Dependency-scanning job can't use group level variable

Summary

Dependency-scanning job failing being not able to get ${NPM_TOKEN} variable from group level variables.

Steps to reproduce

  • Run dependency-scanning job against a JS project, which is using private NPM repos.
  • Store ${NPM_TOKEN} variable in group level variables

Example Project

https://gitlab.com/new10/services/gandalf/-/jobs/349334979

What is the current bug behavior?

The dependency-scanning job job fails and produces no report, with following log

Installing dependencies... yarn install v1.17.3 error An unexpected error occurred: "Failed to replace env in config: ${NPM_TOKEN}". info If you think this is a bug, please open a bug report with the information provided in "/tmp/app/yarn-error.log". info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

Screenshot_2019-11-13_at_11.06.30

What is the expected correct behavior?

The dependency-scanning job job should be be able to use env variable ${NPM_TOKEN} from group level variables.