How to sign an Android apk securely without using secrets in github?

If you don't want to use GitHub secrets, you can extract the signing information (passwords and alias) to a separate file as described here.

(All examples are from the link above)

Create file keystore.properties with this content:

storePassword=myStorePassword
keyPassword=mykeyPassword
keyAlias=myKeyAlias
storeFile=myStoreFileLocation

Read the content of the file in your gradle script:

...

// Create a variable called keystorePropertiesFile, and initialize it to your
// keystore.properties file, in the rootProject folder.
def keystorePropertiesFile = rootProject.file("keystore.properties")

// Initialize a new Properties() object called keystoreProperties.
def keystoreProperties = new Properties()

// Load your keystore.properties file into the keystoreProperties object.
keystoreProperties.load(new FileInputStream(keystorePropertiesFile))

android {
    ...
}

Set the signing configuration:

android {
    signingConfigs {
        config {
            keyAlias keystoreProperties['keyAlias']
            keyPassword keystoreProperties['keyPassword']
            storeFile file(keystoreProperties['storeFile'])
            storePassword keystoreProperties['storePassword']
        }
    }
    ...
  }

In your CI job, you have to download the keystore and extracted signing information somehow. For example by using curl.

That said though, this is still not increasing security. If you're hosting your keystore and signing information publicly, everybody can download it. If you make it only accessible with a password / API key, you will have to provide this password / API key to your CI. Ideally through GitHub secrets.

I don't know your usecase but generally speaking I would recommend using GitHub secrets (or any other secrets functionallity if you use a different CI).