Enable Git-based Updates for Protected Tags
Problem to solve
Currently, GitLab protected tags cannot be updated (moved to point to a different commit) through standard Git commands, even by users with appropriate permissions. This creates several issues:
- No native update mechanism: To "update" a protected tag to point to a new commit, users must delete the protection rule in the UI, delete the tag, recreate it, and re-protect it. This is cumbersome and interrupts automated workflows.
- Inconsistent with Git workflows: Standard Git operations like `git tag -f <tag-name>` (force update a tag) or `git push origin --delete <tag-name>` followed by `git push origin <tag-name>` are blocked for protected tags, even for maintainers/owners who have permissions.
- Confusing error messages: When attempting to delete a protected tag via Git, the error message states "Only a project maintainer or owner can delete a protected tag," but the documentation indicates that protected tags cannot be manipulated via Git at all, even by maintainers.
- Forces workarounds: Teams must build custom tooling using the GitLab HTTP API to delete and recreate tags, which violates the principle of least astonishment and adds unnecessary complexity to CI/CD pipelines.
- Blocks legitimate use cases: Teams using protected tags for deployment markers (e.g., `deploy_production`) need to update these tags to point to new commits as part of their release process, but cannot do so through their existing Git-based tooling.
Proposal
Extend the protected tags feature to allow users with appropriate permissions (defined in the "Allowed to create" list) to update protected tags through Git commands, similar to how protected branches work. Specifically:
- Users listed in "Allowed to create" for a protected tag should be able to delete and recreate that tag using Git commands
- Rename the "Allowed to create" field to "Allowed to create and update" to clarify these permissions
- Support the standard Git workflow: `git push --delete origin <tag>` followed by `git push origin <tag>` (or `git push --force origin <tag>`)
- Maintain protection against accidental deletion while enabling authorized updates