You don't store them in repos on disk, but in a HSM so they can't be stolen, and then you protect signing access to them based on service/process information.
You don't store them in repos on disk, but in a HSM so they can't be stolen, and then you protect signing access to them based on service/process information.