Forge requires a GitHub access token to function.
Doom ships with Keychain integration enabled by default for macOS hosts, so we can use that and avoid fiddling with GPG. Doom helpfully documents the format required, which can be created from the command line as follows:
security add-internet-password -a "{username}^forge" -r htps -s api.github.com -w "{key}"Similarly to Forge, org-gcal requires access an OAuth access token to access the Google Calendar API.
There are two distinct uses of secrets with org-gcal: storing a client secret which is used to obtain the access token, and then storing the access token itself. org-gcal uses GPG for the latter in a non-configurable fashion, so I've used GPG for the former as well for consistency. This is mostly abstracted through Emacs' AuthSource library and the password for the GPG key itself is handily stored in the macOS Keychain.
Creating the secret uses the "netrc" file syntax as follows:
echo "machine org-gcal-secret login client password PASS" > oauth-client-secret.txt
gpg --encrypt --recipient KEYID --output org-gcal-secret.gpg org-gcal-secret.txt