Pipelines: exclude .ps1 from CodeSign in package stage (#40653)

The Guardian CodeSign post-analysis in the package job is failing on
in-repo .ps1 scripts (collect-wsl-logs.ps1, deploy/*.ps1, etc.) that
are not shipped and don't need signing.

PR #40541 fixed this for the build job and added the exclusion as a
pipeline-level variable, but the package job in package-stage.yml
declares its own variables block and OneBranch's SDL injection only
honors ob_sdl_* variables at job scope, so the pipeline-level value
isn't applied.

Add ob_sdl_codeSignValidation_excludes: -|**\*.ps1 to the package job's
variables, mirroring what build-job.yml does.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: benhillis

.pipelines/package-stage.yml

@@ -45,6 +45,7 @@ stages:
           ob_outputDirectory: '$(Build.SourcesDirectory)\out'
           ob_artifactBaseName: 'drop_wsl'
           ob_artifactSuffix: '_package'
+          ob_sdl_codeSignValidation_excludes: -|**\*.ps1
           buildStagePackageVersion: $[ stageDependencies.build_x64.build_x64.outputs['version.WSL_PACKAGE_VERSION'] ]
           buildStageNugetVersion: $[ stageDependencies.build_x64.build_x64.outputs['version.WSL_NUGET_PACKAGE_VERSION'] ]