GitLab.com hostRule token not applied for private Maven registry (401 Unauthorized)

[nuwan-samarasinghe]

How are you running Renovate?

Self-hosted Renovate

Which platform you running Renovate on?

GitLab (.com or self-hosted)

Which version of Renovate are you using?

42.19.7

Please tell us more about your question or problem

Renovate fails to authenticate against a private GitLab Maven repository even though a matching hostRule is configured with a valid GitLab personal access token.
The same token works when tested manually (Postman / curl).

Renovate always returns 401 Unauthorized when trying to fetch Maven metadata from GitLab’s package registry endpoint.

{
  "hostRules": [
    {
      "matchHost": "gitlab.com",
      "hostType": "maven",   # I even tried gitlab
      "token": "token-masked",
    }
  ]
}

Maven repository URL Renovate needs to access https://gitlab.com/api/v4/projects/<project_id>/packages/maven

Manual request using Postman

Authorization: Bearer <token-masked>
curl -H "Authorization: Bearer <token>" \
https://gitlab.com/api/v4/projects/<project_id>/packages/maven/...

this gives a success

personal access token as api and all other read access testing purpose I added

Logs (if relevant)

Logs

{"name":"renovate","hostname":"test","pid":41,"level":20,"logContext":"test","repository":"repository","msg":"GET https://gitlab.com/api/v4/projects/project_id/packages/maven/registry_url/maven-metadata.xml = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=401 retryCount=0, duration=242)","time":"2025-11-25T10:19:47.478Z","v":0}
{"name":"renovate","hostname":"test","pid":41,"level":20,"logContext":"test","repository":"repository","msg":"Dependency lookup unauthorized. Please add authentication with a hostRule for https://gitlab.com/api/v4/projects/project_id/packages/maven/registry_url/maven-metadata.xml","time":"2025-11-25T10:19:47.478Z","v":0}
{"name":"renovate","hostname":"test","pid":41,"level":20,"logContext":"test","repository":"repository","msg":"Maven: error fetching versions for \"maven dependency\": permission-issue","time":"2025-11-25T10:19:47.478Z","v":0}

[finn-matti]

We actually seem to have the same issue, but for composer (PHP). The PATs work using curl, but renovate doesn't seem to handle correctly.