Put security changelog compilation behind flag

While testing security_remote, we want to avoid compiling changelogs for fake versions.