
Upgrades release/client/2.23 pipeline deployment jobs to be 1ES compliant #24118


Merged


seanimam
Contributor

Read THIS FIRST

This change is being ported from main: #24026

Below is a repeat of the description from the above linked PR. The goal here is to ensure that if we decide to rerelease this fluid version that our deployment pipeline is 1ES compliant.

Description

1ES pipelines have warnings requiring that all deployment jobs transition to release jobs (see Custom Release Job | 1ES On EngHub).

The include-publish-npm-package-deployment.yml is a template included in many pipelines, including the build client pipeline. This template includes a deployment job that needed to be upgraded to be 1ES compliant.

To that effort, a few changes have been made to pipelines:

  1. The FF repo is no longer checked out in include-publish-npm-package-deployment.yml. This was necessary to install build tools properly.
  2. 'Build - Build tools' is now specified as a 'pipeline resource' in upstream pipelines such as build-npm-client-package, which enables us to selectively download its artifacts in the deployment job within include-publish-npm-package-deployment.yml.
  3. The original code for installing build tools within include-publish-npm-package-deployment.yml using the downloaded FF repo was removed and replaced with a bash script that installs the build tools from the tarball artifact from the 'Build - Build Tools' pipeline.
  4. A new templateContext section was added to include-publish-npm-package-deployment.yml which specifies the variables necessary to make it a 1ES deployment job; this also includes a dynamic isProduction variable based on the 'testBuild' parameter from the include-vars.yml pipeline template.
  5. include-publish-npm-package-deployment.yml uses the new templateContext section to download the pipeline artifact from 'Build - Build tools' using the inputs parameter rather than an explicitly defined task. This also applies to downloading the pack artifact from the build stage of the pipeline.

Reviewer Guidance

1ES Release Job Requirements: (see links above for more details)

  • You have to classify the release job as production or non-production based on whether you deploy to a production or non-production environment (in the case of deploying to Azure, this must match the Azure subscription classification in Service Tree).
  • You have to declare all the artifacts required for the release as inputs for the job (this is similar to the concept of outputs in a standard build job).
  • You can't build source code in a release job (this is to ensure all artifacts have been binary scanned in a build job output).
  • You can't check out repositories. All artifacts must be generated and published from a 1ES PT build job and declared as an input.
  • All 1ES PT pipelines must use a 1ES hosted pool.
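
As an added illustration, not the repository's own template (which is not shown on this page), here is the shape of a 1ES-style release job that satisfies the five requirements above and mirrors the five changes listed in the description: a pipeline resource for 'Build - Build tools', a templateContext that classifies the job from the testBuild parameter and declares both artifacts as inputs, no repository checkout, and a bash step that installs the build tools from the downloaded tarball instead of building anything from source. The keys `type: releaseJob`, `isProduction` and `inputs` follow the 1ES Pipeline Templates release-job documentation referenced above; the resource alias `buildTools`, the artifact names, the pool name and the tarball filename pattern are placeholders, not values taken from the PR.

```yaml
# Added example of a 1ES release job, not the FluidFramework template itself.
# Names marked (placeholder) are assumptions, not values from the PR.
parameters:
- name: testBuild
  type: boolean
  default: true

resources:
  pipelines:
  - pipeline: buildTools                 # resource alias (placeholder)
    source: 'Build - Build tools'        # upstream pipeline named in the PR
    branch: main                         # which run's artifacts to consume (placeholder)

jobs:
- job: publish_npm_package
  displayName: Publish npm package (1ES release job)
  pool:
    name: 1es-hosted-pool                # must be a 1ES hosted pool (placeholder name)
    os: linux
  templateContext:
    type: releaseJob
    # Production vs. non-production is derived from the testBuild parameter:
    # a test build is never classified as a production release.
    isProduction: ${{ not(parameters.testBuild) }}
    # Everything the job consumes is declared here. No DownloadPipelineArtifact
    # task and no checkout step appear in the steps below, so the 1ES
    # requirement that all inputs be scanned build outputs is enforced.
    inputs:
    - input: pipelineArtifact
      pipeline: buildTools               # from the pipeline resource above
      artifactName: build-tools-tarball  # (placeholder)
      targetPath: $(Pipeline.Workspace)/build-tools
    - input: pipelineArtifact
      artifactName: pack                 # pack artifact from this pipeline's build stage (placeholder name)
      targetPath: $(Pipeline.Workspace)/pack
  steps:
  - checkout: none                       # release jobs may not check out repositories
  - bash: |
      set -euo pipefail
      # Install the build tools from the prebuilt tarball; nothing is compiled here.
      # PIPELINE_WORKSPACE is the environment form of $(Pipeline.Workspace).
      tarball=$(find "${PIPELINE_WORKSPACE}/build-tools" -maxdepth 1 -name '*.tgz' | head -n 1)
      if [ -z "${tarball}" ]; then
        echo "build tools tarball not found in ${PIPELINE_WORKSPACE}/build-tools" >&2
        exit 1
      fi
      npm install -g "${tarball}"
    displayName: Install build tools from tarball
```

The publish step that follows would operate only on `$(Pipeline.Workspace)/pack`; because the job has no checkout and no build step, a 1ES scan of the declared inputs covers everything the job can publish.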

@seanimam seanimam requested review from Copilot, alexvy86, tylerbutler and frankmueller-msft and removed request for Copilot March 21, 2025 18:03
@github-actions github-actions bot added base: release PRs targeted against a release branch area: build Build related issues labels Mar 21, 2025

WARNING: This PR is targeting a release branch!

All changes must first be merged into main and then backported to the target release branch.
Please include a link to the main PR in the description of this PR.

Changes to release branches require approval from the Patch Triage group before merging.
You should have already discussed this change with them so they know to expect it.

For more details, see our internal documentation for the patch policy and processes for
patch releases.

@seanimam seanimam changed the title Upgrades publish npm package deployment and adds upstream build tools… Upgrades release/client/2.23 pipeline deployment jobs to be 1ES compliant Mar 21, 2025
@seanimam seanimam merged commit 1325953 into release/client/2.23 Mar 24, 2025
73 checks passed
@seanimam seanimam deleted the test/seanimam/upgradeRelease2.23To1ESRelease branch March 24, 2025 20:00