Fetch secrets in a CI job (environment scoping)

This is dependent on #470405 (closed).

In this issue, we enforce the rules regarding environments. If a secret that is being fetched in a CI job has specific environments configured, we should deny access to it if the environment is not included in the list.