diff --git a/utils/docker/.gitignore b/utils/docker/.gitignore
new file mode 100644
index 0000000000..8803f25de0
--- /dev/null
+++ b/utils/docker/.gitignore
@@ -0,0 +1 @@
+oras/
diff --git a/utils/docker/publish_docker.sh b/utils/docker/publish_docker.sh
index 370299defe..5035ef39e3 100755
--- a/utils/docker/publish_docker.sh
+++ b/utils/docker/publish_docker.sh
@@ -48,6 +48,27 @@ tag_and_push() {
   echo "-- tagging: $target"
   docker tag $source $target
   docker push $target
+  attach_eol_manifest $target
+}
+
+attach_eol_manifest() {
+  local image="$1"
+  local today=$(date -u +'%Y-%m-%d')
+  install_oras_if_needed
+  # oras is re-using Docker credentials, so we don't need to login.
+  # Following the advice in https://portal.microsofticm.com/imp/v3/incidents/incident/476783820/summary
+  ./oras/oras attach --artifact-type application/vnd.microsoft.artifact.lifecycle --annotation "vnd.microsoft.artifact.lifecycle.end-of-life.date=$today" $image
+}
+
+install_oras_if_needed() {
+  if [[ -x oras/oras ]]; then
+    return
+  fi
+  local version="1.1.0"
+  curl -sLO "https://github.com/oras-project/oras/releases/download/v${version}/oras_${version}_linux_amd64.tar.gz"
+  mkdir -p oras
+  tar -zxf oras_${version}_linux_amd64.tar.gz -C oras
+  rm oras_${version}_linux_amd64.tar.gz
 }
 
 publish_docker_images_with_arch_suffix() {