ci(extension): lint lockfile tarball hosts against the dotnet-public-npm mirror #17403

Draft
radical wants to merge 1 commit into microsoft:main from radical:ankj/lint-extension-lockfile-mirror

Member

@radical radical commented May 23, 2026

The internal microsoft-aspire pipeline runs `yarn install` from extension/Extension.proj and can only reach the dotnet-public-npm mirror at pkgs.dev.azure.com. Any `resolved` URL in extension/yarn.lock or extension/package-lock.json that points elsewhere makes the install fail with `connect EACCES 192.0.2.14:443`. This has now broken main twice — PR #16489 (postcss/uuid) and PR #17361 (tree-sitter, #17399) — and both times the bad URLs cleared PR CI undetected because GitHub runners have unrestricted egress and silently pulled from registry.npmjs.org.

The fix

New workflow .github/workflows/extension-lockfile-lint.yml, triggered on PRs and pushes touching extension/**. It asserts:

  • Every `resolved` URL in extension/yarn.lock and extension/package-lock.json points at the dotnet-public-npm mirror.
  • extension/.npmrc and extension/.yarnrc do not contain `replace-registry-host=never` (the knob #17361 used to disable Yarn's default host rewrite).

Sub-second pure-grep step, no network or Node dependency.

Verified by replaying the lint against origin/main: it exits 1 and flags all six bad resolved URLs plus the .npmrc knob. Against the tree from #17402 (the unblock-main PR) it exits 0.

Why not also switch PR CI to yarn

I considered flipping extension_tests_win from npm install to yarn install --frozen-lockfile so PR CI uses the same toolchain as the internal pipeline. Two reasons not to:

  • It does not strengthen detection of this failure mode — the lint catches it cleanly.
  • GitHub Actions runs anonymously against dnceng/public. The feed serves cached tarballs anonymously but returns 401 for any tarball upstream hasn't been lazily pulled yet ("please provide authentication to access versions from upstream that have not yet been saved to your feed"). So every PR adding a new transitive dep would 401 in PR CI until an authenticated internal run primes the cache — a new flaky failure mode for no added coverage. Killing the npm/yarn divergence properly would mean deleting extension/package-lock.json and the overrides block; better as its own PR.

The internal microsoft-aspire pipeline runs `yarn install` from
extension/Extension.proj and can only reach the dotnet-public-npm mirror.
Any `resolved` URL in extension/yarn.lock or extension/package-lock.json
that points elsewhere makes the install fail with
`connect EACCES 192.0.2.14:443`. This has broken main twice -- PR microsoft#16489
(postcss/uuid) and PR microsoft#17361 (tree-sitter, microsoft#17399) -- and both times the
bad URLs cleared PR CI undetected because GitHub runners have
unrestricted egress and silently pulled from registry.npmjs.org.

New workflow .github/workflows/extension-lockfile-lint.yml, triggered on
PRs and pushes. It asserts:

- Every `resolved` URL in extension/yarn.lock and extension/package-lock.json
  points at the dotnet-public-npm mirror.
- extension/.npmrc and extension/.yarnrc do not contain
  `replace-registry-host=never` (the knob microsoft#17361 used to disable Yarn's
  default host rewrite).

Sub-second pure-grep step, no network or Node dependency. Verified by
replaying the lint against the pre-microsoft#17402 origin/main tree: exit 1 and
flags all six bad URLs plus the .npmrc knob. Against the microsoft#17402 tree:
exit 0.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
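
One way to implement the two assertions described above, as an added example; it is not the workflow from this PR, whose script the page does not show. The function names are hypothetical, and the mirror prefix is an argument supplied by the caller rather than the real feed URL.

```shell
#!/bin/sh
# Added example, not the PR's workflow. The mirror prefix is passed in by the
# caller; nothing here hard-codes the real feed URL.

# Print "file:line: url" for each `resolved` entry in $2 not under prefix $1.
bad_resolved_urls() {
    prefix=$1 file=$2
    [ -f "$file" ] || return 0
    # yarn.lock:          resolved "https://host/pkg.tgz#sha1"
    # package-lock.json:  "resolved": "https://host/pkg.tgz",
    { grep -nE '^[[:space:]]*"?resolved"?:?[[:space:]]+"' "$file" || true; } |
    while IFS= read -r line; do
        n=${line%%:*}
        url=$(printf '%s\n' "$line" |
            sed -E 's/^[0-9]+:[[:space:]]*"?resolved"?:?[[:space:]]+"([^"]*)".*/\1/')
        case $url in
            "$prefix"*) ;;                                   # on the mirror
            *) printf '%s:%s: %s\n' "$file" "$n" "$url" ;;   # anything else
        esac
    done
}

# Exit 0 when rc file $1 has an active replace-registry-host=never setting.
has_host_rewrite_knob() {
    [ -f "$1" ] &&
        grep -qE '^[[:space:]]*replace-registry-host[[:space:]]*=[[:space:]]*never' "$1"
}

# Lint one extension directory ($2) against mirror prefix ($1); 1 = flagged.
lint_extension() {
    prefix=$1 dir=$2 status=0
    for lock in "$dir/yarn.lock" "$dir/package-lock.json"; do
        bad=$(bad_resolved_urls "$prefix" "$lock")
        if [ -n "$bad" ]; then printf '%s\n' "$bad" >&2; status=1; fi
    done
    for rc in "$dir/.npmrc" "$dir/.yarnrc"; do
        if has_host_rewrite_knob "$rc"; then
            echo "$rc: replace-registry-host=never is set" >&2
            status=1
        fi
    done
    return "$status"
}

# Usage: lockfile-lint.sh <mirror-prefix> <extension-dir>
if [ "$#" -eq 2 ]; then lint_extension "$1" "$2"; fi
```

Pass the prefix with its trailing slash: the match is a literal string prefix, so a bare `https://pkgs.dev.azure.com` would also accept a longer hostname that merely begins with those characters.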
@github-actions
Contributor

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17403

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17403"
