I'm cleaning up my build file. Currently we're using env variables i.e.

System.env.KEYSTORE_PASSWORD

for a keystore password. In https://developer.android.com/studio/publish/app-signing#kts I see they recommend

keystore.properties

file. What do you go for when needing "secrets" in your build file?

Depends on the type of secret. If it's a secret from everyone, even your developers (e.g. prod secrets that only a few have access to) then I keep my secrets in CI and expose them to CI builds through env vars (in those cases it isn't possible to make prod builds locally). If it's a secret just to not have plaintext in the project, I use ejson (via my library / Gradle plugin)