how to protect tagging as our deployment happens based on tagging and this is problematic as if any junior developer push tag goes a deploy unstable code.
If you have a workflow that is triggered by tag creation, then you could add an
if condition to its jobs that check the actor name and only allow run the deployment code if it’s someone from the hard-coded list. This is not a very satisfactory solution, however.
There’s already a discussion about “protected tags” over here: