This is a followup to the discussion touched on back in #1703. Currently buildctl supports pulling secrets from env vars via `--secret id=xyz,env=ENV_VAR_NAME`. However, in order to populate the corresponding env var within `RUN`, we have to do `RUN --mount=type=secret,id=xyz ENV_VAR_NAME="$(cat /run/secrets/xyz)" ...`.

Not only is having to run `cat` every time annoyingly repetitive, it doesn't really work well in conjunction with the `required=false` mount option, since `cat` will fail due to the file not existing, so even more complex boilerplate is needed.

In addition, if multiple commands need the environment variable, we must explicitly export it, which is a pain because it requires even more boilerplate to be properly safe:
```dockerfile
RUN --mount=type=secret,id=pip-index-url \
    PIP_INDEX_URL="$(cat /run/secrets/pip-index-url)" && \
    export PIP_INDEX_URL && \
    pip3 install ...
```
I propose adding an `env` option to `--mount`, which is mutually exclusive with `dst`. If provided, it contains the name of the environment variable that will be set to the value of the secret in question (and no file will be mounted at `/run/secrets`). If the mount is not required and the secret does not exist, then the environment variable will not be set at all (rather than having an empty value).

For example:

```dockerfile
RUN --mount=type=secret,id=pip-index-url,env=PIP_INDEX_URL pip3 install ...
```
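For reference, here is the `required=false` boilerplate the proposal would replace, written as a small POSIX sh helper with the same semantics the `env=` option describes (variable exported only when the secret file exists, left unset otherwise). This is an added example, not code from the issue or from BuildKit; the helper name `load_secret_env` and the temp-dir stand-in for `/run/secrets` are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the BuildKit issue): emulate the proposed `env=`
# mount option with a shell helper usable inside RUN today.
# Semantics mirror the proposal: if the secret file exists, export VAR with
# its contents; if it does not (required=false and the secret was not passed),
# leave VAR unset rather than exporting an empty string.

# load_secret_env VAR PATH
# Returns 0 if VAR was exported, 1 if the secret file was absent.
load_secret_env() {
  var="$1"
  path="$2"
  if [ ! -r "$path" ]; then
    unset "$var"
    return 1
  fi
  # $(cat ...) strips trailing newlines, matching the issue's own pattern.
  value="$(cat "$path")"
  export "$var=$value"
  return 0
}

# Demo with a constructed secret in a temp dir standing in for /run/secrets.
# The value itself is never echoed; only its presence and length are reported.
demo_dir="$(mktemp -d)"
printf 'https://user:token@pypi.example.internal/simple\n' > "$demo_dir/pip-index-url"
if load_secret_env PIP_INDEX_URL "$demo_dir/pip-index-url"; then
  echo "PIP_INDEX_URL exported (${#PIP_INDEX_URL} bytes)"
fi
if ! load_secret_env OPTIONAL_TOKEN "$demo_dir/missing"; then
  echo "OPTIONAL_TOKEN left unset: ${OPTIONAL_TOKEN:-<unset>}"
fi
rm -rf "$demo_dir"
```

Inside a Dockerfile this would be `RUN --mount=type=secret,id=pip-index-url,required=false . ./load_secret_env.sh && load_secret_env PIP_INDEX_URL /run/secrets/pip-index-url; pip3 install ...`, which is exactly the boilerplate the proposed `env=` option removes.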