[dg] adds `dg scaffold gitlab-ci

[cmpadden]

Summary & Motivation

Adds a dg scaffold gitlab-ci command to reach feature parity with dg scaffold github-actions.

Note: consider consolidating into dg scaffold ci --{github,gitlab}

How I Tested These Changes

Changelog

• Adds a dg scaffold gitlab-ci command for scaffolding CI for GitLab projects

The optimal fix is to parse the provided URL using Python's urlparse from the standard library, then extract the hostname for checking. This ensures we only match exact hostnames or well-defined subdomains rather than arbitrary string matches.

For the lambda functions highlighted (such as those checking for 'docker.io', 'gcr.io', 'ecr', and especially 'gitlab.com'/'registry.gitlab.com'), the match function should parse the URL, retrieve its .hostname, and then only return True if the host exactly matches the registry's domain or is a well-formed subdomain (as appropriate).

What to change:

• In lines where match=lambda url: "docker.io" in url and similar substring checks occur, update these to parse the URL, retrieve the hostname, and check for an exact match or proper subdomain (e.g., hostname == "docker.io" or hostname.endswith(".docker.io") as needed).
• Add from urllib.parse import urlparse at the top if not already imported in the shown snippet.
• Do not change the calling or surrounding code, only the lambda match definitions.

---

The safest way to fix this is to parse the URL and verify the hostname matches the allowed values, rather than checking for substring inclusion. To do this, update the match lambdas in REGISTRY_INFOS to parse the input (likely a URL) using urllib.parse.urlparse, then check if the .hostname is exactly equal to or endswith the required host (for supporting subdomains if desired). For registries supporting only the exact host, use ==, otherwise use .endswith() with a preceding dot.

The following fixes should be applied within the same file:

• At the top, import urlparse from urllib.parse.
• For each match=lambda url: ... lambda:
  • Use urlparse(url).hostname to extract the host.
  • Change checks from substring in to hostname comparison, e.g. hostname == "registry.gitlab.com" (or .endswith(".gitlab.com") to allow subdomains, as appropriate for each registry).

Edit only the shown code regions (i.e. rework the relevant lambdas inside the REGISTRY_INFOS list).

The best way to fix the problem is to ensure that URL matching works by examining the parsed hostname of the URL, not by substring-matching the URL string. Specifically, for each lambda in the match argument of ContainerRegistryInfo, replace unsafe substring checks like "gitlab.com" in url with a safe check using urlparse(url).hostname. For example, check if the hostname equals or ends with gitlab.com or its valid subdomains. Also, update "docker.io" in url, "ecr" in url, "azurecr.io" in url, "gcr.io" in url similarly, parsing the URL first and matching the relevant registry domain in the hostname.
Add the necessary import for urlparse from urllib.parse at the top of the file. This change should be made within the definition of the REGISTRY_INFOS list in python_modules/libraries/dagster-dg-cli/dagster_dg_cli/cli/scaffold/gitlab_ci.py.

To securely check if a URL belongs to a recognized registry domain, we must parse the URL and examine its hostname in a structured way. The fix is to use the standard urlparse function from Python’s urllib.parse to parse the provided URL, extract the hostname, and only then perform matching—for example, by comparing the hostname to an explicit domain name or ensuring it ends with a valid domain preceded by a dot. For public registries with well-known host patterns (like docker.io, azurecr.io, gcr.io, registry.gitlab.com), use the parsed hostname for exact or suffix matching that prevents accidental substring matches or subdomain bypasses (i.e., .azurecr.io matches, but not notazurecr.io).

You only need to change the match lambdas in each ContainerRegistryInfo definition; add the necessary import for urlparse from urllib.parse if not already present.

---

To properly fix the issue, we should parse the input registry URL and compare the hostname portion (and potentially scheme) of the parsed URL to known valid hosts. This means updating the match lambda functions in the ContainerRegistryInfo definitions to avoid substring searching and instead use URL parsing (e.g., via urllib.parse.urlparse). For example, instead of "gcr.io" in url, use something like hostname = urlparse(url).hostname; hostname and hostname.endswith('gcr.io'). We should update all lambdas to use a consistent, correct host matching approach.

This affects the REGISTRY_INFOS definitions (lines 78-125), specifically updating the match lambdas for ECR, DockerHub, GitLab, Azure, and Google. For this, we should import urlparse from Python's standard library and update each relevant lambda accordingly.

---

[cmpadden]

• [dg] refactor `dg scaffold {github-actions,gitlab-ci} to use shared utilities #32662
• [dg] adds `dg scaffold gitlab-ci #32659 👈 (View in Graphite)
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.