From 74cb66c8096682bbd86993fae5754f2b200ee06c Mon Sep 17 00:00:00 2001
From: joe-braley <joebraley@microsoft.com>
Date: Wed, 4 Feb 2026 14:10:45 -0800
Subject: [PATCH 1/9] wip: adjust how we call signing process

---
 .devops/build.yml                        | 262 +++++++++--------------
 .devops/templates/annotate-image.yml     |  64 ++++++
 .devops/templates/prepare-annotation.yml |  51 +++++
 scripts/build-image.sh                   |  81 ++++++-
 scripts/image-annotation.sh              |  41 ++--
 5 files changed, 316 insertions(+), 183 deletions(-)
 create mode 100644 .devops/templates/annotate-image.yml
 create mode 100644 .devops/templates/prepare-annotation.yml

diff --git a/.devops/build.yml b/.devops/build.yml
index f6577b2..c01a9a2 100644
--- a/.devops/build.yml
+++ b/.devops/build.yml
@@ -13,6 +13,7 @@ trigger:
     exclude:
       - .devops
       - .github/workflows
+
 pr: none
 
 parameters:
@@ -20,43 +21,25 @@ parameters:
     type: string
   - name: feed
     type: string
-  - name: package
+  - name: az_package
     type: string
+    displayName: "Oras package name"
+  - name: dryrun
+    displayName: "Execute a dry run?"
+    type: boolean
+    default: false
   - name: jobs
     type: object
     default:
       azurelinux_8:
-        new_LTS_image: false
+        hasExistingImages: true
         distro: azurelinux
         version: 8
         package: temurin-8
         image: "image-repository"
         tag: "3.0"
-      distroless_8:
-        new_LTS_image: false
-        distro: distroless
-        version: 8
-        package: temurin-8
-        installer_image: "image-repository"
-        installer_tag: "3.0"
-        base_image: "image-repository"
-        base_tag: "3.0"
-      ubuntu_11:
-        new_LTS_image: false
-        distro: ubuntu
-        version: 11
-        package: msopenjdk-11
-        image: "image-repository"
-        tag: "image-tag"
-      azurelinux_11:
-        new_LTS_image: false
-        distro: azurelinux
-        version: 11
-        package: msopenjdk-11
-        image: "image-repository"
-        tag: "3.0"
       distroless_11:
-        new_LTS_image: false
+        hasExistingImages: true
         distro: distroless
         version: 11
         package: msopenjdk-11
@@ -65,51 +48,19 @@ parameters:
         base_image: "image-repository"
         base_tag: "3.0"
       ubuntu_17:
-        new_LTS_image: false
+        hasExistingImages: true
         distro: ubuntu
         version: 17
         package: msopenjdk-17
         image: "image-repository"
         tag: "image-tag"
-      azurelinux_17:
-        new_LTS_image: false
-        distro: azurelinux
-        version: 17
-        package: msopenjdk-17
-        image: "image-repository"
-        tag: "3.0"
-      distroless_17:
-        new_LTS_image: false
-        distro: distroless
-        version: 17
-        package: msopenjdk-17
-        installer_image: "image-repository"
-        installer_tag: "3.0"
-        base_image: "image-repository"
-        base_tag: "3.0"
-      ubuntu_21:
-        new_LTS_image: false
-        distro: ubuntu
-        version: 21
-        package: msopenjdk-21
-        image: "image-repository"
-        tag: "image-tag"
       azurelinux_21:
-        new_LTS_image: false
+        hasExistingImages: true
         distro: azurelinux
         version: 21
         package: msopenjdk-21
         image: "image-repository"
         tag: "3.0"
-      distroless_21:
-        new_LTS_image: false
-        distro: distroless
-        version: 21
-        package: msopenjdk-21
-        installer_image: "image-repository"
-        installer_tag: "3.0"
-        base_image: "image-repository"
-        base_tag: "3.0"
 
 resources:
   repositories:
@@ -127,83 +78,82 @@ extends:
         os: windows
     stages:
       - stage: build_internal
-        displayName: "Build Internal"
+        displayName: Build Internal
+        variables:
+          ACR_NAME: msopenjdk
         jobs:
           - job: build_internal
-            displayName: "build internal"
             pool:
               name: JEG-azurelinux-x64-release
               os: linux
             strategy:
               matrix: ${{ parameters.jobs }}
             steps:
-              - task: AzureCLI@2
-                displayName: "Download ORAS"
-                condition: ne( variables['new_LTS_image'], true)
-                inputs:
-                  azureSubscription: "JEG-Infrastructure"
-                  scriptType: "bash"
-                  scriptLocation: "scriptPath"
-                  scriptPath: $(Build.SourcesDirectory)/scripts/install-oras.sh
-                env:
-                  AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)
-                  ORAS_VERSION: 1.1.0
-                  ORGANIZATION: ${{ parameters.organization }}
-                  FEED: ${{ parameters.feed }}
-                  NAME: ${{ parameters.package }}
+              - template: /.devops/templates/prepare-annotation.yml@self
+                parameters:
+                  registry: $(INTERNAL_ACR_REGISTRY)
+                  tag: $(version)-$(distro)
 
