Support file-based secrets in codespaces #11268
Unanswered. numbsafari asked this question in Codespaces. Replies: 0 comments.
As of now, Codespaces injects secrets as environment variables.
There are some security concerns around this, as environment variables are often easily exposed via logging or inadequate care when forking processes, potentially allowing them to be exposed to malicious code that should otherwise be run in a lower privileged state.
To address this, many tools require secrets to be stored in files and use environment variables as pointers to those files. This helps avoid the incidental logging issue, as well as helps avoid incidental exposure of secrets to forked processes.
It is possible to add wrappers or postCreateXXX scripts to copy the secret environment variables to files, but consistently unsetting them to clear them from the environment is rather painful.
As a result, it would be nice to have the ability to inject secrets as filesystem locations only. I would imagine for broad compatibility, having the ability to opt-in to this feature would be necessary. However, it would also be nice to be able to set an organization-wide policy that requires all secrets to be mounted as files, rather than as env vars.
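The workaround the post describes (copy each secret from the environment into a file, hand tools a path instead, then unset the variable) looks like this as a sourceable shell snippet. This is an added example, not code from the discussion or from GitHub; the `SECRET_DIR` location, the `<NAME>_FILE` pointer convention and the `DEMO_API_TOKEN` value are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the discussion): move a secret out of the environment
# into a mode-0600 file and export only a pointer variable "<NAME>_FILE".
# SECRET_DIR and the _FILE naming convention are assumptions for this demo.

set -eu

SECRET_DIR="${SECRET_DIR:-${XDG_RUNTIME_DIR:-/tmp}/codespace-secrets}"

# file_secret NAME: write $NAME to $SECRET_DIR/NAME (owner-readable only),
# export NAME_FILE=<path> and unset NAME in the calling shell.
# Returns 1 when NAME is unset or empty so a missing secret is noticed.
file_secret() {
    name="$1"
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        return 1
    fi
    # umask 077 keeps the file and directory private from creation onward,
    # so there is no window in which the file is world-readable.
    umask 077
    mkdir -p "$SECRET_DIR"
    path="$SECRET_DIR/$name"
    # printf avoids echo's escape handling and adds no trailing newline.
    printf '%s' "$value" > "$path"
    chmod 600 "$path"
    export "${name}_FILE=$path"
    # Remove the secret itself so child processes no longer inherit it.
    unset "$name"
    unset value
}

# check_secret NAME: succeed (0) only if NAME_FILE points at an existing file
# with mode 600 and NAME is no longer present among exported variables.
check_secret() {
    name="$1"
    eval "path=\${${name}_FILE:-}"
    [ -n "$path" ] || return 1
    [ -f "$path" ] || return 1
    # env lists exported variables only; the raw secret must not be there.
    if env | grep -q "^${name}="; then
        return 1
    fi
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    [ "$mode" = "600" ] || return 1
    return 0
}

# Demo with a constructed value; not a real credential.
export DEMO_API_TOKEN="constructed-demo-value"
file_secret DEMO_API_TOKEN
check_secret DEMO_API_TOKEN && echo "DEMO_API_TOKEN is now available only via $DEMO_API_TOKEN_FILE"
```

Because `unset` only affects the shell that runs it, this has to be sourced (`. ./file_secrets.sh`) from every interactive shell, not just run once from a `postCreateCommand`; that is exactly the "consistently unsetting them" pain the post refers to, and why a platform-level file mount option would be cleaner.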