How do you secure stuff like .env, secrets.yml that have important keys and tokens away from contractors who are working for you?

There needs to be a level of trust when working with contractors. Apart from that you can create separate keys for contractors or set up the app in such a way that it still works without having all the keys in place. (Automatically disable functionality reliant on keys.)

Or generate new keys after the contract ends.

Another option I would recommend is to use something like Vault by HashiCorp. When working with different people with different levels of access who need to test locally, I would suggest always using Vault, Azure Key Vault or another similar service where users can authenticate with their own unique credentials in order to access security credentials for other services. This also means it's very easy to refresh security credentials, as everyone retrieves them from the same place (including your services), and makes it easy to restrict an individual's access or remove them completely, limiting the risk of them causing any damage. (You should do both, regularly change tokens and limit user access, for it to be considered secure.)
In general, any security credentials, tokens, etc., should never be in the source code or checked in as part of the source code. While early on in a small project it's fine, security credentials in source code are a very common cause of hacks.
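
An added example (not code from anyone in this thread) of the first reply's suggestion to automatically disable functionality reliant on keys, with secrets read from the environment rather than from source as the last reply advises. The feature names, variable names and placeholder list are assumptions made for illustration.

```python
import os
from dataclasses import dataclass

# Hypothetical feature -> required secret names (assumptions, not from the thread).
REQUIRED_SECRETS = {
    "payments": ("PAYMENTS_API_KEY", "PAYMENTS_WEBHOOK_SECRET"),
    "email": ("SMTP_PASSWORD",),
    "search": (),  # needs no secrets, so it is always available
}
# Values often left over from a committed example file; treated as "not set".
PLACEHOLDERS = {"", "changeme", "todo", "xxx"}


@dataclass(frozen=True)
class FeatureState:
    enabled: bool
    missing: tuple  # names only; secret values are never stored or logged


def _is_set(env, name):
    value = env.get(name)
    return value is not None and value.strip().lower() not in PLACEHOLDERS


def resolve_features(env=None):
    """Return {feature: FeatureState}; a feature is on only if all its keys are set."""
    env = os.environ if env is None else env
    states = {}
    for feature, names in REQUIRED_SECRETS.items():
        missing = tuple(n for n in names if not _is_set(env, n))
        states[feature] = FeatureState(enabled=not missing, missing=missing)
    return states


def require_feature(states, feature):
    """Call at the entry point of key-dependent code so it fails closed."""
    state = states[feature]
    if not state.enabled:
        raise RuntimeError(f"{feature} disabled; missing: {', '.join(state.missing)}")


if __name__ == "__main__":
    # Constructed contractor environment: only a sandbox mail password is issued.
    contractor_env = {"SMTP_PASSWORD": "sandbox-only-value", "PAYMENTS_API_KEY": "changeme"}
    for name, state in resolve_features(contractor_env).items():
        print(name, "enabled" if state.enabled else f"disabled (missing {state.missing})")
```

A contractor who is only issued the sandbox mail password gets a working app with payments switched off, and error messages name the missing variables without echoing any values.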