Implement audit trails for bypassed security policies in warn mode

Why are we doing this work

We need to implement comprehensive audit trails when security policies are bypassed in warn mode. When policies are set to warn mode, merge requests can proceed despite violations, but we need proper audit records of these events for compliance and security governance. This ensures organizations can track when and why security policies were bypassed, who approved the bypass, and maintain proper compliance records.

This issue focuses specifically on the audit event implementation for warn mode policy violations, while the mergeability checks are handled in #561888.

Relevant links

• Epic: &15552
• Related issue: #561888 (Mergeability checks)
• Service dependency: #561887 (closed)
• Infrastructure dependency: #561886 (closed)
• Schema dependency: #561885 (closed)

Implementation

Audit event implementation

• Create new audit event types for warn mode policy violations
• Implement audit event generation when:
  • A merge request with warn mode policy violations is merged
  • A policy violation is dismissed
  • A policy mode is changed from enforce to warn
• Include relevant metadata in audit events:
  • User who performed the action
  • Policy that was bypassed
  • Merge request details
  • Timestamp
  • Dismissal reason (if applicable)

Technical notes

• Follow the Audit Event Development Guide
• Implement using the Gitlab::Audit::Events framework
• Ensure proper streaming to the audit log destination
• Include appropriate context and metadata for compliance reporting
• Ensure backward compatibility with existing audit event infrastructure
• Consider performance impact of additional audit event generation
• Implement proper error handling for audit event failures
• Add appropriate documentation for the new audit events

Validation Steps

• Audit events are generated when warn mode policy violations are bypassed
• Audit events contain all required metadata for compliance reporting
• Audit events are generated for all relevant actions (merge with dismissed policy)
• Events appear correctly in the audit log UI
• Events are properly formatted for export and reporting