2025-11-03: CreateWarnModeApprovalAuditEventService is creating policy bot users on MR approval for all projects

CreateWarnModeApprovalAuditEventService is creating policy bot users on MR approval for all projects (Severity 3 (Medium))

In gitlab-org/gitlab!210351 (merged) we shipped a worker that creates audit events for a security policy feature. The audit events are attributed to a bot user, which the worker creates when one is absent. However, the service the worker calls does not check whether the feature is available, so we are now creating a large number of security policy bots across all projects. This also shows up as Exclusive Leases being unobtainable, because policy bot creation takes one: https://log.gprd.gitlab.net/app/discover#/?_g=h@9c1de8a&_a=h@6334b9e

We need to put Security::ScanResultPolicies::CreateWarnModeApprovalAuditEventsWorker on hold.
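The following Ruby simulation is an added example and not GitLab's code; it models the failure mode this incident describes. All class and method names (the service, the lease counter, the `warn_mode_enabled` flag on the project) are constructed for the example and are not the project's own identifiers. It runs the same audit-event service over 100 constructed projects, of which only 4 have the feature enabled, once without a feature-availability check and once with it, and reports how many policy bots were created and how many exclusive leases were taken.

```ruby
# Added example (not GitLab's code). Models an audit-event service whose
# bot-creation side effect runs for every project unless it is gated on
# feature availability. All names here are constructed for illustration.

Project = Struct.new(:id, :warn_mode_enabled, :policy_bot)

# Stand-in for an exclusive lease that only counts acquisitions, so the
# cost of the side effect (one lease per bot creation) is visible.
class LeaseCounter
  attr_reader :acquired

  def initialize
    @acquired = 0
  end

  def try_obtain(_key)
    @acquired += 1
    yield
  end
end

class WarnModeApprovalAuditEventService
  attr_reader :audit_events

  def initialize(lease:, gate_on_feature:)
    @lease = lease
    @gate_on_feature = gate_on_feature
    @audit_events = []
  end

  # Returns :skipped when gating is on and the feature is unavailable for
  # the project; otherwise attributes an audit event to the policy bot.
  def execute(project)
    return :skipped if @gate_on_feature && !project.warn_mode_enabled

    author = ensure_policy_bot(project)
    @audit_events << { project_id: project.id, author: author }
    :created
  end

  private

  # Idempotent: reuse an existing bot. Creation takes an exclusive lease
  # keyed by project, which is the lease the incident saw become contended.
  def ensure_policy_bot(project)
    return project.policy_bot if project.policy_bot

    @lease.try_obtain("policy_bot:#{project.id}") do
      project.policy_bot ||= "policy_bot_#{project.id}"
    end
  end
end

# Runs the service over 100 constructed projects; every 25th one has the
# feature enabled (4 projects in total).
def run_simulation(gate_on_feature:)
  projects = (1..100).map { |i| Project.new(i, (i % 25).zero?, nil) }
  lease = LeaseCounter.new
  service = WarnModeApprovalAuditEventService.new(lease: lease, gate_on_feature: gate_on_feature)
  results = projects.map { |p| service.execute(p) }

  {
    bots_created: projects.count(&:policy_bot),
    leases_taken: lease.acquired,
    skipped: results.count(:skipped)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "ungated: #{run_simulation(gate_on_feature: false)}"
  puts "gated:   #{run_simulation(gate_on_feature: true)}"
end
```

The ungated run creates a bot and takes a lease for all 100 projects; the gated run touches only the 4 projects where the feature is enabled and skips the other 96. The point of the simulation is that the availability check belongs in the service that performs the side effect, not only in whatever enqueues the worker, since the worker fires on every MR approval regardless of the project's feature set.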
This ticket was created to track INC-5433, by incident.io 🔥