microsoft · sarsharma · Apr 8, 2026 · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026
@@ -148,6 +148,50 @@ getSdkFromImage() {
 buildPlatform() {
 	local versionFile="$1"
 	local funcToCall="$2"
+
+	# When VERSIONS_TO_BUILD_OVERRIDE is set (comma-separated list of versions),
+	# only build those specific versions and skip blob existence checks entirely.
+	# This allows force-building specific SDK versions without rebuilding everything.
+	if [ -n "$VERSIONS_TO_BUILD_OVERRIDE" ]; then
+		echo "VERSIONS_TO_BUILD_OVERRIDE is set: $VERSIONS_TO_BUILD_OVERRIDE"
+		echo "Building only specified versions, skipping storage account checks."
+		export OVERWRITE_EXISTING_SDKS="true"
+
+		# Build a lookup set of requested versions
+		IFS=',' read -ra _requested_versions <<< "$VERSIONS_TO_BUILD_OVERRIDE"
+		declare -A _force_set
+		for _v in "${_requested_versions[@]}"; do
+			_v="$(echo "$_v" | xargs)"
+			[ -n "$_v" ] && _force_set["$_v"]=1
+		done
+
+		# Read the version file but only invoke the build function for matching versions.
+		# This preserves extra args (e.g. GPG keys, SHAs) that some platforms need.
+		while IFS= read -r VERSION_INFO || [[ -n $VERSION_INFO ]]; do
+			VERSION_INFO="$(echo -e "${VERSION_INFO}" | sed -e 's/^[[:space:]]*//')"
+			if [ -z "$VERSION_INFO" ] || [[ $VERSION_INFO = \#* ]]; then
+				continue
+			fi
+
+			IFS=',' read -ra VERSION_INFO_PARTS <<< "$VERSION_INFO"
+			lineVersion="$(echo -e "${VERSION_INFO_PARTS[0]}" | sed -e 's/^[[:space:]]*//')"
+
+			if [ -z "${_force_set[$lineVersion]:-}" ]; then
+				continue
+			fi
+
+			echo "Force-building version: $lineVersion"
+			versionArgs=()
+			for arg in "${VERSION_INFO_PARTS[@]}"; do
+				arg="$(echo -e "${arg}" | sed -e 's/^[[:space:]]*//')"
+				versionArgs+=("$arg")
+			done
+
+			$funcToCall "${versionArgs[@]}"
+		done < "$versionFile"
+		return
+	fi
+
 	while IFS= read -r VERSION_INFO || [[ -n $VERSION_INFO ]]
 	do
 		# remove all whitespace before first character

@@ -2,6 +2,8 @@ ARG OS_FLAVOR
 FROM mcr.microsoft.com/mirror/docker/library/buildpack-deps:${OS_FLAVOR}
 ARG OS_FLAVOR
 ENV OS_FLAVOR=$OS_FLAVOR
+ARG VERSIONS_TO_BUILD_OVERRIDE=""
+ENV VERSIONS_TO_BUILD_OVERRIDE=$VERSIONS_TO_BUILD_OVERRIDE
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \

@@ -2,6 +2,8 @@ ARG OS_FLAVOR
 FROM mcr.microsoft.com/mirror/docker/library/buildpack-deps:${OS_FLAVOR} AS php-buildpack-prereqs
 ARG OS_FLAVOR
 ENV OS_FLAVOR=$OS_FLAVOR
+ARG VERSIONS_TO_BUILD_OVERRIDE=""
+ENV VERSIONS_TO_BUILD_OVERRIDE=$VERSIONS_TO_BUILD_OVERRIDE
 COPY platforms/php/prereqs /php
 COPY platforms/php/prereqs/build.sh /tmp/
 COPY images/receiveGpgKeys.sh /tmp/receiveGpgKeys.sh

@@ -2,6 +2,8 @@ ARG OS_FLAVOR
 FROM mcr.microsoft.com/mirror/docker/library/buildpack-deps:${OS_FLAVOR} AS php-buildpack-prereqs
 ARG OS_FLAVOR
 ENV OS_FLAVOR=$OS_FLAVOR
+ARG VERSIONS_TO_BUILD_OVERRIDE=""
+ENV VERSIONS_TO_BUILD_OVERRIDE=$VERSIONS_TO_BUILD_OVERRIDE
 COPY platforms/php/prereqs /php
 # COPY build/__phpVersions.sh /php/
 COPY platforms/php/prereqs/build.sh /tmp/

@@ -3,6 +3,8 @@ ARG OS_FLAVOR
 FROM mcr.microsoft.com/mirror/docker/library/buildpack-deps:${OS_FLAVOR}
 ARG OS_FLAVOR
 ENV OS_FLAVOR=$OS_FLAVOR
+ARG VERSIONS_TO_BUILD_OVERRIDE=""
+ENV VERSIONS_TO_BUILD_OVERRIDE=$VERSIONS_TO_BUILD_OVERRIDE
 
