🆕 Public beta: Protected tags #10906
Replies: 60 comments 63 replies
-
Query: What is used for pattern matching? For example, I'd like to protect SemVer tags (vX.Y.Z.T), but I didn't know if the official SemVer regexes work with the parser GitHub uses. I could do I mean, I'll be testing it out, but you might reply faster than I'll be able to test. 😄
-
Hey @emmaviolet I would like to try this new feature for "globalid" organization.
-
@emmaviolet this is great to see - I'd love to have it enabled for my user, as well as the "theliturgists" organization.
-
Hi @emmaviolet Awesome to see this being added. Can you please enable it for "OutSystems" organization? (no need for my user)
-
I want to get it enabled for me.
-
Hi @emmaviolet, if possible please enable this feature for the 'chartrequest' organization, as we're using tags to trigger production builds
-
@emmaviolet I can think of a possible use case that might be nice, though it might not be possible to support. It would be nice if certain tag patterns could only be pushed by certain users. In some of my repos, there are semi-official tags that aren't "final" SemVer tags, but are pretty important and we'd prefer not to have those overwritten. I know I could give that user Maintainer status but with that does come a lot of extra power...
-
Hi @emmaviolet 🎉 It's great news 🚀 I want to use protected tags to protect against accidental Go module releases in orgs I'm a member of. Would you mind enabling it for the following orgs?
-
Hey @emmaviolet I would like to try this new feature for "@brickdoc" organization.
-
Could you please enable this feature for the @Flatbook org?
-
Enabled for all requestors now. Thanks, all!
-
@emmaviolet Can you please enable for the @acst org as well? Thanks!
-
@emmaviolet can you please enable it for [name-redacted] org as well. Thank you.
-
@emmaviolet could you pls enable it for my org @MorphosisApps. Thank you.
-
@emmaviolet can you please enable for https://github.com/telus-health. thanks!
-
@emmaviolet Hello, just some simple feedback from my team. Currently the feature is working as expected, but I think there is something missing about deploy keys with write access that can't create/delete tags when protected tags are enabled. Currently the error is "protected tag hook declined", even if the deploy key used has write access. As I understand it, it should work like branch protection, and deploy keys have the same admin permissions when they have write access. Ref.: https://docs.github.com/en/developers/overview/managing-deploy-keys#deploy-keys
-
Getting an error from an action (https://github.com/mathieudutour/github-tag-action) when it attempts to write a protected tag.
When I removed tag protection the action succeeded.
-
Hi, any plans to make this configurable at the organization level as well, so that it can be enforced for all repositories in it?
-
It seems like this feature launched without the ability for the GHA actor to push to protected tags. I want to prevent normal users of the repo from pushing tags in a certain format because it screws up our tag and release job, but I can't have both a tag protection rule and run my tag and release job using the actions actor so I can't really use this feature.
-
As per https://github.com/orgs/community/discussions/31177 being able to protect tags from deletion but not creation and/or the ability to protect a Regex/glob of tags (e.g. v1.0.0 but not v1.0.0-alpha) is really critical for us.
-
I use
-
So, am I understanding correctly, there is no way to prevent someone from pushing a tag from an arbitrary branch? So hypothetically speaking, if I have CICD that fires on every tag push, I can't stop people from making up random branch names and pushing tags? Or if I just don't want tags to be in the repo for any other reason except when an allowed person creates one?
-
Apologies, folks, I have been reading along here but haven't managed to get this prioritised yet. Sending over to another team who may be able to assist.
-
For our use case, we would like to require our protected tags for production to be based on protected branches. This would leverage a lot of features offered by protected branches (status checks, reviewers, PRs, etc)
-
It would also be nice to have a dedicated event that apps can subscribe to, like https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#branch_protection_rule. For our use case we would like our GitHub app to update AWS Assume policy on a role (OIDC), based on protected branches set in the repository.
-
Hey y'all, we've introduced the beta of repository rules, which include tag rulesets, which take most of the features you loved from branch protections and bring them to tags. If you're on GitHub Enterprise you can also protect tags from the org level for all or some repos. Check it out and let us know what you think.
-
I'm not sure if I'm misunderstanding how this feature works or if this is a bug, but it's not working the way I thought it would work after reading the docs. I've created a protected tag called However, a user on our team with "Write" permission was able to create a Release with a name similar to that above, and was able to kick off a release. Am I misunderstanding this feature?
-
Is it possible to make a ruleset that only allows tags to be made on commits that are on the
-
There may be a permission for protected tag missing from permissions to allow the
-
Found a solution to the problem of pushing tags from the CI that involves the usage of a write deploy key and is safe if you add the key as a secret to an environment bound to a branch/tag:
-
Public beta: Protected tags
👋 We currently have some APIs that will allow repo admins to protect tags on their repos. Details of how this works below!
Related
#5529
https://github.community/t/feature-request-protected-tags/1742
isaacs/github#1091
What we've built
Our beta tag protection feature gives repo admins the option to protect tags on their repo. If they choose to do so, only maintainers and admins will be able to create these tags, and only admins will be able to modify or delete these tags. Tags are protected by patterns - you could protect all tags by using the “*” pattern, but you don’t have to.
To set up and manage these tag protections, we’ve introduced three endpoints, which any repo admin should be able to use:
GET /repos/{owner}/{repo}/tags/protection
Returns a list of tag protection rules.
POST /repos/{owner}/{repo}/tags/protection
Creates a new tag protection rule. Payload must include a pattern - example:
    curl -H "Authorization: token $GITHUB_TOKEN" \
      -XPOST -d '{"pattern": "*"}' \
      https://api.github.com/repos/JasonEtco/testing/tags/protection
    {
      "id": 123456,
      "pattern": "*",
      "created_at": "2022-01-12T12:01:47.094-05:00",
      "updated_at": "2022-01-12T12:01:47.094-05:00"
    }
DELETE /repos/{owner}/{repo}/tags/protection/{tag_protection_id}
Deletes a tag protection rule.
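A small client for the three endpoints described in the post above, added here as an example and not GitHub's own code: it creates any missing protection patterns and reports rules nobody asked for, deleting them only when `prune=True`. The function and class names, the `example-owner`/`example-repo` placeholders, and the shape of the GET response (a list of objects like the POST response) are assumptions.

```python
import json
import urllib.request

def github_send(token, api="https://api.github.com"):
    """Real transport: returns send(method, path, body) -> decoded JSON or None."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(api + path, data=data, method=method, headers={
            "Authorization": f"token {token}",  # same header as the curl call above
            "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None  # an empty response body becomes None
    return send

def reconcile_tag_protection(owner, repo, wanted, send, prune=False):
    """Create missing rules; report unexpected ones and delete them only if prune=True."""
    base = f"/repos/{owner}/{repo}/tags/protection"
    # Assumption: GET returns a JSON list of objects shaped like the POST response.
    existing = {rule["pattern"]: rule["id"] for rule in send("GET", base)}
    created = sorted(set(wanted) - existing.keys())
    unexpected = sorted(existing.keys() - set(wanted))
    for pattern in created:
        send("POST", base, {"pattern": pattern})
    for pattern in unexpected if prune else []:
        send("DELETE", f"{base}/{existing[pattern]}")
    return {"created": created, "unexpected": unexpected,
            "pruned": unexpected if prune else []}

class FakeTagProtectionAPI:
    """Constructed in-memory stand-in for the three endpoints, so this runs offline."""
    def __init__(self, patterns):
        self.rules = dict(enumerate(patterns, start=1))  # id -> pattern
    def __call__(self, method, path, body=None):
        if method == "GET":
            return [{"id": i, "pattern": p} for i, p in self.rules.items()]
        if method == "POST":
            new_id = max(self.rules, default=0) + 1
            self.rules[new_id] = body["pattern"]
            return {"id": new_id, "pattern": body["pattern"]}
        if method == "DELETE":
            del self.rules[int(path.rsplit("/", 1)[1])]
            return None
        raise ValueError(f"unsupported method {method}")

if __name__ == "__main__":
    fake = FakeTagProtectionAPI(["*"])  # constructed starting state: one rule
    print(reconcile_tag_protection("example-owner", "example-repo", ["v*"], fake))
```

To run it against a real repository, pass `github_send(token)` as `send`; the default `prune=False` never removes an existing protection rule.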