Add instructions for using lifecycle annotations (#6239)

Co-authored-by: Matt Thalman <[email protected]>

Author: lbussell

documentation/scripts/check-tag-support.ps1

@@ -9,7 +9,9 @@ Prerequisites:
 * Dockerfile of the container image being reported upon
   * Name of the .NET image the Dockerfile is based on (e.g. `mcr.microsoft.com/dotnet/aspnet:8.0`)
 * Architecture of the container image being reported upon (e.g. `amd64`)
-* [Docker installation](https://docs.docker.com/desktop) to run commands locally
+* [Docker](https://docs.docker.com/desktop)
+* [ORAS CLI](https://oras.land/)
+* [`jq`](https://jqlang.org/), [PowerShell](https://github.com/PowerShell/PowerShell), or Windows PowerShell
 * Whether the container image is a [Linux or Windows image](#how-can-i-determine-whether-my-image-is-based-on-linux-or-windows)
   * For Linux images, it's also important to [know the Linux distro and version](#how-can-i-determine-the-os-version-of-a-linux-image) (e.g. `Debian Bookworm`, `Alpine 3.20`, `Ubuntu Noble`, `Azure Linux 3.0`)
 * If you're using Docker Desktop for Windows and investigating a vulnerability in a Linux image, [change your settings](https://docs.docker.com/desktop/settings/windows/) to target Linux containers.
@@ -120,9 +122,8 @@ Rerun the scan of your image using your scanning tool. Ensure you get the latest
 When .NET drops support for an image tag, it means it will no longer be updated, even when there is a new base OS image available.
 This means that vulnerabilities will be reported for that image over time if it continues to be used.
 Our [supported tag policy](supported-tags.md) provides detailed information about when these tags are no longer supported.
-The simple rule to follow: only the tags shown in our tag listing are supported:
 
-Complete tag lists:
+The simple rule to follow: only the tags shown in our full tag listings are supported:
 
 * [runtime-deps](../README.runtime-deps.md#full-tag-listing)
 * [runtime](../README.runtime.md#full-tag-listing)
@@ -134,25 +135,54 @@ Complete tag lists:
 * [samples](../README.samples.md#full-tag-listing)
 * [Microsoft Artifact Registry](https://mcr.microsoft.com/en-us/catalog?search=dotnet/)
 
-This script can be used to determine if the .NET image tag is supported:
+#### Image Lifecycle Annotations
 
-#### macOS/Linux
+When .NET images or tags go out of support, a lifecycle annotation is added to the registry indicating that the image has reached end-of-life.
+The following command will output the latest lifecycle artifact associated with a .NET image.
 
-Requires [PowerShell to be installed](https://learn.microsoft.com/powershell/scripting/install/installing-powershell-on-linux).
+##### macOS/Linux (sh)
 
-```shell
-dotnetImage="<insert-dotnet-image-tag>" # example: mcr.microsoft.com/dotnet/aspnet:8.0
-curl -sSL https://raw.githubusercontent.com/dotnet/dotnet-docker/main/documentation/scripts/check-tag-support.ps1 | pwsh /dev/stdin $dotnetImage
+```sh
+dotnetImage="<insert-dotnet-image-tag>" # example EOL image: mcr.microsoft.com/dotnet/aspnet:6.0
+oras discover \
+  --format "json" \
+  --artifact-type "application/vnd.microsoft.artifact.lifecycle" \
+  $dotnetImage \
+    | jq '.manifests | sort_by(.annotations."org.opencontainers.image.created") | reverse | first'
 ```
 
-#### Windows
+##### PowerShell (any platform)
 
-```powershell
-$dotnetImage="<insert-dotnet-image-tag>" # example: mcr.microsoft.com/dotnet/aspnet:8.0
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-&([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://raw.githubusercontent.com/dotnet/dotnet-docker/main/documentation/scripts/check-tag-support.ps1'))) $dotnetImage
+```pwsh
+$dotnetImage = "<insert-dotnet-image-tag>" # example EOL image: mcr.microsoft.com/dotnet/aspnet:6.0
+$artifacts = oras discover --format "json" --artifact-type "application/vnd.microsoft.artifact.lifecycle" $dotnetImage | ConvertFrom-Json
+$artifacts.manifests | Sort-Object { $_.annotations.'org.opencontainers.image.created' } -Descending | Select-Object -First 1
 ```
 
+##### Output
+
+If the image has no lifecycle manifest attached, then there will be no output.
+This means the image is supported and a newer image has not been released yet.
+However, if the image has a lifecycle manifest attached and it contains an end-of-life date, the image is unsupported.
+
+For example:
+
+```json
+{
+  "reference": "mcr.microsoft.com/dotnet/aspnet@sha256:6e81022bab60ff3ce884cc118115d5394341d5ddf95dede357d2e17ea8920074",
+  "mediaType": "application/vnd.oci.image.manifest.v1+json",
+  "digest": "sha256:6e81022bab60ff3ce884cc118115d5394341d5ddf95dede357d2e17ea8920074",
+  "size": 788,
+  "annotations": {
+    "org.opencontainers.image.created": "2025-01-14T05:32:10Z",
+    "vnd.microsoft.artifact.lifecycle.end-of-life.date": "2024-11-12"
+  },
+  "artifactType": "application/vnd.microsoft.artifact.lifecycle"
+}
+```
+
+The lifecycle artifact above indicates that the image `mcr.microsoft.com/dotnet/aspnet@sha256:6e81022b...` reached end of life on `2024-11-12`.
+
 #### Response
 
 * `Yes`: go to "[E. Is your image built from the latest .NET image?](#e-is-your-image-built-from-the-latest-net-image)"