Protected Tags #5529

mathomp4 · 2021-09-08T18:37:48Z

mathomp4
Sep 8, 2021

In case this is the "right place" for these sort of feature requests, I'd like to start a discussion here about Protected Tags. This is something that has been on github.community for 2+ years and before that on issacs/github since 2017

Per @jeffnappi:

Right now, it’s basically impossible to have any protection around tags:

Anyone with write access to a repo can push any tags.

There’s no auditing/logging of tag changes.

Any number of things could be done to improve this:

Add an option to protect individual tags (or better yet, any tags that match a given regex/have a certain prefix), like how how branches can be protected.

Include tagging events in the per-organization audit logs.

Allow tag pushes to be locked down more tightly, like only allowing admins to push tags.

I for one would love to protect all v* tags on the repos I manage as we consider Semver tags "official" but the fact that any user with write access could push those tags willy-nilly is frightening. We have protected branches, so please consider protected tags.

Answered by michellemerrill

Feb 2, 2022

Hey everyone👋🏼 - Noting our Private Beta Opportunity over here. Locking this thread for now, so we can centralize feedback in #10906

View full answer

ocervell · 2021-09-14T10:08:31Z

ocervell
Sep 14, 2021

+1 a nice workflow is to push to production when a v*.. semantic version is pushed. If anyone can push such a tag, anyone can deploy to production...

0 replies

brycesteinhoff · 2021-09-19T21:35:15Z

brycesteinhoff
Sep 19, 2021

We have a need for this, too. It would be nice to have some pattern matching for protected tags, or even configurability allowing different people/teams to manage tags with certain patterns.

0 replies

parkerroan · 2021-11-30T21:22:15Z

parkerroan
Nov 30, 2021

+1 even if we just had the option to restrict tag creation to a group of users or the higher Maintain role over just basic Write that would be useful.

0 replies

mockjv · 2022-01-06T22:59:34Z

mockjv
Jan 6, 2022

Absolute +1, but also would add that it would be great if this would also affect whoever had rights to manipulate releases (add/remove files, change release details, etc). This is the main reason that our team hasn't been able to fully utilize releases yet because the ability to change those is just too broad.

0 replies

connor4312 · 2022-01-07T16:20:27Z

connor4312
Jan 7, 2022

This would be quite helpful for us at VS Code 🙂 microsoft/vscode#140207

1 reply

mathomp4 Jan 7, 2022
Author

Ooh. If another part of the Mothership has a want for it... 😄

emmaviolet · 2022-02-01T15:47:32Z

emmaviolet
Feb 1, 2022

👋 Just dropping in as we currently have some APIs that will allow repo admins to protect tags on their repos. Details of how this works below - it's currently behind a feature flag but if anyone here wants me to enable this for their organization or their user, please do let me know. We expect this to be a starting point rather than the final solution, so we'd love your thoughts on how we can improve it!

What we've built
Our beta tag protection feature gives repo admins the option to protect tags on their repo. If they choose to do so, only maintainers and admins will be able to create these tags, and only admin will be able to modify or delete these tags. Tags are protected by patterns - you could protect all tags by using the “*” pattern, but you don’t have to.

To set up and manage these tag protections, we’ve introduced three endpoints, which any repo admin should be able to use:

GET /repos/{owner/{repo}/tags/protection

Returns a list of tag protection rules.

POST /repos/{owner}/{repo}/tags/protection

Creates a new tag protection rule. Payload must include a pattern - example:

curl -" "Authorization: token $GITHUB_TOK"N"
-XPOST -d '{"pattern": "*"}'
https://api.github.com/repos/JasonEtco/testing/tags/protection

{
"id": 123456,
"pattern": "*",
"created_at": "2022-01-12T12:01:47.094-05:00",
"updated_at": "2022-01-12T12:01:47.094-05:00"
}

DELETE /repos/{owner}/{repo}/tags/protection/{tag_protection_id}

Deletes a tag protection rule.

4 replies

mathomp4 Feb 1, 2022
Author

@emmaviolet I'd be onboard with trying it (as evidenced by my starting this thread 😄). (ETA: I'd like it on an org I manage as well as my user.)

So you're saying it's API only at the moment until things clear out and it becomes "website enabled"?

emmaviolet Feb 1, 2022

Enabled for you! It's API only for now for a few reasons:

trying to build API first for organizations with a lot of repos
limited design capacity
testing until we commit to a UI implementation

But we are working on the UI and hope to have that shipped soon :-)

mathomp4 Feb 1, 2022
Author

@emmaviolet Thanks. Is it just for me or for my org (GEOS-ESM) as well? My org has about...50 repos, so might not be "a lot" on the scale of many here!

And now my task for tomorrow: learn some gh api...

emmaviolet Feb 2, 2022

Now enabled for your org too!

ruby script I've used for testing below in case helpful...

require 'httparty'
require 'json'

class Runner

	admin_access_token = <pat>
	collaborator_access_token = <pat>
	ADMIN_AUTH = { username: <admin username>, password: admin_access_token}
	COLLABORATOR_AUTH = { username: <collaborator username>, password: collaborator_access_token}

	TAG_PROTECTION_API = 'https://api.github.com/repos/<org>/<repo>/tags/protection'

	def create_tag_protection(as_admin: false)
		auth = as_admin ? ADMIN_AUTH : COLLABORATOR_AUTH
		response = HTTParty.post(TAG_PROTECTION_API, basic_auth: auth, body: { pattern: "v*" }.to_json)
		puts response
	end

	def get_tag_protections(as_admin: false)
		auth = as_admin ? ADMIN_AUTH : COLLABORATOR_AUTH
		response = HTTParty.get(TAG_PROTECTION_API, basic_auth: auth)
		puts response
	end

	def delete_tag_protection(id, as_admin: false)
		auth = as_admin ? ADMIN_AUTH : COLLABORATOR_AUTH
		response = HTTParty.delete("#{TAG_PROTECTION_API}/#{id}", basic_auth: auth)
		puts response
	end
end

mockjv · 2022-02-01T15:58:37Z

mockjv
Feb 1, 2022

Sorry for the delayed response. Unfortunately, we may be limited in our testing of this particular beta feature until it’s made available in the on-premise instance since that’s all we use at this time. That said, I’m very glad to hear that this is making progress!

I do have a couple of small questions though. Does this keep from tags being altered only, or does it also keep unapproved individuals from altering the files associated with a release?

1 reply

emmaviolet Feb 1, 2022

No worries and thank you!

Does this keep from tags being altered only, or does it also keep unapproved individuals from altering the files associated with a release?

Afraid it only keeps tags from being altered - will make a note of this though and look into it.

michellemerrill · 2022-02-02T16:39:58Z

michellemerrill
Feb 2, 2022

Hey everyone👋🏼 - Noting our Private Beta Opportunity over here. Locking this thread for now, so we can centralize feedback in #10906

0 replies

Protected Tags #5529

Uh oh!

Uh oh!

Replies: 8 comments · 6 replies

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mathomp4 Jan 7, 2022 Author

Uh oh!

Uh oh!

Uh oh!

mathomp4 Feb 1, 2022 Author

Uh oh!

Uh oh!

mathomp4 Feb 1, 2022 Author

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Replies: 8 comments 6 replies

mathomp4 Jan 7, 2022
Author

mathomp4 Feb 1, 2022
Author

mathomp4 Feb 1, 2022
Author