Use deploy tokens, they give read-only access to the repo and registry. Go to your project, Settings > Repository > Deploy tokens https://docs.gitlab.com/ee/user/project/deploy_tokens/index.html
As for the earlier answers about Private and Group tokens: According to GitLab documentation and opened issues, Project Access Tokens and Group Tokens have a breach, such as the holder can access any internal repository
Project access tokens are treated as internal users. If an internal user creates a project access token, that token is able to access all projects that have visibility level set to Internal.
From https://gitlab.com/gitlab-org/gitlab/-/issues/413028
One of the consequences of this is that if we share a single read-only project access token with an external user, they can access any internal project in our Gitlab server instance, which we believe is an evident security hole.