Masked variables are not masked - credentials leaked

I’m having issues with masked variables not getting masked in a new project. This is despite that I simply replicated the same setup that has worked before in another project.

Here’s a CI job in the old project - note the masked credentials for the twine command:

And here’s two similar jobs in the new project that casually leaks API tokens:

Between those jobs I deleted and recreated all variables and went through and compared all project settings and cannot find any (relevant) differences. Since they’re all nice an visible to the public you can also easily verify that the values conform to the requirements for masked variables.

I was lucky enough to notice almost immediately so I could invalidate the token both times, but I would really like to avoid deleting the token every time.
Does anyone have an idea what’s going on? There are a few issues in the Gitlab repo, but they never went anywhere.

So I just received an email from Gitlab. Turns out this was caused by a regression in the Gitlab runner version deployed by at the time.