Add compliance pipeline

[jakebailey]

To aid in NOTICE generation.

[Copilot]

Pull Request Overview

Adds a dedicated Azure Pipelines configuration to generate compliance artifacts (e.g., NOTICE file) as part of CI.

• Introduces a new _build/azure-pipelines.compliance.yml that triggers on main.
• Extends the shared 1ES pipeline template and enables production SDL checks.
• Installs Node package manager, Go toolchain, and runs the hereby build step.

Comments suppressed due to low confidence (1)

_build/azure-pipelines.compliance.yml:54

• To guard against a malicious or corrupted download, consider verifying the Go archive's checksum or signature before extracting it.

curl -SL -o '$(Agent.BuildDirectory)/golang.tar.gz' https://aka.ms/golang/release/latest/go${version}.linux-amd64.tar.gz

[Copilot]

Use the POSIX-standard $(...) syntax instead of backticks for command substitution to improve readability and avoid nesting issues, e.g., npm install -g $(node -e 'console.log(JSON.parse(fs.readFileSync("package.json", "utf8")).packageManager)').

Suggested change

	npm install -g `node -e 'console.log(JSON.parse(fs.readFileSync("package.json", "utf8")).packageManager)'`
	npm install -g $(node -e 'console.log(JSON.parse(fs.readFileSync("package.json", "utf8")).packageManager)')

[Copilot]

The grep -P (Perl-compatible regex) option is not guaranteed on all images; consider using grep -E or a sed/awk command to reliably extract the Go version from go.mod.

Suggested change

	version=$(grep -oP '^go \K[0-9]+\.[0-9]+' go.mod)
	version=$(grep -Eo '^go [0-9]+\.[0-9]+' go.mod | awk '{print $2}')

[Copilot]

Wrap this step in a multi-line shell block with set -euo pipefail to ensure any errors in the build command cause the pipeline to fail.

Suggested change

	- bash: npx hereby build
	- bash: |
	set -euo pipefail
	npx hereby build

[jakebailey]

What this pipeline does doesn't really matter; it's the extra result of it running and getting CG that does.