Update secret management to use a locked down env for deploys

Author: pimterry

.github/workflows/ci.yml

@@ -35,10 +35,11 @@ jobs:
           if-no-files-found: error
 
   deploy:
-    name: Deploy to GitHub Releases
+    name: Deploy to GitHub Releases & Google Play
     needs: build
     runs-on: ubuntu-22.04
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+    environment: production
     permissions:
       contents: write
     steps:
@@ -48,7 +49,6 @@ jobs:
           name: unsigned-app.apk
           path: .
 
-
       - name: Get the AAB
         uses: actions/download-artifact@v4
         with:
@@ -67,8 +67,8 @@ jobs:
         id: sign_app
         with:
           releaseDirectory: .
-          signingKeyBase64: ${{ secrets.ANDROID_SIGNING_KEY }}
-          alias: ${{ secrets.SIGNING_KEY_ALIAS }}
+          signingKeyBase64: ${{ secrets.ANDROID_SIGNING_JKS_BASE64 }}
+          alias: ${{ vars.SIGNING_KEY_ALIAS }}
           keyStorePassword: ${{ secrets.SIGNING_KEY_STORE_PASSWORD }}
           keyPassword: ${{ secrets.SIGNING_KEY_PASSWORD }}
         env: