devops(docker): enhance Docker image publishing with ORAS end-of-life tagging (#641)

This tags the images we publish as EOL immediately in order to get excluded from the image scanning. Like we do upstream in microsoft/playwright.
2025-07-25 07:52:27 +08:00 · 2025-07-07 23:08:12 +02:00 · 2025-07-07 23:08:12 +02:00 · f5b68dc590
commit f5b68dc590
parent 875bd3b6ec
1 changed files with 15 additions and 0 deletions
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -44,6 +44,7 @@ jobs:
      - name: Login to ACR
        run: az acr login --name playwright
      - name: Build and push Docker image
+        id: build-push
        uses: docker/build-push-action@v6
        with:
          context: .
@ -53,3 +54,17 @@ jobs:
          tags: |
            playwright.azurecr.io/public/playwright/mcp:${{ github.event.release.tag_name }}
            playwright.azurecr.io/public/playwright/mcp:latest
+      - uses: oras-project/setup-oras@v1
+      - name: Set oras tags
+        run: |
+          attach_eol_manifest() {
+            local image="$1"
+            local today=$(date -u +'%Y-%m-%d')
+            # oras is re-using Docker credentials, so we don't need to login.
+            # Following the advice in https://portal.microsofticm.com/imp/v3/incidents/incident/476783820/summary
+            oras attach --artifact-type application/vnd.microsoft.artifact.lifecycle --annotation "vnd.microsoft.artifact.lifecycle.end-of-life.date=$today" $image
+          }
+          # for each tag, attach the eol manifest
+          for tag in $(echo ${{ steps.build-push.outputs.metadata['image.name'] }} | tr ',' '\n'); do
+            attach_eol_manifest $tag
+          done