Add claims to JWT token to differentiate Merge Train pipelines
Description of the issue
It is currently not possible for a vault role to distinguish merge trains from the remaining merge request pipelines via JWT claims. This makes it impossible to run sensitive validations as part of merge trains, without allowing developers to run them before merge requests are approved.
See this comment for more details: #231531 (comment 2772809082)
What are the potential solutions?
- Enabling certain merge trains to run as protected pipelines (enabling usage of the ref_protected bound claim). More complex solution, as it likely includes changes to configuration UIs.
- Adding further information to the JWT claims, including the merge_request_event_type and the target branch of the pipeline. Requires developers to configure custom Vault roles for this use case.
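As an added example (not code from the issue or from GitLab or Vault), the Python below models how a Vault JWT auth role's bound_claims are evaluated against a GitLab CI ID token, and shows the difference between the two options above. The constructed sample tokens use existing GitLab ID-token claim names (project_path, pipeline_source, ref, ref_type, ref_protected, aud), except merge_request_event_type and merge_request_target_branch, which are assumed names standing in for the claims proposed in the second option. The project path, branch names, audience and the bound_claims matching logic are constructed for the example.

```python
"""Vault-style bound_claims matching against GitLab CI ID-token claims.

Constructed example: models how a Vault JWT auth role decides whether a
GitLab CI job's ID token is acceptable, based on the role's bound_claims.
"""
from fnmatch import fnmatchcase
from typing import Any, Mapping

# Constructed ID-token claims for a merge request pipeline that runs before
# the MR is approved. Claim names are existing GitLab ID-token claims; the
# values are made up for this example.
MR_PIPELINE_CLAIMS: dict[str, Any] = {
    "project_path": "example-group/example-project",
    "pipeline_source": "merge_request_event",
    "ref": "feature/unreviewed-change",
    "ref_type": "branch",
    "ref_protected": "false",
    "aud": "https://vault.example.com",
}

# A merge train pipeline for the same MR. As the issue states, today's claims
# do not separate it from the pre-approval pipeline, so the constructed token
# is identical: same source branch, same pipeline source, same ref_protected.
MERGE_TRAIN_CLAIMS: dict[str, Any] = dict(MR_PIPELINE_CLAIMS)

# Option 2 from the issue, with hypothetical claim names (not GitLab's):
# expose the merge request event type and the target branch in the token.
MR_PIPELINE_CLAIMS_PROPOSED = {
    **MR_PIPELINE_CLAIMS,
    "merge_request_event_type": "detached",      # hypothetical claim name
    "merge_request_target_branch": "main",       # hypothetical claim name
}
MERGE_TRAIN_CLAIMS_PROPOSED = {
    **MR_PIPELINE_CLAIMS,
    "merge_request_event_type": "merge_train",   # hypothetical claim name
    "merge_request_target_branch": "main",       # hypothetical claim name
}


def bound_claims_match(claims: Mapping[str, Any],
                       bound_claims: Mapping[str, Any],
                       glob: bool = False) -> bool:
    """Return True if every bound claim is present in the token and matches.

    Mirrors Vault's JWT role semantics: each bound_claims entry may be one
    value or a list of acceptable values; with bound_claims_type="glob" the
    comparison is a glob match instead of string equality. A missing claim
    never matches, so a role cannot be satisfied by an older token format.
    """
    for name, expected in bound_claims.items():
        if name not in claims:
            return False
        actual = str(claims[name])
        allowed = expected if isinstance(expected, list) else [expected]
        if glob:
            ok = any(fnmatchcase(actual, str(pattern)) for pattern in allowed)
        else:
            ok = any(actual == str(value) for value in allowed)
        if not ok:
            return False
    return True


# Role a team can write today: binds on project and pipeline source only, so
# it admits the pre-approval MR pipeline and the merge train alike.
ROLE_TODAY = {
    "project_path": "example-group/example-project",
    "pipeline_source": "merge_request_event",
}

# Option 1 from the issue: bind on ref_protected. Rejects both pipelines as
# long as merge trains are not run as protected pipelines.
ROLE_PROTECTED_ONLY = {
    "project_path": "example-group/example-project",
    "ref_protected": "true",
}

# Option 2 from the issue: bind on the hypothetical new claims so only a
# merge train targeting main can obtain the sensitive secrets.
ROLE_MERGE_TRAIN = {
    "project_path": "example-group/example-project",
    "merge_request_event_type": "merge_train",
    "merge_request_target_branch": "main",
}


def which_pipelines_pass(role: Mapping[str, Any],
                         candidates: Mapping[str, Mapping[str, Any]]) -> list[str]:
    """Names of the candidate token claim sets the role would accept."""
    return [name for name, claims in candidates.items()
            if bound_claims_match(claims, role)]


if __name__ == "__main__":
    current = {"mr_pipeline": MR_PIPELINE_CLAIMS, "merge_train": MERGE_TRAIN_CLAIMS}
    proposed = {"mr_pipeline": MR_PIPELINE_CLAIMS_PROPOSED,
                "merge_train": MERGE_TRAIN_CLAIMS_PROPOSED}
    print("role today:", which_pipelines_pass(ROLE_TODAY, current))
    print("ref_protected role:", which_pipelines_pass(ROLE_PROTECTED_ONLY, current))
    print("merge-train role:", which_pipelines_pass(ROLE_MERGE_TRAIN, proposed))
```

With today's claims the only role that keeps secrets away from unapproved MR pipelines (ROLE_PROTECTED_ONLY) also locks out merge trains, which is the gap the issue describes; the ROLE_MERGE_TRAIN role only works once the token carries the additional claims, and because a missing claim never matches, a token from a GitLab version without them is rejected rather than silently accepted.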
Edited by 🤖 GitLab Bot 🤖