Fine tune CI_JOB_TOKEN scope for read_api
Problem to solve
In #329550 (closed), we introduced a secure method of enabling project access via CI_JOB_TOKEN. The permission scope is still fairly broad in action.
Proposal
Add a scope to CI_JOB_TOKEN that enables the token to have read-only access from the API called: read_api