Discovered during https://gitlab.com/gitlab-org/release-tools/issues/348, but also something I'm fairly certain we've encountered before. Because security mirrors are in a `security` sub-group of `gitlab-org`, they don't have access to the milestones from the parent `gitlab-org` group, which may pose a problem during validation. cc @gitlab-org/delivery