Approval rules approvers are not updated for multiple merge requests when project members are updated
Summary
When new users are added to a group or project and are listed as user approvers in a merge request approval policy, they are not added as approvers to all merge requests in the project.
`Security::ScanResultPolicies::AddApproversToRulesService` is called whenever new members are added to a project or group. It checks whether the newly added users are listed in the MR approval policy as approvers in `user_approvers` or `user_approvers_ids`. If they are, the users are added to the project approval rules and the merge request approval rules. If a project has multiple merge requests, only the last merge request's approval rule is updated; the others are ignored.
Steps to reproduce
- Create a group
- In the group, create multiple projects
- In the group, go to Policies and create a new scan result policy. Example YAML:

  ```yaml
  type: approval_policy
  name: Security
  description: ''
  enabled: true
  policy_scope:
    compliance_frameworks: []
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 1
        - 4 # User to test with
  ```

- In the project, create multiple MRs by updating README
- Notice the required approvals
- Add the user referenced in the policy as a group member with a developer role
- Verify that the user is added as an approver in all the MRs to the correct rules (rules where they are referenced as approvers)
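One way to run the final verification step across every merge request at once, as an added example that is not part of the original issue or GitLab's own code: the Ruby below takes each MR's approval rules and reports the MRs whose policy rule lacks an expected approver. The sample data is constructed to mirror the reported behaviour; the helper name `missing_policy_approvers` and matching the policy rule by `name` plus `rule_type` are assumptions.

```ruby
require 'json'

# Constructed sample data (not from the issue): approval rules for three open
# MRs, shaped like the merge request approval rules API response.
# Only the last MR has picked up user 4, which is what the issue reports.
SAMPLE_RULES_BY_MR = JSON.parse(<<~JSON)
  {
    "1": [{"name": "Security", "rule_type": "report_approver", "users": [{"id": 1}]}],
    "2": [{"name": "Security", "rule_type": "report_approver", "users": [{"id": 1}]},
          {"name": "Docs", "rule_type": "regular", "users": [{"id": 7}]}],
    "3": [{"name": "Security", "rule_type": "report_approver",
           "users": [{"id": 1}, {"id": 4}]}]
  }
JSON

# Returns { mr_iid => [missing user ids] } for every MR where a rule created
# from the policy lacks an expected approver. Each matching rule is checked on
# its own, so a user present in one policy rule cannot hide a gap in another.
# Assumption: policy rules are identified by policy name and rule_type.
def missing_policy_approvers(rules_by_mr, policy_name:, expected_user_ids:)
  rules_by_mr.each_with_object({}) do |(iid, rules), gaps|
    policy_rules = rules.select do |rule|
      rule['name'] == policy_name && rule['rule_type'] == 'report_approver'
    end

    missing =
      if policy_rules.empty?
        # No policy rule on this MR at all: every expected approver is missing.
        expected_user_ids
      else
        policy_rules.flat_map do |rule|
          expected_user_ids - rule.fetch('users', []).map { |user| user['id'] }
        end.uniq
      end

    gaps[iid.to_i] = missing unless missing.empty?
  end
end

# Stand-alone run over the constructed data, using the ids from the example YAML.
report = missing_policy_approvers(SAMPLE_RULES_BY_MR,
                                  policy_name: 'Security',
                                  expected_user_ids: [1, 4])
report.each { |iid, ids| puts "MR !#{iid}: missing approver ids #{ids.join(', ')}" }
```

An empty result means every MR carries the policy's approvers; any entry is an MR that can still be merged without approval from a user the policy names.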