Add support for BUILD-available secrets for Local Builds#10229
Code Review
This pull request implements secret resolution for local builds in App Hosting by refactoring the loadSecret utility into a shared module and updating the localBuild function to fetch secrets from Google Secret Manager. The changes ensure that only environment variables with "BUILD" availability are injected into the process during the build phase. Feedback was provided to optimize the secret resolution logic by parallelizing the loadSecret calls using Promise.all to improve performance when multiple secrets are defined.
/gemini review
Code Review
This pull request implements secret resolution for local builds in App Hosting. It introduces a loadSecret utility to fetch plaintext values from Secret Manager, supporting both full resource names and shorthand syntax. The localBuild function now resolves environment variables marked for the BUILD phase and ensures they are cleaned up after the process completes. Additionally, the emulator was refactored to use this shared secret loading logic. Review feedback suggests parallelizing secret resolution to improve performance and using existing error-handling utilities to avoid the use of the any type, in accordance with the repository style guide.
/gemini review
Code Review
This pull request implements secret resolution for App Hosting local builds. It introduces a centralized loadSecret utility in src/apphosting/secrets/index.ts that handles both fully qualified resource names and shorthand secret formats. The localBuild function has been updated to asynchronously resolve and inject BUILD-available secrets into the environment while correctly ignoring RUNTIME-only secrets. Feedback was provided to replace the use of the any type in error handling with a more type-safe approach using unknown and existing utilities, as per the repository's style guide.
Description
This adds support for build secrets for Local Builds. This will look up the secrets from GCP and inject the raw value as an env var into the Local Build process.
Scenarios Tested
Created a local build app with secrets on a static page and built it and deployed to staging successfully.
I verified the secret value showed up on the page as expected.
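The behaviour the reviews above describe (full and shorthand secret names, BUILD-only filtering, parallel resolution with Promise.all, `unknown`-typed error handling, cleanup after the build), as an added TypeScript example that is not the PR's code. Every function and type name, the `name@version` shorthand form, and the caller-supplied fetcher standing in for Secret Manager are assumptions.

```typescript
// Added illustration; every name here is hypothetical, not a firebase-tools API.
type Availability = "BUILD" | "RUNTIME";
interface EnvVar { variable: string; value?: string; secret?: string; availability: Availability[] }
type Fetcher = (resourceName: string) => Promise<string>;

// Assumption: shorthand is "name" or "name@version"; anything else is rejected.
function toResourceName(ref: string, projectId: string): string {
  const full = /^projects\/[^/]+\/secrets\/[^/]+(\/versions\/[^/]+)?$/.test(ref);
  if (full) return ref.indexOf("/versions/") !== -1 ? ref : `${ref}/versions/latest`;
  const m = /^([A-Za-z0-9_-]+)(?:@([A-Za-z0-9_-]+))?$/.exec(ref);
  if (!m) throw new Error(`Invalid secret reference: ${ref}`);
  return `projects/${projectId}/secrets/${m[1]}/versions/${m[2] ?? "latest"}`;
}

// Resolve BUILD-available entries in parallel; RUNTIME-only secrets are never fetched.
async function resolveBuildEnv(vars: EnvVar[], projectId: string, fetchSecret: Fetcher): Promise<Record<string, string>> {
  const buildVars = vars.filter((v) => v.availability.indexOf("BUILD") !== -1);
  const pairs = await Promise.all(buildVars.map(async (v): Promise<[string, string]> => {
    if (v.secret === undefined) return [v.variable, v.value ?? ""];
    try {
      return [v.variable, await fetchSecret(toResourceName(v.secret, projectId))];
    } catch (err: unknown) { // report the variable name, never a secret value
      const msg = err instanceof Error ? err.message : String(err);
      throw new Error(`Failed to load secret for ${v.variable}: ${msg}`);
    }
  }));
  const env: Record<string, string> = {};
  for (const [name, value] of pairs) env[name] = value;
  return env;
}

// Expose the resolved values in `env` only while `build` runs; restore it even on failure.
async function withBuildSecrets<T>(env: Record<string, string | undefined>, resolved: Record<string, string>, build: () => Promise<T>): Promise<T> {
  const keys = Object.keys(resolved);
  const previous = keys.map((k) => env[k]);
  keys.forEach((k) => { env[k] = resolved[k]; });
  try {
    return await build();
  } finally {
    keys.forEach((k, i) => { if (previous[i] === undefined) delete env[k]; else env[k] = previous[i]; });
  }
}

// Constructed sample configuration (not taken from the PR).
const SAMPLE_VARS: EnvVar[] = [
  { variable: "API_KEY", secret: "api-key", availability: ["BUILD", "RUNTIME"] },
  { variable: "DB_PASS", secret: "db-pass@3", availability: ["RUNTIME"] },
  { variable: "SITE", value: "demo", availability: ["BUILD"] },
];
```

Passing the build a dedicated environment object rather than the tool's own process environment keeps the secret values out of anything else the process spawns.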