Fix scan execution policy without ci file

This fixes the bug that scan jobs defined in a scan execution
pipeline are not triggered if the target project does not have a
.gitlab-ci.yml file.

Changelog: fixed
EE: true

ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb

@@ -26,6 +26,8 @@ def perform
             return @config if valid_security_orchestration_policy_configurations.blank?
             return @config unless extend_configuration?
 
+            @config[:workflow] = { rules: [{ when: 'always' }] } if @config.empty?
+
             merged_config = @config.deep_merge(merged_security_policy_config)
 
             if custom_scan_actions_enabled? && active_scan_custom_actions.any?

ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb

@@ -186,6 +186,14 @@
     context 'when policy is applicable on branch from the pipeline' do
       let(:ref) { 'refs/heads/master' }
 
+      context 'and the project does not have a CI configuration' do
+        let_it_be(:config) { {} }
+
+        it 'adds a workflow rule' do
+          expect(subject).to include({ workflow: { rules: [when: 'always'] } })
+        end
+      end
+
       context 'when DAST profiles are not found' do
         it 'does not modify the config' do
           expect(subject[:'dast-on-demand-0']).to eq({ allow_failure: true, script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false' })