Warning: What you are doing will invalidate the signature. You'll have to resign it afterwards to install it, and it won't look like the original dev made it. There's no way around this, except exploits.
You can just put the versionCode in AndroidManifest.xml and it will override the arguments given to aapt from apktool.yml with a warning. I just confirmed this myself.
Example changes to AndroidManifest.xml:
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:installLocation="internalOnly" package="com.example.someApp" android:versionCode="12345" android:versionName="1.2.3.4.5">
Setting version information: https://developer.android.com/tools/publishing/versioning.html#appversioning
What the aapt command would look like if you changed apktool.yml:
Aug 11, 2015 12:56:52 PM brut.androlib.res.AndrolibResources aaptPackage
INFO: [/var/folders/5m/jph9d7q573b5yl5ybnhhx4000000gn/T/brut_util_Jar_5616282982200298928.tmp, p, -v, --forced-package-id, 127, --min-sdk-version, 5, --version-code, 12345, --version-name, 1.2.3.4.5, -F, /Users/caleb/example/someApp.apk, -0, arsc, -A, /Users/caleb/example/./assets, /Users/caleb/example/./build/apk]
It's clear the values in apktool.yml are pulled from AndroidManifest.xml:
https://github.com/iBotPeaches/Apktool/blob/0370416d9029d01f210556ab3662e3fa0f80c239/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/XmlPullStreamDecoder.java#L96
For some reason they're not included in the decoded <manifest> attribute. This could be a bug.
