Confusion about signing Android app


I have started to sign and upload to the PlayStore for distribution to Internal testers my first app. That went generally well but I’m a bit confused about the best way to do that:

  1. The Capacitor docs say that "Capacitor does not have a build or compile command, nor will there ever be one." but the CLI does have a build command which appears to be doing the same as the corresponding Android Studio command.

So is there any difference in what npx cap build ... android does compared to Android Studio?

  2. I need to automate the build process so I’d like to use the CLI. But when running npx cap build ... android, I must provide the keystore and key alias passwords on the command line (--keystorepass and --keystorealiaspass options).

This means the passwords are going to be displayed in clear text and stored in the shell execution history? Surely that’s not how it’s supposed to be done?
Is there a way for the CLI to prompt me for these passwords?
Or must we use ENV variables (which is harder in my use case, because I need to read these values from some .env file or something)?

How are you doing this?

Thanks for any pointer!
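
An added example, not part of the original post and not Capacitor's own code: one way to keep the two signing passwords out of typed commands by loading them from a permission-restricted .env file, with a no-echo prompt as fallback. The function names, the `signing.env` file name and the `KEYSTORE_PASS` / `KEY_ALIAS_PASS` variable names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. KEYSTORE_PASS / KEY_ALIAS_PASS and the .env layout are
# assumed names, not something the Capacitor CLI defines.

# Load only the two signing secrets from a .env file, without `source`/eval,
# so a tampered file cannot run commands in the build shell.
load_signing_env() {
    env_file=$1
    [ -f "$env_file" ] || { echo "missing $env_file" >&2; return 1; }
    # Refuse files that group or other can access (mode must be 0600 or 0400).
    case "$(ls -ld -- "$env_file" | cut -c5-10)" in
        ------) ;;
        *) echo "$env_file is accessible to group/other" >&2; return 1 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; *=*) ;; *) continue ;; esac
        key=${line%%=*}
        value=${line#*=}
        # Strip one pair of surrounding double quotes, if present.
        case "$value" in '"'*'"') value=${value#\"}; value=${value%\"} ;; esac
        case "$key" in
            KEYSTORE_PASS)  KEYSTORE_PASS=$value ;;
            KEY_ALIAS_PASS) KEY_ALIAS_PASS=$value ;;
        esac   # any other key in the file is ignored
    done < "$env_file"
    [ -n "${KEYSTORE_PASS:-}" ] && [ -n "${KEY_ALIAS_PASS:-}" ]
}

# Interactive fallback: prompt with terminal echo switched off.
prompt_secret() {
    printf '%s: ' "$1" >&2
    stty -echo; IFS= read -r secret; stty echo; printf '\n' >&2
    printf '%s' "$secret"
}

# Usage (build line as written in the post, its "..." left untouched):
#   load_signing_env ./signing.env || KEYSTORE_PASS=$(prompt_secret "Keystore password")
#   npx cap build ... android --keystorepass "$KEYSTORE_PASS" --keystorealiaspass "$KEY_ALIAS_PASS"
# The literal password never lands in shell history, but the expanded value is
# still in the process argument list (visible to `ps`) while the build runs.
```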