Add protected tags configuration at instance level
Proposal
In my company, roles are assigned depending on the teams you are part of. Admin access is reserved for the infra team, while development team users receive regular access with the developer role, except for DevOps engineers (in the same team) who receive the maintainer role.
Production deployments are triggered in CI/CD pipelines by the creation of git tags following the prod-v* pattern.
These tags are protected and, to ensure segregation of duties and to control who has permission to create them, their creation is restricted to a single (technical) user.
Our problem is that the segregation of duties is not strict by definition, because users with the maintainer role can unprotect the tag or change the user/group allowed to create it.
My proposal to improve segregation of duties, and to prevent maintainers from unprotecting or changing the settings of certain tags, is to have a way to set protected tags at the instance level, in the same way as is done for merge request approval settings.
At the project level, the implementation should still allow defining other protected tags, while showing the instance-level ones as protected at the instance level (similar to the MR approval setting's "Setting enforced - This setting is configured at the instance level and can only be changed by an administrator.").
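Added example, not code from the issue or from GitLab itself: a small Python audit that takes each project's protected-tag rules, in the shape returned by GitLab's GET /api/v4/projects/:id/protected_tags endpoint, and reports any project where the prod-v* rule has been removed or widened beyond the single technical user. The project paths, the user id 4242 and the sample responses are constructed for this example. Running this periodically against the real API is one way to detect the maintainer-level changes described above until an instance-level setting exists.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample responses, shaped like GET /api/v4/projects/:id/protected_tags.
# Project paths and user id are made up for this example.
SAMPLE_RESPONSES = {
    "infra/deploy-api": [
        {"name": "prod-v*", "create_access_levels": [
            # Only the designated technical user may create the tag (desired state).
            {"access_level": 40, "access_level_description": "deploy-bot",
             "user_id": 4242, "group_id": None},
        ]},
    ],
    "dev/web-frontend": [
        {"name": "prod-v*", "create_access_levels": [
            # A maintainer widened the rule back to the Maintainers role.
            {"access_level": 40, "access_level_description": "Maintainers",
             "user_id": None, "group_id": None},
        ]},
    ],
    "dev/legacy-service": [
        # The prod-v* rule was deleted entirely; only an unrelated rule remains.
        {"name": "release-*", "create_access_levels": [
            {"access_level": 0, "access_level_description": "No one",
             "user_id": None, "group_id": None},
        ]},
    ],
}

TAG_PATTERN = "prod-v*"   # the protected wildcard described in the issue
ALLOWED_USER_ID = 4242    # constructed id of the one technical user


def audit_protected_tags(rules, tag_pattern=TAG_PATTERN, allowed_user_id=ALLOWED_USER_ID):
    """Return human-readable findings for one project's protected-tag rules.

    An empty list means the project still matches the intended policy: a rule
    for the expected wildcard exists and only the designated user may create it.
    """
    matching = [r for r in rules if r.get("name") == tag_pattern]
    if not matching:
        return [f"no protected-tag rule named {tag_pattern!r}: tag creation is unrestricted"]

    findings = []
    for rule in matching:
        levels = rule.get("create_access_levels") or []
        if not levels:
            findings.append(f"{tag_pattern!r} has no create access levels at all")
        for lvl in levels:
            if lvl.get("user_id") == allowed_user_id:
                continue                      # the designated user: expected
            if lvl.get("access_level") == 0:  # a "No one" entry grants nothing
                continue
            if lvl.get("user_id") is not None:
                findings.append(f"user {lvl['user_id']} may create {tag_pattern!r}")
            elif lvl.get("group_id") is not None:
                findings.append(f"group {lvl['group_id']} may create {tag_pattern!r}")
            else:
                role = lvl.get("access_level_description", lvl.get("access_level"))
                findings.append(f"role {role!r} may create {tag_pattern!r}")
    return findings


def audit_all(responses, tag_pattern=TAG_PATTERN, allowed_user_id=ALLOWED_USER_ID):
    """Map each project path to its findings; projects without findings are omitted."""
    report = {}
    for project, rules in responses.items():
        findings = audit_protected_tags(rules, tag_pattern, allowed_user_id)
        if findings:
            report[project] = findings
    return report


def fetch_protected_tags(base_url, token, project):
    """Fetch one project's rules from a live instance (not used by the sample run).

    `project` may be a numeric id or a URL-encoded path such as group/name.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/projects/"
        f"{urllib.parse.quote(str(project), safe='')}/protected_tags",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for project, findings in audit_all(SAMPLE_RESPONSES).items():
        for finding in findings:
            print(f"{project}: {finding}")
```

Projects whose rule still names only the technical user produce no findings; a rule whose creators are a role, another user, or a group is flagged, as is a project where the rule no longer exists. To run it against a real instance, replace the sample dictionary with the output of fetch_protected_tags for each project of interest.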
User experience goal
An admin can configure protected tags at the instance level. Regular users can add protected tags at the project level but cannot alter protected tags defined at the instance level.