Image Registry Pull from k8s

Hi, I need to have a pull secret on k8s deployment with credentials that allow me to download each image from the entire gitlab instance, on premise and free. I could also make the images public but this is not possible because the related projects should be public and this is not possible. I had thought of a personal access token of an admin user with read registry rights but now these tokens last a maximum of one year and are not renewable, it is impossible to change them in infrastructures of thousands of images. Using the user and pwd of a gitlab admin account directly is not possible because the pull secret is a visible base64 and would become public. I saw that in the premium, even if I don’t use it, there are service accounts but these also use tokens to be exchanged after one year. The current solution is to manage the deploy tokens on each group to generate the pull secret, but that has an overhead that is currently not applicable. Another hypothesis is to manage a non-admin user to be associated with each group/project with minimum privileges and directly use his username and pwd, this also involves additional company management that is not applicable. Anyone have an idea?