
Update docs to include steps to use protected token.

Fixes #8. The current setup with project tokens lets anyone with merge access circumvent changes only being applied on merge and instead lets them simply make changes in the merge request pipeline.

This merge request proposes changes to the docs that inform the user of a more secure way of setting up GPC that uses two tokens. One token can only read from the API, for use on merge request pipelines; the other can read and write to the API but can only be used on protected branches (see the GitLab documentation for protecting CI/CD variables). This means changes can only be made to projects when the pipeline is running on a protected branch, which sensibly should be your mainline.
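As an added illustration (not part of this merge request or the GPC docs), here is a `.gitlab-ci.yml` that splits the two tokens as described: the variable names `GPC_READ_TOKEN`/`GPC_WRITE_TOKEN`, the `GITLAB_TOKEN` environment variable and the `./run-gpc.sh` wrapper are placeholders, not the tool's real interface.

```yaml
# Added example, not from the merge request. Assumed CI/CD variables
# (Settings > CI/CD > Variables):
#   GPC_READ_TOKEN  - read-only API scope, NOT marked protected, so merge
#                     request pipelines can use it for dry runs only
#   GPC_WRITE_TOKEN - read/write API scope, marked "Protected", so GitLab only
#                     exposes it to pipelines running on protected refs
# ./run-gpc.sh is a placeholder for the real GPC invocation.

stages: [check, apply]

# Merge request pipelines: the write token is never exposed here, so editing
# this job in an MR cannot apply changes to projects; it can only dry-run.
check_config:
  stage: check
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - export GITLAB_TOKEN="$GPC_READ_TOKEN"
    - ./run-gpc.sh --dry-run

# Mainline only: runs on the default branch and only when that ref is
# protected, which is the condition under which GPC_WRITE_TOKEN is defined.
apply_config:
  stage: apply
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_REF_PROTECTED == "true"
  script:
    # Fail loudly if the protected variable is missing (e.g. branch unprotected)
    - test -n "$GPC_WRITE_TOKEN" || { echo "write token not available on this ref"; exit 1; }
    - export GITLAB_TOKEN="$GPC_WRITE_TOKEN"
    - ./run-gpc.sh --apply
```

`CI_COMMIT_REF_PROTECTED`, `CI_COMMIT_BRANCH`, `CI_DEFAULT_BRANCH` and `CI_PIPELINE_SOURCE` are GitLab predefined variables; the protection of the write token is enforced by GitLab's "Protected" variable flag, not by the rule alone.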
