fix(ci): downgrade npm auth token list check to warning

[Copilot]

The verifyNpmAuth function in .ado/scripts/prepublish-check.mjs was failing in CI with:

❌ Auth token for 'https://registry.npmjs.org/' returned error code E403

This occurred because the function performs two npm checks:

1. npm whoami --registry <registry> - verifies user authentication ✅
2. npm token list --registry <registry> - attempts to list user tokens ❌

While the first check succeeds (confirming the user is authenticated), the second check fails with E403 because some npm tokens don't have permission to list tokens, even though they can publish packages successfully.

Solution

Made a minimal change to treat E403 errors from npm token list as non-fatal warnings:

// Before - All token list errors were fatal
throw new Error(`Auth token for '${registry}' returned error code ${errorCode}`);

// After - E403 is non-fatal, others still throw
if (errorCode === "E403") {
  info(`Token verification skipped: token doesn't have permission to list tokens (${errorCode})`);
} else {
  throw new Error(`Auth token for '${registry}' returned error code ${errorCode}`);
}

Benefits

• ✅ Fixes CI publishing - No more E403 failures blocking npm publish jobs
• ✅ Maintains security - npm whoami still validates authentication properly
• ✅ Preserves existing behavior - All other error codes (E401, ENEEDAUTH, etc.) still throw as before
• ✅ Zero breaking changes - Fully backward compatible
• ✅ Clear logging - Informative message when E403 occurs

Testing

• Script syntax validation passes
• Code formatting with Prettier is correct
• Manual testing confirms E403 errors are now non-fatal
• All other error scenarios continue to work as expected
• Script runs successfully with all existing options

This surgical fix resolves the specific CI authentication issue while preserving all existing safeguards and functionality.

Fixes #2546.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Saadnajmi]

I looked into it, and indeed our NPM access token / account doesn't want to be listed (but still works). So the change is sound, but I need to refactor a bit, so I'll probably fork this.