Why don't you simply store the JKS file encoded as base64 in the github secrets? What's the point of encrypting it? You are also adding the passphrase to github secrets. So if your github secrets are compromised, it does not matter whether your keystore file is encrypted or not.