We're rolling out support for open source projects on Bitrise, and we've done a full security review beforehand so that you can be sure your secrets are safe with us. We've introduced multiple security-related improvements, the latest of which is a new type of step input called sensitive.
Your secrets are not shown in the bitrise.yml and they are stored encrypted. In addition, you can prevent secrets from being exposed on the UI by marking them as protected.
Note that someone might still find a workaround and log the value of a secret from a pull request, so we advise against exposing secrets in PRs. For this reason, Expose for Pull Requests is set to off by default for secrets.
Apart from the security features listed above, step inputs that store secret values (such as passwords, API tokens or an SSH key) can now be marked as sensitive. Bitrise then redacts the values defined as secret environment variables from the build log to keep them secret.

These step input values must be defined as secret environment variables and cannot be typed directly into the input field (so if you can't find the Insert variable button in the top right, you've bumped into a sensitive input). To fill in such an input field, you can either add the secrets in advance or add them on the go. Click either Enter value or Select secret variable to open the popup where you can add or choose one.
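The following configuration fragment is an added illustration of how a sensitive input is wired up; it is example configuration, not code from this post or from Bitrise. The step id `deploy-api`, its input name `api_token` and the secret key `API_TOKEN` are assumed placeholders, and `is_sensitive: true` is the step.yml input option as I understand it, not a value quoted from the post. The literal token value is a constructed example.

```yaml
# Added example, not from the Bitrise post or the Bitrise project.
# Assumed names: step id "deploy-api" and input "api_token" are hypothetical;
# "API_TOKEN" is a constructed secret key; the token value is made up.

# --- step.yml of the hypothetical deploy-api step ---------------------
# Marking the input as sensitive means bitrise.yml may only supply it as a
# reference to a secret environment variable, never as a literal string.
inputs:
- api_token:
  opts:
    title: API token
    is_required: true
    is_sensitive: true

# --- bitrise.yml -------------------------------------------------------
format_version: "8"
default_step_lib_source: https://github.com/bitrise-io/bitrise-steplib.git
workflows:
  deploy:
    steps:
    - deploy-api:
        inputs:
        # Not allowed for a sensitive input: a literal value. It would be
        # committed with bitrise.yml and could end up verbatim in the log.
        # - api_token: sk_live_constructed_example
        #
        # Allowed: a reference to a secret env var. The value lives in the
        # app's Secrets tab (stored encrypted, absent from bitrise.yml) and
        # is redacted wherever it appears in the build log.
        - api_token: $API_TOKEN

# --- .bitrise.secrets.yml (for local CLI runs; on bitrise.io the same key
# is defined in the Secrets tab with Expose for Pull Requests left off)
envs:
- API_TOKEN: sk_live_constructed_example
```

The point to check in your own workflows is the middle section: any input a step declares as sensitive should appear in bitrise.yml only as a `$SECRET_NAME` reference, and the secret itself should keep Expose for Pull Requests off unless a PR build genuinely needs it.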

Add your secrets in advance
Add all (or some) of them in advance by going to your app's Secrets tab and clicking Add new.

You can add any number of secrets here. Don't forget to click Save!
Add a secret on the go
If you click either Enter value or Select secret variable without having any Secrets predefined, you can create them in the popup window.
After setting a Key and a Value, clicking Add new creates the Secret, adds it to the list on the Secrets tab and inserts it into the input field.

Stay tuned for the open source project support to land on Bitrise!
Happy and safe building!