[buildkite] Fix env leakage of signed tokens (#42526)
After a few days of debugging, the buildkite people figured out that the
reason our "unprivileged" jobs were getting privileges was because of an
obscure behavior of top-level `env:` blocks. To fix it, we should
always scope our `env:` mappings to a particular step, and so that's
exactly what this does.
We also add a `.gitignore` mapping for the new, more convenient way that
`cryptic` likes to store keys in the repository.
