Use security mirrors for candidate commit URLs
Now that we auto-deploy from the security mirrors, the candidate commit SHAs may not be on the canonical projects (e.g. during a security release). This ensures we use URLs that always work.
Now that we auto-deploy from the security mirrors, the candidate commit SHAs may not be on the canonical projects (e.g. during a security release). This ensures we use URLs that always work.