Feature Request: Protected Tags

See https://github.com/isaacs/github/issues/1091:

Right now, it’s basically impossible to have any protection around tags:

* Anyone with write access to a repo can push any tags.
* There’s no auditing/logging of tag changes.

Any number of things could be done to improve this:

* Add an option to protect individual tags (or better yet, any tags that match a given regex/have a certain prefix), like how branches can be protected.
* Include tagging events in the per-organization audit logs.
* Allow tag pushes to be locked down more tightly, like only allowing admins to push tags.

147 Likes
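The policy requested in the post above, sketched as the decision logic of a git pre-receive hook, which reads one `old new ref` line per updated ref on stdin. This is an added example, not GitHub's implementation or code from the thread; the patterns, the admin name, and how the hosting layer identifies the pusher are assumptions.

```python
import fnmatch

ZERO = "0" * 40  # all-zero object id: ref did not exist before / is being deleted

PROTECTED = ["v*", "version/*"]  # assumed protected tag patterns
ADMINS = {"release-admin"}       # assumed admin account name


def classify(old, new):
    """Map a pre-receive (old, new) pair to the kind of ref change."""
    if old == ZERO:
        return "create"
    if new == ZERO:
        return "delete"
    return "move"


def evaluate_push(lines, pusher, protected=PROTECTED, admins=ADMINS):
    """Return one audit record per tag update, allowed or not."""
    audit = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:  # fail closed on input we cannot parse
            audit.append({"ref": line.strip(), "action": "malformed",
                          "pusher": pusher, "allowed": False})
            continue
        old, new, ref = parts
        if not ref.startswith("refs/tags/"):
            continue  # branch updates are out of scope here
        tag = ref[len("refs/tags/"):]
        is_protected = any(fnmatch.fnmatchcase(tag, p) for p in protected)
        audit.append({"ref": ref, "action": classify(old, new),
                      "pusher": pusher, "protected": is_protected,
                      "allowed": (not is_protected) or pusher in admins})
    return audit


def push_accepted(audit):
    """A push is accepted only if every tag update in it is allowed."""
    return all(entry["allowed"] for entry in audit)
```

Every tag update produces a record whether or not it is allowed, which covers the audit-log request as well as the access restriction.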

Hi @jeffnappi ,

Thanks for taking the time to write this feedback, we are tracking an internal issue about this. 

Though I can’t guarantee anything or share a timeline for this, I can tell you that it’s been shared with the appropriate teams for consideration.

Please let me know if you have any other questions.

Cheers!

5 Likes

I agree that this would be a valuable feature. I would like to prevent non-admins from deleting tags. This is important for a use-case where code versions are recorded in GitHub tags instead of in the source code. I would like to prevent non-admins from deleting tags like version/*.

1 Like

GitLab has this exact functionality. And it is invaluable, and simple to implement by the GitLab devs (and GitHub devs if they want to offer tag protection).

6 Likes

Yeah, this feature is also useful for the CI/CD pipeline with the tag-based deploy model, in the case that we could prevent an unintentional tag being pushed to GitHub and triggering our deploy.

11 Likes

@sevenryze wrote:

Yeah, this feature is also useful for the CI/CD pipeline with the tag-based deploy model, in the case that we could prevent an unintentional tag being pushed to GitHub and triggering our deploy.

I don’t follow, how does a deploy model work? How do tags help the development model? Some examples please.

+1 for adding this missing feature.  

My organization is being migrated to GitHub, and we can no longer configure any protections around tags.  This is especially a problem considering we leverage tags for production releases. 

BitBucket and GitLab both support this, GitHub should too.  

6 Likes

This is something that would be really helpful. We run a process to create a release using GitHub Actions and, after the GitHub Action completes for performing the release, it would be nice to lock the tag to prevent somebody’s local configuration from accidentally changing the tag.

2 Likes

This is an incredibly helpful feature in organizations. It would be amazing if you could add this.

5 Likes

What are the road blocks as to why protection around tags is not implemented? Even if there wasn’t a robust permissions model for tags like there is for branches, just having a simple checkbox to only allow admins to create and delete tags would be a huge improvement.

Developer pushes code to branch makes pull request to master triggering CI; successful unit & integration testing allows merge to master; merge in master deploys application to staging for further regression & performance (& if we are talking any legacy application in existence… some semblance of manual testing), tag is the semantic version which COULD be used to trigger a workflow (Jenkins pipeline/job, GitHub Action, etc…) that deploys to prod however, without the ability to prevent someone accidentally tagging the version, we can’t use that as a trigger.

4 Likes

Acked. Circling back internally!

3 Likes

Tagging gives you a snapshot of code at a certain point. If a tag is moved (deleted/created) or removed by mistake or with ill purpose, it could cause problems in the future when you try to go back to the code at that tag. It is a very valuable feature needed for git repos.

+1 have used this feature a lot on GitLab. We use tags for production releases from the master branch.

1 Like

Great suggestion!

I usually use the following settings as a web developer.

* Staging Environment Deploy Trigger: master branch commit push

* Production Environment Deploy Trigger: git tag push like “v1.2.6”

I can protect against a wrong Staging Environment Deploy Trigger with branch protection.

But I cannot protect against a wrong Production Environment Deploy Trigger that is caused by a wrong tag push.

Maybe a new member who is not familiar with git may do a tag push.

So I want a feature for protecting git tag pushes.

1 Like

This should be a feature. I am actually surprised it is not. Frankly, protecting tags is probably more important than protecting branches.

Definite :+1: for adding support for this.

1 Like

This is so important, and finding it is not supported is even ridiculous. Only this feature makes us use GitLab for projects on which we need to protect our tags for version/release documentation.
It should be basic, super basic, functionality.

Also need this feature

Hi @andreagriffiths11 - it’s been more than a year now. Any update on this?