GitLab + AWX questions

Hello!
I still have problems to get a file from GitLab to a host.

I try to dl the file but get the message access denied:
HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password.
Playbook:

---
- name: Download with PAT
  hosts: all
  become: true

  vars:
    gitlab_user: "{{ 'GITLAB_USER' }}"
    gitlab_token: "{{ 'GITLAB_TOKEN' }}"
    git_repo: "https://git.gruen.net/awx_gruen/playbooks.git"

  tasks:
    - name: clone from repo to tmp
      ansible.builtin.git:
        repo: "https://{{ gitlab_user }}:{{ gitlab_token }}@{{ git_repo | regex_replace('https://', '') }}"
        dest: "/tmp/"
        version: "dev"
        force: yes
        accept_hostkey: yes

i use the PAT as token var and can auth with this data co clone the git with:

git clone https://git.gruen.net/awx_gruen/playbooks.git /tmp/

I replaced the PAT value once to make shure.
And how could i download just a singlie file:
https://git.gruen.net/awx_gruen/playbooks/-/blob/dev/linux_playbooks/fusion_inventory/agent.cfg?ref_type=heads

And i have read about the possibillity to use a webhoock to trigger a project sync if there has been an change in the files.

I have seen two versions:
One from the official guide where you enable a webhoock in a Template and enter there the webhoock data - i think this i just for messaging if the template has been run or propably data from it to the GitLab(?) :face_with_raised_eyebrow:

The other one uses the service Webhoock but i dont get how the AWX is actepting the request to sync the project in this version. :thinking:

Thank you again for your input!!

I got now a functional playbook to clone the repo:

---
- name: Download with PAT
  hosts: all
  become: true

  tasks:
    - name: check for /tmp/git
      ansible.builtin.file:
        path: "/tmp/git"
        state: directory
        mode: '0755'

    - name: clone from repo to tmp
      ansible.builtin.git:
        repo: "https://{{ GITLAB_USER | urlencode() }}:{{ GITLAB_TOKEN | urlencode() }}@git.gruen.net/awx_gruen/playbooks.git"
        dest: "/tmp/git"
        version: "dev"
        force: yes
        accept_hostkey: yes