argoproj / argo-workflows

Workflow Engine for Kubernetes

Home Page:https://argo-workflows.readthedocs.io/


Security updates should automatically apply to `release-3.4` and `release-3.5`

isubasinghe opened this issue

Summary

As the title states, security updates should immediately be available in release channels.

Use Cases

Performing releases individually is difficult and currently a manual process, which is also to say that it is error-prone: humans may accidentally miss critical security fixes when rolling a new release. While the end goal would be some kind of full automation of the release process, we could set up the security updates from dependabot to be automated.

Sounds like a subissue of #12592.

AFAIK, dependabot doesn't run on other branches, so this would be largely the same as what we discussed in #12592: automatically cherry-picking into currently supported branches.

> which also is to say that it is error prone

Due to that, there can still be a merge conflict on cherry-picking / backporting, especially with deps, so this may never be fully automated either.

> we could setup the security updates from dependabot to be automated.

Since dependabot is only doing security updates now after #12487, we could detect these.

Otherwise, we do have to manually do some updates (as they're major bumps or require code changes, etc.), and there isn't necessarily a good way to detect those other than the labels (which have to be manually added).
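The back-port step discussed in the comments above, as an added illustration written for this page (it is not argo-workflows' own release tooling): a POSIX shell script that picks out a Dependabot-authored commit, cherry-picks it with `-x` onto each supported release branch, and aborts the pick on conflict so that branch is left untouched for manual resolution rather than half-applied. It assumes `git` is on `PATH`; the repository, the `go.mod` contents, the maintainer identity and the `dependabot[bot]` author e-mail are all constructed for the demo.

```shell
#!/bin/sh
# Added example for this page, not argo-workflows release tooling.
# Back-ports a merged Dependabot security bump onto the supported release
# branches with `git cherry-pick -x`, stopping cleanly on merge conflict
# instead of leaving a half-applied branch behind.
set -u

# is_dependabot_commit <repo-dir> <commit>
# True when the commit author is dependabot[bot]; a CI job would use this to
# select the security bumps that should be back-ported automatically.
is_dependabot_commit() {
    [ "$(git -C "$1" log -1 --format=%an "$2")" = 'dependabot[bot]' ]
}

# backport_commit <repo-dir> <commit> <branch>...
# Prints "ok <branch>" or "conflict <branch>" per branch. A conflicting pick is
# aborted so the branch is left exactly as it was, and the function returns 1
# so the caller can flag it for manual resolution.
backport_commit() {
    repo=$1; commit=$2; shift 2
    rc=0
    for br in "$@"; do
        git -C "$repo" checkout -q "$br" || return 2
        if git -C "$repo" cherry-pick -x "$commit" >/dev/null 2>&1; then
            echo "ok $br"
        else
            git -C "$repo" cherry-pick --abort >/dev/null 2>&1
            echo "conflict $br"
            rc=1
        fi
    done
    return $rc
}

# make_demo_repo <dir>
# Constructed throwaway repository: main plus release-3.4 and release-3.5.
# release-3.5 has independently changed the same go.mod line, so the bump
# applies cleanly to release-3.4 but conflicts on release-3.5.
# Prints the SHA of the Dependabot-style bump commit on main.
make_demo_repo() {
    dir=$1
    git init -q "$dir"
    git -C "$dir" symbolic-ref HEAD refs/heads/main
    git -C "$dir" config user.email maintainer@example.invalid
    git -C "$dir" config user.name maintainer
    printf 'require example.com/dep v1.0.0\n' > "$dir/go.mod"
    git -C "$dir" add go.mod
    git -C "$dir" commit -q -m 'initial'
    git -C "$dir" branch release-3.4
    git -C "$dir" branch release-3.5
    git -C "$dir" checkout -q release-3.5
    printf 'require example.com/dep v1.0.1\n' > "$dir/go.mod"
    git -C "$dir" commit -q -am 'release-3.5: pin example.com/dep to v1.0.1'
    git -C "$dir" checkout -q main
    printf 'require example.com/dep v1.2.0\n' > "$dir/go.mod"
    # Constructed author identity standing in for the real Dependabot bot.
    git -C "$dir" commit -q -am 'chore(deps): bump example.com/dep to v1.2.0' \
        --author='dependabot[bot] <dependabot@example.invalid>'
    git -C "$dir" rev-parse HEAD
}

# Stand-alone demo run in a temporary directory.
demo_dir=$(mktemp -d)
bump=$(make_demo_repo "$demo_dir/repo")
if is_dependabot_commit "$demo_dir/repo" "$bump"; then
    backport_commit "$demo_dir/repo" "$bump" release-3.4 release-3.5
    echo "back-port exit status: $?"
fi
rm -rf "$demo_dir"
```

The demo prints `ok release-3.4`, `conflict release-3.5` and a non-zero exit status: the clean branch receives the bump and the conflicting one is reported for a human to resolve, which is the residual manual step the comments above describe.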

I didn't know that dependabot doesn't run on other branches, that is a shame to hear.

I do have a dirty, ugly hack for this: I can create two forks of workflows and set the default branch of each to release-3.4 and release-3.5 respectively. This way there should be automatic updates to those forks.
From there I can push those changes here.
It won't be completely automatic, but it will resolve the manual conflict resolution.

I feel like I deserve some abuse for this proposal, hahaha; it is such a hack, but it should keep us going.