Want to restrict all users in GitHub from deleting an existing tag. Please let us know if there is any way to achieve it. I have found one article where we can protect branches: https://github.com/blog/2051-protected-branches-and-required-status-check
Similarly, is there something through which we can protect tags in GitHub?
That seems to have been implemented in March 2022, as illustrated by the changelog post:
Tag protection rules
Repository owners can now configure tag protection rules to protect tags in all public repositories and in private repositories on the Pro, Teams or Enterprise plans on GitHub.
Once protected by a tag protection rule, tags matching specified patterns can only be created and deleted by users with "Maintain" or "Admin" permissions to the repository.
For more information, see our documentation.
And, now in public beta:
Protected tags
Our beta tag protection feature gives repo admins the option to protect tags on their repo.
If they choose to do so, only maintainers and admins will be able to create these tags, and only admins will be able to modify or delete these tags. Tags are protected by patterns - you could protect all tags by using the "*" pattern, but you don’t have to.
To set up and manage these tag protections, we’ve introduced three endpoints, which any repo admin should be able to use:
GET /repos/{owner}/{repo}/tags/protection
Returns a list of tag protection rules.
POST /repos/{owner}/{repo}/tags/protection
Creates a new tag protection rule. Payload must include a pattern - example:
curl -H "Authorization: token $GITHUB_TOKEN" -XPOST -d '{"pattern": "*"}' https://api.github.com/repos/JasonEtco/testing/tags/protection
{ "id": 123456, "pattern": "*", "created_at": "2022-01-12T12:01:47.094-05:00", "updated_at": "2022-01-12T12:01:47.094-05:00" }
DELETE /repos/{owner}/{repo}/tags/protection/{tag_protection_id}
Deletes a tag protection rule.
GitHub currently does not support protecting tags. This means anyone with write access to a repository can push any tag and delete any existing tag. (Unfortunately, I could not find references for this. Thus, I today did an experiment from an account with Collaborator access to a repository owned by a different account, and the Collaborator could push any tag and delete any existing tag. Repository settings only allow protecting branches, not tags.)
There is an open feature request in the GitHub support community, where a GitHub staff member commented in February 2019 that they "are tracking an internal issue about this".
As a workaround, GitHub support suggests to "set up a webhook to be notified if a tag is deleted using [their] API: https://developer.github.com/v3/activity/events/types/#deleteevent ". You could create a GitHub Actions workflow triggered by the delete event, where you could check whether a user (sender field) is allowed to delete a given tag. If deletion is not allowed, you could restore the tag.
Competing products, such as GitLab and Bitbucket Server, apparently do support tag protection.
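The webhook workaround from the answer above, as an added example (not part of the original answers and not GitHub's code): a receiver that verifies the delivery signature, checks the sender of a tag delete event, and builds the request body for recreating the tag through POST /repos/{owner}/{repo}/git/refs. The allow-list, the patterns, the tag-to-SHA record and the sample delivery are assumptions constructed for illustration; the record is needed because the delete payload carries no commit SHA.

```python
import fnmatch
import hashlib
import hmac
import json

# Assumptions for this sketch (none of these values come from the page):
ALLOWED_DELETERS = {"release-admin"}   # hypothetical logins allowed to delete tags
PROTECTED_PATTERNS = ["v*"]            # hypothetical protected tag patterns
KNOWN_TAGS = {"v1.0.0": "<commit-sha-recorded-at-tag-creation>"}  # placeholder record


def signature_ok(secret: bytes, body: bytes, header: str) -> bool:
    """Verify the X-Hub-Signature-256 header sent with each webhook delivery."""
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), (header or "").encode())


def handle_delete(secret: bytes, body: bytes, sig_header: str) -> dict:
    """Decide what to do with one `delete` event delivery."""
    if not signature_ok(secret, body, sig_header):
        return {"action": "reject", "reason": "bad signature"}
    event = json.loads(body)
    if event.get("ref_type") != "tag":
        return {"action": "ignore", "reason": "not a tag"}
    tag, sender = event["ref"], event["sender"]["login"]
    if not any(fnmatch.fnmatchcase(tag, p) for p in PROTECTED_PATTERNS):
        return {"action": "ignore", "reason": "unprotected tag"}
    if sender in ALLOWED_DELETERS:
        return {"action": "allow", "tag": tag, "sender": sender}
    sha = KNOWN_TAGS.get(tag)
    if sha is None:
        # No recorded SHA: the tag cannot be recreated, so only raise an alert.
        return {"action": "alert", "tag": tag, "sender": sender}
    # Body for POST /repos/{owner}/{repo}/git/refs, which recreates the tag ref.
    return {"action": "restore", "sender": sender,
            "create_ref": {"ref": f"refs/tags/{tag}", "sha": sha}}


def sample_delivery(secret: bytes, tag: str, login: str):
    """Constructed delivery (not a captured one): body plus matching signature."""
    body = json.dumps({"ref": tag, "ref_type": "tag",
                       "sender": {"login": login}}).encode()
    return body, "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
```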