When doing a patch release that also contains security fixes, the blog
MR should be created in the security mirror
(gitlab-org/security/www-gitlab-com) so that the security fixes are
not publicised until the release is published.

This commit refactors the `MergeRequest` class to use a method called
project_path when calling the GitLab API. This method can be
overridden by classes that inherit from MergeRequest in order to
change which mirror the API calls go to.

In PatchRelease::BlogMergeRequest, we override the `project_path`
method to return the security mirror path if the blog post
contains security content.