ACR-based SDK distribution (#2837)

* feat: Oryx SDK regional distribution — pull SDKs from ACR

* feat: Add ACR-based SDK distribution with feature flag

Add two separate ACR SDK providers behind ORYX_ENABLE_ACR_SDK_PROVIDER:

1. ExternalAcrSdkProvider - communicates with LWASv2 via Unix socket
   to pull SDK images from WAWS Images ACR
2. AcrSdkProvider (direct) - downloads SDKs from Oryx ACR
   (oryxsdks.azurecr.io) using OCI Distribution API

New files:
- IExternalAcrSdkProvider.cs / ExternalAcrSdkProvider.cs
- OciRegistryClient.cs - HTTP client for OCI Distribution API
- AcrVersionProviderBase.cs - base class for ACR version discovery
- Per-platform ACR version providers (Node, Python, PHP, DotNetCore)
- publishSdkImageToAcr.sh / publishSdkToAcr.yml - ACR publish pipeline

Modified files:
- Platform install decisions (NodePlatform, PythonPlatform, PhpPlatform,
  DotNetCorePlatform) with ACR branch before existing DynamicInstall
- Version provider orchestrators with ACR provider chain
- PlatformInstallerBase with GetAcrInstallerScriptSnippet()
- Go startup script generator with ACR download path
- DI registrations for all new providers
- Constants, options, settings keys for ACR configuration

All changes are additive and behind feature flags.
Existing blob storage code paths are completely untouched.

* refactor: Simplify ExternalAcrSdkProvider - let LWASv2 handle image resolution

Remove ACR repository/tag construction from ExternalAcrSdkProvider.
Now sends only platform, version, and debianFlavor to LWASv2.
LWASv2 resolves the SDK companion image from LinuxAssets and
handles pinning, containerd pull, mount, and extraction.

* refactor: Remove script-based ACR publish (moved to AAPT-Antares-Oryx OneBranch pipeline)

Remove publishSdkImageToAcr.sh and publishSdkToAcr.yml since SDK images
are now built and pushed using onebranch.pipeline.imagebuildinfo in
the AAPT-Antares-Oryx pipeline, not via custom scripts.

* fix: Default ACR SDK registry to oryxacr.azurecr.io

Use the same ACR that AAPT-Antares-Oryx publishes SDK images to.
Updated both C# constant and Go constant.

* fix: Resolve StyleCop analyzer errors in ACR SDK provider files

- SA1204: Move static GetFirstLayerDigest before instance members (OciRegistryClient.cs)
- SA1124: Remove #region/#endregion around OCI JSON models (OciRegistryClient.cs)
- SA1202: Move protected GetAcrInstallerScriptSnippet before private methods (PlatformInstallerBase.cs)
- SA1116/SA1117: Place multi-line parameters each on own line (ExternalAcrSdkProvider.cs)
- SA1515: Add blank line before single-line comment (DotNetCoreAcrVersionProvider.cs)

* fix: Resolve StyleCop analyzer errors in ACR SDK provider files

- SA1204: Move static GetFirstLayerDigest before instance members (OciRegistryClient.cs)
- SA1124: Remove #region/#endregion around OCI JSON models (OciRegistryClient.cs)
- SA1202: Move protected GetAcrInstallerScriptSnippet before private methods (PlatformInstallerBase.cs)
- SA1116/SA1117: Place multi-line parameters each on own line (ExternalAcrSdkProvider.cs)
- SA1515: Add blank line before single-line comment (DotNetCoreAcrVersionProvider.cs)

* Feature/oryx sdk acr distribution sdks resolver (#2842)

* fix: Resolve StyleCop analyzer errors in ACR SDK provider files

- SA1204: Move static GetFirstLayerDigest before instance members (OciRegistryClient.cs)
- SA1124: Remove #region/#endregion around OCI JSON models (OciRegistryClient.cs)
- SA1202: Move protected GetAcrInstallerScriptSnippet before private methods (PlatformInstallerBase.cs)
- SA1116/SA1117: Place multi-line parameters each on own line (ExternalAcrSdkProvider.cs)
- SA1515: Add blank line before single-line comment (DotNetCoreAcrVersionProvider.cs)

* fix sdk providers logic

* refactor pythonPlatform

* refctor for dotnet,php and node

---------

Co-authored-by: Sarath chandra Bussa <sbussa@microsoft.com>

* fix build and tests (#2843)