               - bash: |
-                  REGISTRIES=msopenjdk.azurecr.io/internal/private/openjdk/jdk:$(version)-$(distro)
+                  REGISTRIES=$(INTERNAL_ACR_REGISTRY):$(version)-$(distro)
                   if [[ "$(distro)" == "azurelinux" ]]; then
-                    REGISTRIES+=";msopenjdk.azurecr.io/internal/private/openjdk/jdk:$(version)-mariner"
+                    REGISTRIES+=";$(INTERNAL_ACR_REGISTRY):$(version)-mariner"
                   fi
                   echo "##vso[task.setvariable variable=REGISTRIES]$REGISTRIES"
                 displayName: Set REGISTRIES variable
 
-              - task: AzureCLI@2
-                displayName: Annotate previous image
-                condition: ne( variables['new_LTS_image'], true)
-                inputs:
-                  azureSubscription: "JEG-Infrastructure"
-                  scriptType: "bash"
-                  scriptLocation: "scriptPath"
-                  scriptPath: $(Build.SourcesDirectory)/scripts/image-annotation.sh
-                env:
-                  ACR_NAME: msopenjdk
-                  REGISTRIES: $(REGISTRIES)
               - task: AzureCLI@2
                 inputs:
                   azureSubscription: "JEG-Infrastructure"
                   scriptType: "bash"
                   scriptLocation: "scriptPath"
                   scriptPath: $(Build.SourcesDirectory)/scripts/build-image.sh
-                displayName: build image
-                env:
-                  REGISTRY_TAGS: $(REGISTRIES)
-                  IMAGE: $(image)
-                  TAG: $(tag)
-                  PACKAGE: $(package)
-                  DISTRIBUTION: $(distro)
-                  INSTALLER_IMAGE: $(installer_image)
-                  INSTALLER_TAG: $(installer_tag)
+                  ${{ if eq(parameters.dryrun, true) }}:
+                    arguments: >
+                      --image $(image)
+                      --tag $(tag)
+                      --package $(package)
+                      --distribution $(distro)
+                      --registries $(REGISTRIES)
+                      --installer-image $(installer_image)
+                      --installer-tag $(installer_tag)
+                      --dryrun
+                  ${{ else }}:
+                    arguments: >
+                      --image $(image)
+                      --tag $(tag)
+                      --package $(package)
+                      --distribution $(distro)
+                      --registries $(REGISTRIES)
+                      --installer-image $(installer_image)
+                      --installer-tag $(installer_tag)
+                displayName: build container image
+
+              - template: /.devops/templates/annotate-image.yml@self
+                parameters:
+                  registry: $(INTERNAL_ACR_REGISTRY)
+                  organization: ${{ parameters.organization }}
+                  feed: ${{ parameters.feed }}
+                  package: ${{ parameters.az_package }}
+                  dryrun: ${{ parameters.dryrun }}
+
 
       - stage: validate_and_publish
         displayName: "Validate & Publish"
         dependsOn: build_internal
         jobs:
+
           - job: wait_for_validation
             displayName: wait for validation
             pool: server
             steps:
               - task: ManualValidation@0
-                # 3 days
-                timeoutInMinutes: 4320
+                timeoutInMinutes: 4320 # Three days
                 inputs:
                   instructions: "please validate the build configuration, artifacts, tests, and resume"
                   onTimeout: "resume"
 
           - job: build_public
-            displayName: "build public "
             dependsOn: wait_for_validation
             pool:
               name: JEG-azurelinux-x64-release
@@ -211,73 +161,69 @@ extends:
             strategy:
               matrix: ${{ parameters.jobs }}
             steps:
-              - task: AzureCLI@2
-                displayName: "Download ORAS"
-                condition: ne( variables['new_LTS_image'], true)
-                inputs:
-                  azureSubscription: "JEG-Infrastructure"
-                  scriptType: "bash"
-                  scriptLocation: "scriptPath"
-                  scriptPath: $(Build.SourcesDirectory)/scripts/install-oras.sh
-                env:
-                  AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)
-                  ORAS_VERSION: 1.1.0
-                  ORGANIZATION: ${{ parameters.organization }}
-                  FEED: ${{ parameters.feed }}
-                  NAME: ${{ parameters.package }}
+              - template: /.devops/templates/prepare-annotation.yml@self
+                parameters:
+                  registry: $(ACR_REGISTRY)
+                  tag: $(version)-$(distro)
 
               - bash: |
-                  REGISTRIES=msopenjdk.azurecr.io/public/openjdk/jdk:$(version)-$(distro)
-                  TAGS="$(version)-$(distro)"
+                  REGISTRIES=$(ACR_REGISTRY):$(version)-$(distro)
                   if [[ "$(distro)" == "azurelinux" ]]; then
-                    REGISTRIES+=";msopenjdk.azurecr.io/public/openjdk/jdk:$(version)-mariner"
+                    REGISTRIES+=";$(ACR_REGISTRY):$(version)-mariner"
                   fi
                   echo "##vso[task.setvariable variable=REGISTRIES]$REGISTRIES"
-                  echo "##vso[task.setvariable variable=TAGS]$TAGS"
-                displayName: Set environment variables
+                displayName: Set REGISTRIES variable
 
