See also https://gitlab.com/gitlab-org/gitlab/-/issues/334157
Topic on Talk:GitLab/Workflows/Security patches
Thanks for the heads up. We hadn't planned on using that feature right away, so this is a good issue to keep track of as we assess future workflow changes. I've subscribed to it (turned on notifications).
Yes, until/unless we enable issue-tracking within Gitlab (which may or may not ever happen AIUI), we cannot use confidential merge requests. Hence the somewhat clunky, less-than-ideal-but-still-workable process described within this article for manually creating and deploying security patches to Wikimedia production.