Add security clarification comments for buildScript usage

Added comments to clarify that buildScript comes from pipeline YAML configuration, not external user input, making Invoke-Expression safe in this context.

Co-authored-by: T-Gro <[email protected]>

Author: Copilot

eng/templates/regression-test-jobs.yml

@@ -61,6 +61,8 @@ jobs:
         Get-ChildItem -Name
         
         # Check if buildScript is a built-in dotnet command or a file-based script
+        # Note: buildScript comes from the pipeline YAML configuration (testMatrix parameter),
+        # not from external user input, so it's safe to use
         $buildScript = "${{ item.buildScript }}"
         if ($buildScript -like "dotnet*") {
           Write-Host "Build command is a built-in dotnet command: $buildScript"
@@ -154,6 +156,8 @@ jobs:
         $buildScript = "${{ item.buildScript }}"
         
         # Check if it's a built-in dotnet command or a file-based script
+        # Note: buildScript comes from the pipeline YAML configuration (testMatrix parameter),
+        # not from external user input, so using Invoke-Expression is safe here
         if ($buildScript -like "dotnet*") {
           Write-Host "Executing built-in command: $buildScript"
           Invoke-Expression $buildScript