Tony
Apr 23, 2023


Storing kubeconfig in GitHub can be a convenient and secure way to manage your CI/CD workflow, since it is encrypted and can only be accessed by authorized users. But the downside is if GitHub Actions gets compromised or a malicious user gains access. Also, you are pretty much vendor locked in. Some other options are:

1. Use your own GitHub runner (i.e. AWS EC2) and deploy kubeconfig prior to the build (the aws eks update-config command, for example). If it's an on-prem server, you can use static IAM users with limited access.

2. Store the config in third-party tools such as AWS Systems Manager secrets, or Azure DevOps like you mentioned. Then retrieve it dynamically during the build.

Bottom line: whatever method you use should be approved by the cloud-security team or compliance team.
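As an added example (not Tony's code, and not from any project mentioned on this page), here is what option 2 could look like as a GitHub Actions workflow: the runner obtains short-lived AWS credentials by assuming an IAM role through GitHub's OIDC provider, pulls the kubeconfig from an AWS Systems Manager Parameter Store SecureString at build time, writes it to the job's temp directory with owner-only permissions, and deletes it when the job ends. The role ARN, region, parameter name, cluster name and manifest path are placeholders, and the commented-out step shows the option 1 variant where the AWS CLI generates the kubeconfig from the cluster instead (the actual CLI subcommand is `aws eks update-kubeconfig`).

```yaml
name: deploy
on:
  push:
    branches: [main]

permissions:
  id-token: write   # needed so the job can request a GitHub OIDC token
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      # kubectl reads this path; runner.temp is wiped between jobs
      KUBECONFIG: ${{ runner.temp }}/kubeconfig
    steps:
      - uses: actions/checkout@v4

      # Short-lived credentials via OIDC: no static access keys stored in GitHub.
      # Role ARN and region are placeholders (assumption).
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy-role   # placeholder
          aws-region: us-east-1                                                 # placeholder

      # Option 2 from the comment: fetch the kubeconfig from SSM Parameter Store
      # (SecureString, decrypted by KMS) and keep it only in the job's temp dir.
      - name: Fetch kubeconfig from Parameter Store
        run: |
          set -euo pipefail
          umask 077   # the file is created owner-read/write only
          aws ssm get-parameter \
            --name "/cicd/kubeconfig/prod" \
            --with-decryption \
            --query 'Parameter.Value' \
            --output text > "$KUBECONFIG"
          # fail early if the parameter was empty or is not a usable kubeconfig
          kubectl config get-contexts >/dev/null

      # Alternative (option 1 in the comment): let the AWS CLI generate the
      # kubeconfig from the cluster; the assumed role then authenticates to EKS.
      # - name: Generate kubeconfig from EKS
      #   run: aws eks update-kubeconfig --name my-cluster --region us-east-1   # placeholders

      - name: Deploy
        run: kubectl apply -f k8s/   # placeholder manifest directory

      # Runs even if the deploy step fails, so the credential never outlives the job.
      - name: Remove kubeconfig
        if: always()
        run: rm -f "$KUBECONFIG"
```

Two things make this safer than a kubeconfig stored as a GitHub secret: the IAM role's trust policy can restrict the OIDC `sub` claim to this repository and branch, so a token from any other repo cannot assume it, and the role's permissions policy can be limited to `ssm:GetParameter` on that one parameter plus `kms:Decrypt` on its key. The parameter can also be rotated (or the mapped Kubernetes identity revoked) in one place without touching any workflow.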
