buildkit secrets support

- Secrets are never exposed in plaintext in the Cue tree. `dagger query`
  won't dump secrets anymore, Cue errors won't contain them either.
- BuildKit-native secrets support through a new `mount` type. This
  ensures secrets will never be part of containerd layers, buildkit
  cache and generally speaking will never be saved to disk in plaintext.
- Updated netlify as an example
- Added tests
- Changed the Cue definition of a secret to:

```
	@dagger(secret)

	id: string
}
```

This is to ensure both that setting the wrong input type on a secret
(e.g. `dagger input text`) will fail, and attempting to misuse the
secret (e.g. interpolating, passing as an env variable, etc) will also
fail properly.

Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>

environment/environment.go

@@ -44,7 +44,7 @@ func New(st *state.State) (*Environment, error) {
 
 	// Prepare inputs
 	for key, input := range st.Inputs {
-		v, err := input.Compile(st)
+		v, err := input.Compile(key, st)
 		if err != nil {
 			return nil, err
 		}
@@ -86,7 +86,7 @@ func (e *Environment) LoadPlan(ctx context.Context, s solver.Solver) error {
 	span, ctx := opentracing.StartSpanFromContext(ctx, "environment.LoadPlan")
 	defer span.Finish()
 
-	planSource, err := e.state.PlanSource().Compile(e.state)
+	planSource, err := e.state.PlanSource().Compile("", e.state)
 	if err != nil {
 		return err
 	}
@@ -157,7 +157,7 @@ func (e *Environment) LocalDirs() map[string]string {
 	}
 
 	// 2. Scan the plan
-	plan, err := e.state.PlanSource().Compile(e.state)
+	plan, err := e.state.PlanSource().Compile("", e.state)
 	if err != nil {
 		panic(err)
 	}