Commit 7873452

flowey: make values secret, not variables (#1338)
Currently, a `ReadVar`/`WriteVar` pair can be marked as secret, in which case flowey is careful never to display its value in logs. To mark a variable as such, the user must remember to create the variable pair with `new_secret_var()`, and the user must ensure that users of the variable do not rewrite its contents into some other, non-secret variable. This is hard to do accurately, especially as we change the code to create more variables implicitly (via `<foo>v`-style methods such as `reqv` and `emit_rust_stepv`).

Change the model so that _variables_ are not secret but their _values_ can be--when any variable is written to, the caller can specify that the value is secret. Propagate this to readers of the variable, even if this variable is converted into and back from a CI environment variable.

By default, be conservative in marking values as secret: once a Rust step reads a secret value from a variable, mark all future values written by that step as secret. Add specific `write_secret` and `write_non_secret` methods for overriding this default.
1 parent 1453b0c commit 7873452
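
The value-level model the commit message describes, as an added sketch that is not flowey's code: `Value`, `Store`, `Step`, `display` and the sample variables are hypothetical, and only the method names `write_secret` and `write_non_secret` come from the message. It does not model the round trip through CI environment variables.

```rust
use std::collections::HashMap;
// Hypothetical model (not flowey's types): secrecy is a property of the value.
#[derive(Clone)]
struct Value { data: String, secret: bool }
// Variables shared between steps; a variable itself is neither secret nor public.
#[derive(Default)]
struct Store { vars: HashMap<String, Value> }
impl Store {
    // What a log line may show for a variable: secret values are masked.
    fn display(&self, name: &str) -> String {
        match self.vars.get(name) {
            Some(v) if !v.secret => v.data.clone(),
            Some(_) => "<secret>".into(),
            None => "<unset>".into(),
        }
    }
}

// One step's view of the store; `tainted` is set once the step reads a secret value.
struct Step<'a> { store: &'a mut Store, tainted: bool }

impl Step<'_> {
    fn read(&mut self, name: &str) -> String {
        let v = self.store.vars[name].clone();
        self.tainted |= v.secret; // secrecy propagates to the reader
        v.data
    }
    fn put(&mut self, name: &str, data: &str, secret: bool) {
        self.store.vars.insert(name.into(), Value { data: data.into(), secret });
    }
    // Default write is conservative: secret if this step has read any secret.
    fn write(&mut self, name: &str, data: &str) { let s = self.tainted; self.put(name, data, s) }
    fn write_secret(&mut self, name: &str, data: &str) { self.put(name, data, true) }
    fn write_non_secret(&mut self, name: &str, data: &str) { self.put(name, data, false) }
}

fn demo() -> Store {
    let mut store = Store::default();
    let mut a = Step { store: &mut store, tainted: false };
    a.write("build_id", "1234"); // no secret read yet: stays visible
    a.write_secret("token", "constructed-token"); // constructed sample value
    let mut b = Step { store: &mut store, tainted: false };
    let tok = b.read("token"); // step b is now tainted
    b.write("status", "ok"); // masked, although unrelated to the token
    b.write_non_secret("token_len", &tok.len().to_string()); // explicit override
    store
}

fn main() { let s = demo(); for k in ["build_id", "token", "status", "token_len"] { println!("{k}={}", s.display(k)); } }
```

The masked `status` value shows the cost of the conservative default: a tainted step over-masks until the author opts out with an explicit non-secret write.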

20 files changed

+1257
-1172
lines changed

.github/workflows/openvmm-ci.yaml

Lines changed: 343 additions & 343 deletions

.github/workflows/openvmm-docs-ci.yaml

Lines changed: 37 additions & 37 deletions
