Update rules for templates

This is a related to !3605 (closed).

This MR adds explicit rules for most of the jobs that get imported from templates. Many do not run in MR pipelines, so the biggest change is to let these run in MR pipelines, but it also ensures they don't run in pipelines that don't need them, like Upstream Review App pipelines, chores pipelines, etc.

Example of template jobs not showing up in MR pipelines:

• MR pipeline: https://gitlab.com/gitlab-org/gitlab-docs/-/pipelines/799439490

Examples of template jobs showing up in the wrong pipelines:

• Review app pipeline: https://gitlab.com/gitlab-org/gitlab-docs/-/pipelines/799444870
• Chores pipeline: https://gitlab.com/gitlab-org/gitlab-docs/-/pipelines/799382545
• Environments cleanup pipeline: https://gitlab.com/gitlab-org/gitlab-docs/-/pipelines/799386068

Additional details

I considered updating all the templates to their .latest versions:

• https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.latest.gitlab-ci.yml
• https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.latest.gitlab-ci.yml
• https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.latest.gitlab-ci.yml

But these will all be rolled into the main "stable" templates in 16.0 anyways: https://docs.gitlab.com/ee/update/deprecations.html#secure-analyzers-major-version-update

This MR prepares us for that update. The main change in 16.0, as far as config is concerned, is that the latest versions support:

• MR pipelines by default.
• 1 (as well as the original true) for all their respective *_DISABLED variables, used to temporarily disable the scanners without needing to edit the pipeline config.

Making these changes now mean we won't need any tweaks in 16.0, and it should be a seamless update 🤞

Related issues

• Related to #1324 (closed)
• Related to gitlab#389812 (closed)