
Group deploy tokens

Description

In https://gitlab.com/gitlab-org/gitlab-ce/issues/31591 we have project deploy tokens to allow read-only access to a project. Since projects are often organized in groups, we can consider implementing tokens at the group level.

Proposal

Group deploy tokens allow read-only access to any project in the group, the same as project deploy tokens, even if the project is created after the token.

Tokens can then be exposed through group variables to all the projects in the group.

Project-level tokens should override group-level tokens.

UX Proposal

  • Add a menu option CI/CD under the group sidebar menu (to support #199370 (comment 278559048))
  • Add a section Deploy tokens with options similar to project Deploy tokens
  • The description should read:
    • Group deploy tokens allow read-only access to the repositories and registry images within the group.

[Image: Group_deploy_tokens]

Tests

  • If a project is part of a group when the tokens are configured, it should inherit the group tokens
  • If a project is added to a group after the tokens were configured, it should inherit the group tokens
  • If a project is removed from a group, group tokens should be removed from the deploy tokens of that project
Edited by Mike Nichols
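
The three test cases and the override rule above, as an added Ruby sketch (not GitLab's code): group tokens are looked up through a project's current group membership on every check instead of being copied onto the project, so a project added later inherits them and a removed project loses them at once. All class and method names are hypothetical, and reading "override" as same-name replacement among the exposed tokens is an assumption.

```ruby
# Added illustration. DeployToken, Group, Project and their methods are
# hypothetical names for this sketch, not GitLab's models.
DeployToken = Struct.new(:name, :level) # level is :group or :project

class Group
  attr_reader :deploy_tokens, :projects

  def initialize
    @deploy_tokens = []
    @projects = []
  end

  def add_project(project)
    @projects << project
    project.group = self
  end

  def remove_project(project)
    @projects.delete(project)
    project.group = nil
  end
end

class Project
  attr_accessor :group
  attr_reader :deploy_tokens

  def initialize
    @group = nil
    @deploy_tokens = []
  end

  # Tokens that grant read-only access right now. Group tokens are looked up
  # through the current membership, never copied onto the project.
  def accepted_tokens
    (group ? group.deploy_tokens : []) + deploy_tokens
  end

  def grants_read?(token)
    accepted_tokens.any? { |t| t.equal?(token) }
  end

  # Tokens exposed to the project, keyed by name. Assumption: "override"
  # means a project-level token replaces a group-level token of the same name.
  def exposed_tokens
    accepted_tokens.each_with_object({}) { |t, by_name| by_name[t.name] = t }
  end
end
```

Because nothing is stored on the project for inherited tokens, removing a project from the group needs no cleanup step that could be missed and leave a stale grant behind.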