I'm not a proper developer so this is probably too simplistic but I use tar including full paths, xattrs, selinux attributes, etc... I am assuming you mean home dir dotfiles. I only change things in one place and use a bash function to wrap things up into a versioned tarball, then rsync the tarball to other places and extract with full paths clobbering anything that exists. This is semi-automated with bash functions and ssh.

If by dotfiles you mean variables that change per environment yet remain idempotent or monkey-patch and have to be maintained by others I would make it part of an Ansible deployment using the secrets storage or whatever the company or group uses as a standard configuration management system and secrets management so I guess it depends on ones use-case. Application dotfiles may contain secrets so they need to be stored in that environments secure storage and provably never leave that environment.