fix: use proper URL parsing for GitHub API domain

[mprpic]

Pull Request Description

What

Replace substring check with urlparse hostname comparison to prevent potential bypass via crafted URLs. Resolves CodeQL alert py/incomplete-url-substring-sanitization (CWE-20):

https://github.com/python-wheel-build/fromager/security/code-scanning/1

Why

Resolves https://github.com/python-wheel-build/fromager/security/code-scanning/1 while still being a minimal, unobtrusive change.

• PR follows CONTRIBUTING.md guidelines

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5d644470-e314-4f02-ab9b-06f1204ea59d

📥 Commits

Reviewing files that changed from the base of the PR and between 7c6324a and 22be37f.

📒 Files selected for processing (1)

• src/fromager/http_retry.py

✅ Files skipped from review due to trivial changes (1)

• src/fromager/http_retry.py

---

📝 Walkthrough

Walkthrough

Added an import from urllib.parse and changed GitHub rate-limit detection in RetryHTTPAdapter.send to parse the request URL and compare its hostname to "api.github.com" (using urlparse(request.url).hostname == "api.github.com") instead of using a substring check. This narrows which 403 responses are classified as GitHub rate limiting.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: use proper URL parsing for GitHub API domain' accurately and specifically describes the main change—replacing a substring check with urlparse hostname comparison for GitHub API validation.
Description check	✅ Passed	The description is directly relevant, explaining the security fix (CodeQL alert py/incomplete-url-substring-sanitization) and referencing the specific issue being resolved.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[rd4398]

LGTM

[LalatenduMohanty]

@mergify rebase

[mergify]

Deprecation notice: This pull request comes from a fork and was rebased using bot_account impersonation. This capability will be removed on July 1, 2026. After this date, the rebase action will no longer be able to rebase fork pull requests with this configuration. Please switch to the update action/command to ensure compatibility going forward.

[mergify]

rebase

✅ Branch has been successfully rebased

[mprpic]

@mergify rebase

@LalatenduMohanty Why run this before every merge? (also it seems this behavior will be deprecated in a few months; see above)