feat: add build time secrets

[jianshen92]

What does this PR address?

Starting point for adding build time only support for BentoML and BentoCloud

Uses docker secret mount https://docs.docker.com/build/building/secrets/ when running bentoml containerize

bentoml containerize

API change

@bentoml.service(
    envs=[
        {"name": "HF_TOKEN"},
        {"name": "DB_HOST", "value": "localhost"},
        {"name": "BUILD", "value": "hello", "stages": "all" | "build" | "runtime"}, # new stage field
    ]
)
class MyService:

Generated RUN commands with secret mount (where BUILD env is set as "build" stage only) :

RUN --mount=type=secret,id=BUILD --mount=type=secret,id=BUILD_TOO  BUILD="$(cat /run/secrets/BUILD)" BUILD_TOO="$(cat /run/secrets/BUILD_TOO)" apt-get update && apt-get install -q -y --no-install-recommends --allow-remove-essential ca-certificates gnupg2 bash build-essential git
RUN --mount=type=secret,id=BUILD --mount=type=secret,id=BUILD_TOO  BUILD="$(cat /run/secrets/BUILD)" BUILD_TOO="$(cat /run/secrets/BUILD_TOO)" command -v uv >/dev/null || pip install uv
RUN --mount=type=secret,id=BUILD --mount=type=secret,id=BUILD_TOO  BUILD="$(cat /run/secrets/BUILD)" BUILD_TOO="$(cat /run/secrets/BUILD_TOO)" UV_PYTHON_INSTALL_DIR=/app/python/ uv venv --python 3.11 /app/.venv && \
    chown -R bentoml:bentoml /app/.venv

Before submitting:

• Does the Pull Request follow Conventional Commits specification naming? Here are GitHub's
  guide on how to create a pull request.
• Does the code follow BentoML's code style, pre-commit run -a script has passed (instructions)?
• Did you read through contribution guidelines and follow development guidelines?
• Did your changes require updates to the documentation? Have you updated
  those accordingly? Here are documentation guidelines and tips on writting docs.
• Did you write tests to cover your changes?

[jianshen92]

Testing for edge cases