Security with access tokens and releasing

So currently I'm developing a tool that would automate my versioning and releases for my projects.
While testing I stumbled upon an issue.
My current flow:
git fetch --tags
calculate new tag
create new tag
git push --tags → error

My tool is on the build server where gitlab-runner is running as well, with a shell executor.
For the git push, and probably further in the process for versioning, I get a 403 access denied.

Now I understand why other tools use access tokens for this. However, I do have some questions from a security standpoint.
The solutions I have tried require an access token with read/write permissions, which is mostly set via an env variable. Here I do ask myself if this is safe from a security standpoint, due to the fact that if a hacker were to hack my account, he/she would have access to the env variables, where he/she could copy the access token and basically have read/write access from anywhere on the planet, since most CI/CD platforms are accessible from the public internet.

Any opinions on this part?
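The flow described above (fetch tags, calculate the next one, create it, push it) as an added example, not the poster's tool: the token comes from a masked CI variable with the write_repository scope, is used in a single push command so it never lands in .git/config, and only the one new tag is pushed rather than `--tags`. GL_RELEASE_TOKEN is an assumed variable name; CI_SERVER_HOST and CI_PROJECT_PATH are the standard GitLab CI variables, and `oauth2` is the user name GitLab accepts with a project access token.

```shell
#!/bin/sh
# Added example (not from the original post): automated patch-release tagging
# with a scoped project access token. Assumes GL_RELEASE_TOKEN is a masked,
# protected CI variable; never echo it and never run this under set -x.
set -eu

# next_patch_tag: read existing tags (one per line) on stdin and print the
# next vMAJOR.MINOR.PATCH. Tags that are not plain semver are ignored; with no
# matching tags at all the first release is v0.1.0.
next_patch_tag() {
    latest=$(grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sed 's/^v//' \
             | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
    if [ -z "$latest" ]; then
        echo "v0.1.0"
        return 0
    fi
    major=${latest%%.*}
    rest=${latest#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    echo "v${major}.${minor}.$((patch + 1))"
}

# release_tag: create and push exactly one new annotated tag. The token is
# only ever part of the URL argument of this single git invocation, so it is
# not written to the remote configuration on the build server, and the push
# refspec is the new tag only, not every local tag.
release_tag() {
    : "${GL_RELEASE_TOKEN:?project access token (write_repository) not set}"
    : "${CI_SERVER_HOST:?}" "${CI_PROJECT_PATH:?}"
    git fetch --tags --quiet
    new_tag=$(git tag --list | next_patch_tag)
    git tag -a "$new_tag" -m "release $new_tag"
    git push --quiet \
        "https://oauth2:${GL_RELEASE_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git" \
        "refs/tags/${new_tag}"
    echo "$new_tag"
}
```

Because the token is limited to write_repository, a leak from the runner's environment is bounded to pushes on that project, and every push it makes shows up as a tag or commit in the repository history where it can be reviewed.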

If someone hacks your account, an access token leak would be the last issue you would need to tackle :slight_smile:

Just out of curiosity, what would be more of a problem? I assume other env variables, for production for instance. Currently I have created a project access token and then done a git login on my build server, therefore I could bypass having to pass it as an env variable; the build server is not public.

Yeah, production-related credentials, access to and acting as you on any repositories you have, and also on any application which is using GitLab as IdP, changing and releasing versions, etc.
An access token with "write repository" can "only" pull/push the repository, and also you can see any strange commits in the git history.
