
patches: add support for notifying failing security patches

Jaime Nuche requested to merge T350065 into master

When configured, scap can now notify of any security patches that fail to apply while checking out a MediaWiki version (the prep command).

The notifications are sent for each individual failing patch in the form of a comment on the associated security task with a description of the issue, including which MW release is being blocked by the failure and instructions to fix the patch in the deployment server. The task is also set to Unbreak Now! and the relevant release task set as parent.

Currently this functionality is meant to be used as part of the nightly checks we run on the patches. The bot needs to have access to security tasks on Phabricator, so we can only run this code in a place where we can ensure the bot token can be accessed only by scap. Unfortunately, that doesn't include the deployment server at the moment.

Bug: T350065
