Which actions update User.last_sign_in_at?

I have self-hosted omnibus instance with v10.8.2 configured to authenticate purely via saml.
When trying to clean-up old accounts I have found that one (assigned to Jenkins) has very recent last_sign_in_at (today!) however no saml identity.

I don’t think that Jenkins admin is loging in in gitlab gui with those credentials, but definitely tokens and keys are being used to access code.
The log for this user only shows gitaly “executing git command”, nothing else, explicitly no “Successful login” during last days.
Searching in gitlab-ce sources gave no line of code where this attribute could be changed

Any hints where to search? Or list actions which change this attribute?