feat(ci-templates): Bitbucket + Azure parity with the GitHub Action (closes #32) #60

Merged: Metbcy merged 2 commits into main from feat/bitbucket-azure-parity-32 on Jun 1, 2026

@Metbcy Metbcy commented Jun 1, 2026

Closes #32.

Brings the Bitbucket Pipelines and Azure DevOps templates up to the v0.9.7 GitHub Action input surface, so non-GitHub callers can configure the same `bomdrift diff` knobs the action exposes.

What's added (on both platforms)

  • VEX: `vex` (list), `emit-vex`, `vex-author`, `vex-default-justification`
  • License policy: `allow-licenses`, `deny-licenses`, `allow-exception`, `deny-exception`, `allow-ambiguous-licenses`
  • Enrichment toggles: `no-epss`, `no-kev`, `no-registry`, `fail-on-epss`
  • Calibration: `recently-published-days`, `typosquat-similarity-threshold`, `young-maintainer-days`, `cache-ttl-hours`, `multi-major-delta`
  • Attestation: `before-attestation`, `after-attestation`, `cosign-identity`, `cosign-issuer`, `require-attestation`
  • Plugins: `plugin` (list)

Implementation

Both templates use the same pattern: a small bash helper block defines `add_value` / `add_bool` / `add_list`, then builds an `args=()` array from `BOMDRIFT_*` env vars and appends `"${args[@]}"` after the existing `--output markdown --platform <name>` flags. Unset / empty inputs contribute zero CLI args, so the default invocation is byte-identical for users who don't set any of the new variables.

  • Bitbucket reads inputs from repository variables (prefix `BOMDRIFT_*`).
  • Azure declares them as `parameters:` (snake_case because `${{ parameters.x-y }}` won't expand cleanly with hyphens) and maps them through the `env:` block on the diff step to the same `BOMDRIFT_*` names.

Verification

  • Both YAML files parse with `python3 -c "import yaml; yaml.safe_load(...)"`.
  • Inline bash passes `bash -n`.
  • Empty-input invocation reduces to the pre-PR command shape (confirmed by inspection of the args-building helpers — `add_value`/`add_bool`/`add_list` all short-circuit on empty/non-true values).
  • Docs sections in `bitbucket.md` and `azure-devops.md` mirror the `action.yml` descriptions verbatim where the brief allowed, abridged where length required.

Notes for maintainer

Repo policy: main requires verified signatures. This branch is unsigned; "Merge" or "Squash" via the GitHub UI auto-signs.

The Azure JSON schema doesn't model boolean parameter defaults so the editor LSP will flag a warning on the `default: false` lines — the syntax is still valid Azure Pipelines YAML (verified against the public docs). Left as-is.

…n parity (closes #32)

Exposes the v0.9.7-era surface (VEX, license policy, enrichment toggles,
calibration, attestation, plugins) on both the Bitbucket Pipelines and
Azure DevOps templates so non-GitHub callers can configure the same
`bomdrift diff` knobs the GitHub Action exposes.

Implementation pattern: each platform exposes a BOMDRIFT_* repository
variable (Bitbucket) or pipeline parameter mapped to a BOMDRIFT_* env var
(Azure). A small `args=()` helper block (add_value / add_bool / add_list)
appends `--flag value` pairs only when the corresponding variable is set,
so the default invocation stays byte-identical for users who set none of
the new inputs.

Templates parse as YAML and the inline shell passes `bash -n`. Docs gain
an "Input reference" section in both bitbucket.md and azure-devops.md
grouping the inputs by the same six categories as the GitHub Action.

- examples/bitbucket-pipelines/bitbucket-pipelines.yml: +95
- examples/azure-devops/azure-pipelines.yml: +154
- docs/src/bitbucket.md: +84
- docs/src/azure-devops.md: +82
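
The argument-building pattern that the PR description and the commit message both describe, as an added example that is not the project's template code. It shows that empty inputs add nothing and that values containing shell metacharacters stay single argv elements. Assumed names: the `--<input-name>` flag spellings, the `BOMDRIFT_<NAME>` variable names beyond the prefix, comma-separated lists, and the `build_args` wrapper.

```shell
#!/usr/bin/env bash
# Added example, not the project's template code. Assumptions: each input maps
# to a --<input-name> flag and a BOMDRIFT_<NAME> variable; lists are comma-separated.
# Arrays are a bash feature, so re-exec under bash if started by a plain sh.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

args=()

# add_value FLAG VALUE: append the pair only when VALUE is non-empty.
add_value() { if [ -n "$2" ]; then args+=("$1" "$2"); fi; }

# add_bool FLAG VALUE: append FLAG only when VALUE is exactly "true".
add_bool() { if [ "$2" = "true" ]; then args+=("$1"); fi; }

# add_list FLAG CSV: append one FLAG/item pair per non-empty, trimmed item.
add_list() {
  local flag=$1 item items=()
  [ -n "$2" ] || return 0
  IFS=',' read -r -a items <<< "$2"
  for item in "${items[@]}"; do
    item="${item#"${item%%[![:space:]]*}"}"   # strip leading whitespace
    item="${item%"${item##*[![:space:]]}"}"   # strip trailing whitespace
    if [ -n "$item" ]; then args+=("$flag" "$item"); fi
  done
}

# build_args: rebuild the global args array from the current variables.
build_args() {
  args=()
  add_list  --vex                 "${BOMDRIFT_VEX:-}"
  add_list  --plugin              "${BOMDRIFT_PLUGIN:-}"
  add_value --vex-author          "${BOMDRIFT_VEX_AUTHOR:-}"
  add_value --cosign-identity     "${BOMDRIFT_COSIGN_IDENTITY:-}"
  add_bool  --no-kev              "${BOMDRIFT_NO_KEV:-}"
  add_bool  --require-attestation "${BOMDRIFT_REQUIRE_ATTESTATION:-}"
}

# Constructed sample values; the author string holds shell metacharacters on purpose.
BOMDRIFT_VEX='a.vex.json, b.vex.json,,'
BOMDRIFT_VEX_AUTHOR='Sec Team; $(id) *'
BOMDRIFT_NO_KEV=true
BOMDRIFT_REQUIRE_ATTESTATION=TRUE   # not exactly "true", so no flag is emitted
build_args

# Print one argv element per line instead of running bomdrift: each value stays
# a single element, because "${args[@]}" is never re-split, globbed or eval'd.
printf '[%s]\n' "${args[@]}"
```

The same variables interpolated into an unquoted command string would be word-split and glob-expanded by the shell, which is the failure mode the array form avoids.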

github-actions Bot commented Jun 1, 2026

Coverage report

Line coverage: 84.7% (10033 / 11851 lines)

Full lcov report available as workflow artifact coverage-lcov: download from this run.

v0.9.8 introduces this report; --fail-under-lines will be added once coverage is visible across 2–3 releases.

@Metbcy Metbcy merged commit a17c980 into main Jun 1, 2026
10 checks passed

Development

Successfully merging this pull request may close these issues.

Action-side parity for VEX/license/calibration/attestation/plugin inputs in Bitbucket + Azure DevOps templates

1 participant