               - task: AzureCLI@2
-                displayName: Annotate previous image
-                condition: ne( variables['new_LTS_image'], true)
                 inputs:
                   azureSubscription: "JEG-Infrastructure"
                   scriptType: "bash"
                   scriptLocation: "scriptPath"
-                  scriptPath: $(Build.SourcesDirectory)/scripts/image-annotation.sh
-                env:
-                  ACR_NAME: msopenjdk
-                  REGISTRIES: $(REGISTRIES)
+                  scriptPath: $(Build.SourcesDirectory)/scripts/build-image.sh
+                  ${{ if eq(parameters.dryrun, true) }}:
+                    arguments: >
+                      --image $(image)
+                      --tag $(tag)
+                      --package $(package)
+                      --distribution $(distro)
+                      --registries $(REGISTRIES)
+                      --installer-image $(installer_image)
+                      --installer-tag $(installer_tag)
+                      --dryrun
+                  ${{ else }}:
+                    arguments: >
+                      --image $(image)
+                      --tag $(tag)
+                      --package $(package)
+                      --distribution $(distro)
+                      --registries $(REGISTRIES)
+                      --installer-image $(installer_image)
+                      --installer-tag $(installer_tag)
+                displayName: build container image
 
-              - task: AzureCLI@2
-                inputs:
-                  azureSubscription: "JEG-Infrastructure"
-                  scriptType: "bash"
-                  scriptLocation: "scriptPath"
-                  scriptPath: scripts/build-image.sh
-                displayName: build image
-                env:
-                  REGISTRY_TAGS: $(REGISTRIES)
-                  IMAGE: $(image)
-                  TAG: $(tag)
-                  PACKAGE: $(package)
-                  DISTRIBUTION: $(distro)
-                  INSTALLER_IMAGE: $(installer_image)
-                  INSTALLER_TAG: $(installer_tag)
+              - template: /.devops/templates/annotate-image.yml@self
+                parameters:
+                  registry: $(ACR_REGISTRY)
+                  organization: ${{ parameters.organization }}
+                  feed: ${{ parameters.feed }}
+                  package: ${{ parameters.az_package }}
+                  dryrun: ${{ parameters.dryrun }}
 
