By changes, are you talking about future commits? It depends on the license.
You mean API token? No. That goes in secrets or whatever they call it in GitLab. Make sure to generate a new one if you're unable to remove it from the previous commits.
AFAIK, those codes don't need to be kept private, but I think they only do that verification once, so you can probably just delete the file at this point. (After all, you can also use a TXT record to store the verification code for a domain with Google, and those are definitely not private; anyone can dig your domain's TXT records.)