Remove expired and revoked token information after a period of time
With List Revoked and Expired Project and Group Acce... (#462217 - closed) we retain the bot user and project/group membership after a Project or Group Access Token becomes inactive. This allows auditing and security review of old tokens. However, it also means that, over time, the inactive tokens table will grow large and potentially unwieldy, and the database itself might suffer performance impacts.
Note that pagination for these tables is not present at the time I opened this issue: Add offset-based pagination to list personal/gr... (&8382).
Proposal
- Identify how long these records should be retained. Consider: compliance requirements, the presence of existing auditing, etc.
- Identify how long these records can be retained before there is a performance impact.
- Define decision criteria for cleaning up old records:
  - 30 days?
  - When there are more than X number of inactive tokens?
  - A combination?
- Also consider making this configurable at some level, to accommodate different retention requirements.
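One way to express the three candidate criteria above (age, count, or a combination, with both limits configurable) as a single purge-selection rule, as an added Ruby example that is not GitLab's code; the `InactiveToken` and `RetentionPolicy` structs, the `tokens_to_purge` function and the sample dates are constructed for illustration:

```ruby
require 'date'

# Constructed stand-in for an inactive (expired or revoked) access-token record.
InactiveToken = Struct.new(:id, :inactive_since, keyword_init: true)

# Retention policy as proposed: a time window, a cap on record count, or both.
# Each limit is configurable; nil disables that limit.
RetentionPolicy = Struct.new(:max_age_days, :max_records, keyword_init: true)

# Returns the ids of inactive-token records that should be purged.
# Rule 1: anything inactive longer than max_age_days is purged.
# Rule 2: if more than max_records still remain, the oldest surplus records are
#         purged, so the newest records always stay available for audit review.
def tokens_to_purge(tokens, policy, now: Date.today)
  by_age = tokens.sort_by(&:inactive_since) # oldest first
  purge = []
  if policy.max_age_days
    cutoff = now - policy.max_age_days
    purge.concat(by_age.select { |t| t.inactive_since < cutoff })
  end
  if policy.max_records
    remaining = by_age - purge
    surplus = remaining.size - policy.max_records
    purge.concat(remaining.first(surplus)) if surplus.positive?
  end
  purge.map(&:id)
end

# Constructed sample data; ages are relative to a fixed "today".
TODAY = Date.new(2024, 7, 1)
SAMPLE = [
  InactiveToken.new(id: 1, inactive_since: Date.new(2024, 3, 1)),  # 122 days
  InactiveToken.new(id: 2, inactive_since: Date.new(2024, 5, 20)), # 42 days
  InactiveToken.new(id: 3, inactive_since: Date.new(2024, 6, 10)), # 21 days
  InactiveToken.new(id: 4, inactive_since: Date.new(2024, 6, 25)), # 6 days
].freeze

if __FILE__ == $PROGRAM_NAME
  policy = RetentionPolicy.new(max_age_days: 30, max_records: 1)
  puts "purge: #{tokens_to_purge(SAMPLE, policy, now: TODAY).inspect}"
end
```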
Edited by Hannah Sutor
