Move gma enforcement logic from rails-validation layer to the class

As a source of truth `::Gitlab::Auth::GroupSaml::GmaMembershipEnforcer`
should know what kind of users are allowed to be added
to a project under GMA enforcement.

Similar to https://gitlab.com/gitlab-org/gitlab/-/merge_requests/75023

ee/app/models/ee/project_member.rb

@@ -8,7 +8,7 @@ module EE
       extend ::Gitlab::Utils::Override
 
       validate :sso_enforcement, if: -> { group && user }
-      validate :gma_enforcement, if: :group, unless: :project_bot
+      validate :gma_enforcement, if: -> { group && user }
       validate :group_domain_limitations, if: -> { group && group_has_domain_limitations? }, on: :create
 
       before_destroy :delete_member_branch_protection

ee/lib/gitlab/auth/group_saml/gma_membership_enforcer.rb

@@ -9,6 +9,8 @@ module Gitlab
         end
 
         def can_add_user?(user)
+          return true if user.project_bot?
+
           check_project_membership(user) && check_source_project_membership(user)
         end
 

ee/spec/lib/gitlab/auth/group_saml/gma_membership_enforcer_spec.rb

@@ -16,6 +16,12 @@ RSpec.describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
     stub_licensed_features(group_saml: true)
   end
 
+  it 'allows adding a project bot to project' do
+    project_bot = create(:user, :project_bot)
+
+    expect(subject.can_add_user?(project_bot)).to be_truthy
+  end
+
   context 'when user is group-managed' do
     it 'allows adding user to project' do
       expect(subject.can_add_user?(managed_user)).to be_truthy