Introduce a warning message for pipeline trigger token form

original issue: #416619 (closed)

What does this MR do and why?

Trigger Tokens are quite frequently leaked as people assume that the only thing they can do is trigger a pipeline which is, in most cases, a harmless operation.

As an immediate step would be solved with additional messages so that maintainers could pay more attention to it.

Changelog: changed

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before	After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

app/views/projects/triggers/_index.html.haml

@@ -21,7 +21,12 @@
         .gl-new-card-add-form.gl-m-3.js-toggle-content{ class: add_form_class }
           %h4.gl-mt-0
             = _('Add new pipeline trigger token')
-          = render 'projects/triggers/form', btn_text: _('Create pipeline trigger token'), show_cancel_button: true
+          = render Pajamas::AlertComponent.new(variant: :danger, alert_options: { class:  'gl-mb-5 gl-pb-2' }, dismissible: false) do |c|
+            - keep_tokens_secure_link = link_to(s_('PipelineTriggerTokens|How can I keep my tokens secure?'), help_page_path('security/token_overview', anchor: 'security-considerations'), target: '_blank', rel: 'noopener noreferrer')
+            - c.with_body do
+              %p
+                = s_('PipelineTriggerTokens|It is a security risk to save tokens in plain text in your project, or store them in a way that malicious users could access them. A leaked trigger token could be used to force an unscheduled deployment, attempt to access CI/CD variables, or other malicious uses. %{keep_tokens_secure_link}').html_safe % { keep_tokens_secure_link: keep_tokens_secure_link }
+          = render 'projects/triggers/form', btn_text: s_('PipelineTriggerTokens|Create pipeline trigger token'), show_cancel_button: true
 
         #js-ci-pipeline-triggers-list.triggers-list{ data: { triggers: @triggers_json } }