[buildkite] Update S3 credential handling (#416)

* [buildkite] Update S3 credential handling

We were alerted that our S3 credentials had leaked in a build that dumps
the environment when it errors out [0]. Because `TuringTutorials` uses
the same infrastructure as `SciMLBenchmarks`, we have to update things
here as well.

 This PR rotates to a new key, and also wipes out the key in the
environment during the build itself, so that sensitive values won't get
written out in debugging information like that.

[0] https://github.com/SciML/SciMLBenchmarksOutput/blob/8d80b1840228c63e8c6fdc597049211a8b916dea/markdown/DynamicalODE/single_pendulums.md

* Churn `00_introduction.jmd`

Author: staticfloat

.buildkite/build_tutorial.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -euo pipefail
+
+echo "--- Instantiate"
+julia --project=. -e 'using Pkg; Pkg.instantiate(); Pkg.build()'
+
+# Run tutorial
+echo "+++ Run tutorial for ${1}"
+julia --project=. weave_tutorials.jl "${1}"

.buildkite/launch_tutorials.yml.signature

@@ -15,8 +15,8 @@ steps:
     plugins:
       - staticfloat/cryptic#v2:
           variables:
-            - BUILDKITE_S3_ACCESS_KEY_ID="U2FsdGVkX1/ckce1vUF8A17rHLxcAlAou4aokaeS8YL6omsA1Vq1IDZko5cL1Z+t"
-            - BUILDKITE_S3_SECRET_ACCESS_KEY="U2FsdGVkX1+SPF81nkK7KQ64DsafSl0qq2iG7BsQs1xlTYEtZV3MqQl3l/NWaiocaEywZZFbAB5zpnKPD0xHTQ=="
+            - BUILDKITE_S3_ACCESS_KEY_ID="U2FsdGVkX1+WPOr26vcEpOV6IfWQ/wwzUGjFRYux1AFtQjongCK2rnzySL6mkLdR"
+            - BUILDKITE_S3_SECRET_ACCESS_KEY="U2FsdGVkX19cbtDEWMwL+gpAtByCS8SJzX0hZ6qZ68L2bfjgAWJhbkb14T9uNwJZgKzWymvy0G9LwnJD/0VQ+Q=="
             - BUILDKITE_S3_DEFAULT_REGION="U2FsdGVkX1/cORlxhXcxhja2JkqC0f8RmaGYxvGBbEg="
       - JuliaCI/julia#v1:
           version: 1
@@ -44,20 +44,16 @@ steps:
           s3_prefix: s3://julialang-buildkite-artifacts/turingtutorials
     timeout_in_minutes: 360
     commands: |
-      # Instantiate, to install the overall project dependencies
-      echo "--- Instantiate"
-      julia --project=. -e 'using Pkg; Pkg.instantiate(); Pkg.build()'
-      # Run tutorial
-      echo "+++ Run tutorial for {PATH}"
-      julia --project=. weave_tutorials.jl "{PATH}"
+      # We don't need these secrets at this point, so clear them out so they don't show up in debugging outputs
+      BUILDKITE_S3_ACCESS_KEY_ID="" BUILDKITE_S3_SECRET_ACCESS_KEY="" ./.buildkite/build_tutorial.sh {PATH}
   - label: ":rocket: Publish {PATH}"
     env:
       BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET: ${BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET?}
     plugins:
       - staticfloat/cryptic#v2:
           variables:
-            - BUILDKITE_S3_ACCESS_KEY_ID="U2FsdGVkX1/ckce1vUF8A17rHLxcAlAou4aokaeS8YL6omsA1Vq1IDZko5cL1Z+t"
-            - BUILDKITE_S3_SECRET_ACCESS_KEY="U2FsdGVkX1+SPF81nkK7KQ64DsafSl0qq2iG7BsQs1xlTYEtZV3MqQl3l/NWaiocaEywZZFbAB5zpnKPD0xHTQ=="
+            - BUILDKITE_S3_ACCESS_KEY_ID="U2FsdGVkX1+WPOr26vcEpOV6IfWQ/wwzUGjFRYux1AFtQjongCK2rnzySL6mkLdR"
+            - BUILDKITE_S3_SECRET_ACCESS_KEY="U2FsdGVkX19cbtDEWMwL+gpAtByCS8SJzX0hZ6qZ68L2bfjgAWJhbkb14T9uNwJZgKzWymvy0G9LwnJD/0VQ+Q=="
             - BUILDKITE_S3_DEFAULT_REGION="U2FsdGVkX1/cORlxhXcxhja2JkqC0f8RmaGYxvGBbEg="
           files:
             - .buildkite/ssh_deploy.key

.buildkite/run_tutorial.yml

@@ -179,7 +179,7 @@ rand(coinflip(; N))
 ```
 
 The model can be conditioned on some observations with `|`.
-See the [documentation of the `condition` syntax](https://turinglang.github.io/DynamicPPL.jl/stable/api/#Condition-and-decondition) in DynamicPPL.jl for more details.
+See the [documentation of the `condition` syntax](https://turinglang.github.io/DynamicPPL.jl/stable/api/#Condition-and-decondition) in `DynamicPPL.jl` for more details.
 In the conditioned `model` the observations `y` are fixed to `data`.
 
 ```julia