Commit ae0ae400 authored by Pierre Smeyers

Merge branch 'least-privilege-group-token' into 'master'

docs: least privilege GITLAB_TOKEN

See merge request to-be-continuous/doc!122
parents 0975f80b f57d3ac7
+2 −2
@@ -20,9 +20,9 @@ The assembled Kicker descriptor is built by crawling one or several GitLab group

It can be configured with the following variables:

* `GITLAB_TOKEN`: a [group access token](https://docs.gitlab.com/user/group/settings/group_access_tokens/) with at least scopes `api,read_repository`
  and `Developer` role,
* `KICKER_RESOURCE_GROUPS`: JSON configuration of GitLab groups to crawl.
* `GITLAB_TOKEN`: an [access token](https://docs.gitlab.com/security/tokens/) with at least scopes `read_api,read_repository`
  and `Reporter` role. Only required to crawl `internal` and `private` projects.

### Details about `KICKER_RESOURCE_GROUPS`

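Review bot: with the link changed from the group access token page to the generic tokens page, the new `GITLAB_TOKEN` bullet no longer says which kind of token is expected (group, project or personal); since the crawler's reach should match the groups listed in `KICKER_RESOURCE_GROUPS`, suggest stating that a group access token on the crawled group(s) is the intended choice, and mirroring the wording used later in this change ("`Reporter` role on all of those groups") so the role requirement is scoped explicitly rather than left as a bare "`Reporter` role". Also, the bullet now reads as two list items ending with a period while the item above ends with a period too, so the old trailing-comma style of `and \`Reporter\` role,` can be dropped consistently.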
+5 −4
@@ -31,8 +31,9 @@ working in your self-managed server:
   when [configuring the TBC synchronization](./basic.md#sync-your-local-copy-of-tbc) for first time:
    * `$DEST_SYNC_PATH` to override the GitLab destination root group path,
    * `$MAX_VISIBILITY` to override the maximum visibility of projects in the destination group.
3. TBC configuration shall be overridden accordingly in the `KICKER_RESOURCE_GROUPS` variable in your local copy of the 
   [doc](https://gitlab.com/to-be-continuous/doc) project (see the [Have your own doc + kicker](#have-your-own-doc-kicker) chapter).
3. Set the right variable(s) in your local copy of the 
   [doc](https://gitlab.com/to-be-continuous/doc) project:
    * See the [Have your own doc + kicker](#have-your-own-doc-kicker) chapter.

## Variable presets

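Review bot: the new step 3 "Set the right variable(s) in your local copy of the doc project" is less precise than the text it replaces, which named `KICKER_RESOURCE_GROUPS` explicitly; suggest naming the variables here (`KICKER_RESOURCE_GROUPS`, plus `GITLAB_TOKEN` only when `internal`/`private` projects are crawled) and keeping the chapter link as the place for details, so readers following the self-managed checklist know what to set without jumping ahead. Minor: the line `3. Set the right variable(s) in your local copy of the ` keeps a trailing space from the old text.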
@@ -163,8 +164,8 @@ developers from your company to have an easy access to a reference documentation

In your local copy of the [doc](https://gitlab.com/to-be-continuous/doc) project:

1. Declare the CI/CD project variable `GITLAB_TOKEN`: a [group access token](https://docs.gitlab.com/user/group/settings/group_access_tokens/) with scopes `api,read_registry,write_registry,read_repository,write_repository` and with `Owner` role.
2. Declare the CI/CD project variable `KICKER_RESOURCE_GROUPS`: JSON configuration of GitLab groups to crawl.
1. Declare the CI/CD project variable `KICKER_RESOURCE_GROUPS`: JSON configuration of GitLab groups to crawl.
2. If you want to crawl any `internal` or `private` projects, declare the CI/CD project variable `GITLAB_TOKEN` (masked, hidden and protected): an [access token](https://docs.gitlab.com/security/tokens/) with at least scopes `read_api,read_repository` and `Reporter` role on all of those groups.
3. create a scheduled pipeline (for instance every day at 3:00 am).

Here is an example of `KICKER_RESOURCE_GROUPS` content:
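Review bot: step 2 asks for the variable to be "masked, hidden and protected" but, unlike the equivalent change to the gitlab-sync page in this same commit, gives no links to the GitLab docs for those settings; suggest linking `masked and hidden` and `protected` here as well so both pages point to the same definitions. Style: step 3 still starts lowercase (`3. create a scheduled pipeline`) while the rewritten steps 1 and 2 are capitalised.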
+2 −2
@@ -19,7 +19,7 @@ Don't panic, we provide all required tools to initiate it for the first time, an
1. Create an empty `to-be-continuous` root group with `public` visibility.
2. In the `to-be-continuous` root group, generate a [group access token](https://docs.gitlab.com/user/group/settings/group_access_tokens/) with scopes 
   `api,read_registry,write_registry,read_repository,write_repository` and with `Owner` role.
3. Store the token in the `GITLAB_TOKEN` environment variable (`export GITLAB_TOKEN="<the token>"`).
3. Save the token in your local environment variable `GITLAB_TOKEN` (`export GITLAB_TOKEN="<the token>"`).
4. Install our [GitLab Copy CLI](https://gitlab.com/to-be-continuous/tools/gitlab-cp#usage) (requires Python 3.11 or higher):
    ```bash
    pip install gitlab-cp --index-url https://gitlab.com/api/v4/projects/to-be-continuous%2Ftools%2Fgitlab-cp/packages/pypi/simple --upgrade
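Review bot: the reworded step 3 ("Save the token in your local environment variable `GITLAB_TOKEN`") reads awkwardly; suggest "Save the token in the `GITLAB_TOKEN` environment variable of your local shell". Since step 2 keeps an `Owner`-role token with `api` and `write_*` scopes for this bootstrap, it would also help to add a sentence after the procedure telling readers to `unset GITLAB_TOKEN` (and avoid leaving it in shell history) once the initial copy is done, as this page otherwise gives no guidance on cleaning up that high-privilege token.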
@@ -66,7 +66,7 @@ original _to be continuous_ project.

For this, you only have to create a [scheduled pipeline](https://docs.gitlab.com/ci/pipelines/schedules/) in your local copy of the [tools/gitlab-sync](https://gitlab.com/to-be-continuous/tools/gitlab-sync) project:

1. declare the CI/CD project variable `GITLAB_TOKEN` with the previously created token (mark it as [masked](https://docs.gitlab.com/ci/variables/#mask-a-cicd-variable)),
1. declare the CI/CD project variable `GITLAB_TOKEN` with the previously created token (mark it as [masked and hidden](https://docs.gitlab.com/ci/variables/#mask-a-cicd-variable) as well as [protected](https://docs.gitlab.com/ci/variables/#protect-a-cicd-variable)),
2. create a scheduled pipeline (for instance every day at 2:00 am).

All other required variables will be automatically retrieved from [GitLab CI predefined variables](https://docs.gitlab.com/ci/variables/predefined_variables/).
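Review bot: step 1 now requires `GITLAB_TOKEN` to be protected, but protected CI/CD variables are only exposed to pipelines running on protected branches or tags, so the scheduled pipeline in step 2 has to target a protected ref or the token will simply be absent at runtime; suggest step 2 say so explicitly (for instance "scheduled on a protected branch such as the default branch"). Otherwise the combination of masked, hidden and protected is the right default for a token that reaches into other groups.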