 # COPY build/__pythonVersions.sh /tmp/
 

@@ -0,0 +1,21 @@
+// --------------------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT license.
+// --------------------------------------------------------------------------------------------
+
+namespace Microsoft.Oryx.BuildScriptGenerator.Common
+{
+    public static class SdkImageRepositoryHelper
+    {
+        /// <summary>
+        /// Maps a platform name to its OCI SDK image repository path.
+        /// e.g. "nodejs" → "oryx/nodejs-sdk", "php" → "oryx/php-sdk".
+        /// Final image ref: mcr.microsoft.com/oryx/nodejs-sdk:bookworm-20.20.2
+        /// </summary>
+        public static string GetSdkImageRepository(string platformName, string prefix = null)
+        {
+            prefix = string.IsNullOrEmpty(prefix) ? SdkStorageConstants.DefaultAcrSdkRepositoryPrefix : prefix;
+            return $"{prefix}/{platformName}-sdk";
+        }
+    }
+}
@@ -21,5 +21,9 @@ public static class SdkStorageConstants
         public const string DotnetRuntimeVersionMetadataName = "Dotnet_runtime_version";
         public const string LegacyDotnetRuntimeVersionMetadataName = "Runtime_version";
         public const string OsTypeMetadataName = "Os_type";
+
+        // OCI image based SDK distribution constants
+        public const string DefaultAcrSdkRegistryUrl = "https://mcr.microsoft.com";
+        public const string DefaultAcrSdkRepositoryPrefix = "oryx";
     }
 }
@@ -0,0 +1,212 @@
+// --------------------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT license.
+// --------------------------------------------------------------------------------------------
+
+using System;
+using System.Formats.Tar;
+using System.IO;
+using System.IO.Compression;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Microsoft.Oryx.BuildScriptGenerator.Common;
+
+namespace Microsoft.Oryx.BuildScriptGenerator
+{
+    /// <summary>
+    /// Fetches SDK tarballs directly from an OCI container registry.
+    /// SDK images are single-layer <c>FROM scratch</c> images containing a single
+    /// <c>.tar.gz</c> SDK file. The OCI layer blob is a tar archive of the image
+    /// filesystem, so this provider downloads the layer, extracts the inner SDK
+    /// tarball from it, and caches it locally.
+    /// </summary>
+    /// <remarks>
+    /// Makes direct HTTP calls to the registry (no Unix socket).
+    /// See <see cref="ExternalAcrSdkProvider"/> for the socket-based variant.
+    /// </remarks>
+    public class AcrSdkProvider : IAcrSdkProvider
+    {
+        private readonly ILogger<AcrSdkProvider> logger;
+        private readonly IStandardOutputWriter outputWriter;
+        private readonly BuildScriptGeneratorOptions options;
+        private readonly OciRegistryClient ociClient;
+
+        public AcrSdkProvider(
+            IStandardOutputWriter outputWriter,
+            ILogger<AcrSdkProvider> logger,
+            IOptions<BuildScriptGeneratorOptions> options,
+            OciRegistryClient ociClient)
+        {
+            this.logger = logger;
+            this.outputWriter = outputWriter;
+            this.options = options.Value;
+            this.ociClient = ociClient;
+        }
+
+        /// <inheritdoc/>
+        public async Task<bool> RequestSdkFromAcrAsync(string platformName, string version, string debianFlavor, string runtimeVersion = null)
+        {
+            if (string.IsNullOrEmpty(platformName))
+            {
+                throw new ArgumentException("Platform name cannot be null or empty.", nameof(platformName));
+            }
+
+            if (string.IsNullOrEmpty(version))
+            {
+                throw new ArgumentException("Version cannot be null or empty.", nameof(version));
+            }
+
+            if (string.IsNullOrEmpty(debianFlavor))
+            {
+                debianFlavor = this.options.DebianFlavor ?? "bookworm";
+            }
+
+            var repository = SdkImageRepositoryHelper.GetSdkImageRepository(platformName, this.options.OryxAcrSdkRepositoryPrefix);
+            var tag = string.IsNullOrEmpty(runtimeVersion)
+                ? $"{debianFlavor}-{version}"
+                : $"{debianFlavor}-{version}_{runtimeVersion}";
+            var blobName = $"{platformName}-{debianFlavor}-{version}.tar.gz";
+
+            this.logger.LogInformation(
+                "Requesting SDK from ACR: {Repository}:{Tag}",
+                repository,
+                tag);
+            this.outputWriter.WriteLine(
+                $"Requesting SDK from ACR: {repository}:{tag}");
+
+            // Download to the writable dynamic install directory, NOT /var/OryxSdks (read-only external mount).
+            var downloadDir = Path.Combine(this.options.DynamicInstallRootDir, platformName);
+            var tarballPath = Path.Combine(downloadDir, blobName);
+            var digestPath = Path.Combine(downloadDir, $".{blobName}.digest");
+
+            try
+            {
+                // Get image manifest
+                var remoteDigest = await this.ociClient.GetManifestDigestAsync(repository, tag);
+
+                // Check if cached tarball is still fresh
+                if (File.Exists(tarballPath) && File.Exists(digestPath) && remoteDigest != null)
+                {
+                    var localDigest = File.ReadAllText(digestPath).Trim();
