Using Ghost on GitHub. How do I prevent API keys from being exposed? Can I use dotenv?

Generally speaking, there are two types of API keys:

First off, you have your traditional secret API keys that have write access to your account or to the API resources, so it can be used to do damage (e.g. change data, delete stuff, or worse). This is the default for most APIs. Never ever use these in client-side code. That’s probably why those emails were yelling at you.

An example of a secret API is the Ghost Admin API. You can use it to edit content, delete posts, and basically destroy the entire site. So don’t publish your Admin API key anywhere, ever.

Then there are read-only API keys that are meant to be used in client-side code. They can only read data from the API, not write to it or change anything. For example, the Ghost Content API. These are fine to use in client-side JavaScript since people can’t abuse them. Often it is noted explicitly in the documentation if you can use a key in your client-side code.

I haven’t used the Google Books API, but I’ve worked with other Google APIs and most of them are very dynamic and configurable. So if you have set up a read-only API key, it should be fine to just leave that key in your repository if you don’t want to bother with it too much.

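As an added example (not code from the answer above, from Ghost, or from dotenv), here is a small Node.js script that keeps the secret Admin API key in server-only config read from a `.env` file, builds a client-safe config that accepts only a Content API key, and scans client source for Admin-key-shaped strings before they get committed. It assumes the Ghost key shapes (Admin key `id:secret` with a 24-hex id and 64-hex secret, Content key 26 hex characters) and uses constructed sample values.

```javascript
// Added example (not from the forum post or Ghost): the Admin API key is read
// from .env and used only on the server; the browser gets only the read-only
// Content key. Assumed shapes: Admin = "<24 hex>:<64 hex>", Content = 26 hex.
const ADMIN_KEY_EXACT = /^[0-9a-f]{24}:[0-9a-f]{64}$/i;
const ADMIN_KEY_ANY = /\b[0-9a-f]{24}:[0-9a-f]{64}\b/gi;
const CONTENT_KEY_EXACT = /^[0-9a-f]{26}$/i;

// Minimal dotenv-style parser: KEY=value lines, '#' comments, optional quotes.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    let value = line.slice(eq + 1).trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    env[line.slice(0, eq).trim()] = value;
  }
  return env;
}

// Server-only config: the Admin key stays in this process.
function buildServerConfig(env) {
  const adminKey = env.GHOST_ADMIN_API_KEY || '';
  if (!ADMIN_KEY_EXACT.test(adminKey)) throw new Error('GHOST_ADMIN_API_KEY missing or malformed');
  return { url: env.GHOST_URL, adminKey };
}

// Client-safe config: only the site URL and a Content (read-only) key may pass,
// so an Admin key pasted into the wrong variable fails loudly at build time.
function buildClientConfig(env) {
  const key = env.GHOST_CONTENT_API_KEY || '';
  if (ADMIN_KEY_EXACT.test(key)) throw new Error('refusing to ship an Admin API key to the browser');
  if (!CONTENT_KEY_EXACT.test(key)) throw new Error('GHOST_CONTENT_API_KEY is not a Content API key');
  return { url: env.GHOST_URL, key };
}

// Pre-commit style scan of client source: any Admin-key-shaped string is a leak.
function findLeakedAdminKeys(source) {
  return [...source.matchAll(ADMIN_KEY_ANY)].map((m) => m[0]);
}

// Constructed sample .env with made-up values, not real keys.
const SAMPLE_ENV = [
  '# local secrets, never committed',
  'GHOST_URL=https://example.com',
  'GHOST_CONTENT_API_KEY=0123456789abcdef0123456789',
  'GHOST_ADMIN_API_KEY="64a1b2c3d4e5f60718293a4b:' + '0123456789abcdef'.repeat(4) + '"',
].join('\n');
```

Run `findLeakedAdminKeys` over your client bundle or in a pre-commit hook; `buildClientConfig` is what a build step should call when it writes public config for the browser.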