Create a personal_token scope: mirror_pull

Description

If we want to use repository mirroring with GitHub and trigger the pull from a GitHub webhook on a private GitLab project, we need to give GitHub a personal access token with the api scope.

Everybody with admin access on the GitHub repository can read the token in the GitHub webhook configuration and thus gain access to all GitLab repositories the token's owner can access.

Proposal

One solution would be project-scoped access tokens (https://gitlab.com/gitlab-org/gitlab-ee/issues/756), but it seems this is not straightforward to implement.

As the "shared" personal token with api scope is quite a security risk (and could probably also be filed as a bug?), we propose creating a new mirror_pull scope (or similar) that only allows triggering a pull mirror on the user's repositories.
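Until a narrower scope exists, the practical mitigation is to find out which webhooks carry a GitLab token at all. The following is an added example, not code from this issue or from GitLab/GitHub: it audits a list of webhook definitions in the shape GitHub's `GET /repos/{owner}/{repo}/hooks` API returns (fetched separately; here a constructed sample with a placeholder token) and reports any delivery URL that embeds a token in its query string, redacting the value so the report does not leak it.

```python
"""Audit GitHub webhook configs for GitLab tokens embedded in the delivery URL."""
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Query parameters under which the GitLab API accepts a token.
TOKEN_PARAMS = ("private_token", "access_token")


def redact_url(url: str) -> str:
    """Return the URL with any token-bearing query value replaced by REDACTED."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in TOKEN_PARAMS:
        if name in query:
            query[name] = ["REDACTED"]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def find_exposed_tokens(hooks):
    """Flag hooks whose config URL carries a GitLab token in its query string.

    `hooks` is a list of dicts as returned by GitHub's hooks API, each with a
    `config` dict holding the delivery `url`. Every finding keeps only the
    redacted URL, so the audit output is safe to store or share.
    """
    findings = []
    for hook in hooks:
        url = hook.get("config", {}).get("url", "")
        parsed = urlparse(url)
        exposed = [p for p in TOKEN_PARAMS if p in parse_qs(parsed.query)]
        if exposed:
            findings.append({
                "hook_id": hook.get("id"),
                "params": exposed,
                "url": redact_url(url),
                # GitLab's pull-mirror trigger endpoint is /projects/:id/mirror/pull
                "pull_mirror": parsed.path.endswith("/mirror/pull"),
            })
    return findings


# Constructed sample data: one pull-mirror trigger hook with a placeholder
# token in the URL (the situation described in this issue) and one benign hook.
SAMPLE_HOOKS = [
    {"id": 1, "config": {"url": "https://gitlab.example.com/api/v4/projects/42"
                                "/mirror/pull?private_token=PLACEHOLDER_TOKEN"}},
    {"id": 2, "config": {"url": "https://ci.example.com/github-webhook/"}},
]

if __name__ == "__main__":
    for f in find_exposed_tokens(SAMPLE_HOOKS):
        print(f"hook {f['hook_id']}: token in {f['params']} -> {f['url']}")
```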

Edited Mar 21, 2018 by Michael Luggen