Fix GitLab Trusted Publisher not accepting valid namespaces (#15839)

Namespaces can have forward slash ("/") characters, since a repo
inside a subgroup will have a namespace where the subgroups are
delimited using slashes (e.g: `gitlab.com/group/subgroup/repo` has
a namespace of `group/subgroup`).

tests/unit/oidc/forms/test_gitlab.py

@@ -48,14 +48,22 @@ def test_validate_project_name_already_in_use(self):
 
 
 class TestGitLabPublisherForm:
-    def test_validate(self):
-        data = MultiDict(
+    @pytest.mark.parametrize(
+        "data",
+        [
             {
                 "namespace": "some-owner",
                 "project": "some-repo",
                 "workflow_filepath": "subfolder/some-workflow.yml",
-            }
-        )
+            },
+            {
+                "namespace": "some-group/some-subgroup",
+                "project": "some-repo",
+                "workflow_filepath": "subfolder/some-workflow.yml",
+            },
+        ],
+    )
+    def test_validate(self, data):
         form = gitlab.GitLabPublisherForm(MultiDict(data))
 
         # We're testing only the basic validation here.
@@ -76,6 +84,11 @@ def test_validate(self):
                 "project": "some",
                 "workflow_filepath": "some",
             },
+            {
+                "namespace": "/start_with_slash",
+                "project": "some",
+                "workflow_filepath": "some",
+            },
             {
                 "namespace": "some",
                 "project": "invalid space",

warehouse/oidc/forms/gitlab.py

@@ -20,7 +20,7 @@
 
 # https://docs.gitlab.com/ee/user/reserved_names.html#limitations-on-project-and-group-names
 _VALID_GITLAB_PROJECT = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-_.]*$")
-_VALID_GITLAB_NAMESPACE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-_.]*$")
+_VALID_GITLAB_NAMESPACE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-_./]*$")
 _VALID_GITLAB_ENVIRONMENT = re.compile(r"^[a-zA-Z0-9\-_/${} ]+$")