
Add registry/repository-level write-once tag immutability #890

Description

@lanni-energinet

Problem

We need a native implementation for write-once semantics.

Today, preventing tag overwrite requires pipeline-side logic and post-push locking steps.

This is operationally fragile because:

- Protection is not atomic.
- Governance and audit requirements are harder to satisfy.

This creates risk for supply-chain integrity, reproducibility, and compliance.

Requested capability

First-class immutability policy controls:

- Registry-level policy: enforce write-once globally
- Repository-level policy: enforce write-once for selected repos

Expected behavior

- First push of repo:tag succeeds.
- Any subsequent push to same repo:tag fails with deterministic error (e.g. HTTP 409/denied: immutable tag).

Value

- Stronger software supply-chain security (SLSA-style provenance confidence)
- Lower operational complexity vs custom scripts
- Better compliance posture (SOX/ISO/NIS2/internal controls)

Acceptance criteria

- Admin can enable immutability at registry/repo scope.
- Overwrite attempts are blocked server-side.
- Behavior is consistent across Docker/OCI clients and ACR Tasks.
- Policy configuration available in Portal, CLI, ARM/Bicep, Terraform.
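As an added illustration of the semantics requested above (this is example code, not ACR's implementation and not code from the issue author), the following Python reference model shows a registry-scoped or repository-scoped write-once policy enforced at manifest-push time: the first push of repo:tag returns 201, any later push to the same repo:tag returns 409 with a deterministic error body, and the check and the write happen under one lock so the protection is atomic rather than a post-push locking step. The `TAG_IMMUTABLE` error code, the repository names, and the digests are constructed for the example.

```python
"""Reference model of write-once (immutable) tag enforcement.

Added example, not code from the ACR project or from the issue author. It
models the requested behaviour: a policy at registry scope or repository
scope under which the first push of repo:tag succeeds (201) and any later
push to the same repo:tag is rejected server-side with a deterministic 409.
Error code and response field names are constructed for this example.
"""
import threading
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

HTTP_CREATED = 201
HTTP_CONFLICT = 409


@dataclass
class ImmutabilityPolicy:
    """Registry-wide switch plus a set of repositories protected individually."""
    registry_wide: bool = False
    repositories: Set[str] = field(default_factory=set)

    def applies_to(self, repo: str) -> bool:
        return self.registry_wide or repo in self.repositories


@dataclass
class Registry:
    policy: ImmutabilityPolicy
    tags: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (repo, tag) -> digest
    audit: List[Tuple[str, ...]] = field(default_factory=list)      # decision log for governance
    _lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def put_manifest(self, repo: str, tag: str, digest: str) -> Tuple[int, dict]:
        """Handle a tag push; compare-and-set under the lock so no overwrite can slip through."""
        key = (repo, tag)
        with self._lock:
            existing = self.tags.get(key)
            if existing is not None and self.policy.applies_to(repo):
                self.audit.append(("denied", repo, tag, existing, digest))
                # Deterministic, machine-readable refusal (code name is constructed).
                return HTTP_CONFLICT, {"errors": [{
                    "code": "TAG_IMMUTABLE",
                    "message": f"denied: immutable tag {repo}:{tag}",
                }]}
            self.tags[key] = digest
            self.audit.append(("allowed", repo, tag, digest))
            return HTTP_CREATED, {"repo": repo, "tag": tag, "digest": digest}


def race_push(registry: Registry, repo: str, tag: str, n: int = 16) -> int:
    """Push n different digests to the same tag concurrently; return how many succeeded.

    Under a correct atomic policy exactly one push wins, whatever the interleaving.
    """
    results: List[int] = []
    results_lock = threading.Lock()

    def worker(i: int) -> None:
        status, _ = registry.put_manifest(repo, tag, f"sha256:{i:064x}")
        with results_lock:
            results.append(status)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(HTTP_CREATED)


def demo() -> List[int]:
    """Walk through the expected behaviour; returns the HTTP status codes in order."""
    policy = ImmutabilityPolicy(repositories={"app/api"})  # repository-level scope only
    reg = Registry(policy)
    return [
        reg.put_manifest("app/api", "v1.0.0", "sha256:" + "a" * 64)[0],  # first push: 201
        reg.put_manifest("app/api", "v1.0.0", "sha256:" + "b" * 64)[0],  # overwrite: 409
        reg.put_manifest("app/web", "v1.0.0", "sha256:" + "c" * 64)[0],  # unprotected repo: 201
        reg.put_manifest("app/web", "v1.0.0", "sha256:" + "d" * 64)[0],  # still mutable: 201
    ]


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: a repository-scoped policy leaves every other repository mutable, so the audit log records allowed overwrites there as well as denials; and the model follows the issue's wording literally by rejecting any second push, including one carrying the identical digest, so an idempotent re-push of the same content would need to be an explicit policy decision rather than an accident of the implementation.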

Labels: feature-request