Right now, it’s basically impossible to have any protection around tags:
* Anyone with write access to a repo can push any tags.
* There’s no auditing/logging of tag changes.
Any number of things could be done to improve this:
* Add an option to protect individual tags (or better yet, any tags that match a given regex/have a certain prefix), like how how branches can be protected.
* Include tagging events in the per-organization audit logs.
* Allow tag pushes to be locked down more tightly, like only allowing admins to push tags.