GitLab + AWX questions

Hello!
I still have problems getting a file from GitLab to a host.

I try to download the file but get the message access denied:
HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password.
Playbook:

---
- name: Download with PAT
  hosts: all
  become: true

  vars:
    gitlab_user: "{{ 'GITLAB_USER' }}"
    gitlab_token: "{{ 'GITLAB_TOKEN' }}"
    git_repo: "https://git.gruen.net/awx_gruen/playbooks.git"

  tasks:
    - name: clone from repo to tmp
      ansible.builtin.git:
        repo: "https://{{ gitlab_user }}:{{ gitlab_token }}@{{ git_repo | regex_replace('https://', '') }}"
        dest: "/tmp/"
        version: "dev"
        force: yes
        accept_hostkey: yes

I use the PAT as the token var and can auth with this data to clone the git with:

git clone https://git.gruen.net/awx_gruen/playbooks.git /tmp/

I replaced the PAT value once to make sure.
And how could I download just a single file:
https://git.gruen.net/awx_gruen/playbooks/-/blob/dev/linux_playbooks/fusion_inventory/agent.cfg?ref_type=heads

And I have read about the possibility to use a webhook to trigger a project sync if there has been a change in the files.

I have seen two versions:
One from the official guide where you enable a webhook in a Template and enter the webhook data there - I think this is just for messaging if the template has been run or probably data from it to the GitLab(?) :face_with_raised_eyebrow:

The other one uses the service Webhook but I don't get how the AWX is accepting the request to sync the project in this version. :thinking:

Thank you again for your input!!

I now have a functional playbook to clone the repo:

---
- name: Download with PAT
  hosts: all
  become: true

  tasks:
    - name: check for /tmp/git
      ansible.builtin.file:
        path: "/tmp/git"
        state: directory
        mode: '0755'

    - name: clone from repo to tmp
      ansible.builtin.git:
        repo: "https://{{ GITLAB_USER | urlencode() }}:{{ GITLAB_TOKEN | urlencode() }}@git.gruen.net/awx_gruen/playbooks.git"
        dest: "/tmp/git"
        version: "dev"
        force: yes
        accept_hostkey: yes

You might look at setting header values. Our instance has the same response, and I believe the method to get around it is to create a project token and use the headers.
I just got through an issue like this, with downloading an archive file of a repo, but it should be the same for your single file case.

PRIVATE-TOKEN: glpat-blahblahblah

Would be the header. You might have to download it via get_url though.

You could also look at using gitlab runners to vet the merge, either before, or after, or both (ansible-lint and such), and let the runner notify AWX to pull when it passes your criteria. We do a little of that, but we mostly use Jenkins — it was set up and working before we knew about gitlab runners, and it still works fine.
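
The header approach suggested in the reply above, written out for the single-file case as an added example (not code from anyone in this thread). It assumes `GITLAB_TOKEN` reaches the play as a variable, as in the working clone playbook, that the token has read access to the repository, and that `/tmp/agent.cfg` is an acceptable destination. It uses GitLab's repository files API (`/api/v4/projects/:id/repository/files/:file_path/raw`).

```yaml
---
- name: Fetch one file from GitLab with a token header
  hosts: all
  become: true

  vars:
    gitlab_host: "git.gruen.net"
    project_path: "awx_gruen/playbooks"
    file_path: "linux_playbooks/fusion_inventory/agent.cfg"
    git_ref: "dev"
    dest_file: "/tmp/agent.cfg"   # assumed destination, adjust as needed

  tasks:
    # Stop before any request is made if the credential was not injected.
    # The assertion text names the variable but never prints its value.
    - name: Check that the token variable is present
      ansible.builtin.assert:
        that:
          - GITLAB_TOKEN is defined
          - GITLAB_TOKEN | length > 0
        fail_msg: "GITLAB_TOKEN is not set"
        quiet: true

    # The API wants the project path and the file path as single URL
    # segments, so every "/" must become %2F. The urlencode filter leaves
    # "/" untouched, hence the extra replace().
    - name: Download agent.cfg through the repository files API
      ansible.builtin.get_url:
        url: >-
          https://{{ gitlab_host }}/api/v4/projects/{{ project_path | urlencode | replace('/', '%2F') }}/repository/files/{{ file_path | urlencode | replace('/', '%2F') }}/raw?ref={{ git_ref | urlencode }}
        dest: "{{ dest_file }}"
        headers:
          PRIVATE-TOKEN: "{{ GITLAB_TOKEN }}"   # token sent as a header, not in the URL
        mode: "0600"      # config file readable by its owner only
        force: true       # re-download when the file already exists
      no_log: true        # keep the header value out of the AWX job output
```

Unlike the clone playbook, this keeps the token out of the URL, so it is not written into a `.git/config` on the target host.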