azdo-pipelines: Publish NPM release to internal feed in addition to npmjs.org

[bwateratmsft]

TODO

• Passing build (since install step is affected): https://devdiv.visualstudio.com/DevDiv/_build/results?buildId=14391425&view=results, https://devdiv.visualstudio.com/DevDiv/_build/results?buildId=14391647&view=results
• Passing release:

Summary

Updates the NPM release template (azdo-pipelines/1es-mb-release-npm.yml) to optionally publish the released package to an internal Azure Artifacts feed, in addition to the existing ESRP/MicroBuild publish to npmjs.org.

Changes

• Added an optional feedBaseUrl parameter (the Azure Artifacts feed base URL, e.g. https://devdiv.pkgs.visualstudio.com/DevDiv/_packaging/azcode). When set, the same tarball is also published to that feed.
• The internal-feed publish runs after the ESRP publish to npmjs.org has completed successfully (ESRP uses waitForReleaseCompletion: true, and the new steps run sequentially after it).
• Factored the .npmrc creation + npmAuthenticate@0 logic shared with setup.yml into a reusable azdo-pipelines/templates/write-npmrc-auth.yml. It respects a checked-in .npmrc when present, otherwise writes one with registry=<feedBaseUrl>/npm/registry/.
• Same-org Azure Artifacts feeds authenticate with the build identity, so no service connection is required — none is added.
• The same dryRun compile-time guard applies to the internal-feed publish.
• Publishes the exact pre-built tarball via an Npm@1 task (command: custom, publish "$(tgzFileName)" --ignore-scripts), so the task handles exit-code failures and no lifecycle/build scripts run in the release pool.
• Documented feedBaseUrl and the Feed Publisher (Contributor) permission requirement (publish permission is not automatic even for same-org feeds) in README.md.

Notes

Draft PR for review before merge. Note: a service connection is intentionally not included — cross-org/external feeds are out of scope, and same-org feeds authenticate via the build identity.