Account for configured Scan Execution Policies when scan is missing in Merge Request Approval Policies

Why are we doing this work

In the scope of this issue, we would like to modify the logic in Merge Request Approval Policies so that it accounts for Scan Execution Policies that are configured, enabled, and in scope. When a scan is missing in the target branch but that scan is defined in such a Scan Execution Policy, approval should not be required.

This issue covers the implementation changes needed to make this behaviour available to users.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

Verification steps

  1. Create a (sub-)group
  2. Enable feature flag unblock_rules_using_execution_policies (group actor)
  3. Create a scan execution policy enforcing dependency_scanning for all branches
  4. Create a MR approval policy requiring approvals for dependency_scanning. Enable the new setting "Make approvals optional using scan execution policies".
  5. Create a project in the group
  6. Update README
  7. Verify that the policy rule is not blocking the MR although the scan didn't run (the MR may initially be created as blocked; make sure to refresh).
  8. BONUS: Changes to the policy should also be unblocked automatically.
  9. Disable the new policy setting
  10. Verify that the policy rule is blocking the MR again.
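The two policies the verification steps create, written out as a security policy project `policy.yml`. This is an added example and not part of the issue; it assumes the setting "Make approvals optional using scan execution policies" is expressed in YAML as `policy_tuning.unblock_rules_using_execution_policies`, mirroring the feature flag name from step 2, and uses placeholder policy names and an example role approver.

```yaml
# Constructed example policy.yml for a group-level security policy project.
# Step 3: enforce dependency_scanning on every branch via a scan execution policy.
scan_execution_policy:
  - name: Enforce dependency scanning            # placeholder name
    description: Runs dependency_scanning on all branches
    enabled: true
    rules:
      - type: pipeline
        branches:
          - "*"                                  # all branches
    actions:
      - scan: dependency_scanning

# Step 4: require approval when dependency_scanning findings (or the scan itself) are missing.
approval_policy:
  - name: Require approval for dependency findings   # placeholder name
    description: Blocks MRs with new high/critical dependency findings
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - dependency_scanning
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
          - high
        vulnerability_states:
          - new_needs_triage
          - new_dismissed
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - maintainer                           # example approver; adjust for your group
    # Assumed YAML form of the new setting from step 4. With it set to true,
    # a missing dependency_scanning job no longer forces approval as long as the
    # scan execution policy above is enabled and in scope for the project.
    # Set it to false (step 9) and the rule blocks the MR again (step 10).
    policy_tuning:
      unblock_rules_using_execution_policies: true
```

When walking through steps 7 to 10, toggling only `unblock_rules_using_execution_policies` between `true` and `false` isolates the new behaviour: the scan execution policy stays enforced either way, so the only variable is whether the approval rule treats the policy-enforced scan as present.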
Edited by Martin Cavoj