-              - task: AzureCLI@2
-                displayName: Trigger image signing
-                env:
-                  AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)
-                inputs:
-                  azureSubscription: "JEG-Infrastructure"
-                  scriptType: "bash"
-                  scriptLocation: "inlineScript"
-                  inlineScript: |
-                    az pipelines run \
-                      --branch main \
-                      --org ${{ parameters.organization }} \
-                      --project $(OPENJDK_PROJECT) \
-                      --id $(OPENJDK_SIGNING_ID) \
-                      --parameters openjdk_tags="[$(TAGS)]" \
-                        image_registry="msopenjdk.azurecr.io/public/openjdk" \
-                        image_name="jdk"
+              - ${{ if ne(parameters.dryrun, true) }}:
+                - task: AzureCLI@2
+                  displayName: Trigger signing
+                  env:
+                    AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)
+                  inputs:
+                    azureSubscription: "JEG-Infrastructure"
+                    scriptType: "bash"
+                    scriptLocation: "inlineScript"
+                    inlineScript: |
+                      az pipelines run \
+                        --branch main \
+                        --org ${{ parameters.organization }} \
+                        --project $(OPENJDK_PROJECT) \
+                        --id $(OPENJDK_SIGNING_ID) \
+                        --parameters registry="$(ACR_REGISTRY)" \
+                          reference="$(containerImageDigest)" \
+                          reference_type="container_digest"
\ No newline at end of file
diff --git a/.devops/templates/annotate-image.yml b/.devops/templates/annotate-image.yml
new file mode 100644
index 0000000..68449cf
--- /dev/null
+++ b/.devops/templates/annotate-image.yml
@@ -0,0 +1,64 @@
+parameters:
+  - name: registry
+    type: string
+  - name: organization
+    type: string
+  - name: feed
+    type: string
+  - name: package
+    type: string
+  - name: dryrun
+    type: boolean
+    default: false
+
+steps:
+  - task: AzureCLI@2
+    displayName: Download ORAS
+    condition: eq(variables['hasExistingImages'], 'true')
+    inputs:
+      azureSubscription: "JEG-Infrastructure"
+      scriptType: "bash"
+      scriptLocation: "scriptPath"
+      scriptPath: $(Build.SourcesDirectory)/scripts/install-oras.sh
+    env:
+      AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)
+      ORAS_VERSION: 1.1.0
+      ORGANIZATION: ${{ parameters.organization }}
+      FEED: ${{ parameters.feed }}
+      NAME: ${{ parameters.package }}
+
+  - task: AzureCLI@2
+    displayName: Annotate previous amd64 as EOL
+    condition: eq(variables['hasExistingImages'], 'true')
+    inputs:
+      azureSubscription: "JEG-Infrastructure"
+      scriptType: "bash"
+      scriptLocation: "scriptPath"
+      scriptPath: $(Build.SourcesDirectory)/scripts/image-annotation.sh
+      ${{ if eq(parameters.dryrun, true) }}:
+        arguments: >
+          -r ${{ parameters.registry }}
+          -m $(imageDigestAmd64)
+          -d
+      ${{ else }}:
+        arguments: >
+          -r ${{ parameters.registry }}
+          -m $(imageDigestAmd64)
+
+  - task: AzureCLI@2
+    displayName: Annotate previous arm64 as EOL
+    condition: eq(variables['hasExistingImages'], 'true')
+    inputs:
+      azureSubscription: "JEG-Infrastructure"
+      scriptType: "bash"
+      scriptLocation: "scriptPath"
+      scriptPath: $(Build.SourcesDirectory)/scripts/image-annotation.sh
+      ${{ if eq(parameters.dryrun, true) }}:
+        arguments: >
+          -r ${{ parameters.registry }}
+          -m $(imageDigestArm64)
+          -d
+      ${{ else }}:
+        arguments: >
+          -r ${{ parameters.registry }}
+          -m $(imageDigestArm64)
\ No newline at end of file
diff --git a/.devops/templates/prepare-annotation.yml b/.devops/templates/prepare-annotation.yml
new file mode 100644
index 0000000..d3f92ec
--- /dev/null
+++ b/.devops/templates/prepare-annotation.yml
@@ -0,0 +1,51 @@
+parameters:
+  - name: registry
+    type: string
+  - name: tag
+    type: string
+
+steps:
+
+  - task: AzureCLI@2
+    displayName: Gather container image manifests
+    condition: eq(variables['hasExistingImages'], 'true')
+    inputs:
+      azureSubscription: "JEG-Infrastructure"
+      scriptType: "bash"
+      scriptLocation: inlineScript
+      inlineScript: |
+        az acr login --name $(ACR_NAME)
+        manifest=$(az acr manifest show ${{ parameters.registry }}:${{ parameters.tag }} -o json | jq -c .)
+        echo "##vso[task.setvariable variable=manifest]$manifest"
+
+  - task: PythonScript@0
+    displayName: Output image digest variables
+    condition: eq(variables['hasExistingImages'], 'true')
+    env:
+      manifest: $(manifest)
+    inputs:
+      scriptSource: 'inline'
+      script: |
+        import json
+        import os
+
+        amd64_digest = ""
+        arm64_digest = ""
+        manifest = json.loads(os.environ.get('manifest', {}))
+
+        if not manifest:
+            print("##vso[task.logissue type=error]Container image manifest is empty or null. Unable to retrieve image digests!")
+            exit(1)
+
+        for descriptor in manifest['manifests']:
+            if descriptor['platform']['architecture'] == 'amd64':
+                amd64_digest = descriptor['digest']
+            elif descriptor['platform']['architecture'] == 'arm64':
+                arm64_digest = descriptor['digest']
+
+        # Theoretically, we should always have both, but log a warning in the event one is not found
+        if not amd64_digest or not arm64_digest:
+            print(f"##vso[task.logissue type=warning]Missing one of amd64_digest: {amd64_digest} or arm64_digest: {arm64_digest}.")
+
+        print(f"##vso[task.setvariable variable=imageDigestAmd64]{amd64_digest}")
+        print(f"##vso[task.setvariable variable=imageDigestArm64]{arm64_digest}")
diff --git a/scripts/build-image.sh b/scripts/build-image.sh
index 16628dc..4d4f84c 100644
--- a/scripts/build-image.sh
+++ b/scripts/build-image.sh
@@ -1,18 +1,83 @@
 #!/bin/bash
+
+dryRun=false
+
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        -i | --image)
+            image="$2";
+            shift 2
+            ;;
+        -t | --tag)
+            tag="$2";
+            shift 2
+            ;;
+        -p | --package)
+            package="$2";
+            shift 2
+            ;;
+        -d | --distribution)
+            distro="$2";
+            shift 2
+            ;;
+        -r | --registries)
+            registryTags="$2";
+            shift 2
+            ;;
+        -D | --dryrun)
+            dryRun=true
+            shift
+            ;;
+        -I | --installer-image)
+            installerImg="$2";
+            shift 2
+            ;;
+        -T | --installer-tag)
+            installerTag="$2";
+            shift 2
+            ;;
+        *) echo "Unknown parameter passed: $1"; exit 1 ;;
+    esac
+done
+
 az acr login -n junipercontainerregistry
-docker buildx create --name mybuilder --driver docker-container --driver-opt image=junipercontainerregistry.azurecr.io/mirror/moby/buildkit --platform linux/amd64,linux/arm64 --use
+az acr login -n "$ACR_NAME"
+
+docker buildx create \
+    --name mybuilder \
+    --driver docker-container \
+    --driver-opt image=junipercontainerregistry.azurecr.io/mirror/moby/buildkit \
+    --platform linux/amd64,linux/arm64 \
+    --use
 
-az acr login -n msopenjdk
 
-if [[ '$DISTRIBUTION' != 'distroless' ]]; then
-    BUILD_ARGS="--build-arg IMAGE=$IMAGE --build-arg TAG=$TAG --build-arg package=$PACKAGE"
+if [[ "$distro" != "distroless" ]]; then
+    buildArgs="--build-arg IMAGE=$image --build-arg TAG=$tag --build-arg package=$package"
 else
-    BUILD_ARGS="--build-arg INSTALLER_IMAGE=$INSTALLER_IMAGE --build-arg INSTALLER_TAG=$INSTALLER_TAG --build-arg BASE_IMAGE=$(base_image) --build-arg BASE_TAG=$(base_tag) --build-arg package=$PACKAGE"
+    buildArgs="--build-arg INSTALLER_IMAGE=$installerImg --build-arg INSTALLER_TAG=$installerTag --build-arg BASE_IMAGE=$(base_image) --build-arg BASE_TAG=$(base_tag) --build-arg package=$package"
 fi
 
-REGISTRY_TAGS="-t ${REGISTRY_TAGS/;/ -t }"
+registryTags="-t ${registryTags/;/ -t }"
 
