you have two way.

• gcp secret manager
• github secret

for gcp secret: you can encode the json in base64 and add it in secret manager. after you get the secret in your function and decode from base64 in runtime.

(long opération for each runtime)

in github secret: you can encode too but décode only in ci:cd or github secret provide you a file solution well you write directly the json without base64 step. ( work on gitlab not sûre for the file in github)

https://docs.github.com/fr/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-environment

you can provide a service account for each environnement and stage local with your dev environnement in .gitignore