Java/Android – Best way to update apps that are not in the Play Store

You have multiple misconceptions about how updating, APKs and keeping keys secure work.

You have to host your APKs somewhere. GitHub Releases is a pretty common way (but slow), but you could also use Google Drive, Dropbox or your own server.

Your app has to poll the server regularly and check if a new APK is available (pull-based). The second option is to use a push notification of some kind, e.g. FCM (push-based). Then you download the APK and let the user install it. Your app cannot start an installation by itself; it has to be done by the user.

But you can redirect the user to the installation menu with that APK, so he just has to click “Install”. “Install from unknown sources” has to be enabled for that; if it is not, the OS will notify the user and offer a way to enable it.

There are apps like “APK extractor” which get you the APKs from Google Play without root, so there’s nothing wrong with giving out the APK. Your APK should never contain secure keys which the user isn’t allowed to see. It’s easy to reverse engineer those keys; it’s just a matter of time.
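The pull-based flow described above, sketched as an added example that is not part of the original answer: it checks the version, verifies the downloaded APK against a digest, and hands the file to the system installer. The class and method names, the idea of a manifest that publishes a version code and SHA-256 digest, and the `.fileprovider` authority are assumptions; the manifest is expected to be fetched over HTTPS.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.provider.Settings;
import androidx.core.content.FileProvider;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;

// Hypothetical helper; needs REQUEST_INSTALL_PACKAGES in AndroidManifest.xml on API 26+.
public final class ApkUpdater {
    // remoteVersionCode comes from your own update manifest (assumed format).
    public static boolean isNewer(long installedVersionCode, long remoteVersionCode) {
        return remoteVersionCode > installedVersionCode;
    }

    // Compare the downloaded file's SHA-256 with the digest published in the manifest,
    // so a truncated or swapped download never reaches the installer.
    public static boolean sha256Matches(File apk, String expectedHex) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(apk)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) hex.append(String.format("%02x", b));
        return hex.toString().equalsIgnoreCase(expectedHex.trim());
    }

    // Hand the verified APK to the system installer; the user still taps "Install".
    public static void promptInstall(Context ctx, File apk) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O
                && !ctx.getPackageManager().canRequestPackageInstalls()) {
            // Send the user to this app's "install unknown apps" setting first.
            ctx.startActivity(new Intent(Settings.ACTION_MANAGE_UNKNOWN_APP_SOURCES,
                    Uri.parse("package:" + ctx.getPackageName()))
                    .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
            return;
        }
        // Authority is an assumption; it must match a <provider> entry in your manifest.
        Uri uri = FileProvider.getUriForFile(ctx, ctx.getPackageName() + ".fileprovider", apk);
        ctx.startActivity(new Intent(Intent.ACTION_VIEW)
                .setDataAndType(uri, "application/vnd.android.package-archive")
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_ACTIVITY_NEW_TASK));
    }
}
```

Android itself rejects an update whose signing certificate differs from the installed app's, so the digest check is an extra integrity step before the hand-off, not a replacement for APK signing.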
