices to which we aspire on this subject:
For concrete details on how DCE handles environment variables in practice, please see the dotenv setup section of our playbook.