Clarify the correct milestone for security fixes in `master`

What does this MR do?

Security releases happen after the main monthly release, so the first "backport" will actually be for the most recent release.

This frequently causes confusion and authors end up creating an unnecessary backport for an older release, instead of the latest one.

This is explained in the security workflow documentation, but we should also clarify this in the security issue and merge request templates.

We don't really need a milestone on the MR merging into master, so we also change the Danger rules to not require one.

Example

To clarify, here's an example to think through:

1. An issue is scheduled for milestone 14.2.
2. An engineer implements a fix either during 14.2, or early in 14.3.
3. The main MR merges into master
   • This MR doesn't really need a milestone, but you can think of it as being in milestone 14.3.
   • This MR also doesn't end up in its own release, it's just to make sure the fix gets synced back to gitlab-org/gitlab.
4. The backport MRs merge into the stable branches for the "last 3 releases", which will be 14.2/14.1/14.0 by the time the security release happens.
   • For these MRs the milestone corresponds to the target branch.

And then what often happens is that the MR author will set 14.2 for the master MR (rather than 14.3) and create backports for 14.1/14.0/13.12 (rather than 14.2/14.1/14.0).

Manual QA

We don't have specs for the Dangerfiles so I tested this change manually:

• Milestone required:
  • Non-security MR: https://gitlab.com/gitlab-org/gitlab/-/jobs/1520204482
  • Security MR merging into 14-2-stable-ee: https://gitlab.com/gitlab-org/security/gitlab/-/jobs/1520222925
• Milestone not required:
  • Security MR merging into master: https://gitlab.com/gitlab-org/security/gitlab/-/jobs/1520212832

Related issues

Many attempts were made to clarify this in the past 😅

• gitlab-org/release/docs@3e388294
• gitlab-org/release/docs@62365fdf
• gitlab-org/release/docs@43e996dd
• gitlab-org/release/docs@df3bd159

Author's checklist

• Follow the:
  • Documentation Guidelines.
  • Style Guide.
• [-] Ensure that the product tier badge is added to topic's h1.
• Request a review based on the:
  • The documentation page's metadata.
  • The associated Technical Writer.

If you are only adding documentation, do not add any of the following labels:

• ~"feature"
• ~"frontend"
• ~"backend"
• ~"bug"
• ~"database"

These labels cause the MR to be added to code verification QA issues.

Review checklist

Documentation-related MRs should be reviewed by a Technical Writer for a non-blocking review, based on Documentation Guidelines and the Style Guide.

• If the content requires it, ensure the information is reviewed by a subject matter expert.
• Technical writer review items:
  • [-] Ensure docs metadata is present and up-to-date.
  • [-] Ensure the appropriate labels are added to this MR.
  • If relevant to this MR, ensure content topic type principles are in use, including:
    • [-] The headings should be something you'd do a Google search for. Instead of Default behavior, say something like Default behavior when you close an issue.
    • [-] The headings (other than the page title) should be active. Instead of Configuring GDK, say something like Configure GDK.
    • Any task steps should be written as a numbered list.
    • If the content still needs to be edited for topic types, you can create a follow-up issue with the docs-technical-debt label.
• Review by assigned maintainer, who can always request/require the above reviews. Maintainer's review can occur before or after a technical writer review.
• Ensure a release milestone is set.