$CI_JOB_TOKEN on protected branch permission issues?

Took a few days of Googling and reading docs but I finally got it to work.

For anyone in the future reading this, don’t use the CI_JOB_TOKEN.
Create a deploy token for your project.
Copy the username & password (can’t be retrieved after page refresh).
Create a new CI/CD variable for each of these.
Call them CI_DEPLOY_USER & CI_DEPLOY_PASSWORD.
Make them protected IF you intend to use them on a protected branch.
Set the permissions you want.
Change the login in your YAML script to

- echo "$CI_DEPLOY_PASSWORD" | docker login $CI_REGISTRY -u $CI_DEPLOY_USER --password-stdin

Imo there are too many kinds of tokens and all kinds of different ways to configure them, so it just becomes a confusing mess for the inexperienced.

Deploy tokens | GitLab
How to use the deploy token correctly - GitLab CI/CD - GitLab Forum
How do I get Docker registry username and password in gitlab.com? - Stack Overflow (2nd answer, which led me in the right direction)
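
The login step from the post above with a preflight check, as an added example that is not part of the original post. It covers the case where the variables are marked Protected but the job runs on an unprotected ref, so they arrive empty and `docker login` fails with an unhelpful error. The function names are hypothetical; `CI_REGISTRY` and `CI_COMMIT_REF_PROTECTED` are GitLab predefined variables, and `CI_DEPLOY_USER` / `CI_DEPLOY_PASSWORD` are the CI/CD variables created in the steps above.

```shell
#!/bin/sh
# Added example: preflight for the deploy-token registry login.
# Source this file from the job script, then call: registry_login

# Prints the name of each required variable that is empty or unset, one per line.
missing_registry_vars() {
    for name in CI_REGISTRY CI_DEPLOY_USER CI_DEPLOY_PASSWORD; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || printf '%s\n' "$name"
    done
}

# Returns 0 when a login can be attempted; otherwise 1 with a diagnosis on stderr.
registry_preflight() {
    missing=$(missing_registry_vars)
    [ -z "$missing" ] && return 0
    echo "registry login skipped, empty variables: $(echo $missing)" >&2
    # Protected variables are only passed to jobs on protected branches or tags.
    if [ "${CI_COMMIT_REF_PROTECTED:-false}" != "true" ]; then
        echo "ref is not protected: variables marked Protected are not passed to this job" >&2
    fi
    return 1
}

# Logs in with the deploy token; the password goes through stdin, not argv,
# so it does not show up in the process list or in the job log.
registry_login() {
    registry_preflight || return 1
    printf '%s' "$CI_DEPLOY_PASSWORD" |
        docker login "$CI_REGISTRY" -u "$CI_DEPLOY_USER" --password-stdin
}
```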