
Private PR validation pipeline publishes tags to ACR based only on `internal` TEAMPROJECT variable

Open • dagood opened this issue 3 years ago • 1 comment

If the build is internal, this adds `--push`:

https://github.com/dotnet/docker-tools/blob/e7f18726f562a97522eaf71ceaad64b316c6998b/eng/common/templates/jobs/build-images.yml#L66-L68

Running PR validation of a private repo on an internal pipeline ends up publishing Docker images to the ACR in a `build-staging/{build-id}/...` repo. This isn't dangerous, but:

  • PR submitters might need to be aware of this to avoid posting infra PRs that would have bad effects on the ACR when these internal checks are true.
  • CI costs more due to the ACR publish.

It seems worthwhile to me to tweak my copy of eng/common to avoid the drawbacks for now.

(There are other checks for internal throughout the templates, but I'm not sure if they're as impactful.)

It might be out of scope for dotnet/docker-tools to support private repo PR validation. The repo I'm working on now is only temporarily private, anyway.

dagood, Aug 09 '21 21:08
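
A gate of the kind the issue above asks for, as an added example that is not part of the original issue and is not the docker-tools template: the push argument is set only when the run is in the `internal` project and was not triggered by a pull request. `System.TeamProject` and `Build.Reason` are Azure Pipelines predefined variables; `pushArg` and `build.sh` are hypothetical names.

```yaml
# Added example: not the contents of eng/common/templates/jobs/build-images.yml.
# System.TeamProject and Build.Reason are Azure Pipelines predefined variables;
# pushArg and build.sh are hypothetical names.
variables:
  # Weak gate (the behaviour the issue reports): every run in the internal
  # project gets --push, including PR validation of a private repo.
  #
  # - ${{ if eq(variables['System.TeamProject'], 'internal') }}:
  #   - name: pushArg
  #     value: --push

  # Tighter gate: push only for internal runs that were not started by a PR.
  - ${{ if and(eq(variables['System.TeamProject'], 'internal'), ne(variables['Build.Reason'], 'PullRequest')) }}:
    - name: pushArg
      value: --push
  # Public project, or PR validation anywhere: build but do not publish.
  - ${{ if or(ne(variables['System.TeamProject'], 'internal'), eq(variables['Build.Reason'], 'PullRequest')) }}:
    - name: pushArg
      value: ''

steps:
  # Hypothetical build step; the image is only pushed when pushArg is non-empty.
  - script: ./build.sh $(pushArg)
    displayName: Build images
```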

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.