+                    if (string.Equals(localDigest, remoteDigest, StringComparison.OrdinalIgnoreCase))
+                    {
+                        this.logger.LogInformation(
+                            "SDK cache is fresh (digest match): {FilePath}",
+                            tarballPath);
+                        this.outputWriter.WriteLine(
+                            $"SDK tarball already cached and fresh at {tarballPath}");
+                        return true;
+                    }
+
+                    this.logger.LogInformation(
+                        "SDK cache is stale (digest mismatch). Re-downloading.");
+                }
+
+                // Get manifest → extract single layer digest
+                var manifest = await this.ociClient.GetManifestAsync(repository, tag);
+                var layerDigest = OciRegistryClient.GetFirstLayerDigest(manifest);
+
+                if (string.IsNullOrEmpty(layerDigest))
+                {
+                    this.logger.LogWarning(
+                        "No layer found in manifest for {Repository}:{Tag}",
+                        repository,
+                        tag);
+                    this.outputWriter.WriteLine($"No layer found in ACR manifest for {platformName} {version}.");
+                    return false;
+                }
+
+                Directory.CreateDirectory(downloadDir);
+
+                // 2. Download the OCI layer blob to a temp file.
+                //    The layer is a tar archive of the image filesystem (not the SDK tarball itself).
+                var layerTempPath = Path.Combine(downloadDir, $".layer-{Guid.NewGuid():N}.tmp");
+                try
+                {
+                    var downloadSuccess = await this.ociClient.DownloadLayerBlobAsync(
+                        repository,
+                        layerDigest,
+                        layerTempPath);
+
+                    if (!downloadSuccess)
+                    {
+                        this.logger.LogWarning(
+                            "ACR SDK pull failed digest verification: {Repository}:{Tag}",
+                            repository,
+                            tag);
+                        this.outputWriter.WriteLine(
+                            $"Failed to pull SDK from ACR (digest mismatch): {platformName} {version}");
+                        return false;
+                    }
+
+                    // 3. Extract the inner SDK .tar.gz from the layer tar.
+                    //    The image is FROM scratch with a single COPY of the SDK tarball,
+                    //    so the layer contains the .tar.gz as a top-level entry.
+                    this.ExtractFileFromTar(layerTempPath, tarballPath, blobName);
+                }
+                finally
+                {
+                    // Always clean up the temporary layer file
+                    if (File.Exists(layerTempPath))
+                    {
+                        File.Delete(layerTempPath);
+                    }
+                }
+
+                this.logger.LogInformation(
+                    "Successfully pulled SDK from ACR: {Repository}:{Tag} → {FilePath}",
+                    repository,
+                    tag,
+                    tarballPath);
+                this.outputWriter.WriteLine(
+                    $"Successfully pulled SDK from ACR: {platformName} {version}");
+
+                // Write manifest digest sidecar for future freshness checks
+                if (!string.IsNullOrEmpty(remoteDigest))
+                {
+                    File.WriteAllText(digestPath, remoteDigest);
+                }
+
+                return true;
+            }
+            catch (Exception ex)
+            {
+                this.logger.LogError(
+                    ex,
+                    "Error pulling SDK from ACR: {Repository}:{Tag}",
+                    repository,
+                    tag);
+                this.outputWriter.WriteLine(
+                    $"Error pulling SDK from ACR: {platformName} {version}: {ex.Message}");
+                return false;
+            }
+        }
+
+        /// <summary>
+        /// Extracts the expected SDK .tar.gz file from an OCI layer tar archive.
+        /// OCI layers use media type "application/vnd.docker.image.rootfs.diff.tar.gzip",
+        /// so the blob must be decompressed before reading tar entries.
+        /// </summary>
+        private void ExtractFileFromTar(string layerPath, string outputPath, string expectedFileName)
+        {
+            using (var stream = File.OpenRead(layerPath))
+            using (var gzipStream = new GZipStream(stream, CompressionMode.Decompress))
+            using (var tarReader = new TarReader(gzipStream))
+            {
+                TarEntry entry;
+                while ((entry = tarReader.GetNextEntry()) != null)
+                {
+                    var name = entry.Name.TrimStart('.', '/');
+                    if (entry.DataStream != null && name.Equals(expectedFileName, StringComparison.OrdinalIgnoreCase))
+                    {
+                        entry.ExtractToFile(outputPath, overwrite: true);
+                        return;
+                    }
+                }
+            }
+
+            throw new InvalidOperationException($"Expected entry '{expectedFileName}' not found in OCI layer: {layerPath}");
+        }
+    }
+}