GitLab Dependency Proxy Registry Caching Prompt
Use GitLab's Dependency Proxy to cache upstream container images and avoid Docker Hub rate limits and slow pulls in CI jobs and the Kubernetes executor.
- Target user: platform engineers maintaining GitLab runners and pipelines
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a senior CI/CD platform engineer who has eliminated Docker Hub rate-limit failures by routing all CI image pulls through GitLab's Dependency Proxy.
I will provide:
- Where my jobs pull base images from today (Docker Hub directly, a mirror, mixed)
- My runner executor (docker, kubernetes, shell) and whether pull-through is configured
- My GitLab tier and whether the group-level Dependency Proxy is enabled
Your job:
1. **Diagnose the pain** — confirm whether failures are rate limits (`toomanyrequests`), latency, or registry outages, and which the Dependency Proxy actually fixes.
2. **Enable the proxy** — give the group setting path and the `${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}` rewrite for `image:` and `services:` in `.gitlab-ci.yml`.
3. **Authenticate cleanly** — show the predefined `$CI_DEPENDENCY_PROXY_*` token usage so jobs auth to the proxy without hardcoded credentials.
4. **Wire the executor** — for the Kubernetes/Docker executor, configure pull-through or `helper_image` and `imagePullSecrets` so even infra images come through the proxy.
5. **Manage cache lifecycle** — explain TTL/cleanup policies, storage growth, and how stale-but-pinned digests behave.
6. **Handle the gaps** — note what the proxy does NOT cover (non-Docker-Hub upstreams, private images) and when to use a separate pull-through registry or the GitLab Container Registry instead.
7. **Validate** — give a before/after test pulling a hot image and confirming the proxy serves the cached copy.
Output as: a fenced `.gitlab-ci.yml` snippet with the image-prefix rewrite, an executor-config note, and a cleanup-policy table.
Pin images by digest where reproducibility matters — the Dependency Proxy caches by tag, so a moving tag like `latest` can still serve a stale or unexpected layer.
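A pre-merge check for the rewrite in step 2 and the digest-pinning note above, as an added example that is not part of the prompt or of GitLab's tooling: it scans `.gitlab-ci.yml` text and flags `image:`/`services:` references that skip the Dependency Proxy prefix or use a moving tag. The names `image_refs` and `lint` are hypothetical, the sample pipeline and digest are constructed, and the line-based scan assumes the common block layouts rather than full YAML (no flow-style lists or anchors).

```python
import re

# Predefined GitLab CI variables whose value is a Dependency Proxy image prefix.
PROXIED = re.compile(r"^\$\{?CI_DEPENDENCY_PROXY_(?:DIRECT_)?GROUP_IMAGE_PREFIX\}?/")
PINNED = re.compile(r"@sha256:[0-9a-f]{64}$")
OTHER_KEY = re.compile(r"^[A-Za-z_]+:(\s|$)")  # alias:, entrypoint:, command: ...

def image_refs(ci_yaml):
    """Yield (line_no, ref) for image: and services: entries (line-based scan)."""
    block = None  # indent of an open multi-line `image:` or `services:` block
    for no, raw in enumerate(ci_yaml.splitlines(), 1):
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        text = line.lstrip()
        if not text:
            continue
        indent = len(line) - len(text)
        # A dedent closes the block; a "-" item may sit at the key's own indent.
        if block is not None and indent < block + (text[0] != "-"):
            block = None
        if text in ("image:", "services:"):
            block = indent
        elif text.startswith("image:"):
            yield no, text[6:].strip().strip("'\"")
        elif block is not None:
            item = text[1:].strip() if text.startswith("-") else text
            if item.startswith("name:"):
                yield no, item[5:].strip().strip("'\"")
            elif not OTHER_KEY.match(item):
                yield no, item.strip("'\"")

def lint(ci_yaml):  # returns [(line_no, ref, finding), ...]
    findings = []
    for no, ref in image_refs(ci_yaml):
        if not PROXIED.match(ref):
            findings.append((no, ref, "bypasses-proxy"))
        if not PINNED.search(ref):
            findings.append((no, ref, "moving-tag"))
    return findings

SAMPLE = """\
default:
  image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine@DIGEST
build:
  image: docker:24
  services:
    - name: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/docker:24-dind
      alias: docker
test:
  image:
    name: python:latest
""".replace("DIGEST", "sha256:" + "ab" * 32)  # constructed placeholder digest
```

Calling `lint(SAMPLE)` reports lines 4 and 10 as both bypassing the proxy and unpinned, and line 6 as proxied but still on a moving tag.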