At least one person asked "wait, does this affect me? what is this?", so let me clarify a bit.
If you don't know what a personal access token is, you are likely not affected and can disregard this.
If you're not sure, and everything is still working, you're likely not affected. A precaution might be to look at your projects continuous integration (CI) pipelines to see if they are still green, consider running scheduled pipelines manually to see if they break.
If you don't know what CI is, you're likely not affected.
If you want to audit your projects thoroughly, you can use an audit script I wrote:
https://gitlab.torproject.org/tpo/tpa/gitlab-tools/-/blob/33a00c1f37e3988ba6...
it will show you projects with private tokens (before they are expired AKA destroyed) and secret project variables that *might* be backed by tokens.
Example run for TPA:
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41510#note_2997204
A.