Validate the sha when merging all the way down

What does this MR do?

This makes sure we validate the sha that was seen in the browser all the way down to the merge service.

If it differs from the MergeRequest#diff_head_sha just before the merge, we will raise an error. We do this by including the SHA in the merge params, similar to how we do it for the AutoMergeServices.

This is part of #27824 (closed)

Does this MR meet the acceptance criteria?

Conformity

• [-] Changelog entry: Should be included when removing the feature flag
• [-] Documentation (if required)
• Code review guidelines
• Merge request performance guidelines
• Style guides
• Database guides
• Separation of EE specific content

Availability and Testing

• Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
• Tested in all supported browsers