
Notification emails for Personal Access Token creation

Release notes

The creation of a Personal Access Token is a critical event that users should review carefully. With the api scope, for example, a token grants read-write access to every project the user can access. GitLab now sends a notification email to the user every time a token is created for their account.

Problem to solve

Notifying on token creation is a basic security best practice. As demonstrated by @dcouture in his (great) video (internal), an attacker can leverage vulnerabilities to create PATs for the account of any user who visits a page containing a crafted comment. The victim does not have to do anything besides visiting the page, and they will not notice anything suspicious unless they keep their browser's network view open (which, of course, nobody does in daily use).

Proposal

Sending a notification would at least tell the user that something happened to their account, so they can report the malicious activity sooner and revoke the newly created token right away.
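The notification email covers the individual user; a security team watching many accounts may also want to detect token creation independently of the email. The script below is an added example written for this page, not GitLab code: it compares two snapshots of a user's token list, reports every token that appeared since the last snapshot, and marks tokens carrying write-capable scopes (api being the case the release note calls out) as high severity. The snapshot shape (id, name, scopes, created_at, revoked) mirrors what the GitLab personal access tokens API returns, and the sample snapshots are constructed inline; the `fetch_tokens` helper, the `/api/v4/personal_access_tokens` endpoint and the `PRIVATE-TOKEN` header are assumptions and are not exercised offline.

```python
"""Detect newly created GitLab personal access tokens between two snapshots.

Added example for this page; not part of GitLab. The API shape is an
assumption modelled on GET /api/v4/personal_access_tokens.
"""
import json
import urllib.request
from datetime import datetime, timezone

# Scopes that let a token change data, not just read it. `api` is the
# case the release note singles out; the others are assumed from the
# documented GitLab scope names.
WRITE_SCOPES = {"api", "write_repository", "write_registry", "sudo", "admin_mode"}


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps GitLab returns ('...Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def fetch_tokens(base_url, auth_token):
    """Fetch the caller's token list (assumed endpoint; not called in the demo)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/personal_access_tokens",
        headers={"PRIVATE-TOKEN": auth_token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def find_new_tokens(previous, current):
    """Tokens present in `current` but absent from `previous`, oldest first.

    Revoked tokens are kept on purpose: a token created and revoked between
    two snapshots is still evidence that someone acted on the account.
    """
    seen = {t["id"] for t in previous}
    fresh = [t for t in current if t["id"] not in seen]
    return sorted(fresh, key=lambda t: parse_ts(t["created_at"]))


def classify(token):
    """Return ('high', [write scopes]) if the token can modify data, else ('low', [])."""
    risky = sorted(set(token.get("scopes", [])) & WRITE_SCOPES)
    return ("high" if risky else "low"), risky


def build_alerts(previous, current):
    """One alert dict per newly created token, ordered by creation time."""
    alerts = []
    for t in find_new_tokens(previous, current):
        severity, risky = classify(t)
        alerts.append({
            "id": t["id"],
            "name": t["name"],
            "severity": severity,
            "write_scopes": risky,
            "revoked": bool(t.get("revoked", False)),
            "created_at": parse_ts(t["created_at"]).isoformat(),
        })
    return alerts


# Constructed sample snapshots (not real GitLab data).
PREVIOUS_SNAPSHOT = [
    {"id": 101, "name": "ci-deploy", "scopes": ["read_api"],
     "created_at": "2020-04-30T08:00:00Z", "revoked": False},
]
CURRENT_SNAPSHOT = [
    {"id": 101, "name": "ci-deploy", "scopes": ["read_api"],
     "created_at": "2020-04-30T08:00:00Z", "revoked": False},
    # A token nobody remembers creating, with full api access.
    {"id": 103, "name": "backup", "scopes": ["api"],
     "created_at": "2020-05-12T09:15:40Z", "revoked": False},
    {"id": 102, "name": "dashboard", "scopes": ["read_user"],
     "created_at": "2020-05-12T09:14:02Z", "revoked": True},
]

if __name__ == "__main__":
    for alert in build_alerts(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT):
        print(json.dumps(alert))
```

Run it against a stored previous snapshot on a schedule and forward any `high` alert to the on-call channel; the email GitLab sends to the user and this out-of-band check complement each other, since an attacker who controls the session may also be able to delete the email.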

Edited by Philippe Lafoucrière