Override CI_JOB_TOKEN with project token for git read access when 2FA is enabled

With a default .gitlab-ci.yml config:

image: busybox

pages:
  stage: deploy
  script:
    - echo "The site will be deployed to $CI_PAGES_URL"
  artifacts:
    paths:
      - public
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

If 2FA is enabled for my account, the CI job is unable to check out the repo, and gives this error:

remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://gitlab.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied

I decided to create a project access token that can read the repo (with developer-level access), etc. I then created a variable for the repo, set to PROJECT_CI_JOB_TOKEN, turned on masking of the variable in logs, and enabled the option to only allow its use on protected branches.

That’s all fine, but so far I don’t know how to tell the CI job to use that token instead of the default CI_JOB_TOKEN for the default git checkout step. If I choose to run on a base image other than busybox, I am able to install git, then check out the repo manually, etc. Like this:

image: ubuntu:focal

variables:
  GIT_STRATEGY: none
  GIT_CHECKOUT: "false"

pages:
  stage: deploy
  script:
    - apt update
    - apt install -y git
    - git clone "https://token:${PROJECT_CI_JOB_TOKEN}@gitlab.com/..." .

That works, but it adds complexity, and it slows down the pipeline, because it requires fetching package metadata from an Ubuntu mirror.

Is there any way to set a variable in the .gitlab-ci.yml file to tell GitLab to use an alternate token? It’s not possible to simply override the CI_JOB_TOKEN according to this issue, but it seems like it would be a very useful kind of feature to have by some other means.

I’m looking for something like this:

image: busybox

variables:
  GIT_TOKEN: $PROJECT_CI_JOB_TOKEN
...

Thanks : )
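
Added example (not part of the original post, and not a way to change the token used by GitLab's built-in checkout): a hardened form of the manual clone above, in which a GIT_ASKPASS helper supplies the project token so it is not embedded in the clone URL, where git would save it in .git/config. It assumes a job image that already has git, the post's PROJECT_CI_JOB_TOKEN variable and GitLab's predefined CI_SERVER_HOST and CI_PROJECT_PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; PROJECT_CI_JOB_TOKEN is the
# masked, protected CI/CD variable described in the post.

# Write a GIT_ASKPASS helper. git runs it with the prompt text as $1 and reads
# the answer from stdout, so the token stays in the environment only.
write_askpass() {
    askpass_path="$1"
    cat > "$askpass_path" <<'EOF'
#!/bin/sh
case "$1" in
    Username*) printf '%s\n' "token" ;;
    Password*) printf '%s\n' "$PROJECT_CI_JOB_TOKEN" ;;
esac
EOF
    chmod 700 "$askpass_path"
}

# Clone URL without credentials, built from GitLab predefined variables.
repo_url() {
    printf 'https://%s/%s.git\n' "$CI_SERVER_HOST" "$CI_PROJECT_PATH"
}

# Clone into $1. Use with GIT_STRATEGY: none, e.g. clone_with_project_token .
clone_with_project_token() {
    dest="$1"
    # A protected variable is not injected on unprotected refs, so an empty
    # value here usually means the job ran on an unprotected branch or tag.
    if [ -z "${PROJECT_CI_JOB_TOKEN:-}" ]; then
        echo "PROJECT_CI_JOB_TOKEN is empty; is this ref protected?" >&2
        return 1
    fi
    helper="$(mktemp)"
    write_askpass "$helper"
    status=0
    # GIT_TERMINAL_PROMPT=0 makes git fail instead of waiting for input.
    GIT_ASKPASS="$helper" GIT_TERMINAL_PROMPT=0 \
        git clone --depth 1 "$(repo_url)" "$dest" || status=$?
    rm -f "$helper"
    return "$status"
}
```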