* fix to fetch from acr (#2844)

* Update version providers (#2845)

* Refactor version providers (#2846)

* Fix acr version info (#2848)

* Changes for php composer (#2849)

* Clean dead code (#2850)

* Fix priroity in sdk resolver (#2851)

* Fix Uts and version providers (#2852)

* ACR Sdk provider refactor (#2854)

* registryclient improvements

* fix build issue

* Add changes foe external ACR provider (#2855)

* Change flag name for external acr case (#2856)

* Handle multiplatform (#2857)

* Revert "Handle multiplatform (#2857)" (#2858)

This reverts commit 77d9f99.

* Disable external ACR for multiplatform (#2859)

* Fix test case (#2860)

* Refactor external acr provider (#2862)

* update externalacrsdkprovider contract

* Align ExternalAcrSdkProvider and ExternalAcrVersionProviderBase with LWASv2 socket contract

- Fix socket path to /var/sdk-image-sockets/oryx-pull-sdk-image.socket (ACR socket)
- Add ExternalAcrSdksStorageDir constant (/var/OryxAcrSdks) for ACR SDK cache
- Add top-level Action field (pull-sdk / get-version) to request DTOs
- Remove BlobName and UrlParameters from ExternalAcrSdkProvider request
- Accept server-returned filename as success response instead of expecting 'Success$'

* update logic for dotnet and default versions

* update logic for dotnet and default versions (#2864)

* Refactor code for new acr way (#2863)

* nit fix (#2865)

* Refactor ACR SDK provider to return tarball path

* ACR SDK distribution: Refactor direct acr sdk fetching logic (#2866)

* update logic for dotnet and default versions

* Refactor ACR SDK provider to return tarball path

* Cleanup startupscriptgen and refactor ACR SDK distribution constants

* ACR Sdk distribution: Cleanup startupscriptgenerator and fix image repo constants (#2867)

* update logic for dotnet and default versions

* Refactor ACR SDK provider to return tarball path

* Cleanup startupscriptgen and refactor ACR SDK distribution constants

* Refactor ACR SDK provider methods to return boolean status and update related logic across platforms

* Update version provider logic to check for external SDK provider option

* ACR Sdk distribution: Fix failure path for acr sdk fetching (#2868)

* update logic for dotnet and default versions

* Refactor ACR SDK provider to return tarball path

* Cleanup startupscriptgen and refactor ACR SDK distribution constants

* Refactor ACR SDK provider methods to return boolean status and update related logic across platforms

* Update version provider logic to check for external SDK provider option

* Update version provider fallback (#2872)

* Update fallback logic for sdks (#2873)

* version map fix

* fix externalacrprovider for dotnet

* ACR Sdk distribution: fix external ACR sdk provider for dotnet (#2874)

* update logic for dotnet and default versions

* Refactor ACR SDK provider to return tarball path

* Cleanup startupscriptgen and refactor ACR SDK distribution constants

* Refactor ACR SDK provider methods to return boolean status and update related logic across platforms

* Update version provider logic to check for external SDK provider option

* version map fix

* fix externalacrprovider for dotnet

* Feature/oryx sdk acr distribution fix phpand composer (#2875)

* Update PHP and PHP-Composer Platform

* update php and composer

* Enhance OciRegistryClient to support anonymous token acquisition for public repositories

* add logging

* Acr SDK Distribution: Add token for listing sdk images (#2876)

* update logic for dotnet and default versions

* Refactor ACR SDK provider to return tarball path

* Cleanup startupscriptgen and refactor ACR SDK distribution constants

* Refactor ACR SDK provider methods to return boolean status and update related logic across platforms

* Update version provider logic to check for external SDK provider option

* version map fix

* fix externalacrprovider for dotnet

* Enhance OciRegistryClient to support anonymous token acquisition for public repositories

* add logging

* fix build

* suppress auth header from logs

* fix socket paths

* Add a method to fetch all versions for a platform (#2877)

* fix fallback flow

* logging fixes

* logging fixes (#2878)

* fix tar extraction and add more logging

* fix dotnet image pull

* handle gzip stream

* fix php installationscript duplication

* ACR Sdk dist: Enhancements for cache management (#2889)

* add fallback for no versions returned

* improve image caching logic

* handle mcr repo

* Feature/oryx sdk acr distribution pr review 1 (#2888)

* nit fixes in pr review

* nit fixes 2.0

* refactor

* Fix UTs

* ACR SDK dist: Add tests, refactoring and some fixes (#2892)

* Fix composer logic (#2893)

* Fix composer logic

* nit

* fix build (#2894)

* Add .NET SDK versions and composerVersion to constants.yml

Add DOTNET_SDK_80, DOTNET_SDK_90, DOTNET_SDK_100 variables to pair with
existing runtime version variables. Add composerVersion for PHP Composer.
These are consumed by the Official and Buddy pipelines for SDK ACR publishing.

