CI: use Dependency Proxy when available

This sets up CI to allow the use of the GitLab Dependency Proxy which
caches images pulled from DockerHub, in order to bypass rate-limiting.

The DOCKER_REGISTRY_URL variable is set dynamically by the
check_dependency_proxy_access job defined in dependency_proxy.yml such
that only pipelines triggered by users with the requisite access will be
configured to use the proxy, while all others will continue to pull from
DockerHub as before.

When DOCKER_REGISTRY_URL is pre-set in a project's CI/CD variable
settings, the extra job is skipped and the dependency proxy is used
always, unconditionally.

To avoid breaking CI pipelines on 3rd-party GitLab instances, we only
include the dependency proxy template on gitlab.tpo

See: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40335

.gitlab-ci.yml

@@ -1,3 +1,10 @@
+include:
+  - project: tpo/tpa/ci-templates
+    file: [ dependency_proxy.yml ]
+    inputs: { namespace: tpo/anti-censorship }
+    rules:
+      - if: $CI_PROJECT_URL =~ /gitlab.torproject.org/
+
 stages:
   - test
   - deploy
@@ -9,6 +16,9 @@ variables:
   DEBIAN_OLD_STABLE: buster
   DEBIAN_STABLE: bullseye
   REPRODUCIBLE_FLAGS: -trimpath -ldflags=-buildid=
+  # Don't fail pulling images if dependency_proxy.yml is not included
+  DOCKER_REGISTRY_URL: "docker.io"
+
 
 # set up apt for automated use
 .apt-template: &apt-template
@@ -92,7 +102,7 @@ variables:
 # -- jobs ------------------------------------------------------------
 
 android:
-  image: containers.torproject.org/tpo/anti-censorship/duplicatedcontainerimages:golang-1.23-$DEBIAN_STABLE
+  image: ${DOCKER_REGISTRY_URL}/golang:1.23-$DEBIAN_STABLE
   variables:
     ANDROID_HOME: /usr/lib/android-sdk
     LANG: C.UTF-8
@@ -143,28 +153,28 @@ android:
     - gomobile bind -v -target=android $REPRODUCIBLE_FLAGS .
 
 go-1.21:
-  image: containers.torproject.org/tpo/anti-censorship/duplicatedcontainerimages:golang-1.21-$DEBIAN_STABLE
+  image: ${DOCKER_REGISTRY_URL}/golang:1.21-$DEBIAN_STABLE
   <<: *golang-docker-debian-template
   <<: *test-template
   script:
     - *go-test
 
 go-1.23:
-  image: containers.torproject.org/tpo/anti-censorship/duplicatedcontainerimages:golang-1.23-$DEBIAN_STABLE
+  image: ${DOCKER_REGISTRY_URL}/golang:1.23-$DEBIAN_STABLE
   <<: *golang-docker-debian-template
   <<: *test-template
   script:
     - *go-test
 
 debian-testing:
-  image: debian:testing
+  image: containers.torproject.org/tpo/tpa/base-images/debian:testing
   <<: *debian-native-template
   <<: *test-template
   script:
     - *go-test
 
 shadow-integration:
-  image: containers.torproject.org/tpo/anti-censorship/duplicatedcontainerimages:golang-1.21-$DEBIAN_STABLE
+  image: ${DOCKER_REGISTRY_URL}/golang:1.21-$DEBIAN_STABLE
   variables:
     SHADOW_VERSION: "193924aae0dab30ffda0abe29467f552949849fa"
     TGEN_VERSION: "v1.1.2"
@@ -253,7 +263,7 @@ shadow-integration:
 
 generate_tarball:
   stage: deploy
-  image: golang:1.21-$DEBIAN_STABLE
+  image: ${DOCKER_REGISTRY_URL}/golang:1.21-$DEBIAN_STABLE
   rules:
     - if: $CI_COMMIT_TAG
   script:
@@ -323,7 +333,7 @@ merge-manifests:
     - job: build-container
       artifacts: false
   image:
-      name: containers.torproject.org/tpo/anti-censorship/duplicatedcontainerimages:mplatform-manifest-tool-alpine
+      name: ${DOCKER_REGISTRY_URL}/mplatform/manifest-tool:alpine
       entrypoint: [""]
   script:
     - if [ $CI_COMMIT_REF_NAME == "main" ]; then export TAG='nightly'; fi