Make sure that CE-only merge requests don't break EE for security MRs

Recently we hit a couple of issues where a security MR prepared for CE worked fine on CE, but when it was picked into EE, CI was failing for a valid reason (e.g. because we overlooked that an additional change is needed in the EE codebase).

This may be a problem for security MRs because the workflow for merging security MRs is slightly different: MRs are only approved during the preparation phase but merged later by a release manager when preparing a security release, when he tries to sync CE to EE on the security branch. This is quite late. It would be nice to discover potential EE issues with CE-only MRs sooner.

Perhaps we could extend CI to run something like this?

if MR is for CE and there is no EE version of the MR and target-branch's prefix is 'security-' then
  create a new branch from EE version of the target branch (security-...-ee)
  apply MR in this branch
  run CI on this branch

Another option, suggested by @smcgivern / @mdelaossa, would be to update the security MR workflow and instruct developers to always create an EE version of the security MR, at least for the master branch.
