
Changes to Linked Security Policy Project are not Audited

Summary

When a project owner changes the linked Security Policy Project (links or unlinks it), no entry is generated in the Audit Log. This is a gap because a Project Owner can unlink the policy project, which stops every policy it enforces from applying, and re-link it afterwards without leaving any record of the change.


Implementation Plan

  • backend: Create a new audit event type (policy_project_updated) following the documentation
  • backend: Update ee/app/services/security/orchestration/assign_service.rb and ee/app/services/security/orchestration/unassign_service.rb to push the audit payload, together with a message, whenever a policy project is assigned or unassigned.

Reference implementation:

Draft: Audit policy project changes (!101817 - closed) can be used as a reference.
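The fix described in the plan, as an added example in plain Ruby (not GitLab's own code and not the draft MR above): the current unaudited path and the audited path run side by side on the disable-and-re-enable scenario from the summary. The `AuditLog` class is a stand-in for `::Gitlab::Audit::Auditor.audit`, the Structs stand in for the Project and User models, the `AUDIT_EVENT_TYPES` hash stands in for the per-type event definition the plan says to create, and the service classes stand in for `Security::Orchestration::AssignService` / `UnassignService` (GitLab keeps those as two services; here one class treats a nil policy project as "unassign"). All of these are assumptions for illustration, as is the sample data.

```ruby
# Added example, not GitLab's code: the fix from the implementation plan
# modelled in plain Ruby so the unaudited and audited paths run side by side.
# Assumptions: AuditLog stands in for ::Gitlab::Audit::Auditor.audit, the
# Structs for the Project and User models, and the service classes for
# Security::Orchestration::AssignService / UnassignService (which GitLab keeps
# as two services; here one class handles nil as "unassign").

# Stand-in for registering the new event type (in GitLab each type has its own
# definition file; only the name is needed for this example).
AUDIT_EVENT_TYPES = {
  'policy_project_updated' => 'Security policy project linked to or unlinked from a project'
}.freeze

Project = Struct.new(:id, :full_path, :security_policy_project_id)
User    = Struct.new(:id, :username)

# Minimal in-memory audit sink. It refuses unregistered event types and only
# records an entry after the block that performs the change has succeeded.
class AuditLog
  attr_reader :events

  def initialize
    @events = []
  end

  def audit(name:, author:, scope:, message:, additional_details: {})
    raise ArgumentError, "unregistered audit event type: #{name}" unless AUDIT_EVENT_TYPES.key?(name)

    result = yield
    @events << {
      name: name,
      author: author.username,
      scope: scope.full_path,
      message: message,
      details: additional_details
    }
    result
  end
end

# Current behaviour: the link changes and nothing is written to the audit log.
class LegacyAssignService
  def initialize(container, policy_project_id, _current_user, _audit_log)
    @container = container
    @policy_project_id = policy_project_id
  end

  def execute
    @container.security_policy_project_id = @policy_project_id
    { status: :success }
  end
end

# Fixed behaviour: the same change runs inside an audit event that records who
# changed the link, on which project, and the previous and new policy project.
class AuditedAssignService
  def initialize(container, policy_project_id, current_user, audit_log)
    @container = container
    @policy_project_id = policy_project_id
    @current_user = current_user
    @audit_log = audit_log
  end

  def execute
    previous = @container.security_policy_project_id
    action = @policy_project_id.nil? ? 'unassign' : 'assign'

    @audit_log.audit(
      name: 'policy_project_updated',
      author: @current_user,
      scope: @container,
      message: "Security policy project changed: #{previous.inspect} -> #{@policy_project_id.inspect}",
      additional_details: {
        action: action,
        previous_policy_project_id: previous,
        new_policy_project_id: @policy_project_id
      }
    ) do
      @container.security_policy_project_id = @policy_project_id
    end

    { status: :success }
  end
end

# The scenario from the summary: an owner unlinks the policy project (its
# policies stop applying) and re-links it. Returns the audit entries left
# behind by the given service class. Constructed sample data, not real records.
def disable_and_reenable(service_class)
  owner   = User.new(1, 'owner')
  project = Project.new(10, 'group/app', 42)
  log     = AuditLog.new

  service_class.new(project, nil, owner, log).execute
  service_class.new(project, 42, owner, log).execute
  log.events
end

puts "legacy:  #{disable_and_reenable(LegacyAssignService).size} audit entries"
puts "audited: #{disable_and_reenable(AuditedAssignService).size} audit entries"
```

The legacy path leaves zero entries for the unlink/re-link pair; the audited path leaves two, each naming the author, the project and the previous and new policy project ids, which is exactly the record the summary says is missing. Recording the previous id in `additional_details` matters: without it an auditor can see that something changed but not that policies were switched off in between.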

Edited by Sashi Kumar Kumaresan