Using a secret manager seems to be the default nowadays and I think it's the right way, but I propose to decouple the specific implementation of using one from the code you write by simple devops tactics: Provide the ENV vars to the process your app is running in while your app relies on ENV vars as it used to be.
So instead of sourcing an .env file at startup, fetch the vars from the secret manager and export them to the process. Then start the actual app.
In a real application you want to cache most ENV vars anyways, so why not use the process environment for that? Also you want to have them available always and from the start, and not deal with your secret manager client not being able to call its service in the middle of the show.
As developers we should be able to add .env to .gitignore.
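
A launcher along the lines described above, as an added example that is not part of the original post. `fetch_secrets` is a hypothetical stand-in for whatever secret-manager client you use, and the values it prints are constructed sample data; the assumed output format is one `NAME=value` pair per line.

```shell
#!/bin/sh
# Hypothetical stand-in for a secret-manager client; replace the body with
# your real CLI call. Constructed sample data, one NAME=value per line.
fetch_secrets() {
    printf '%s\n' \
        'DB_PASSWORD=p@ss $(id) ; echo x' \
        'API_KEY=abc=123'
}

# Read NAME=value lines on stdin and export them. Values are handled as data
# only (no eval, no sourcing), so shell syntax inside a secret never runs.
# Error messages omit the offending line so a secret cannot leak into logs.
# Returns non-zero on the first malformed line.
load_env() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        case $line in
            *=*) ;;
            *) echo "load_env: missing '=' in input line" >&2; return 1 ;;
        esac
        name=${line%%=*}    # text before the first '='
        value=${line#*=}    # everything after it, further '=' included
        case $name in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "load_env: invalid variable name" >&2; return 1 ;;
        esac
        export "$name=$value"
    done
}

# Fetch, export, then replace this shell with the app. Fails closed: if the
# fetch or the parse fails, the app is never started.
run_with_secrets() {
    secrets=$(fetch_secrets) || { echo "secret fetch failed" >&2; return 1; }
    load_env <<EOF || return 1
$secrets
EOF
    unset secrets
    exec "$@"
}

# Usage: ./launch.sh /path/to/app [args...]
if [ "$#" -gt 0 ]; then run_with_secrets "$@"; fi
```

The here-document is used instead of `fetch_secrets | load_env` because a pipeline would run `load_env` in a subshell and the exports would be lost. Since `exec` replaces the launcher, no wrapper process stays around holding the values, but child processes of the app inherit them unless it clears its environment.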