feat: Allow mounting of secrets for build steps #434

@gmpinder

We should have a way to define secrets to mount during the execution of a module. This would allow users to authenticate to services during build-time. This has a requirement for using the secret mounting mechanisms provided by buildah, podman, and docker. This new system will also require some schema changes to be able to define the secrets to mount in the recipe.

Docker docs

Proposed schema

```yaml
type: script
secrets:
  # Loads an environment variable as a secret
  - type: env
    name: SOME_ENV_VAR

  # Loads the secret to a file in the build
  - type: file
    source: /some/file/somewhere
    destination: /some/location/in/build

  # Executes a command on the host system to retrieve the secret
  - type: exec
    command: some_command
    args:
      - arg1
      - arg2
    output:
      type: file
      destination: /some/other/location
      # Could also do env
      # type: env
      # name: SOME_OTHER_ENV

snippets:
  - echo "$SOME_ENV_VAR"
  - cat /some/location/in/build
  - cat /some/other/location
```
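
An added sketch, not code from this issue or from the project, of how the `env` and `file` entries in the proposed schema could map onto BuildKit's `--secret` build flag and `RUN --mount=type=secret` option. The `translate`, `secret_id` and `render_run` names and the id scheme are hypothetical, the `exec` type is left out, and equivalent option support in buildah and podman is assumed rather than checked.

```python
import re

# Constructed sample: the env and file entries from the proposed schema, as parsed data.
SECRETS = [
    {"type": "env", "name": "SOME_ENV_VAR"},
    {"type": "file", "source": "/some/file/somewhere",
     "destination": "/some/location/in/build"},
]

ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def secret_id(index, entry):
    """Hypothetical id scheme: position plus kind, so an id never carries secret data."""
    return f"secret{index}_{entry['type']}"


def translate(secrets):
    """Return (build CLI args, RUN mount options) for a list of secret entries."""
    cli, mounts = [], []
    for i, entry in enumerate(secrets):
        kind = entry.get("type")
        if kind == "env":
            name = entry["name"]
            if not ENV_NAME.fullmatch(name):
                raise ValueError(f"invalid env var name: {name!r}")
            sid = secret_id(i, entry)
            # Only the variable name is passed; the builder reads the value itself,
            # so the value never lands in the argument list or the Containerfile.
            cli += ["--secret", f"id={sid},env={name}"]
            mounts.append(f"--mount=type=secret,id={sid},env={name}")
        elif kind == "file":
            src, dst = entry["source"], entry["destination"]
            if not (src.startswith("/") and dst.startswith("/")):
                raise ValueError("file secrets need absolute paths")
            if "," in src + dst:
                raise ValueError("commas would break the key=value option syntax")
            sid = secret_id(i, entry)
            cli += ["--secret", f"id={sid},src={src}"]
            mounts.append(f"--mount=type=secret,id={sid},target={dst}")
        else:
            raise ValueError(f"unsupported secret type: {kind!r}")
    return cli, mounts


def render_run(mounts, snippet):
    """Build the RUN line that exposes the secrets to one snippet only."""
    return "RUN " + " ".join(mounts) + " " + snippet
```

Because the secrets are mounted only for the duration of the `RUN` step, they are not written into the resulting image layers; a snippet that prints a secret still exposes it in the build log.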
