Add support for CI_JOB_TOKEN to GitLab fetcher #12598

Open
wants to merge 1 commit into
base: master

axman6
@axman6 axman6 commented Mar 4, 2025

Motivation

The motivation is laid out in #12579 but the summary is: GitLab can be configured to provide a token to each build which is only valid for the life of the job, which allows access to git repositories and the GitLab API. Currently this isn't well supported by Nix; it can be hacked into an Authorization header by using something like:

export NIX_CONFIG="access-tokens = \"gitlab.mycompany.com=Authorization:Basic $(printf '%s' "gitlab-ci-token:$CI_JOB_TOKEN" | base64 | tr -d '\n')\""

but it would be nicer to support users who're using GitLab CI.

This is my first Nix contribution (and my first C++), so any suggestions are humbly appreciated. I have a couple of questions:

  • I've implemented the most basic solution I can think of for this, but I'm sure I'm missing some places that would need updating - what have I missed?
  • From a design point of view, I can see it being useful to be able to say:
    access-tokens = gitlab.mycompany.com=CI_JOB_TOKEN
    
    and have Nix extract this from the invoking environment. Being able to do this would mean that users don't need to modify their nix.conf or export NIX_CONFIG in every build. This feels like it should be morally "pure" (in the --impure sense): the result of the fetcher only differs in whether it works or not, not in the content of its result. This would mean users can bake this into their Docker images used for CI once.
  • How can I test this? I looked at the tests in src/libfetchers-tests/access-tokens.cc but couldn't see how to actually test the code I've written; none of the methods appear to be visible as far as I can tell.

Context

See #12579.



@axman6 axman6 requested a review from edolstra as a code owner March 4, 2025 09:24
@github-actions github-actions bot added the fetching Networking with the outside (non-Nix) world, input locking label Mar 4, 2025
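
The NIX_CONFIG workaround from the description, as an added example that is not part of the pull request or of Nix: it builds the same `access-tokens` line but fails closed when `CI_JOB_TOKEN` is missing and keeps stray newlines out of the Basic credential. The function names and the sample token used to exercise it are assumptions; the header format is the one shown in the description.

```shell
#!/bin/sh
# Added example: build the access-tokens workaround line from CI_JOB_TOKEN.
# Function names are hypothetical; the line format is the one quoted in the
# PR description.

# basic_auth_value USER SECRET -> base64("USER:SECRET") on a single line.
# printf '%s' avoids the trailing newline that echo would append to the
# credential, and tr removes the line wrapping some base64 tools apply
# to long input.
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# gitlab_access_tokens_line HOST
# Prints: access-tokens = "HOST=Authorization:Basic <base64>"
# Returns 2 for a malformed host and 1 when no job token is available, so a
# job run outside GitLab CI fails here instead of sending an empty credential.
gitlab_access_tokens_line() {
    host=$1
    case $host in
        '' | *[!A-Za-z0-9.-]*)
            echo "invalid host name: '$host'" >&2
            return 2
            ;;
    esac
    if [ -z "${CI_JOB_TOKEN:-}" ]; then
        echo "CI_JOB_TOKEN is not set (not inside a GitLab CI job?)" >&2
        return 1
    fi
    printf 'access-tokens = "%s=Authorization:Basic %s"\n' \
        "$host" "$(basic_auth_value gitlab-ci-token "$CI_JOB_TOKEN")"
}

# Typical use in a job script:
#   NIX_CONFIG=$(gitlab_access_tokens_line gitlab.mycompany.com) || exit 1
#   export NIX_CONFIG
```

Base64 is an encoding, not encryption, so the generated line is as sensitive as the job token itself; keep it out of job logs (for example, do not build it with `set -x` enabled).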