 # To push to a registry use --push
 # To build locally use --output=type=image,push=false
-echo "docker buildx build --platform linux/amd64,linux/arm64 ${BUILD_ARGS} ${REGISTRY_TAGS} -f docker/$DISTRIBUTION/Dockerfile.$PACKAGE-jdk . --push"
-docker buildx build --platform linux/amd64,linux/arm64 ${BUILD_ARGS} ${REGISTRY_TAGS} -f docker/$DISTRIBUTION/Dockerfile.$PACKAGE-jdk . --push
\ No newline at end of file
+
+if [[ "$dryRun" == true ]]; then
+    echo "[DRY-RUN] Running in dry-run mode. No changes will be made."
+    echo "[DRY-RUN] Command that would be executed:"
+    echo "docker buildx build --platform linux/amd64,linux/arm64 ${buildArgs} ${registryTags} -f docker/$distro/Dockerfile.$package-jdk . --metadata-file metadata.json --push"
+else
+    echo "docker buildx build --platform linux/amd64,linux/arm64 ${buildArgs} ${registryTags} -f docker/$distro/Dockerfile.$package-jdk . --push"
+
+    docker buildx build \
+        --platform linux/amd64,linux/arm64 \
+        ${buildArgs} \
+        ${registryTags} \
+        -f docker/$distro/Dockerfile.$package-jdk . \
+        --metadata-file metadata.json \
+        --push
+
+    containerImageDigest=$(cat metadata.json | grep -oP '(?<="containerimage.digest": ")[^"]+')
+    echo "##vso[task.setvariable variable=containerImageDigest]$containerImageDigest"
+    rm metadata.json
+fi
\ No newline at end of file
diff --git a/scripts/image-annotation.sh b/scripts/image-annotation.sh
index 5e5a277..e63cdc4 100644
--- a/scripts/image-annotation.sh
+++ b/scripts/image-annotation.sh
@@ -1,36 +1,43 @@
 #!/bin/bash
-az acr login -n msopenjdk
+az acr login -n "$ACR_NAME"
 
 if [[ $? -ne 0 ]]; then
     echo "Failed to login to ACR"
     exit 1
 fi
 
-IFS=';' read -ra REGISTRIES_ARRAY <<< "$REGISTRIES"
+debug=false
 
-for REGISTRY in "${REGISTRIES_ARRAY[@]}"; do
-    echo "Pulling... $REGISTRY"
+while getopts "r:m:d" opt; do
+    case $opt in
+        r) registry="$OPTARG" ;;
+        m) manifest="$OPTARG" ;;
+        d) debug=true ;;
+        *) echo "Invalid option: -$OPTARG" ;;
+    esac
+done
 
-    docker pull "$REGISTRY"
-    if [[ $? -ne 0 ]]; then
-        echo "Failed to pull image $REGISTRY"
-        exit 1
-    fi
+if [[ -z "$manifest" ]]; then
+    echo "##vso[task.logissue type=error]Container image manifest is empty or null. Unable to add annotation!"
+fi
 
-    manifest=$(docker image inspect "$REGISTRY" | jq)
-    digest=$(echo $manifest | jq '.[0].RepoDigests[0]')
-    digest=${digest//\"/}
-    endOfLifeDate=$(date "+%Y-%m-%d")
+endOfLifeDate=$(date "+%Y-%m-%d")
 
-    echo "Annotating image $digest with end-of-life date $endOfLifeDate"
+echo "Annotating image ${registry}@${manifest} with end-of-life date ${endOfLifeDate}T00:00:00Z"
+
+if [[ "$debug" == true ]]; then
+    echo "[DRY-RUN] Running in dry-run mode. No changes will be made."
+    echo "[DRY-RUN] Command that would be executed:"
+    echo "oras attach --artifact-type \"application/vnd.microsoft.artifact.lifecycle\" --annotation \"vnd.microsoft.artifact.lifecycle.end-of-life.date=${endOfLifeDate}T00:00:00Z\" $registry@$manifest --verbose"
+else
     oras attach \
     --artifact-type "application/vnd.microsoft.artifact.lifecycle" \
     --annotation "vnd.microsoft.artifact.lifecycle.end-of-life.date=${endOfLifeDate}T00:00:00Z" \
-    $digest --verbose
+    $registry@$manifest \
+    --verbose
 
     if [[ $? -ne 0 ]]; then
         echo "Failed to annotate image!"
         exit 1
     fi
-
-done
\ No newline at end of file
+fi

From 569173ece4959df637e8325a34487ef210e62ae4 Mon Sep 17 00:00:00 2001
From: joe-braley <joebraley@microsoft.com>
Date: Tue, 10 Feb 2026 11:36:03 -0800
Subject: [PATCH 2/9] Update annotations

---
 scripts/image-annotation.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/image-annotation.sh b/scripts/image-annotation.sh
index e63cdc4..529e7de 100644
--- a/scripts/image-annotation.sh
+++ b/scripts/image-annotation.sh
@@ -19,11 +19,12 @@ done
 
 if [[ -z "$manifest" ]]; then
     echo "##vso[task.logissue type=error]Container image manifest is empty or null. Unable to add annotation!"
+    exit 1
 fi
 
 endOfLifeDate=$(date "+%Y-%m-%d")
 
-echo "Annotating image ${registry}@${manifest} with end-of-life date ${endOfLifeDate}T00:00:00Z"
+echo "Annotating image ${registry}@${manifest} with end-of-life date ${endOfLifeDate}T00:00:00"
 
 if [[ "$debug" == true ]]; then
     echo "[DRY-RUN] Running in dry-run mode. No changes will be made."

