The easiest long-term win is to use separate tokens for separate duties, each with the minimum permissions required. If one token leaks, you do not lose the whole account.
Rules I try to follow
1) Scope by zone/project, not global.
2) Scope by permissions, not convenience.
3) Rotate on a schedule, not only after incidents.
4) Store secrets outside the repo; treat config as public.
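As an added example (not from the original post), a small Python linter that checks a token inventory against rules 1 to 3; the duties, permission names, token names and 90-day rotation window are constructed assumptions, and the inventory records only an environment-variable name per secret rather than the token value, in keeping with rule 4.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed allowlist: the permissions each duty legitimately needs (rule 2).
DUTY_PERMISSIONS = {
    "dns-deploy": {"dns:edit"},
    "cache-purge": {"cache:purge"},
    "read-only-monitor": {"zone:read", "analytics:read"},
}
MAX_AGE = timedelta(days=90)  # assumed rotation schedule (rule 3)
TODAY = date(2024, 6, 1)      # fixed "today" so the run is reproducible


@dataclass
class Token:
    name: str
    duty: str
    scope: list[str]       # zones/projects the token is limited to; [] means global
    permissions: set[str]
    created: date
    env_var: str           # where the secret lives; the value itself is never stored here (rule 4)


def lint_token(tok: Token, today: date) -> list[str]:
    """Return a list of rule violations for one token (empty list means clean)."""
    findings = []
    if not tok.scope:                                   # rule 1: scope by zone/project
        findings.append("global scope")
    allowed = DUTY_PERMISSIONS.get(tok.duty)
    if allowed is None:
        findings.append(f"unknown duty {tok.duty!r}")
    else:
        extra = sorted(tok.permissions - allowed)       # rule 2: nothing beyond the duty
        if extra:
            findings.append("excess permissions: " + ", ".join(extra))
    if today - tok.created > MAX_AGE:                   # rule 3: rotate on a schedule
        findings.append(f"older than {MAX_AGE.days} days; rotate")
    return findings


def lint_inventory(tokens: list[Token], today: date) -> dict[str, list[str]]:
    """Map token name -> findings, only for tokens that break at least one rule."""
    report = {}
    for tok in tokens:
        findings = lint_token(tok, today)
        if findings:
            report[tok.name] = findings
    return report


# Constructed sample inventory: one clean token, one that breaks rules 1-3, one clean subset.
SAMPLE = [
    Token("dns-ci", "dns-deploy", ["example-zone"], {"dns:edit"}, date(2024, 5, 1), "DNS_CI_TOKEN"),
    Token("purge-bot", "cache-purge", [], {"cache:purge", "dns:edit"}, date(2024, 1, 1), "PURGE_TOKEN"),
    Token("monitor", "read-only-monitor", ["example-zone"], {"zone:read"}, date(2024, 5, 20), "MON_TOKEN"),
]

if __name__ == "__main__":
    for name, findings in lint_inventory(SAMPLE, TODAY).items():
        print(f"{name}: " + "; ".join(findings))
```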