* ACR SDK dist: Refactor version provider and bump up dependencies (#2895)

* fix node logic and some other bugs

* more fixes

* socket helper refactor

* more fixes

* add tests

* refactor version provider

* fix build

* bump version

* ACR SDK dist: Additional test cases (#2896)

* fix node logic and some other bugs

* more fixes

* socket helper refactor

* more fixes

* add tests

* refactor version provider

* fix build

* bump version

* add tests

* follow existing pattern for php composer, add more tests

* Revert "Add .NET SDK versions and composerVersion to constants.yml"

This reverts commit 2f2b67d.

* update comment

* Add VERSIONS_TO_BUILD_OVERRIDE to force-build specific SDK versions (#2897)

- Modify buildPlatform() in __common.sh: when VERSIONS_TO_BUILD_OVERRIDE is set,
  filter versionsToBuild.txt to only matching versions and set OVERWRITE_EXISTING_SDKS=true
  to bypass blob existence checks
- Add ARG/ENV VERSIONS_TO_BUILD_OVERRIDE to nodejs, python, php, and php-composer Dockerfiles
  so the env var reaches build containers via --build-arg

Co-authored-by: Sarath chandra Bussa <sbussa@microsoft.com>

* resolve comments

* nit

* fix comment

---------

Co-authored-by: Sarath chandra Bussa <sbussa@microsoft.com>
Co-authored-by: Akshay Kumar <kumaraksh@microsoft.com>
Co-authored-by: Akshay Kumar <112485097+kumaraksh1@users.noreply.github.com>
Co-authored-by: sartsharma <sartsharma@microsoft.com>

Author: 4 people

platforms/__common.sh

@@ -148,6 +148,50 @@ getSdkFromImage() {
 buildPlatform() {
 	local versionFile="$1"
 	local funcToCall="$2"
+
+	# When VERSIONS_TO_BUILD_OVERRIDE is set (comma-separated list of versions),
+	# only build those specific versions and skip blob existence checks entirely.
+	# This allows force-building specific SDK versions without rebuilding everything.
+	if [ -n "$VERSIONS_TO_BUILD_OVERRIDE" ]; then
+		echo "VERSIONS_TO_BUILD_OVERRIDE is set: $VERSIONS_TO_BUILD_OVERRIDE"
+		echo "Building only specified versions, skipping storage account checks."
+		export OVERWRITE_EXISTING_SDKS="true"
+
+		# Build a lookup set of requested versions
+		IFS=',' read -ra _requested_versions <<< "$VERSIONS_TO_BUILD_OVERRIDE"
+		declare -A _force_set
+		for _v in "${_requested_versions[@]}"; do
+			_v="$(echo "$_v" | xargs)"
+			[ -n "$_v" ] && _force_set["$_v"]=1
+		done
+
+		# Read the version file but only invoke the build function for matching versions.
+		# This preserves extra args (e.g. GPG keys, SHAs) that some platforms need.
+		while IFS= read -r VERSION_INFO || [[ -n $VERSION_INFO ]]; do
+			VERSION_INFO="$(echo -e "${VERSION_INFO}" | sed -e 's/^[[:space:]]*//')"
+			if [ -z "$VERSION_INFO" ] || [[ $VERSION_INFO = \#* ]]; then
+				continue
+			fi
+
+			IFS=',' read -ra VERSION_INFO_PARTS <<< "$VERSION_INFO"
+			lineVersion="$(echo -e "${VERSION_INFO_PARTS[0]}" | sed -e 's/^[[:space:]]*//')"
+
+			if [ -z "${_force_set[$lineVersion]:-}" ]; then
+				continue
+			fi
+
+			echo "Force-building version: $lineVersion"
+			versionArgs=()
+			for arg in "${VERSION_INFO_PARTS[@]}"; do
+				arg="$(echo -e "${arg}" | sed -e 's/^[[:space:]]*//')"
+				versionArgs+=("$arg")
+			done
+
+			$funcToCall "${versionArgs[@]}"
+		done < "$versionFile"
+		return
+	fi
+
 	while IFS= read -r VERSION_INFO || [[ -n $VERSION_INFO ]]
 	do
 		# remove all whitespace before first character

