Masked variables are not masked - credentials leaked

I’m having issues with masked variables not getting masked in a new project. This is despite the fact that I simply replicated the same setup that has worked before in another project.

Here’s a CI job in the old project - note the masked credentials for the twine command:
https://gitlab.com/jfolz/simplejpeg/-/jobs/853869420#L90

And here are two similar jobs in the new project that casually leak API tokens:
https://gitlab.com/jfolz/simplebloom/-/jobs/1028494188#L96
https://gitlab.com/jfolz/simplebloom/-/jobs/1028920402#L98

Between those jobs I deleted and recreated all variables and went through and compared all project settings and cannot find any (relevant) differences. Since they’re all nice and visible to the public you can also easily verify that the values conform to the requirements for masked variables.

I was lucky enough to notice almost immediately so I could invalidate the token both times, but I would really like to avoid deleting the token every time.
Does anyone have an idea what’s going on? There are a few issues in the Gitlab repo, but they never went anywhere.
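Two checks a defender would want when relying on masked variables are (a) whether each value is even eligible for masking and (b) whether a finished job log still contains a secret verbatim, which is exactly the situation the post above describes. The script below is an added example, not code from the original post or from GitLab; the eligibility rule it encodes (single line, at least 8 characters, Base64 alphabet plus `@`, `:`, `.` and `~`) is my reading of GitLab's documented requirements for the period of this thread and should be treated as an assumption to verify against the docs for your version. The secrets and job log are constructed sample data.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Assumed masking eligibility rule (GitLab docs, as understood for the version
# contemporary with this thread): single line, >= 8 chars, only RFC 4648
# Base64 characters plus '@', ':', '.', '~'. Verify against your version's docs.
MASKABLE_RE = re.compile(r"[A-Za-z0-9+/=@:.~]{8,}")


def maskable(value: str) -> bool:
    """True if the value satisfies the assumed masking requirements."""
    if "\n" in value or "\r" in value:
        return False
    return MASKABLE_RE.fullmatch(value) is not None


def unmaskable(secrets: Dict[str, str]) -> List[str]:
    """Names of variables whose values the runner would never mask."""
    return [name for name, value in secrets.items() if not maskable(value)]


def mask_log(log: str, secrets: Iterable[str]) -> str:
    """Mimic the runner's masking: replace each eligible secret with [MASKED]."""
    out = log
    for value in secrets:
        if maskable(value):
            out = out.replace(value, "[MASKED]")
    return out


def find_leaks(log: str, secrets: Dict[str, str]) -> List[Tuple[str, int]]:
    """Post-job audit: (variable name, line number) for every secret value
    that appears verbatim in the log, in variable-definition order."""
    leaks = []
    lines = log.splitlines()
    for name, value in secrets.items():
        for lineno, line in enumerate(lines, start=1):
            if value in line:
                leaks.append((name, lineno))
    return leaks


# Constructed sample variables (not real credentials).
SAMPLE_SECRETS = {
    "TWINE_PASSWORD": "AgEIcHlwaS5vcmcCJDEyMzQ1Njc4==",  # eligible for masking
    "SHORT_TOKEN": "abc123",                             # too short to mask
    "MULTILINE": "line1\nline2",                          # multi-line, never masked
}

# Constructed job log in the style of a twine upload step.
SAMPLE_LOG = (
    "$ twine upload -u __token__ -p AgEIcHlwaS5vcmcCJDEyMzQ1Njc4== dist/*\n"
    "Uploading package-0.1.tar.gz\n"
    "$ echo abc123\n"
    "abc123\n"
)

if __name__ == "__main__":
    print("not maskable:", unmaskable(SAMPLE_SECRETS))
    print("leaks in raw log:", find_leaks(SAMPLE_LOG, SAMPLE_SECRETS))
    masked = mask_log(SAMPLE_LOG, SAMPLE_SECRETS.values())
    print("leaks after masking:", find_leaks(masked, SAMPLE_SECRETS))
```

Running `find_leaks` against the raw log shows the token on the twine command line; after `mask_log` only the ineligible `SHORT_TOKEN` remains, which is the normal, documented behaviour. A value that is eligible and still shows up after the job finishes is the anomaly this thread is about, and that is the condition worth alerting on and treating as a credential exposure rather than a cosmetic bug.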

So I just received an email from Gitlab. Turns out this was caused by a regression in the Gitlab runner version deployed by gitlab.com at the time.

Was there any announcement about this bug? This should be considered a security incident. I notice there are hackers who managed to do that on one of my repos.

Hi,

this was publicly shared at Masked variable vulnerability in Runner version 13.9.0-rc1 | GitLab and only affected GitLab.com SaaS users where the release candidate was deployed. If you follow the regular release versions, you were not affected.

If you think that you have found a new vulnerability, please disclose it responsibly. More at Responsible Disclosure Policy | GitLab

Cheers,
Michael