Account for policy_scope in approval setting override audit events
What does this MR do and why?
Adds policy_scope support to warn mode audit events.
References
How to set up and validate locally
- Enable the feature flag: `echo "Feature.enable(:security_policy_approval_warn_mode)" | rails c`
- Configure instance-level audit event streaming. You can use a Cloud Run function, or alternatively persist the audit event locally for testing by applying this change:
diff --git a/config/audit_events/types/policy_warn_mode_approval_settings_overrides.yml b/config/audit_events/types/policy_warn_mode_approval_settings_overrides.yml
index 36c899830faa..7f8846903132 100644
--- a/config/audit_events/types/policy_warn_mode_approval_settings_overrides.yml
+++ b/config/audit_events/types/policy_warn_mode_approval_settings_overrides.yml
@@ -5,6 +5,6 @@ introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/563867
 introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/208969
 milestone: '18.6'
 feature_category: security_policy_management
-saved_to_database: false
+saved_to_database: true
 streamed: true
 scope: [Project]
- Create a new group
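Review bot: `saved_to_database: true` is a local-testing aid here, per the setup step above, not part of the change under review; make sure it is reverted before pushing so the committed definition stays stream-only (`streamed: true`, `saved_to_database: false`). If the event genuinely needs to be persisted, that belongs in the MR description and in this file as a reviewed change, not in a local setup step.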
- Create a contained project and note its ID
- On the group level, navigate to Secure > Policies and create the following merge request approval policy, substituting `<PROJECT_ID>`:

```yaml
approval_policy:
  - name: Warn Mode Out of Scope
    enabled: true
    enforcement_type: warn
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      require_password_to_approve: true
    policy_scope:
      projects:
        excluding:
          - id: <PROJECT_ID>
```

- Verify no audit event was streamed
- On the group level, navigate to Secure > Policies and create the following merge request approval policy, substituting `<PROJECT_ID>`:

```yaml
approval_policy:
  - name: Enforced Out of Scope
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      require_password_to_approve: true
    policy_scope:
      projects:
        excluding:
          - id: <PROJECT_ID>
```

- Verify no audit event was streamed
- On the group level, navigate to Secure > Policies and create the following merge request approval policy, substituting `<PROJECT_ID>`:

```yaml
approval_policy:
  - name: Warn Mode in Scope
    enabled: true
    enforcement_type: warn
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      require_password_to_approve: true
```

- Verify the following audit event was streamed: `A warn-mode security policy sets more restrictive merge request approval settings: Require user re-authentication (password or SAML) to approve`
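The three validation steps above form a small decision matrix: the audit event should stream only when the policy is in warn mode and the project is inside the policy scope. The Ruby below is an added example that models that decision so the expected outcome of each step can be checked offline; it is not GitLab's implementation. It assumes the documented `policy_scope.projects.including` / `excluding` semantics (a missing scope applies everywhere; `including` is an allow-list; `excluding` removes projects from an otherwise global scope), models only the `require_password_to_approve` setting named in this MR, and uses a constructed project id `42` in place of `<PROJECT_ID>`. The rules and actions are left out of the sample policies because they do not affect this decision.

```ruby
require 'yaml'

# Constructed stand-in for <PROJECT_ID>; any integer works.
PROJECT_ID = 42

# Audit event type name taken from the config path in the setup diff above.
AUDIT_EVENT_TYPE = 'policy_warn_mode_approval_settings_overrides'

# Setting keys the event reports as "more restrictive", mapped to the label used
# in the expected message (assumption: only the setting from this MR is modelled).
RESTRICTIVE_SETTING_LABELS = {
  'require_password_to_approve' => 'Require user re-authentication (password or SAML) to approve'
}.freeze

# The three policies from the validation steps, with <PROJECT_ID> substituted.
# Rules and actions are omitted; they do not influence scope or enforcement type.
POLICIES_YAML = <<~YAML
  approval_policy:
    - name: Warn Mode Out of Scope
      enabled: true
      enforcement_type: warn
      approval_settings:
        require_password_to_approve: true
      policy_scope:
        projects:
          excluding:
            - id: #{PROJECT_ID}
    - name: Enforced Out of Scope
      enabled: true
      approval_settings:
        require_password_to_approve: true
      policy_scope:
        projects:
          excluding:
            - id: #{PROJECT_ID}
    - name: Warn Mode in Scope
      enabled: true
      enforcement_type: warn
      approval_settings:
        require_password_to_approve: true
YAML

POLICIES = YAML.safe_load(POLICIES_YAML).fetch('approval_policy')

# Does the policy apply to the project? No policy_scope.projects means it applies
# everywhere; `including` lists the only projects covered; `excluding` removes
# projects from an otherwise global scope (assumed semantics, see lead-in).
def project_in_scope?(policy, project_id)
  projects = policy.dig('policy_scope', 'projects')
  return true if projects.nil?

  listed = ->(key) { Array(projects[key]).map { |entry| entry['id'] } }
  return listed.call('including').include?(project_id) if projects.key?('including')

  !listed.call('excluding').include?(project_id)
end

# Warn mode is an enabled policy with enforcement_type: warn; anything else is enforced.
def warn_mode?(policy)
  policy['enabled'] == true && policy['enforcement_type'] == 'warn'
end

# Labels of the restrictive approval settings this policy switches on.
def restrictive_setting_labels(policy)
  settings = policy['approval_settings'] || {}
  RESTRICTIVE_SETTING_LABELS.select { |key, _label| settings[key] == true }.values
end

# The audit event message expected for one policy, or nil when nothing should
# stream: enforced policies and policies whose scope excludes the project stay silent.
def expected_audit_message(policy, project_id)
  return nil unless warn_mode?(policy) && project_in_scope?(policy, project_id)

  labels = restrictive_setting_labels(policy)
  return nil if labels.empty?

  "A warn-mode security policy sets more restrictive merge request approval settings: #{labels.join(', ')}"
end

# Policy name => expected message (nil = no audit event) for the given project.
def expected_audit_events(policies, project_id)
  policies.to_h { |policy| [policy['name'], expected_audit_message(policy, project_id)] }
end

if $PROGRAM_NAME == __FILE__
  expected_audit_events(POLICIES, PROJECT_ID).each do |name, message|
    puts "#{name}: #{message || 'no audit event'} (#{AUDIT_EVENT_TYPE})"
  end
end
```

Running the script prints one line per policy; only `Warn Mode in Scope` yields the message the last step expects, which matches the "no audit event" outcome of the two excluded-scope steps. Swapping `excluding` for `including` in a sample policy shows the allow-list case the steps do not cover.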
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #577782