Security release process

Right now, we don't really document how-to-do security releases in workhorse, which creates significant friction when someone comes to it for the first time.

The current process is a bit crazy, and we have automation goals that will improve matters, but documenting where we are now is still important.

cc @nolith @jacobvosmaer-gitlab @steveazz @grzesiek @ashmckenzie @patrickbajao