Improve GitLab Trusted Publisher project/namespace validation during creation

[facutuesca]

As discussed in this thread, creating a GitLab trusted publisher validates the input fields (like the namespace and project) against some simple regexes:

warehouse/warehouse/oidc/forms/gitlab.py

Lines 21 to 24 in 1036b14

	# https://docs.gitlab.com/ee/user/reserved_names.html#limitations-on-project-and-group-names
	_VALID_GITLAB_PROJECT = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-_.]*$")
	_VALID_GITLAB_NAMESPACE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-_./]*$")
	_VALID_GITLAB_ENVIRONMENT = re.compile(r"^[a-zA-Z0-9\-_/${} ]+$")

These regexes are too permissive: they accept all valid inputs, but don't fail on all invalid inputs. Looking at the GitLab docs, here is a few invalid cases which we don't detect:

• Must not contain consecutive special characters.
• Cannot start or end with a special character.
• Cannot end in .git or .atom.

There are also reserved group, subgroup and project names which we don't detect.

Currently, accepting these invalid inputs does not have security consequences (it only means that the created trusted publisher will never work, since no GitLab project/namespace with that name will exist), but making the validation more accurate would be a UX improvement, preventing users from creating incorrect trusted publishers.

cc @di @woodruffw