attach EOL during image creation

.pipelines/containerSourceData/scripts/BuildGoldenContainer.sh

@@ -204,12 +204,14 @@ function initialization {
     # the below value of DISTRO_IDENTIFIER in the image tag.
     # TODO: We may need to update this value for Azure Linux 3.0.
     DISTRO_IDENTIFIER="cm"
+    END_OF_LIFE_1_YEAR=$(date -d "+1 year" "+%Y-%m-%dT%H:%M:%SZ")
 
     echo "Golden Image Name             -> $GOLDEN_IMAGE_NAME"
     echo "Base ACR Container Name       -> $BASE_IMAGE_NAME"
     echo "Base ACR Container Tag        -> $BASE_IMAGE_TAG"
     echo "Azure Linux Version           -> $AZURE_LINUX_VERSION"
     echo "Distro Identifier             -> $DISTRO_IDENTIFIER"
+    echo "End of Life                   -> $END_OF_LIFE_1_YEAR"
 }
 
 function prepare_dockerfile {
@@ -322,16 +324,31 @@ function finalize {
     echo "$GOLDEN_IMAGE_NAME_FINAL" >> "$OUTPUT_DIR/PublishedContainers-$IMAGE.txt"
 }
 
+function oras_attach {
+    local image_name=$1
+    oras attach \
+        --artifact-type "application/vnd.microsoft.artifact.lifecycle" \
+        --annotation "vnd.microsoft.artifact.lifecycle.end-of-life.date=$END_OF_LIFE_1_YEAR" \
+        "$image_name"
+}
+
 function publish_to_acr {
     CONTAINER_IMAGE=$1
     if [[ ! "$PUBLISH_TO_ACR" =~ [Tt]rue ]]; then
         echo "+++ Skip publishing to ACR"
         return
     fi
+    local oras_access_token
+
+    echo "+++ az login into Azure ACR $ACR"
+    oras_access_token=$(az acr login --name "$ACR" --expose-token --output tsv --query accessToken)
+    oras login "$ACR.azurecr.io" \
+        --username "00000000-0000-0000-0000-000000000000" \
+        --password "$oras_access_token"
+
     echo "+++ Publish container $CONTAINER_IMAGE"
-    echo "login into ACR: $ACR"
-    az acr login --name "$ACR"
     docker image push "$CONTAINER_IMAGE"
+    oras_attach "$CONTAINER_IMAGE"
 }
 
 function generate_image_sbom {

.pipelines/containerSourceData/scripts/PublishContainers.sh

@@ -264,13 +264,11 @@ do
 
         amd64_image=${image_name%-*}-amd64
         docker pull "$amd64_image"
-        oras_attach "$amd64_image"
 
         # Some container images are only built for AMD64 architecture.
         if [[ $ARCHITECTURE_TO_BUILD == *"ARM64"*  ]]; then
             arm64_image=${image_name%-*}-arm64
             docker pull "$arm64_image"
-            oras_attach "$arm64_image"
         fi
 
         if [[ $container_registry != "$TARGET_ACR" ]]; then