[golang/go] x/build/cmd/relui: automate process of upstreaming private-track security CLs on release day (for the main branch)

### ROOT CAUSE

The process for upstreaming security CLs (Changes-Landing) from the private track to the main branch lacks automation and proper conflict resolution mechanisms. The issue notes that the process resembles the one used for release branches, but the main branch needs special handling for merge conflicts, which the current implementation does not address. This leaves a gap in the release workflow that calls for a dedicated automated solution.

### CODE FIX

To automate the upstreaming of private-track security CLs to the main branch, extend the `relui` tool with a new command, `security-upstream`. This command should:

1. **Integrate with the security metadata workflow** (tracked in #76157) to fetch CLs designated for upstreaming.
2. **Handle CLs from the private track** by cherry-picking commits into the main branch, resolving conflicts via a three-way merge strategy.
3. **Sequence the command** after the security metadata and combined monthly release workflows.

**Implementation Steps:**

```go
// In relui/cmd/relui/security_upstream.go
package main

import (
	"fmt"
	"log"
	"os/exec"
	"strings"
	// Import necessary modules for CL tracking and conflict resolution
)

// SecurityCL identifies one private-track change to upstream.
type SecurityCL struct {
	CommitHash string
	Branch     string // e.g., "security-branch"
}

func upstreamSecurityCLs(releaseVersion string) error {
	// Fetch security CLs from private track (e.g., from issue tracker or internal system)
	clList, err := getSecurityCLsForRelease(releaseVersion)
	if err != nil {
		return err
	}
	for _, cl := range clList {
		// Cherry-pick the CL commit into the main branch
		cmd := exec.Command("git", "cherry-pick", cl.CommitHash)
		cmd.Dir = "main-branch-dir" // placeholder path for the main-branch checkout
		output, err := cmd.CombinedOutput()
		if err != nil {
			// git prints "Merge conflict" with a capital M, so compare case-insensitively.
			if !strings.Contains(strings.ToLower(string(output)), "merge conflict") {
				// Any other failure stops the run instead of being silently skipped.
				return fmt.Errorf("cherry-pick of CL %s failed: %w\n%s", cl.CommitHash, err, output)
			}
			// Handle conflicts
			log.Printf("Conflict detected for CL %s. Attempting three-way merge...\n", cl.CommitHash)
			if err := threeWayMerge(cl.Branch); err != nil {
				return err
			}
		}
	}
	return nil
}

// Implement getSecurityCLsForRelease and threeWayMerge functions to fetch CLs and resolve conflicts
```

**Workflow Integration:**

- Add `security-upstream` to the `relui` command list.
- Sequence it in the release workflow after security metadata and before the monthly release steps.

This solution automates the upstreaming process, reduces manual intervention, and ensures security CLs are merged with minimal conflicts.
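The cherry-pick step above hands `cl.CommitHash` straight to git and recognises conflicts by matching message text, which git localizes. The following added example (not relui's code and not part of the original page) shows two pure helpers that tighten both points; `cherryPickArgs` and `unmergedPaths` are hypothetical names, and the hashes, paths and status output are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// fullHash accepts only a full SHA-1 or SHA-256 object name, so a value that
// starts with "-" or names a ref can never reach git's argument parser.
var fullHash = regexp.MustCompile(`^(?:[0-9a-f]{40}|[0-9a-f]{64})$`)

// cherryPickArgs (hypothetical helper) builds the git argv for one CL.
func cherryPickArgs(hash string) ([]string, error) {
	if !fullHash.MatchString(hash) {
		return nil, fmt.Errorf("rejecting commit identifier %q: not a full hex hash", hash)
	}
	return []string{"cherry-pick", hash}, nil
}

// unmergedPaths (hypothetical helper) reads `git status --porcelain` (v1)
// output and returns the paths left in conflict. The two-letter codes below
// are git's unmerged states; unlike message text they are not localized.
func unmergedPaths(porcelain string) []string {
	var paths []string
	for _, line := range strings.Split(porcelain, "\n") {
		if len(line) < 4 || line[2] != ' ' {
			continue // blank or malformed line
		}
		switch line[:2] {
		case "DD", "AU", "UD", "UA", "DU", "AA", "UU":
			paths = append(paths, line[3:])
		}
	}
	return paths
}

func main() {
	// Constructed inputs: one well-formed hash, one option-shaped string.
	for _, h := range []string{strings.Repeat("ab", 20), "--abort"} {
		args, err := cherryPickArgs(h)
		fmt.Println(args, err)
	}
	// Constructed porcelain output after a conflicting cherry-pick.
	status := "UU src/crypto/tls/conn.go\nM  src/net/http/server.go\nAA doc/next.md\n"
	fmt.Println(unmergedPaths(status))
}
```

A caller would run `git status --porcelain` in the checkout after a failed cherry-pick and treat a non-empty result from `unmergedPaths` as the conflict signal.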