
Add a rotate_self scope for token

Proposal

Currently, if I want to rotate a token, I need to use a token with the api scope.
So, for example, if I want to automate rotation of a write_repository scoped token, I will need either

  • to also give an api scope to my token and then self-rotate the token, which is somewhat against the Least Privilege Principle
  • to have a second token, api scoped, and use it to rotate the first one (note that I will also need to rotate the second token).

Thus, the need to renew tokens could lead to a multiplication of api scoped tokens, which, in my opinion, is not a safe option.

The proposal here is to add a rotate_self scope to allow one token to rotate itself.
The token with the rotate_self scope would not have access to the entire api, but only, for example, to the https://gitlab.example.com/api/v4/personal_access_tokens/self/rotate endpoint, in order to allow the token to self-rotate.

This would lead to a simpler and safer token rotation procedure than the current one, which requires a second api scoped token to rotate a token (and even a third api scoped token to enable automatic mutual rotation of the api scoped tokens).
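As an added illustration (not code from the issue or from GitLab), this is the self-rotation call the proposal wants to scope down: a POST to the `/api/v4/personal_access_tokens/self/rotate` endpoint, authenticated with the token being rotated, followed by checks that a fresh, unexpired token came back before the caller overwrites its stored secret. The HTTP transport is injectable so the logic runs offline against a constructed response; the endpoint path, the `PRIVATE-TOKEN` header and the `token`/`expires_at` response fields are GitLab's, while `fake_rotate_post` and all token values are constructed here.

```python
"""Rotate a GitLab personal access token via the self-rotate endpoint.

Added example, not GitLab's own code. Today this call still requires the
token to carry the api scope; the proposal would let a rotate_self scope
authorise only this endpoint."""
import json
import urllib.request
from datetime import date

ROTATE_PATH = "/api/v4/personal_access_tokens/self/rotate"


def http_post(url: str, headers: dict, body: dict) -> dict:
    """Real transport: JSON POST, returns the decoded JSON response body."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def rotate_token(base_url: str, current_token: str, expires_at: date, post=http_post) -> dict:
    """Rotate `current_token` and return the new token, its expiry and scopes.

    The old token is invalid once the server answers, so the caller must
    persist the returned token immediately (e.g. to its CI secret store)."""
    url = base_url.rstrip("/") + ROTATE_PATH
    data = post(url, {"PRIVATE-TOKEN": current_token}, {"expires_at": expires_at.isoformat()})
    new_token = data.get("token")
    if not new_token or new_token == current_token:
        raise RuntimeError("rotation response did not contain a fresh token")
    new_expiry = date.fromisoformat(data["expires_at"])
    if new_expiry <= date.today():
        raise RuntimeError(f"new token already expired: {data['expires_at']}")
    return {"token": new_token, "expires_at": new_expiry, "scopes": data.get("scopes", [])}


def fake_rotate_post(url: str, headers: dict, body: dict) -> dict:
    """Constructed stand-in for GitLab: echoes the requested expiry and
    returns a token object shaped like the real API response."""
    assert url.endswith(ROTATE_PATH) and headers["PRIVATE-TOKEN"].startswith("glpat-")
    return {"id": 42, "name": "ci-deploy", "scopes": ["write_repository"],
            "token": "glpat-NEWconstructedvalue", "expires_at": body["expires_at"]}


def demo() -> dict:
    """Run one rotation offline against the constructed transport."""
    return rotate_token("https://gitlab.example.com/", "glpat-OLDconstructedvalue",
                        date(2999, 1, 1), post=fake_rotate_post)


if __name__ == "__main__":
    print(demo())
```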

Edited by Stéphane Talbot