From dbb5543ad78b8a6befc512325b8642d0efbd37ea Mon Sep 17 00:00:00 2001
From: joe-braley <joebraley@microsoft.com>
Date: Tue, 10 Feb 2026 11:43:32 -0800
Subject: [PATCH 3/9] Add retries for build image

---
 .devops/build.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.devops/build.yml b/.devops/build.yml
index c01a9a2..c94b559 100644
--- a/.devops/build.yml
+++ b/.devops/build.yml
@@ -103,6 +103,7 @@ extends:
                 displayName: Set REGISTRIES variable
 
               - task: AzureCLI@2
+                retryCountOnTaskFailure: 2
                 inputs:
                   azureSubscription: "JEG-Infrastructure"
                   scriptType: "bash"
@@ -175,6 +176,7 @@ extends:
                 displayName: Set REGISTRIES variable
 
               - task: AzureCLI@2
+                retryCountOnTaskFailure: 2
                 inputs:
                   azureSubscription: "JEG-Infrastructure"
                   scriptType: "bash"

From 8b0923ab41359d2d5605d4b768c268d1028c621a Mon Sep 17 00:00:00 2001
From: joe-braley <joebraley@microsoft.com>
Date: Tue, 10 Feb 2026 11:56:41 -0800
Subject: [PATCH 4/9] Add short digest tag

---
 .devops/build.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.devops/build.yml b/.devops/build.yml
index c94b559..f6afe29 100644
--- a/.devops/build.yml
+++ b/.devops/build.yml
@@ -211,6 +211,11 @@ extends:
                   package: ${{ parameters.az_package }}
                   dryrun: ${{ parameters.dryrun }}
 
+              - bash: |
+                  short_digest=$(echo "$(containerImageDigest)" | cut -c1-15)
+                  echo "##vso[build.addbuildtag]$short_digest"
+                displayName: Add build tag from image digest
+
               - ${{ if ne(parameters.dryrun, true) }}:
                 - task: AzureCLI@2
                   displayName: Trigger signing

From e91df274c091dec31c3444a1082ab59b4e215993 Mon Sep 17 00:00:00 2001
From: joe-braley <joebraley@microsoft.com>
Date: Tue, 10 Feb 2026 15:04:40 -0800
Subject: [PATCH 5/9] Add missing args

---
 .devops/build.yml      |  8 ++++++++
 scripts/build-image.sh | 10 +++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/.devops/build.yml b/.devops/build.yml
index f6afe29..ac963cb 100644
--- a/.devops/build.yml
+++ b/.devops/build.yml
@@ -118,6 +118,8 @@ extends:
                       --registries $(REGISTRIES)
                       --installer-image $(installer_image)
                       --installer-tag $(installer_tag)
+                      --base-image $(base_image)
+                      --base-tag $(base_tag)
                       --dryrun
                   ${{ else }}:
                     arguments: >
@@ -128,6 +130,8 @@ extends:
                       --registries $(REGISTRIES)
                       --installer-image $(installer_image)
                       --installer-tag $(installer_tag)
+                      --base-image $(base_image)
+                      --base-tag $(base_tag)
                 displayName: build container image
 
               - template: /.devops/templates/annotate-image.yml@self
@@ -191,6 +195,8 @@ extends:
                       --registries $(REGISTRIES)
                       --installer-image $(installer_image)
                       --installer-tag $(installer_tag)
+                      --base-image $(base_image)
+                      --base-tag $(base_tag)
                       --dryrun
                   ${{ else }}:
                     arguments: >
@@ -201,6 +207,8 @@ extends:
                       --registries $(REGISTRIES)
                       --installer-image $(installer_image)
                       --installer-tag $(installer_tag)
+                      --base-image $(base_image)
+                      --base-tag $(base_tag)
                 displayName: build container image
 
               - template: /.devops/templates/annotate-image.yml@self
diff --git a/scripts/build-image.sh b/scripts/build-image.sh
index 4d4f84c..5cbe4ca 100644
--- a/scripts/build-image.sh
+++ b/scripts/build-image.sh
@@ -4,6 +4,14 @@ dryRun=false
 
 while [[ "$#" -gt 0 ]]; do
     case $1 in
+        -b | --base-image)
+            baseImage="$2"
+            shift 2
+            ;;
+        -g | --base-tag)
+            baseTag="$2"
+            shift 2
+            ;;
         -i | --image)
             image="$2";
             shift 2
@@ -54,7 +62,7 @@ docker buildx create \
 if [[ "$distro" != "distroless" ]]; then
     buildArgs="--build-arg IMAGE=$image --build-arg TAG=$tag --build-arg package=$package"
 else
-    buildArgs="--build-arg INSTALLER_IMAGE=$installerImg --build-arg INSTALLER_TAG=$installerTag --build-arg BASE_IMAGE=$(base_image) --build-arg BASE_TAG=$(base_tag) --build-arg package=$package"
+    buildArgs="--build-arg INSTALLER_IMAGE=$installerImg --build-arg INSTALLER_TAG=$installerTag --build-arg BASE_IMAGE=$baseImage --build-arg BASE_TAG=$baseTag --build-arg package=$package"
 fi
 
 registryTags="-t ${registryTags/;/ -t }"

From cdd53d3dd360205d03354084bdc24285b2071f6a Mon Sep 17 00:00:00 2001
From: joe-braley <joebraley@microsoft.com>
Date: Thu, 12 Feb 2026 13:26:13 -0800
Subject: [PATCH 6/9] PR feedback

