doc,meta: codify security release commit message

The release commit message for security releases have conventionally
started with the phrase `This is a security release.`. Codify this
as part of the release process so that the distribution indexer can
use this to detect and mark releases as security releases.

Fixes: nodejs/Release#437
Refs: #27612 (comment)
Refs: nodejs/nodejs-dist-indexer#9

PR-URL: #27643
Reviewed-By: Sam Roberts <[email protected]>
Reviewed-By: Beth Griggs <[email protected]>
Reviewed-By: Franziska Hinkelmann <[email protected]>
Reviewed-By: Anto Aravinth <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
Reviewed-By: Rich Trott <[email protected]>

Author: richardlau

doc/releases.md

@@ -345,6 +345,21 @@ Notable changes:
 * Copy the notable changes list here, reformatted for plain-text
 ```
 
+For security releases, begin the commit message with the phrase
+`This is a security release.` to allow the
+[distribution indexer](https://github.com/nodejs/nodejs-dist-indexer) to
+identify it as such:
+
+```txt
+YYYY-MM-DD, Version x.y.z (Release Type)
+
+This is a security release.
+
+Notable changes:
+
+* Copy the notable changes list here, reformatted for plain-text
+```
+
 ### 6. Propose Release on GitHub
 
 Push the release branch to `nodejs/node`, not to your own fork. This allows