I have a pipeline in Azure DevOps which has a task that pushes a Docker image to an Azure Container Registry. I want to know if there's a way to prevent this task from overwriting any existing Docker tags/images.
By default, a tagged image in Azure Container Registry is mutable, so with appropriate permissions you can repeatedly update and push an image with the same tag to a registry. Container images can also be deleted as needed. This behavior is useful when you develop images and need to maintain a size for your registry.
However, when you deploy a container image to production, you might need an immutable container image. An immutable image is one that you can't accidentally delete or overwrite.
Using the Azure CLI, to lock a single image by tag:
    az acr repository update \
        --name myregistry --image myrepo/myimage:tag \
        --write-enabled false
You can also lock the entire repository:
    az acr repository update \
        --name myregistry --repository myrepo/myimage \
        --write-enabled false
There's also a --delete-enabled argument to prevent images or repos from being deleted (though they can still be overwritten).
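A pipeline step built on the commands above, as an added example that is not part of the original answer: it refuses to push when the tag already exists and locks the tag right after a first push. The function names are hypothetical, and it assumes `az` and `docker` are already logged in and that the registry login server is `<registry>.azurecr.io`.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): push a tag once, then lock it.

# Returns 0 if repo:tag is already present in the registry.
# Limitation: any failure of "show" (including auth or network errors) is
# treated as "not present", so this is only an early, friendly check.
tag_exists() {
  local registry="$1"
  local image="$2"
  az acr repository show --name "$registry" --image "$image" \
    --output none 2>/dev/null
}

# Usage: push_once_and_lock <registry-name> <repo:tag>
# Return codes: 0 pushed and locked, 3 tag already exists (nothing pushed),
#               1 push failed, 2 push succeeded but locking failed.
push_once_and_lock() {
  local registry="$1"
  local image="$2"
  # Assumption: default login server name for the registry.
  local ref="${registry}.azurecr.io/${image}"

  if tag_exists "$registry" "$image"; then
    echo "refusing to overwrite existing tag: $ref" >&2
    return 3
  fi

  docker push "$ref" || return 1

  # Lock the tag against both overwrite and deletion. From here on the
  # registry itself rejects a second push to this tag.
  az acr repository update --name "$registry" --image "$image" \
    --write-enabled false --delete-enabled false --output none || return 2
}

# Example call in a pipeline script step (values are placeholders):
#   push_once_and_lock myregistry "myrepo/myimage:$(Build.BuildId)" || exit $?
```

The existence check and the push are separate calls, so two pipeline runs started at the same moment can both pass the check. The guarantee comes from the lock applied after the first push, which is enforced by the registry.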