---
 .devops/build.yml                        | 74 ++++++++++++------------
 .devops/templates/prepare-annotation.yml |  2 +-
 scripts/build-image.sh                   |  1 -
 scripts/image-annotation.sh              | 17 ++++--
 4 files changed, 52 insertions(+), 42 deletions(-)

diff --git a/.devops/build.yml b/.devops/build.yml
index ac963cb..64c93f0 100644
--- a/.devops/build.yml
+++ b/.devops/build.yml
@@ -111,27 +111,27 @@ extends:
                   scriptPath: $(Build.SourcesDirectory)/scripts/build-image.sh
                   ${{ if eq(parameters.dryrun, true) }}:
                     arguments: >
-                      --image $(image)
-                      --tag $(tag)
-                      --package $(package)
-                      --distribution $(distro)
-                      --registries $(REGISTRIES)
-                      --installer-image $(installer_image)
-                      --installer-tag $(installer_tag)
-                      --base-image $(base_image)
-                      --base-tag $(base_tag)
+                      --image             $(image)
+                      --tag               $(tag)
+                      --package           $(package)
+                      --distribution      $(distro)
+                      --registries        $(REGISTRIES)
+                      --installer-image   $(installer_image)
+                      --installer-tag     $(installer_tag)
+                      --base-image        $(base_image)
+                      --base-tag          $(base_tag)
                       --dryrun
                   ${{ else }}:
                     arguments: >
-                      --image $(image)
-                      --tag $(tag)
-                      --package $(package)
-                      --distribution $(distro)
-                      --registries $(REGISTRIES)
-                      --installer-image $(installer_image)
-                      --installer-tag $(installer_tag)
-                      --base-image $(base_image)
-                      --base-tag $(base_tag)
+                      --image             $(image)
+                      --tag               $(tag)
+                      --package           $(package)
+                      --distribution      $(distro)
+                      --registries        $(REGISTRIES)
+                      --installer-image   $(installer_image)
+                      --installer-tag     $(installer_tag)
+                      --base-image        $(base_image)
+                      --base-tag          $(base_tag)
                 displayName: build container image
 
               - template: /.devops/templates/annotate-image.yml@self
@@ -165,6 +165,8 @@ extends:
               os: linux
             strategy:
               matrix: ${{ parameters.jobs }}
+            variables:
+              ACR_NAME: msopenjdk
             steps:
               - template: /.devops/templates/prepare-annotation.yml@self
                 parameters:
@@ -188,27 +190,27 @@ extends:
                   scriptPath: $(Build.SourcesDirectory)/scripts/build-image.sh
                   ${{ if eq(parameters.dryrun, true) }}:
                     arguments: >
-                      --image $(image)
-                      --tag $(tag)
-                      --package $(package)
-                      --distribution $(distro)
-                      --registries $(REGISTRIES)
-                      --installer-image $(installer_image)
-                      --installer-tag $(installer_tag)
-                      --base-image $(base_image)
-                      --base-tag $(base_tag)
+                      --image             $(image)
+                      --tag               $(tag)
+                      --package           $(package)
+                      --distribution      $(distro)
+                      --registries        $(REGISTRIES)
+                      --installer-image   $(installer_image)
+                      --installer-tag     $(installer_tag)
+                      --base-image        $(base_image)
+                      --base-tag          $(base_tag)
                       --dryrun
                   ${{ else }}:
                     arguments: >
-                      --image $(image)
-                      --tag $(tag)
-                      --package $(package)
-                      --distribution $(distro)
-                      --registries $(REGISTRIES)
-                      --installer-image $(installer_image)
-                      --installer-tag $(installer_tag)
-                      --base-image $(base_image)
-                      --base-tag $(base_tag)
+                      --image             $(image)
+                      --tag               $(tag)
+                      --package           $(package)
+                      --distribution      $(distro)
+                      --registries        $(REGISTRIES)
+                      --installer-image   $(installer_image)
+                      --installer-tag     $(installer_tag)
+                      --base-image        $(base_image)
+                      --base-tag          $(base_tag)
                 displayName: build container image
 
               - template: /.devops/templates/annotate-image.yml@self
diff --git a/.devops/templates/prepare-annotation.yml b/.devops/templates/prepare-annotation.yml
index d3f92ec..ea795f8 100644
--- a/.devops/templates/prepare-annotation.yml
+++ b/.devops/templates/prepare-annotation.yml
@@ -31,7 +31,7 @@ steps:
 
         amd64_digest = ""
         arm64_digest = ""
-        manifest = json.loads(os.environ.get('manifest', {}))
+        manifest = json.loads(os.environ.get('manifest', '{}'))
 
         if not manifest:
             print("##vso[task.logissue type=error]Container image manifest is empty or null. Unable to retrieve image digests!")
diff --git a/scripts/build-image.sh b/scripts/build-image.sh
index 5cbe4ca..6bb3a25 100644
--- a/scripts/build-image.sh
+++ b/scripts/build-image.sh
@@ -75,7 +75,6 @@ if [[ "$dryRun" == true ]]; then
     echo "[DRY-RUN] Command that would be executed:"
     echo "docker buildx build --platform linux/amd64,linux/arm64 ${buildArgs} ${registryTags} -f docker/$distro/Dockerfile.$package-jdk . --metadata-file metadata.json --push"
 else
-    echo "docker buildx build --platform linux/amd64,linux/arm64 ${buildArgs} ${registryTags} -f docker/$distro/Dockerfile.$package-jdk . --push"
 
     docker buildx build \
         --platform linux/amd64,linux/arm64 \
diff --git a/scripts/image-annotation.sh b/scripts/image-annotation.sh
index 529e7de..60f8543 100644
--- a/scripts/image-annotation.sh
+++ b/scripts/image-annotation.sh
@@ -10,10 +10,19 @@ debug=false
 
 while getopts "r:m:d" opt; do
     case $opt in
-        r) registry="$OPTARG" ;;
-        m) manifest="$OPTARG" ;;
-        d) debug=true ;;
-        *) echo "Invalid option: -$OPTARG" ;;
+        r)
+            registry="$OPTARG"
+            ;;
+        m)
+            manifest="$OPTARG"
+            ;;
+        d)
+            debug=true
+            ;;
+        *)
+            echo "Invalid option: -$OPTARG"
+            exit 1
+            ;;
     esac
 done
 

