[DerekBickerton]

Secrets like API keys should be added last, when the program is in the very last stages, then you can plug them in. I know, it sucks having to do that, but it's a strategy I've been using for years, and I use leaky things like Copilot too. If you must use API keys with Copilot, make the key related to some disposable staging/test environment, not important code like prod.

[sbecker]

No one uses API keys with Copilot intentionally. If you install the VSCode extension and start using it, and you happen to open a file that has an API key in it, boom - it's sent to Copilot. That is the issue. It's currently like walking a tightrope with no guardrails, and it's not obvious.