SELinux issue with gitlab-workhorse socket

scontext is the action’s source (httpd_t); tcontext is the action’s target (unconfined_service_t). gitlab is what is running as unconfined_service_t, not nginx.

I would look further into audit2why -i /var/log/audit/audit.log and audit2allow -i /var/log/audit/audit.log and see what new suggestions it gives you.

When we ran git.rockylinux.org with an external nginx, we used to run chcon -t httpd_var_run_t against the sockets. This may work for you, but it stops working during updates/upgrades.
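
To make the scontext/tcontext reading above concrete, here is an added example (not part of the original post) that parses AVC denial records and groups them by source type, target type, object class and permission. The audit lines and the socket path in them are constructed placeholders, not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample audit records; the socket path is a placeholder.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:901): avc:  denied  { connectto } for  pid=2101 comm="nginx" path="/path/to/gitlab-workhorse/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000000.102:902): avc:  denied  { write } for  pid=2101 comm="nginx" name="socket" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1700000000.102:902): arch=c000003e syscall=42 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1700000000.103:903): avc:  denied  { connectto } for  pid=2102 comm="nginx" path="/path/to/gitlab-workhorse/socket" scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
"""

# Permissions sit inside { ... }; the contexts and class follow as key=value.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of user:role:type[:level].

    The MLS level may itself contain ':' (e.g. s0-s0:c0.c1023), so split
    at most three times instead of splitting on every colon.
    """
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, permission) per denied permission."""
    denials = []
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if m is None:
            continue
        src, tgt = context_type(m["scontext"]), context_type(m["tcontext"])
        for perm in m["perms"].split():
            denials.append((src, tgt, m["tclass"], perm))
    return denials


def summarize(log_text):
    """Count identical denials so repeated hits collapse into one row."""
    return Counter(parse_denials(log_text))


if __name__ == "__main__":
    for (src, tgt, tclass, perm), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n}x source={src} target={tgt} class={tclass} perm={perm}")
```
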