platforms/nodejs/Dockerfile

@@ -2,6 +2,8 @@ ARG OS_FLAVOR
 FROM mcr.microsoft.com/mirror/docker/library/buildpack-deps:${OS_FLAVOR}
 ARG OS_FLAVOR
 ENV OS_FLAVOR=$OS_FLAVOR
+ARG VERSIONS_TO_BUILD_OVERRIDE=""
+ENV VERSIONS_TO_BUILD_OVERRIDE=$VERSIONS_TO_BUILD_OVERRIDE
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \

platforms/php/Dockerfile

@@ -2,6 +2,8 @@ ARG OS_FLAVOR
 FROM mcr.microsoft.com/mirror/docker/library/buildpack-deps:${OS_FLAVOR} AS php-buildpack-prereqs
 ARG OS_FLAVOR
 ENV OS_FLAVOR=$OS_FLAVOR
+ARG VERSIONS_TO_BUILD_OVERRIDE=""
+ENV VERSIONS_TO_BUILD_OVERRIDE=$VERSIONS_TO_BUILD_OVERRIDE
 COPY platforms/php/prereqs /php
 COPY platforms/php/prereqs/build.sh /tmp/
 COPY images/receiveGpgKeys.sh /tmp/receiveGpgKeys.sh

platforms/php/composer/Dockerfile

@@ -2,6 +2,8 @@ ARG OS_FLAVOR
 FROM mcr.microsoft.com/mirror/docker/library/buildpack-deps:${OS_FLAVOR} AS php-buildpack-prereqs
 ARG OS_FLAVOR
 ENV OS_FLAVOR=$OS_FLAVOR
+ARG VERSIONS_TO_BUILD_OVERRIDE=""
+ENV VERSIONS_TO_BUILD_OVERRIDE=$VERSIONS_TO_BUILD_OVERRIDE
 COPY platforms/php/prereqs /php
 # COPY build/__phpVersions.sh /php/
 COPY platforms/php/prereqs/build.sh /tmp/

platforms/python/Dockerfile

@@ -3,6 +3,8 @@ ARG OS_FLAVOR
 FROM mcr.microsoft.com/mirror/docker/library/buildpack-deps:${OS_FLAVOR}
 ARG OS_FLAVOR
 ENV OS_FLAVOR=$OS_FLAVOR
+ARG VERSIONS_TO_BUILD_OVERRIDE=""
+ENV VERSIONS_TO_BUILD_OVERRIDE=$VERSIONS_TO_BUILD_OVERRIDE
 
 # COPY build/__pythonVersions.sh /tmp/
 

src/BuildScriptGenerator.Common/SdkImageRepositoryHelper.cs

@@ -0,0 +1,21 @@
+// --------------------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT license.
+// --------------------------------------------------------------------------------------------
+
+namespace Microsoft.Oryx.BuildScriptGenerator.Common
+{
+    public static class SdkImageRepositoryHelper
+    {
+        /// <summary>
+        /// Maps a platform name to its OCI SDK image repository path.
+        /// e.g. "nodejs" → "oryx/nodejs-sdk", "php" → "oryx/php-sdk".
+        /// Final image ref: mcr.microsoft.com/oryx/nodejs-sdk:bookworm-20.20.2
+        /// </summary>
+        public static string GetSdkImageRepository(string platformName, string prefix = null)
+        {
+            prefix = string.IsNullOrEmpty(prefix) ? SdkStorageConstants.DefaultAcrSdkRepositoryPrefix : prefix;
+            return $"{prefix}/{platformName}-sdk";
+        }
+    }
+}

src/BuildScriptGenerator.Common/SdkStorageConstants.cs

@@ -21,5 +21,9 @@ public static class SdkStorageConstants
         public const string DotnetRuntimeVersionMetadataName = "Dotnet_runtime_version";
         public const string LegacyDotnetRuntimeVersionMetadataName = "Runtime_version";
         public const string OsTypeMetadataName = "Os_type";
+
+        // OCI image based SDK distribution constants
+        public const string DefaultAcrSdkRegistryUrl = "https://mcr.microsoft.com";
+        public const string DefaultAcrSdkRepositoryPrefix = "oryx";
     }
 }

