run PR builds on NOTICES updates (#8931)

CHANGELOG_BEGIN
CHANGELOG_END

ci/cron/daily-compat.yml

@@ -210,12 +210,6 @@ jobs:
         persistCredentials: true
       - bash: ci/dev-env-install.sh
         displayName: 'Build/Install the Developer Environment'
-      - bash: ci/configure-bazel.sh
-        displayName: 'Configure Bazel'
-        env:
-          IS_FORK: $(System.PullRequest.IsFork)
-          # to upload to the bazel cache
-          GOOGLE_APPLICATION_CREDENTIALS_CONTENT: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
       - bash: |
           set -euo pipefail
           eval "$(dev-env/bin/dade assist)"
@@ -227,9 +221,11 @@ jobs:
         displayName: 'Build'
       - bash: |
           set -euo pipefail
-          eval "$(./dev-env/bin/dade-assist)"
+          eval "$(dev-env/bin/dade-assist)"
 
-          #needs to be specified since blackduck can not scan all bazel dependency types in one go, haskell has to be scanned separatey and code location name uniquely identified to avoid stomping
+          #needs to be specified since blackduck can not scan all bazel
+          #dependency types in one go, haskell has to be scanned separatey and
+          #code location name uniquely identified to avoid stomping
           BAZEL_DEPENDENCY_TYPE="haskell_cabal_library"
 
           bash <(curl -s https://raw.githubusercontent.com/DACH-NY/security-blackduck/master/synopsys-detect) \
@@ -247,9 +243,10 @@ jobs:
           BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
       - bash: |
           set -euo pipefail
-          eval "$(./dev-env/bin/dade-assist)"
+          eval "$(dev-env/bin/dade-assist)"
 
-          #avoid stomping any previous bazel haskell scans for this repository by qualifying as a maven_install (aka jvm) bazel blackduck scan
+          #avoid stomping any previous bazel haskell scans for this repository
+          #by qualifying as a maven_install (aka jvm) bazel blackduck scan
           BAZEL_DEPENDENCY_TYPE="maven_install"
 
           bash <(curl -s https://raw.githubusercontent.com/DACH-NY/security-blackduck/master/synopsys-detect) \
@@ -281,14 +278,37 @@ jobs:
           eval "$(./dev-env/bin/dade-assist)"
           source $(bash_lib)
 
+          branch="notices-update-$(Build.BuildId)"
+
           tr -d '\015' <*_Black_Duck_Notices_Report.txt | grep -v digital-asset_daml >NOTICES
           if git diff --exit-code -- NOTICES; then
               echo "NOTICES file already up-to-date."
+              setvar need_to_build false
           else
               git add NOTICES
-              open_pr "notices-update-$(Build.BuildId)" "update NOTICES file"
+              open_pr "$branch" "update NOTICES file"
+              setvar need_to_build true
           fi
         displayName: open PR
-        condition: and(succeeded(),
-                       eq(variables['Build.SourceBranchName'], 'main'))
+        name: out
       - template: ../daily_tell_slack.yml
+
+  - job: run_notices_pr_build
+    timeoutInMinutes: 60
+    dependsOn: ["blackduck_scan"]
+    pool:
+      vmImage: ubuntu-20.04
+    variables:
+      need_to_build: $[ dependencies.blackduck_scan.outputs['out.need_to_build'] ]
+    steps:
+      - bash: |
+          if [ "$(need_to_build)" == "true" ]; then
+              branch="notices-update-$(Build.BuildId)"
+              az extension add --name azure-devops
+              trap "az devops logout" EXIT
+              echo "$(System.AccessToken)" | az devops login --org "https://dev.azure.com/digitalasset"
+              az pipelines build queue --branch "$branch" \
+                                       --definition-name "PRs" \
+                                       --org "https://dev.azure.com/digitalasset" \
+                                       --project daml
+          fi