feat: hide GCLOUD_DEPLOY_credentialsKey from config-secrets

deploy types can define additional secret env vars. Those can now define "hidden" secrets that won't appear when you invoke project-config-secrets

this mr sets it for GCLOUD_DEPLOY_credentialsKey, as this should not be manually adjusted and is just noise when invoking config-secrets

additionally, GCLOUD_RUN_CANONICAL_HOST_SUFFIX is now flagged as hidden. It was previously not listed at all as secret.

The reason why to keep track of those in the first place is to be able to know which ci-variables are used at all. At the moment its hard to know what is actually used.

E.g. if you change deploy type from cloudrun to something else, GCLOUD_RUN_CANONICAL_HOST_SUFFIX and GCLOUD_DEPLOY_credentialsKey would still stick around.

the goal is to have a whitelist of all secrets, so that at some point we can prune unused ones