From b230217accf05032823b2860a31bbbf7fdc12791 Mon Sep 17 00:00:00 2001
From: joe-braley <joebraley@microsoft.com>
Date: Thu, 12 Feb 2026 13:44:11 -0800
Subject: [PATCH 7/9] Add condition

---
 .devops/build.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.devops/build.yml b/.devops/build.yml
index 64c93f0..31b59db 100644
--- a/.devops/build.yml
+++ b/.devops/build.yml
@@ -225,6 +225,7 @@ extends:
                   short_digest=$(echo "$(containerImageDigest)" | cut -c1-15)
                   echo "##vso[build.addbuildtag]$short_digest"
                 displayName: Add build tag from image digest
+                condition: ne(${{ parameters.dryrun }}, true)
 
               - ${{ if ne(parameters.dryrun, true) }}:
                 - task: AzureCLI@2

From b9e4190adddafae3250dd64212c8bf53cc64a24a Mon Sep 17 00:00:00 2001
From: joe-braley <joebraley@microsoft.com>
Date: Tue, 17 Feb 2026 11:07:36 -0800
Subject: [PATCH 8/9] PR feedback

---
 .devops/templates/annotate-image.yml | 20 ++++++++++----------
 scripts/image-annotation.sh          | 24 ++++++++++++------------
 2 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/.devops/templates/annotate-image.yml b/.devops/templates/annotate-image.yml
index 68449cf..b669a75 100644
--- a/.devops/templates/annotate-image.yml
+++ b/.devops/templates/annotate-image.yml
@@ -37,13 +37,13 @@ steps:
       scriptPath: $(Build.SourcesDirectory)/scripts/image-annotation.sh
       ${{ if eq(parameters.dryrun, true) }}:
         arguments: >
-          -r ${{ parameters.registry }}
-          -m $(imageDigestAmd64)
-          -d
+          --registry ${{ parameters.registry }}
+          --manifest $(imageDigestAmd64)
+          --debug
       ${{ else }}:
         arguments: >
-          -r ${{ parameters.registry }}
-          -m $(imageDigestAmd64)
+          --registry ${{ parameters.registry }}
+          --manifest $(imageDigestAmd64)
 
   - task: AzureCLI@2
     displayName: Annotate previous arm64 as EOL
@@ -55,10 +55,10 @@ steps:
       scriptPath: $(Build.SourcesDirectory)/scripts/image-annotation.sh
       ${{ if eq(parameters.dryrun, true) }}:
         arguments: >
-          -r ${{ parameters.registry }}
-          -m $(imageDigestArm64)
-          -d
+          --registry ${{ parameters.registry }}
+          --manifest $(imageDigestArm64)
+          --debug
       ${{ else }}:
         arguments: >
-          -r ${{ parameters.registry }}
-          -m $(imageDigestArm64)
\ No newline at end of file
+          --registry ${{ parameters.registry }}
+          --manifest $(imageDigestArm64)
\ No newline at end of file
diff --git a/scripts/image-annotation.sh b/scripts/image-annotation.sh
index 60f8543..c95201e 100644
--- a/scripts/image-annotation.sh
+++ b/scripts/image-annotation.sh
@@ -8,21 +8,21 @@ fi
 
 debug=false
 
-while getopts "r:m:d" opt; do
-    case $opt in
-        r)
-            registry="$OPTARG"
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        -r | --registry)
+            registry="$2"
+            shift 2
             ;;
-        m)
-            manifest="$OPTARG"
+        -m | --manifest)
+            manifest="$2"
+            shift 2
             ;;
-        d)
-            debug=true
-            ;;
-        *)
-            echo "Invalid option: -$OPTARG"
-            exit 1
+        -d | --debug)
+            debug="$2";
+            shift 2
             ;;
+        *) echo "Unknown parameter passed: $1"; exit 1 ;;
     esac
 done
 

From 9ab2e4adfa5c97bd48a84b82037b21ac0ef7bada Mon Sep 17 00:00:00 2001
From: joe-braley <joebraley@microsoft.com>
Date: Tue, 17 Feb 2026 13:20:31 -0800
Subject: [PATCH 9/9] Wip: Fix args

---
 scripts/image-annotation.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/image-annotation.sh b/scripts/image-annotation.sh
index c95201e..c24808c 100644
--- a/scripts/image-annotation.sh
+++ b/scripts/image-annotation.sh
@@ -19,8 +19,8 @@ while [[ "$#" -gt 0 ]]; do
             shift 2
             ;;
         -d | --debug)
-            debug="$2";
-            shift 2
+            debug=true;
+            shift 1
             ;;
         *) echo "Unknown parameter passed: $1"; exit 1 ;;
     esac