Problem
We need a native implementation for write-once semantics.
Today, preventing tag overwrite requires pipeline-side logic and post-push locking steps.
This is operationally fragile because:
- Protection is not atomic.
- Governance and audit requirements are harder to satisfy.
This creates risk for supply-chain integrity, reproducibility, and compliance.

Requested capability
First-class immutability policy controls:
- Registry-level policy: enforce write-once globally.
- Repository-level policy: enforce write-once for selected repos.

Expected behavior
- First push of repo:tag succeeds.
- Any subsequent push to the same repo:tag fails with a deterministic error (e.g. HTTP 409/denied: immutable tag).

Value
- Stronger software supply-chain security (SLSA-style provenance confidence).
- Lower operational complexity vs. custom scripts.
- Better compliance posture (SOX/ISO/NIS2/internal controls).

Acceptance criteria
- Admin can enable immutability at registry/repo scope.
- Overwrite attempts are blocked server-side.
- Behavior is consistent across Docker/OCI clients and ACR Tasks.
- Policy configuration available in Portal, CLI, ARM/Bicep, Terraform.
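The following is an added illustration, not code from this request or from ACR: a small in-memory model of the behaviour asked for above, with a registry-scope and a repository-scope immutability policy, a push that performs the check and the write under one lock (the atomicity that pipeline-side locking cannot give), and the 409 / "denied: immutable tag" outcome from the Expected behavior section. Class and function names (Registry, push_tag, PushResult, demo) are this example's own; treating a re-push of the identical digest as a conflict follows the "any subsequent push fails" wording literally and is a design choice of the example.

```python
"""Toy model of write-once (immutable) tags in a container registry.

Constructed example: an in-memory tag store with a registry-wide and a
per-repository immutability policy. This is not ACR's implementation; it
models the requested behaviour so the policy resolution and the atomic
check-and-set can be seen together.
"""
import threading
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

HTTP_CREATED = 201
HTTP_CONFLICT = 409
IMMUTABLE_TAG_ERROR = "denied: immutable tag"  # error text from the request above


@dataclass
class PushResult:
    status: int
    digest: Optional[str]          # digest now stored under the tag (old one on conflict)
    error: Optional[str] = None


@dataclass
class Registry:
    # Registry-level policy: True means write-once for every repository.
    immutable_tags: bool = False
    # Repository-level policy: repositories that enforce write-once individually.
    immutable_repos: Set[str] = field(default_factory=set)
    # repo -> tag -> manifest digest
    _tags: Dict[str, Dict[str, str]] = field(default_factory=dict)
    _lock: threading.Lock = field(default_factory=threading.Lock)

    def is_immutable(self, repo: str) -> bool:
        """Effective policy: the registry-wide setting applies everywhere,
        otherwise the repository-level setting decides."""
        return self.immutable_tags or repo in self.immutable_repos

    def push_tag(self, repo: str, tag: str, digest: str) -> PushResult:
        """Server-side check-and-set under a single lock.

        The decision and the write happen together, so two concurrent pushes
        cannot both observe "tag absent". A client that checks first and
        pushes second (the pipeline-side workaround) leaves a window in which
        another push can land between the check and the write."""
        with self._lock:
            repo_tags = self._tags.setdefault(repo, {})
            if tag in repo_tags and self.is_immutable(repo):
                return PushResult(HTTP_CONFLICT, repo_tags[tag], IMMUTABLE_TAG_ERROR)
            repo_tags[tag] = digest
            return PushResult(HTTP_CREATED, digest)

    def resolve(self, repo: str, tag: str) -> Optional[str]:
        """What a pull of repo:tag would receive."""
        return self._tags.get(repo, {}).get(tag)


def demo() -> tuple:
    """Repo-scope policy on for 'app' only; registry-scope policy off.

    Returns the status codes of: first push to app:v1.0.0, second push to
    app:v1.0.0, and an overwrite of scratch:latest (no policy applies)."""
    reg = Registry(immutable_repos={"app"})
    first = reg.push_tag("app", "v1.0.0", "sha256:" + "a" * 64)      # constructed digests
    second = reg.push_tag("app", "v1.0.0", "sha256:" + "b" * 64)
    reg.push_tag("scratch", "latest", "sha256:" + "c" * 64)
    overwrite = reg.push_tag("scratch", "latest", "sha256:" + "d" * 64)
    return first.status, second.status, overwrite.status


if __name__ == "__main__":
    print(demo())  # (201, 409, 201)
```

With the registry-scope flag set instead, every repository behaves like "app" above, and a pull after the rejected push still resolves to the first digest; that unchanged digest is the property audit and provenance checks rely on.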