I don't know how this is handled in open-source projects but I'd suggest to not publish the googles-services.json since somebody knowing these keys can spam firebase with arbitrary events...

good question ... it is bound to the package. So in the store its not really possible, but I must admit apps not installed from the play store can spam into the account (but why should they do it :-D )

After a quick research it turned out to be okay to put the google-service.json into the public repository since the keys can be extracted easily from the APK itself. But it is possible to restrict the API access to correctly signed APKs only.
Take a look at: https://stackoverflow.com/a/57067722/6843341