Best approach for secrets management for test credentials in CI?

We have test credentials (API keys for sandbox environments, DB passwords, OAuth tokens) that need to be available in CI. Current state: GitHub Actions secrets, loaded as environment variables. Simple but: - Hard to rotate (need to update in every repo) - No audit trail of who accessed what - Secrets sprawl as the test suite touches more services Is anyone using Vault, AWS Secrets Manager, or similar for test credentials? Or is the complexity not worth it for test environments specifically? We're a 12-person engineering team.