This was posted previously ( Masking tokens in GitLab CI/CD ) but closed before answered. In GitLab, variables for CI/CD are visible in job logs by default. In order to mask them, they must meet a few regular expression requirements. Generated tokens begin with FlyV1 fm2_... which violates the “Be a single line with no spaces” rule.
My solution was to use the raw FM2 payload without the FlyV1 prefix. I tested it with this script and it worked
# Extract just the payload
ORIGINAL_TOKEN="FlyV1 fm2_..."
PAYLOAD_ONLY="${ORIGINAL_TOKEN#FlyV1 }"
echo "$PAYLOAD_ONLY" # Should start with fm2_
# Test: does flyctl accept it?
FLY_API_TOKEN="$PAYLOAD_ONLY" flyctl apps list
Pros : It works and is a clean solution. No base64 dance, just a valid token. Risks: this is undocumented (AFAIK). Fly might change the format in a future release and the token stops working and this would need fixing. Low probability but non-zero.