src/BuildScriptGenerator/AcrSdkProvider.cs

@@ -0,0 +1,212 @@
+// --------------------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT license.
+// --------------------------------------------------------------------------------------------
+
+using System;
+using System.Formats.Tar;
+using System.IO;
+using System.IO.Compression;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Microsoft.Oryx.BuildScriptGenerator.Common;
+
+namespace Microsoft.Oryx.BuildScriptGenerator
+{
+    /// <summary>
+    /// Fetches SDK tarballs directly from an OCI container registry.
+    /// SDK images are single-layer <c>FROM scratch</c> images containing a single
+    /// <c>.tar.gz</c> SDK file. The OCI layer blob is a tar archive of the image
+    /// filesystem, so this provider downloads the layer, extracts the inner SDK
+    /// tarball from it, and caches it locally.
+    /// </summary>
+    /// <remarks>
+    /// Makes direct HTTP calls to the registry (no Unix socket).
+    /// See <see cref="ExternalAcrSdkProvider"/> for the socket-based variant.
+    /// </remarks>
+    public class AcrSdkProvider : IAcrSdkProvider
+    {
+        private readonly ILogger<AcrSdkProvider> logger;
+        private readonly IStandardOutputWriter outputWriter;
+        private readonly BuildScriptGeneratorOptions options;
+        private readonly OciRegistryClient ociClient;
+
+        public AcrSdkProvider(
+            IStandardOutputWriter outputWriter,
+            ILogger<AcrSdkProvider> logger,
+            IOptions<BuildScriptGeneratorOptions> options,
+            OciRegistryClient ociClient)
+        {
+            this.logger = logger;
+            this.outputWriter = outputWriter;
+            this.options = options.Value;
+            this.ociClient = ociClient;
+        }
+
+        /// <inheritdoc/>
+        public async Task<bool> RequestSdkFromAcrAsync(string platformName, string version, string debianFlavor, string runtimeVersion = null)
+        {
+            if (string.IsNullOrEmpty(platformName))
+            {
+                throw new ArgumentException("Platform name cannot be null or empty.", nameof(platformName));
+            }
+
+            if (string.IsNullOrEmpty(version))
+            {
+                throw new ArgumentException("Version cannot be null or empty.", nameof(version));
+            }
+
+            if (string.IsNullOrEmpty(debianFlavor))
+            {
+                debianFlavor = this.options.DebianFlavor ?? "bookworm";
+            }
+
+            var repository = SdkImageRepositoryHelper.GetSdkImageRepository(platformName, this.options.OryxAcrSdkRepositoryPrefix);
+            var tag = string.IsNullOrEmpty(runtimeVersion)
+                ? $"{debianFlavor}-{version}"
+                : $"{debianFlavor}-{version}_{runtimeVersion}";
+            var blobName = $"{platformName}-{debianFlavor}-{version}.tar.gz";
+
+            this.logger.LogInformation(
+                "Requesting SDK from ACR: {Repository}:{Tag}",
+                repository,
+                tag);
+            this.outputWriter.WriteLine(
+                $"Requesting SDK from ACR: {repository}:{tag}");
+
+            // Download to the writable dynamic install directory, NOT /var/OryxSdks (read-only external mount).
+            var downloadDir = Path.Combine(this.options.DynamicInstallRootDir, platformName);
+            var tarballPath = Path.Combine(downloadDir, blobName);
+            var digestPath = Path.Combine(downloadDir, $".{blobName}.digest");
+
+            try
+            {
+                // Get image manifest
+                var remoteDigest = await this.ociClient.GetManifestDigestAsync(repository, tag);
+
+                // Check if cached tarball is still fresh
+                if (File.Exists(tarballPath) && File.Exists(digestPath) && remoteDigest != null)
+                {
+                    var localDigest = File.ReadAllText(digestPath).Trim();
+                    if (string.Equals(localDigest, remoteDigest, StringComparison.OrdinalIgnoreCase))
+                    {
+                        this.logger.LogInformation(
+                            "SDK cache is fresh (digest match): {FilePath}",
+                            tarballPath);
+                        this.outputWriter.WriteLine(
+                            $"SDK tarball already cached and fresh at {tarballPath}");
+                        return true;
+                    }
+
+                    this.logger.LogInformation(
+                        "SDK cache is stale (digest mismatch). Re-downloading.");
+                }
+
+                // Get manifest → extract single layer digest
