Handle components using dev for security fixes
This changes ReleaseTools::ReleaseMetadata so it supports tracking components that still use dev.gitlab.org for security fixes. Not supporting this means that we will error when trying to obtain the tag of a component, as we'll be trying to look it up on a GitLab.com project that may not exist.
Currently the GitLab ElasticSearch indexer project is the only project still using dev, but it's not clear how long it will take for this to change. See issue gitlab-com/gl-infra/delivery#708 (closed) for more information about creating a security mirror for this project.