Collaborator

@r4victor r4victor commented Jun 30, 2025

Closes #708

The PR adds support for project secrets. Secrets are managed by project admins via the dstack secret command and can then be used by regular users in run configurations using the ${{ secret.<secret_name> }} syntax:

✗ dstack secret set my_secret some_secret_value
OK

type: task
nodes: 1
name: test-secrets
env:
  - MY_SECRET=${{ secrets.my_secret }}
commands:
  - echo $MY_SECRET

✗ dstack apply -f .dstack/confs/task.dstack.yaml
...
Submit the run test-task? [y/n]: y
 NAME            BACKEND         RESOURCES              PRICE   STATUS  SUBM… 
 test-task       aws             cpu=2 mem=8GB          $0.107  runni…  10:48 
                 (eu-west-1)     disk=100GB                                   

test-secrets provisioning completed (running)
some_secret_value
Exited (0)

Implementation details

Secrets are interpolated on the server side before submitting the job spec to backend/shim/runner. Additionally, registry_auth is interpolated when creating job specs (temporarily, to pull image configuration).

TBD (not this PR)

  • Map secrets to files (e.g. via volumes).
  • Filter secret values from logs.

@r4victor r4victor merged commit 578e04a into master Jun 30, 2025
25 checks passed
@r4victor r4victor deleted the issue_708_secrets branch June 30, 2025 09:48
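
A sketch of the server-side interpolation of `${{ secrets.<name> }}` references described in the PR, together with the log masking listed there as TBD. This is an added example, not dstack's implementation; the function names, the reference regex, the `***` mask and the sample data are assumptions.

```python
import re

# Matches ${{ secrets.<name> }} as used in the run configuration above.
# The set of characters allowed in a name is an assumption of this example.
_SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


class MissingSecretError(KeyError):
    """A configuration references a secret the project does not define."""


def interpolate(value: str, secrets: dict[str, str]) -> str:
    """Replace every secret reference in `value` in a single pass.

    One re.sub pass means a secret whose value itself looks like a
    reference is inserted literally and is never expanded again.
    """
    def _resolve(match: re.Match) -> str:
        name = match.group(1)
        if name not in secrets:
            # Fail closed instead of sending the raw template to the job.
            raise MissingSecretError(name)
        return secrets[name]

    return _SECRET_REF.sub(_resolve, value)


def interpolate_env(env: list[str], secrets: dict[str, str]) -> dict[str, str]:
    """Resolve KEY=VALUE entries; only the value side is interpolated."""
    resolved = {}
    for entry in env:
        key, _, raw = entry.partition("=")
        resolved[key] = interpolate(raw, secrets)
    return resolved


def redact(line: str, secrets: dict[str, str]) -> str:
    """Mask resolved secret values in a log line, longest value first."""
    for value in sorted(secrets.values(), key=len, reverse=True):
        if value:  # an empty secret would otherwise match everywhere
            line = line.replace(value, "***")
    return line


# Constructed sample data mirroring the PR description.
PROJECT_SECRETS = {"my_secret": "some_secret_value"}
ENV = interpolate_env(["MY_SECRET=${{ secrets.my_secret }}"], PROJECT_SECRETS)
```

Exact-match masking of this kind misses values that a job prints in encoded or split form, so it reduces accidental exposure in logs without guaranteeing it.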
Successfully merging this pull request may close these issues.

Support project secrets