+                var manifest = await this.ociClient.GetManifestAsync(repository, tag);
+                var layerDigest = OciRegistryClient.GetFirstLayerDigest(manifest);
+
+                if (string.IsNullOrEmpty(layerDigest))
+                {
+                    this.logger.LogWarning(
+                        "No layer found in manifest for {Repository}:{Tag}",
+                        repository,
+                        tag);
+                    this.outputWriter.WriteLine($"No layer found in ACR manifest for {platformName} {version}.");
+                    return false;
+                }
+
+                Directory.CreateDirectory(downloadDir);
+
+                // 2. Download the OCI layer blob to a temp file.
+                //    The layer is a tar archive of the image filesystem (not the SDK tarball itself).
+                var layerTempPath = Path.Combine(downloadDir, $".layer-{Guid.NewGuid():N}.tmp");
+                try
+                {
+                    var downloadSuccess = await this.ociClient.DownloadLayerBlobAsync(
+                        repository,
+                        layerDigest,
+                        layerTempPath);
+
+                    if (!downloadSuccess)
+                    {
+                        this.logger.LogWarning(
+                            "ACR SDK pull failed digest verification: {Repository}:{Tag}",
+                            repository,
+                            tag);
+                        this.outputWriter.WriteLine(
+                            $"Failed to pull SDK from ACR (digest mismatch): {platformName} {version}");
+                        return false;
+                    }
+
+                    // 3. Extract the inner SDK .tar.gz from the layer tar.
+                    //    The image is FROM scratch with a single COPY of the SDK tarball,
+                    //    so the layer contains the .tar.gz as a top-level entry.
+                    this.ExtractFileFromTar(layerTempPath, tarballPath, blobName);
+                }
+                finally
+                {
+                    // Always clean up the temporary layer file
+                    if (File.Exists(layerTempPath))
+                    {
+                        File.Delete(layerTempPath);
+                    }
+                }
+
+                this.logger.LogInformation(
+                    "Successfully pulled SDK from ACR: {Repository}:{Tag} → {FilePath}",
+                    repository,
+                    tag,
+                    tarballPath);
+                this.outputWriter.WriteLine(
+                    $"Successfully pulled SDK from ACR: {platformName} {version}");
+
+                // Write manifest digest sidecar for future freshness checks
+                if (!string.IsNullOrEmpty(remoteDigest))
+                {
+                    File.WriteAllText(digestPath, remoteDigest);
+                }
+
+                return true;
+            }
+            catch (Exception ex)
+            {
+                this.logger.LogError(
+                    ex,
+                    "Error pulling SDK from ACR: {Repository}:{Tag}",
+                    repository,
+                    tag);
+                this.outputWriter.WriteLine(
+                    $"Error pulling SDK from ACR: {platformName} {version}: {ex.Message}");
+                return false;
+            }
+        }
+
+        /// <summary>
+        /// Extracts the expected SDK .tar.gz file from an OCI layer tar archive.
+        /// OCI layers use media type "application/vnd.docker.image.rootfs.diff.tar.gzip",
+        /// so the blob must be decompressed before reading tar entries.
+        /// </summary>
+        private void ExtractFileFromTar(string layerPath, string outputPath, string expectedFileName)
+        {
+            using (var stream = File.OpenRead(layerPath))
+            using (var gzipStream = new GZipStream(stream, CompressionMode.Decompress))
+            using (var tarReader = new TarReader(gzipStream))
+            {
+                TarEntry entry;
+                while ((entry = tarReader.GetNextEntry()) != null)
+                {
+                    var name = entry.Name.TrimStart('.', '/');
+                    if (entry.DataStream != null && name.Equals(expectedFileName, StringComparison.OrdinalIgnoreCase))
+                    {
+                        entry.ExtractToFile(outputPath, overwrite: true);
+                        return;
+                    }
+                }
+            }
+
+            throw new InvalidOperationException($"Expected entry '{expectedFileName}' not found in OCI layer: {layerPath}");
+        }
+    }
+}