
Commit e919005

Authored by benhillis (Ben Hillis) and Copilot
Disable SDL codesign auto-scan on the package job (#40657)
The Guardian CodeSign post-analysis scans the entire source checkout and flags every in-repo .ps1 as unsigned (17 errors, breaking the release build). Two prior attempts to filter the findings via the documented ob_sdl_codeSignValidation_excludes variable - at pipeline-level (b011cf7) and at the package job's variables block (PR #40653) - were both silently ignored. Disable the auto-scan on the package job; the msixbundle and nupkg outputs are explicitly signed AND verified by the EsrpCodeSigning tasks in the same job (SigntoolVerify / NuGetVerify operations), so signing coverage on the actual release artifacts is preserved. The build_x64 / build_arm64 jobs keep codesign validation enabled.

Co-authored-by: Ben Hillis <benhill@ntdev.microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent f67086e commit e919005

1 file changed

Lines changed: 2 additions & 1 deletion

File tree

.pipelines/package-stage.yml

@@ -45,7 +45,8 @@ stages:
4545
ob_outputDirectory: '$(Build.SourcesDirectory)\out'
4646
ob_artifactBaseName: 'drop_wsl'
4747
ob_artifactSuffix: '_package'
48-
ob_sdl_codeSignValidation_excludes: -|**\*.ps1
48+
# Outputs are explicitly signed+verified by the EsrpCodeSigning tasks below.
49+
ob_sdl_codeSignValidation_enabled: false
4950
buildStagePackageVersion: $[ stageDependencies.build_x64.build_x64.outputs['version.WSL_PACKAGE_VERSION'] ]
5051
buildStageNugetVersion: $[ stageDependencies.build_x64.build_x64.outputs['version.WSL_NUGET_PACKAGE_VERSION'] ]
5152
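Review bot: setting `ob_sdl_codeSignValidation_enabled: false` on the package job turns off the scan for every file the job produces, not just the in-repo .ps1 files that triggered the 17 false positives, so anything this job emits beyond the msixbundle and nupkg that EsrpCodeSigning verifies will no longer be checked for a signature. Before settling on a full disable, it is worth confirming why the removed exclude was ignored: `ob_sdl_codeSignValidation_excludes: -|**\*.ps1` is written as a single-line scalar, and if the variable expects a multi-line value the pattern would never have been applied, in which case a correctly formatted exclusion would keep the scan active with the same effect on the build. If the disable is kept, the inline comment should name the verification operations relied on (SigntoolVerify / NuGetVerify, per the commit message) so a future edit to the signing tasks cannot silently leave the package job with no signature check at all.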
