Project Access Token not accessible in Pipeline

Greetings, everyone!

Problem to solve

I need to build a project with Maven and perform releases using the maven-release plug-in. As that modifies the pom.xml file(s) versioned with Git (which is something we want), I need write access to the repo in the pipeline. In the past, I went with the SSH-Key approach, but that always felt unnecessarily complicated and hacky to me. Instead, I want to use PATs to do that.

I learned that this works by providing a remote URL like this (where GIT_WRITE is the name of my PAT):
https://$CI_PROJECT_NAME:$GIT_WRITE@$CI_SERVER_HOST/$CI_PROJECT_PATH.git

So, I do the following:
echo GIT_REMOTE=scm:git:https://$CI_PROJECT_NAME:$GIT_WRITE@$CI_SERVER_HOST/$CI_PROJECT_PATH.git > .env

Alas, while every other variable seems to become expanded, GIT_WRITE remains empty, which I can see when cat-ing the .env-file in my pipeline:
scm:git:https://pipeline-test:@gitlab.com/aarkon/pipeline-test.git
The token should be in between the two characters :@.

Steps to reproduce

Reproducing this is easy:

  • Set up any project
  • create a PAT (write access to the repository necessary in my case)
  • try to echo the PAT anywhere, to a file or what have you.

My expectation would be to see the PAT-prefix and [masked]******... or something similar, but I just don’t see anything. This masked-stuff happens when I try to echo my masked SSH key at least. I also tried all combinations of quotes, single and double, as well as curly braces. By now, I think I’m fundamentally on the wrong path because I can see & expand the other variables (e.g. CI_PROJECT_NAME) just fine.

Configuration

I’ve set up a minimal demo project detailing the issue. The entire gitlab-ci.yml is this:

stages:
  - build


build-job:
  stage: build
  image: maven:3.9.6-eclipse-temurin-17-focal
  script:
    - echo "Trying to access the PAT"
    - echo GIT_REMOTE=scm:git:https://$CI_PROJECT_NAME:$GIT_WRITE@$CI_SERVER_HOST/$CI_PROJECT_PATH.git > .env
    - cat .env

The access token is configured like so:

My genuine project is built on a self managed instance, but because the same issue can be observed on gitlab.com, I suppose that fact doesn’t matter.

Thanks in advance for pointing me in the right direction.

I posted basically the same already on StackOverflow btw, just in case anyone wants to score some points over there.
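
A guard for the `echo ... > .env` step in the post, as an added example that is not part of the original post: it stops the job when a variable such as GIT_WRITE expands to nothing, and it logs the URL with the token redacted instead of cat-ing the file. It assumes GIT_WRITE is defined as a CI/CD variable that holds the token value; the function names are hypothetical.

```shell
# Added example (not from the original post). Assumption: GIT_WRITE is a
# CI/CD variable holding the token value. A variable marked "Protected" is
# not passed to jobs on unprotected branches, so it can arrive empty.

# require_vars NAME...: return 1 and name every variable that is unset or empty.
require_vars() {
  missing=""
  for name in "$@"; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "empty or unset CI variables:$missing" >&2
    return 1
  fi
}

# git_remote: print the Maven SCM URL used in the post, or fail if a part is missing.
git_remote() {
  require_vars CI_PROJECT_NAME GIT_WRITE CI_SERVER_HOST CI_PROJECT_PATH || return 1
  printf 'scm:git:https://%s:%s@%s/%s.git\n' \
    "$CI_PROJECT_NAME" "$GIT_WRITE" "$CI_SERVER_HOST" "$CI_PROJECT_PATH"
}

# redact_remote URL: replace the password part of the URL for log output.
redact_remote() {
  printf '%s\n' "$1" | sed -E 's#(https://[^:/@]+:)[^@]*@#\1[REDACTED]@#'
}

# write_env FILE: write GIT_REMOTE=... to FILE (owner-only) and log a redacted copy.
write_env() {
  remote=$(git_remote) || return 1
  ( umask 077; printf 'GIT_REMOTE=%s\n' "$remote" > "$1" )
  echo "wrote $1: GIT_REMOTE=$(redact_remote "$remote")"
}
```

In the job's script, `write_env .env` would take the place of the `echo` and `cat` lines once the functions are defined.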