buildkit secrets support

- Secrets are never exposed in plaintext in the Cue tree. `dagger query`
  won't dump secrets anymore, Cue errors won't contain them either.
- BuildKit-native secrets support through a new `mount` type. This
  ensures secrets will never be part of containerd layers, buildkit
  cache and generally speaking will never be saved to disk in plaintext.
- Updated netlify as an example
- Added tests
- Changed the Cue definition of a secret to:

```
	@dagger(secret)

	id: string
}
```

This is to ensure both that setting the wrong input type on a secret
(e.g. `dagger input text`) will fail, and attempting to misuse the
secret (e.g. interpolating, passing as an env variable, etc) will also
fail properly.

Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>

tests/compute.bats

@@ -67,6 +67,33 @@ setup() {
     assert_line '{"in":"foobar","test":"received: foobar"}'
 }
 
+@test "compute: secrets" {
+    # secrets used as environment variables must fail
+    run "$DAGGER" compute  "$TESTDIR"/compute/secrets/invalid/env
+    assert_failure
+    assert_line --partial "conflicting values"
+
+    # strings passed as secrets must fail
+    run "$DAGGER" compute  "$TESTDIR"/compute/secrets/invalid/string
+    assert_failure
+
+    # Setting a text input for a secret value should fail
+    run "$DAGGER" compute --input-string 'mySecret=SecretValue' "$TESTDIR"/compute/secrets/simple
+    assert_failure
+
+    # Now test with an actual secret and make sure it works
+    "$DAGGER" init
+    dagger_new_with_plan secrets "$TESTDIR"/compute/secrets/simple
+    "$DAGGER" input secret mySecret SecretValue
+    run "$DAGGER" up
+    assert_success
+
+    # Make sure the secret doesn't show in dagger query
+    run "$DAGGER" query mySecret.id -f text
+    assert_success
+    assert_output "secret=mySecret"
+}
+
 @test ".daggerignore" {
     "$DAGGER" compute --input-dir TestData="$TESTDIR"/compute/ignore/testdata "$TESTDIR"/compute/ignore
 }

tests/compute/secrets/invalid/env/env.cue

@@ -0,0 +1,21 @@
+package testing
+
+import (
+	"dagger.io/dagger"
+	"dagger.io/dagger/op"
+	"dagger.io/alpine"
+)
+
+mySecret: dagger.#Secret
+
+TestSecrets: #up: [
+	op.#Load & {
+		from: alpine.#Image & {
+			package: bash: "=~5.1"
+		}
+	},
+
+	op.#Exec & {
+		env: foo: mySecret
+	},
+]

tests/compute/secrets/invalid/string/string.cue

@@ -0,0 +1,21 @@
+package testing
+
+import (
+	"dagger.io/dagger/op"
+	"dagger.io/alpine"
+)
+
+mySecret: dagger.#Secret
+
+TestString: #up: [
+	op.#Load & {
+		from: alpine.#Image & {
+			package: bash: "=~5.1"
+		}
+	},
+
+	op.#Exec & {
+		mount: "/secret": secret: mySecret
+		args: ["true"]
+	},
+]

tests/compute/secrets/simple/simple.cue

@@ -0,0 +1,34 @@
+package testing
+
+import (
+	"dagger.io/dagger"
+	"dagger.io/dagger/op"
+	"dagger.io/alpine"
+)
+
+mySecret: dagger.#Secret
+
+TestSecrets: #up: [
+	op.#Load & {
+		from: alpine.#Image & {
+			package: bash: "=~5.1"
+		}
+	},
+
+	op.#Exec & {
+		mount: "/secret": secret: mySecret
+		env: PLAIN: mySecret.id
+		args: [
+			"/bin/bash",
+			"--noprofile",
+			"--norc",
+			"-eo",
+			"pipefail",
+			"-c",
+			#"""
+				test "$(cat /secret)" = "SecretValue"
+				test "$PLAIN" != "SecretValue"
+				"""#,
+		]
+	},
+]