Pipelines: exclude in-repo .ps1 scripts from CodeSign post-analysis (#40541)

The Guardian CodeSign tool was scanning all .ps1 files in the source tree
and failing the release build on diagnostic / dev / test helper scripts that
aren't shipped (the OneBranch codesign targetGlob already restricts signing
to .dll/.exe/.sys/.msi/.msix/.appx/.nupkg).

Set ob_sdl_codeSignValidation_excludes to skip **\*.ps1 at the pipeline
level for the release, nightly, and PR OneBranch pipelines, and combine
with the existing testbin\** exclude in build-job.yml.

Co-authored-by: Ben Hillis <benhill@ntdev.microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Ben Hillis
2026-05-14 23:34:19 -07:00
committed by GitHub
parent e04be45185
commit b011cf7785
4 changed files with 4 additions and 2 deletions

@@ -70,8 +70,7 @@ jobs:
ob_artifactBaseName: 'drop_wsl'
ob_artifactSuffix: '${{ parameters.artifactSuffix }}'
packageStagingDir: '$(Build.SourcesDirectory)\packageStagingDir'
${{ if parameters.includeTestArtifacts }}:
ob_sdl_codeSignValidation_excludes: -|**testbin\**
ob_sdl_codeSignValidation_excludes: -|**\*.ps1;-|**\testbin\**
${{ if parameters.includeCodeQL }}:
Codeql.PublishDatabaseLog: true
Codeql.SourceRoot: src
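Review bot: The `${{ if parameters.includeTestArtifacts }}:` guard appears to be dropped together with the old exclude line (the hunk header goes from 8 lines to 7), so the `testbin` exclusion now applies to every build rather than only those that include test artifacts. The commit message only mentions combining the two excludes; if making it unconditional is intended, say so in the message or in a YAML comment, otherwise keep the guard around the testbin part and set `-|**\*.ps1` outside it. The testbin pattern also changes from `**testbin\**` to `**\testbin\**`, which may no longer match paths the old form covered, so it is worth confirming that the change in matching is deliberate.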

@@ -11,6 +11,7 @@ schedules:
variables:
WindowsContainerImage: "onebranch.azurecr.io/windows/ltsc2022/vse2022:latest"
WindowsHostVersion: '1ESWindows2022'
ob_sdl_codeSignValidation_excludes: -|**\*.ps1
resources:
repositories:
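Review bot: `-|**\*.ps1` in this variables block excludes every PowerShell script the validation sees, not only the diagnostic, dev and test helpers the commit message describes, so a script that later ends up in a shipped artifact would go unsigned without failing the build. Consider scoping the pattern to the source directories that hold those helpers, and add a YAML comment above the line recording why the exclude exists.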

@@ -7,6 +7,7 @@ trigger:
variables:
WindowsContainerImage: "onebranch.azurecr.io/windows/ltsc2022/vse2022:latest"
WindowsHostVersion: '1ESWindows2022'
ob_sdl_codeSignValidation_excludes: -|**\*.ps1
resources:
repositories:
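Review bot: Precedence is undocumented for the `ob_sdl_codeSignValidation_excludes` line added under `variables:` here, since the job template in this commit sets the same variable to a longer value (`-|**\*.ps1;-|**\testbin\**`). A short comment stating which value applies when both are set would help; if the job-level value wins, this line only takes effect for jobs that do not go through the template, and those jobs lose the testbin exclude.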

@@ -21,6 +21,7 @@ trigger:
variables:
WindowsContainerImage: "onebranch.azurecr.io/windows/ltsc2022/vse2022:latest"
WindowsHostVersion: '1ESWindows2022'
ob_sdl_codeSignValidation_excludes: -|**\*.ps1
resources:
repositories:
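Review bot: The exclude added after `WindowsHostVersion` is the third copy of the same literal across the pipeline definitions, plus the combined form in the job template, so any later change to the exclusion list has to be made in four places and can drift. Moving the value into a shared variables template, or keeping only the job-level setting if it covers all jobs, would leave a single source of truth.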