Project Access Token not accessible in Pipelne

Greetings, everyone!

Problem to solve

I need to build a project with Maven & performing releases using the maven-release plug-in. As that modifies the pom.xml file(s) versioned with Git (which is something we want), I need write access to the repo in the pipeline. In the past, I went with the SSH-Key approach, but that always felt unnecessary complicated and hacky to me. Instead, I want to use PATs to do that.

I learned that this works by providing a remote URL like this (where GIT_WRITE is the name of my PAT):

So, I do the following:

Alas, while every other variable seems to become expanded, GIT_WRITE remains empty, which I can see when cat-ing the .env-file in my pipeline:
The token should be in between the two characters :@.

Steps to reproduce

Reproducing this is easy:

  • Set up any project
  • create a PAT (write access to the repository necessary in my case)
  • try to echo the PAT anywhere, to a file or what have you.

My expectation would be to see the PAT-prefix and [masked]******... or something similar, but I just don’t see anything. This masked-stuff happens when I try to echo my masked SSH key at least. I also tried all combinations of quotes, single and double, as well as curly braces. By now, I think I’m fundamentally on the wrong path because I can & expand see the other variables (e.g. CI_PROJECT_NAME) just fine.


I’ve set up a minimal demo project detailing the issue. The entire gitlab-ci.yml is this:

  - build

  stage: build
  image: maven:3.9.6-eclipse-temurin-17-focal
    - echo "Trying to access the PAT"
    - cat .env

The access token is configured like so:

My genuine project is built on a self managed instance, but because the same issue can be observed on, I suppose that fact doesn’t matter.

Thanks in advance for pointing me in the right direction.

I posted basically the same already on StackOverflow btw, just in case anyone wants to score some points over there.