Generally speaking, there are two types of API keys:
First off, you have your traditional secret API keys that have write access to your account or to the API resources, so it can be used to do damage (e.g. change data, delete stuff, or worse). This is the default for most APIs. Never ever use these in client-side code. That’s probably why those emails were yelling at you.
An example of a secret API is the Ghost Admin API. you can use it to edit content, delete posts, and basically destroy the entire site. So don’t publish your Admin API key anywhere, ever.
I haven’t used the Google Books API, but I’ve worked with other Google APIs and most of them are very dynamic and configurable. So if you have set up a read-only API key, it should be fine to just leave that key in your repository if you don’t want to bother with it too much.