Allow only top level groups for ApprovalGroupRules

Changelog: changed
EE: true
MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144438

ee/app/models/approval_rules/approval_group_rule.rb

@@ -21,6 +21,7 @@ class ApprovalGroupRule < ApplicationRecord
       scope: :group_id,
       message: proc { _('any-approver for the group already exists') }
     }, if: :any_approver?
+    validates :group, presence: true, top_level_group: true
 
     def audit_add(_model)
       # currently no audit on group add, only on project.

ee/spec/models/approval_rules/approval_group_rule_spec.rb

@@ -23,6 +23,23 @@
           'Validation failed: Applies to all protected branches must be enabled.')
       end
     end
+
+    context 'for groups' do
+      let_it_be(:parent) { create(:group) }
+      let_it_be(:child) { create(:group, parent: parent) }
+
+      it 'supports top level groups' do
+        group_approval_rule.update!(group: parent)
+        expect(group_approval_rule.group).to eq(parent)
+      end
+
+      it 'child groups are not supported' do
+        expect do
+          group_approval_rule.update!(group: child)
+        end.to raise_error(ActiveRecord::RecordInvalid,
+          'Validation failed: Group must be a top level Group')
+      end
+    end
   end
 
   describe 'associations' do