[Backend] Create audit logs when an MR is bypassed by source branch exceptions

Why are we doing this work

Organizations using GitLab's Merge Request Approval Policies often need to bypass approval requirements for specific source-to-target branch combinations (e.g., release branches merging to main) to support operational workflows and avoid approval deadlocks. To maintain security governance and compliance, it is essential to create audit logs whenever a merge request is exempted from approval due to these branch exceptions. This ensures all bypasses are traceable and auditable, supporting both operational flexibility and regulatory requirements.

As a part of this issue, we want to add audit logs when an MR is bypassed by source branch exceptions.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  • MR 1: Backend - Audit log creation for branch exception bypass
    • backend: Update the merge request approval policy logic to detect when a branch exception is applied.
    • backend: Create an audit log entry with details of the merge request, source and target branches, user, and policy when a bypass occurs.
    • backend: Ensure audit logs are accessible via the existing audit log UI.
    • backend: Add tests to verify audit log creation for branch exception bypasses.

Verification steps

  1. Configure a merge request approval policy with a branch exception (e.g., source: release/*, target: main).
  2. Create a merge request that matches the branch exception.
  3. Verify that an audit log entry is created with the correct details (MR, source/target branch, user, policy).
  4. Check the audit log UI to ensure the entry is present and accurate.
  5. Repeat with a merge request that does not match the exception and confirm no bypass audit log is created.
Edited by 🤖 GitLab Bot 🤖
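
The bypass detection and audit entry described in the implementation plan, exercised against the cases in the verification steps, as an added sketch in plain Ruby that is not GitLab's code. The struct names, event name, hash fields and glob semantics are assumptions, and the sample policy and merge requests are constructed.

```ruby
require 'time'

# Hypothetical shapes for this sketch; none of these names are GitLab's own.
MergeRequest = Struct.new(:iid, :source_branch, :target_branch, :author, keyword_init: true)
Policy = Struct.new(:name, :branch_exceptions, keyword_init: true)

# A branch exception is a source/target pattern pair, e.g. release/* -> main.
# File.fnmatch is called without FNM_PATHNAME, so '*' also matches '/' and
# release/* covers release/1.2/hotfix (an assumption of this sketch).
def matching_exception(policy, mr)
  policy.branch_exceptions.find do |ex|
    File.fnmatch(ex[:source], mr.source_branch) &&
      File.fnmatch(ex[:target], mr.target_branch)
  end
end

# Returns an audit event hash when the MR is exempted by a branch exception,
# or nil when no exception applies, so no bypass entry is written.
def bypass_audit_event(policy, mr, now: Time.now.utc)
  exception = matching_exception(policy, mr)
  return nil unless exception

  {
    event: 'merge_request_branch_exception_bypass', # constructed event name
    merge_request_iid: mr.iid,
    source_branch: mr.source_branch,
    target_branch: mr.target_branch,
    user: mr.author,
    policy: policy.name,
    matched_exception: exception, # records which pattern pair allowed the bypass
    created_at: now.iso8601
  }
end

# Constructed sample data mirroring the verification steps.
POLICY = Policy.new(
  name: 'Require security approval',
  branch_exceptions: [{ source: 'release/*', target: 'main' }]
)
RELEASE_MR = MergeRequest.new(iid: 1, source_branch: 'release/17.0', target_branch: 'main', author: 'alice')
FEATURE_MR = MergeRequest.new(iid: 2, source_branch: 'feature/login', target_branch: 'main', author: 'bob')

if __FILE__ == $PROGRAM_NAME
  [RELEASE_MR, FEATURE_MR].each { |mr| p bypass_audit_event(POLICY, mr) }
end
```

Recording the matched pattern pair alongside the policy name lets a reviewer see which exception produced a bypass without re-evaluating the policy as it stood at merge time.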