
Update trestle release process to assure OpenSSF best practice regarding CVEs is followed #1687

Open
degenaro opened this issue Sep 6, 2024 · 1 comment
Assignees
Labels
enhancement New feature or request

Comments

@degenaro
Collaborator

degenaro commented Sep 6, 2024

Issue description / feature objectives

Update the trestle release process to assure that the below OpenSSF best practice is complied with.

OpenSSF best practice:

The release notes MUST identify every publicly known run-time vulnerability fixed in this release that already had a CVE assignment or similar when the release was created. This criterion may be marked as not applicable (N/A) if users typically cannot practically update the software themselves (e.g., as is often true for kernel updates). This criterion applies only to the project results, not to its dependencies. If there are no release notes or there have been no publicly known vulnerabilities, choose N/A.

Caveats / Assumptions

None.

Completion Criteria

The release process is augmented with reminder or check or automation that assures the CVE best practice is followed.

@butler54
Collaborator

butler54 commented Oct 2, 2024

We already have a CVE reporting process. However, today our release process is automated. We should do this in a few places:

  1. A manual release process stage where release notes are updated with CVE information via a process.
  2. An automated fix integrated in the release pipelines - To be created as a separate issue.
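
One shape the automated check in item 2 could take, as an added example that is not trestle's own code: a script that, given the list of CVE identifiers fixed in the release (assumed here to be a plain-text file, one ID per line) and the draft release notes (assumed to be a markdown file), fails when any fixed CVE is not mentioned in the notes. The file names, the sample CVE IDs and the sample notes are constructed for illustration.

```python
"""Release-notes CVE check: added example, not part of the compliance-trestle project.

Usage (hypothetical file names):
    python check_release_notes_cves.py RELEASE_NOTES.md fixed_cves.txt
Exit status 0 means every fixed CVE is named in the notes; 1 lists the gaps.
"""
import re
import sys
from typing import Iterable

# Shape of a CVE identifier: CVE-<year>-<4 or more digits>.
CVE_PATTERN = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed sample inputs (not real vulnerabilities): one CVE is mentioned
# in the notes, the other is missing, which is the failure mode to catch.
FIXED_CVES_SAMPLE = ["CVE-2024-00001", "CVE-2024-00002"]
RELEASE_NOTES_SAMPLE = """\
## v0.0.0 (constructed)
### Security
- Fixed CVE-2024-00001: example description of the fix
### Features
- Example feature
"""


def find_cves(text: str) -> set[str]:
    """Return every CVE identifier that appears in the text, upper-cased."""
    return {m.upper() for m in CVE_PATTERN.findall(text)}


def check_release_notes(notes: str, fixed_cves: Iterable[str]) -> list[str]:
    """Return a list of problems; an empty list means the notes comply.

    A problem is either a malformed entry in the fixed-CVE list or a fixed
    CVE that the release notes never mention.
    """
    problems: list[str] = []
    expected: set[str] = set()
    for raw in fixed_cves:
        cve = raw.strip().upper()
        if not cve:
            continue  # blank line in the list file
        if not CVE_PATTERN.fullmatch(cve):
            problems.append(f"malformed CVE id in fixed list: {raw.strip()!r}")
            continue
        expected.add(cve)
    mentioned = find_cves(notes)
    for cve in sorted(expected - mentioned):
        problems.append(f"release notes do not mention fixed vulnerability {cve}")
    return problems


def main(argv: list[str]) -> int:
    """CLI wrapper: read the two files named on the command line."""
    if len(argv) != 3:
        print(__doc__, file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        notes = fh.read()
    with open(argv[2], encoding="utf-8") as fh:
        fixed = fh.read().splitlines()
    problems = check_release_notes(notes, fixed)
    for problem in problems:
        print(f"ERROR: {problem}", file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check is intentionally one-directional: it only demands that every CVE the project says it fixed is named in the notes, which is what the OpenSSF criterion asks for. Where no CVE was fixed, an empty list file passes, matching the criterion's N/A case. Running it as a release-pipeline step turns the "reminder" in the completion criteria into a hard gate.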

Projects
Status: Ready