mattermost-plugin-gitlab
Ability to reduce scope of Mattermost's access to GitLab's API?
Thanks for your contributions to Mattermost.
Currently, the GitLab / Mattermost bridge requires granting Mattermost full API access to GitLab. From what I understand, it's equivalent to granting someone admin access, to make requests on behalf of users of Mattermost. This poses a security risk if a Mattermost instance is ever compromised.
My feature request would be to give administrators the option of limiting the API access level, to reduce the attack surface. Some integrations, like tracking private merge requests or other privileged tasks, would not be offered to users of that instance.
The level of integration could involve setting access to "read_api" for read-only access, or removing features other than the ability to log in via GitLab and interact with public repositories.
Thanks for your consideration. : )