From f98ad20dcc801e6627f05e9e1fd76de3037be29c Mon Sep 17 00:00:00 2001
From: Max Schmitt <max@schmitt.mx>
Date: Thu, 7 Mar 2024 20:18:20 +0100
Subject: [PATCH] devops: mark Docker images as EOL (#1505)

---
 utils/docker/.gitignore        |  2 ++
 utils/docker/publish_docker.sh | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 utils/docker/.gitignore

diff --git a/utils/docker/.gitignore b/utils/docker/.gitignore
new file mode 100644
index 00000000..f5ca1e18
--- /dev/null
+++ b/utils/docker/.gitignore
@@ -0,0 +1,2 @@
+oras/
+
diff --git a/utils/docker/publish_docker.sh b/utils/docker/publish_docker.sh
index 9811d8b0..1564c52c 100755
--- a/utils/docker/publish_docker.sh
+++ b/utils/docker/publish_docker.sh
@@ -56,6 +56,27 @@ tag_and_push() {
   echo "-- tagging: $target"
   docker tag $source $target
   docker push $target
+  attach_eol_manifest $target
+}
+
+attach_eol_manifest() {
+  local image="$1"
+  local today=$(date -u +'%Y-%m-%d')
+  install_oras_if_needed
+  # oras is re-using Docker credentials, so we don't need to login.
+  # Following the advice in https://portal.microsofticm.com/imp/v3/incidents/incident/476783820/summary
+  ./oras/oras attach --artifact-type application/vnd.microsoft.artifact.lifecycle --annotation "vnd.microsoft.artifact.lifecycle.end-of-life.date=$today" $image
+}
+
+install_oras_if_needed() {
+  if [[ -x oras/oras ]]; then
+    return
+  fi
+  local version="1.1.0"
+  curl -sLO "https://github.com/oras-project/oras/releases/download/v${version}/oras_${version}_linux_amd64.tar.gz"
+  mkdir -p oras
+  tar -zxf oras_${version}_linux_amd64.tar.gz -C oras
+  rm oras_${version}_linux_amd64.tar.gz
 }
 
 publish_docker_images_with_arch_suffix() {