ci(scripts): add compute_change_set.sh; CT pipeline adopts it #17247

Merged
christopherco merged 1 commit into microsoft:tomls/base/main from dmcilvaney:damcilva/scoped-gates/prepare-change-set
May 15, 2026

@dmcilvaney

Introduces .github/workflows/scripts/components/compute_change_set.sh, which wraps the three-step compute used by every PR-scoped gate:

  1. azldev component changed --from <base> --to <head>
  2. git diff --name-only -- <renderedSpecsDir>
  3. compute_render_set.py over both, drop deleted components

into a single script that writes 'changed-components.json', 'specs-diff.txt', and 'render-set.txt' to a caller-chosen output directory. All azldev invocations use an inline AZLDEV_ALLOW_ROOT=1 prefix per .github/instructions/ado-pipeline.instructions.md.

CT's render_and_verify.sh used to do the same thing with a slightly different argument shape, so it is deleted and the CT pipeline's 'Compute changed components' + 'Verify rendered specs' steps are restructured to call compute_change_set.sh + an inline 'xargs azldev component render --check-only --' over the resulting render-set.txt. xargs gets '-x' to fail loudly if a multi-batch invocation would silently hide drift in batches past the first.

Also tightens the CT render-check step to fail loud when the renderSetFile is unset/missing (distinguishing a 'Prepare change set' crash from a legitimately empty change set), so a job-level continueOnError cannot mask an upstream supply-chain tripwire.

The GH render gate adopts this helper in a follow-up commit.

Adds a README.md to scripts/components/ documenting the shared-library status and the inline AZLDEV_ALLOW_ROOT=1 convention.

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Copilot AI review requested due to automatic review settings May 15, 2026 01:25
Copilot AI left a comment

Pull request overview

This PR centralizes PR-scoped component change-set computation for the Control Tower ADO pipeline by adding a shared component helper and replacing the deleted Control Tower-specific render helper.

Changes:

  • Adds compute_change_set.sh to produce changed-components, specs-diff, and render-set outputs.
  • Updates the Control Tower ADO stages to call the shared helper and render-check from render-set.txt.
  • Documents the shared helper directory and updates ADO pipeline authoring guidance.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| .github/workflows/scripts/control-tower/render_and_verify.sh | Removes the old Control Tower-specific render/change-set helper. |
| .github/workflows/scripts/components/README.md | Documents shared component helper scripts and their intended callers. |
| .github/workflows/scripts/components/compute_change_set.sh | Adds shared change-set orchestration for changed components and rendered spec diffs. |
| .github/workflows/ado/templates/sources-upload-stages.yml | Wires the Control Tower pipeline to compute a change set and render-check from the generated render set. |
| .github/workflows/ado/sources-upload.yml | Updates comments describing helper script locations. |
| .github/instructions/ado-pipeline.instructions.md | Extends helper-script layout guidance to cover shared component helpers. |

Comments suppressed due to low confidence (1)

.github/workflows/scripts/components/compute_change_set.sh:35

  • The script only checks that the commit arguments are non-empty before passing them to azldev/git diff. The ADO pipeline security guidance requires strict regex validation of PR-supplied commit SHAs before using them in shell commands, so validate source_commit and target_commit as expected SHA values here rather than relying on each caller.
[[ -z "${output_dir:-}" || -z "${source_commit:-}" || -z "${target_commit:-}" ]] && usage

Comment thread .github/workflows/scripts/components/README.md
Comment thread .github/instructions/ado-pipeline.instructions.md
Comment thread .github/workflows/scripts/components/compute_change_set.sh
Introduces .github/workflows/scripts/components/compute_change_set.sh,
which wraps the three-step compute used by every PR-scoped gate:

  1. azldev component changed --from <base> --to <head>
  2. git diff --name-only -- <renderedSpecsDir>
  3. compute_render_set.py over both, drop deleted components

into a single script that writes 'changed-components.json',
'specs-diff.txt', and 'render-set.txt' to a caller-chosen output
directory. All azldev invocations use an inline AZLDEV_ALLOW_ROOT=1
prefix per .github/instructions/ado-pipeline.instructions.md.

CT's render_and_verify.sh used to do the same thing with a slightly
different argument shape, so it is deleted and the CT pipeline's
'Compute changed components' + 'Verify rendered specs' steps are
restructured to call compute_change_set.sh + an inline 'xargs azldev
component render --check-only --' over the resulting render-set.txt.
xargs gets '-x' to fail loudly if a multi-batch invocation would
silently hide drift in batches past the first.

Also tightens the CT render-check step to fail loud when the
renderSetFile is unset/missing (distinguishing a 'Prepare change set'
crash from a legitimately empty change set), so a job-level
continueOnError cannot mask an upstream supply-chain tripwire.

The GH render gate adopts this helper in a follow-up commit.

Adds a README.md to scripts/components/ documenting the shared-library
status and the inline AZLDEV_ALLOW_ROOT=1 convention.
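
Added example (not code from this PR): a shell illustration of the two fail-closed checks discussed above, strict validation of PR-supplied commit SHAs before they reach `azldev` or `git diff`, and a render-set check that treats an unset or missing file as a failure while an empty file passes as a legitimately empty change set. The function names, the 40-hex SHA-1 assumption and exit code 2 are assumptions; the checker command is passed in as arguments where the PR uses `azldev component render --check-only --`.

```sh
#!/bin/sh
# Added example; names and exit codes are assumptions, not the PR's script.

# is_full_sha VALUE: succeed only for exactly 40 lowercase hex characters
# (assumes SHA-1 object names). Branch names, option-like strings and
# anything with whitespace or shell metacharacters are rejected.
is_full_sha() {
  case "$1" in
    ''|*[!0123456789abcdef]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# render_gate FILE CMD...: run CMD over the entries in FILE via xargs.
# In the PR, CMD is 'azldev component render --check-only --'.
#   unset or missing FILE -> 2 (the step that writes it did not finish)
#   empty FILE            -> 0 (legitimately empty change set, CMD not run)
#   otherwise             -> xargs status; -x terminates if a constructed
#                            command line will not fit the size limit
render_gate() {
  file=$1
  shift
  if [ -z "$file" ] || [ ! -f "$file" ]; then
    echo "render-set file unset or missing; failing closed" >&2
    return 2
  fi
  if [ ! -s "$file" ]; then
    echo "render set is empty; nothing to check"
    return 0
  fi
  xargs -x "$@" < "$file"
}

# Constructed sample values, not taken from the PR.
for candidate in 0123456789abcdef0123456789abcdef01234567 \
                 refs/heads/main --output=x 0123abc; do
  if is_full_sha "$candidate"; then
    echo "accept: $candidate"
  else
    echo "reject: $candidate"
  fi
done
render_gate "" true || echo "gate returned $? for an unset render-set path"
```
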

@dmcilvaney force-pushed the damcilva/scoped-gates/prepare-change-set branch from 542950d to 6f17dfa May 15, 2026 04:50
@christopherco merged commit fae426f into microsoft:tomls/base/main May 15, 2026
10 checks passed
@dmcilvaney deleted the damcilva/scoped-gates/prepare-change-set branch May 15, 2026 21:33