Question for OP: Can you share how you manage the borders between the open source product and the infrastructure for offering a SaaS?

As a trivial example, I’m assuming you're using Plausible in Plausible, do you have protections ensuring secrets don’t leak to the open source for history?

Sure, our main repository comes with a production-ready Dockerfile: https://github.com/plausible/analytics

We also have a separate repository with examples and code for how to host Plausible Analytics with docker-compose: https://github.com/plausible/hosting

The hosting repo includes everything you need, including databases, MaxMind GeoIP database, reverse proxy for SSL, etc.

We don't host with docker-compose ourselves because we want to scale our databases independently from the app server.

I'm not sure I understand your question. Secrets should never be committed to source control, whether the repo is public or not. Being open source does not change how we manage secrets in the slightest.

Does that answer your question?