Make repository tags immutable

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Proposal

When mirroring a repository with a workflow that mirrors tags from the upstream repo, we may need to make sure the tag once mirrored can be set to immutable for security purposes in the case where the upstream repository were to be compromised and make changes to the tags.

A customer ticket requested this feature from this ticket (Internal only):

What we need is a mechanism that ensures once a tag has been mirrored from the upstream repo, it never changes again (i.e. becomes immutable).

Alternatives tried

• Use of protected tags by using wildcard tags - this fails with the error `You are not allowed to create tags: 'x.y.z' as they are protected
• Using single protected tags - would be tedious to set every new tag.