I have a pipeline in Azure DevOps with a task that pushes a Docker image to an Azure Container Registry. I want to know if there's a way to prevent this task from overwriting any existing Docker tags/images.
1 Answer
5 votes
By default, a tagged image in Azure Container Registry is mutable, so with appropriate permissions you can repeatedly update and push an image with the same tag to a registry. Container images can also be deleted as needed. This behavior is useful when you develop images and need to maintain a size for your registry.
However, when you deploy a container image to production, you might need an immutable container image. An immutable image is one that you can't accidentally delete or overwrite.
Using the Azure CLI, to lock a single image by tag:
    az acr repository update \
        --name myregistry --image myrepo/myimage:tag \
        --write-enabled false
You can also lock the entire repository:
    az acr repository update \
        --name myregistry --repository myrepo/myimage \
        --write-enabled false
There's also a --delete-enabled argument to prevent images or repos from being deleted (though they can still be overwritten).
Azure CLI task to run the lock step in your pipeline. If the answer could solve your issue, you could consider accepting it as the answer. – Kevin Lu-MSFT
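The lock step from the answer, wrapped for use in a pipeline script, as an added example that is not part of the original answer or comment: one function to run before the push task and one after it. The function names and return codes are hypothetical; the commands are the `az acr repository update` call shown above plus `az acr repository show` to read the attributes back.

```shell
#!/usr/bin/env bash
# Added example; registry and image names are supplied by the pipeline.

# Run BEFORE the push task. Returns 1 if the tag is already in the registry.
# "show" also fails on auth or network errors, so a 0 here is only a fast
# pre-check; the lock applied after the push is what actually enforces it.
refuse_if_tag_exists() {
    local registry="$1" image="$2"
    if az acr repository show --name "$registry" --image "$image" \
            --output none 2>/dev/null; then
        echo "refusing to push: $image already exists in $registry" >&2
        return 1
    fi
    return 0
}

# Run AFTER the push task. Locks the tag against overwrite and deletion,
# then reads the attributes back and fails unless both are disabled.
# Returns 2 if an az call fails, 1 if the lock did not take effect.
lock_and_verify() {
    local registry="$1" image="$2" attrs
    az acr repository update --name "$registry" --image "$image" \
        --write-enabled false --delete-enabled false --output none || return 2
    attrs=$(az acr repository show --name "$registry" --image "$image" \
        --query '[changeableAttributes.writeEnabled, changeableAttributes.deleteEnabled]' \
        --output tsv) || return 2
    # Normalise case and join the two values onto one line: "false false".
    attrs=$(printf '%s\n' "$attrs" | tr '[:upper:]' '[:lower:]' | xargs)
    if [ "$attrs" != "false false" ]; then
        echo "lock not applied to $image (writeEnabled deleteEnabled = $attrs)" >&2
        return 1
    fi
    echo "locked $image"
}

# Usage in an Azure CLI task (values taken from the answer's examples):
#   refuse_if_tag_exists myregistry myrepo/myimage:tag || exit 1
#   ...push task runs here...
#   lock_and_verify myregistry myrepo/myimage:tag || exit 1
```

Because the pre-check cannot tell "tag not found" from other failures, a tag left unlocked by an earlier failed run can still be overwritten; treat a non-zero result from `lock_and_verify` as a failed build.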