Cleanup pruneEol fails: "unauthorized: authentication required"

[dagood]

We hit this in a test dry run of microsoft/go-images#564:

https://dev.azure.com/dnceng/internal/_build/results?buildId=2939182&view=logs&j=d914c6e3-666d-5b7e-797f-34f264e6df90&t=cf6164b4-11fd-54ea-3066-60e182c39bec&l=730

10:30:47 info: ExecuteHelper[0] EXECUTING: oras discover --artifact-type application/vnd.microsoft.artifact.lifecycle --format json golangimages[...]
Error response from registry: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information. CorrelationId: e3256c4c-f580-41d3-a0cf-4742ab139a06

This is also happening in .NET Docker Tools cleanup:

https://dev.azure.com/dnceng/internal/_build/results?buildId=2938992&view=logs&j=d914c6e3-666d-5b7e-797f-34f264e6df90&t=cf6164b4-11fd-54ea-3066-60e182c39bec&l=262

Copilot suggests that it's because oras doesn't accept OIDC (or rather... get the current auth? I didn't read carefully 😄):

Root cause: The CleanAcrImagesCommand (in docker-tools ImageBuilder) authenticates to ACR via Azure SDK using OIDC — this works for listing/deleting manifests via the ACR API. However, the pruneEol action calls HasExpiredEol() → LifecycleMetadataService.IsDigestAnnotatedForEol() → OrasClient.RunOrasCommand(), which shells out to the oras CLI binary. The oras CLI uses a completely separate credential path (~/.docker/config.json), and no docker login or oras login is performed anywhere before these calls.

For comparison, other ImageBuilder commands that use ORAS (e.g., AnnotateEolDigestsCommand) wrap their execution in ExecuteWithCredentialsAsync(), which performs docker login before and docker logout after. CleanAcrImagesCommand does not do this.

The delete action (for build-staging/*) does not use ORAS and is unaffected — only pruneEol is broken.

Some talk here but not totally sure it's relevant:

• oras push failed with az login using AAD credentials oras-project/oras#1876

[gdams]

I think this was caused by #2044 (comment) although I suspect the oras rewrite will fix this issue.

[lbussell]

Yeah -- I'm aware. Fixing this is my top priority. #2044 is the cause. The ORAS rewrite will fix it, but since the previous iteration was working, I'm going to submit a PR to revert #2044.