Delete Tag endpoint should return forbidden when a tag is protected and users is not a maintainer or owner

Issue

The tags endpoint to delete a tag currently does not check if the tag is protected at all

We check if the user is logged in and can read code here https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/api/tags.rb#L10

We then check if a user can admin_tag here https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/api/tags.rb#L132

This permission is granted to anyone that can push_code https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/policies/project_policy.rb#L640

push_code is enabled for developers https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/policies/project_policy.rb#L509-524

This means when a tag is protected and a developer tries to delete it, we actually attempt to delete it but when the changes are pushed to the repository the tag_check logic rejects it resulting in a 500 error.

Proposal

Remove the admin_tag permission check and add a new policy for the Gitlab::Git::Tag class which should enabled a new ability called delete_tag which checks if the tag is protected.

Logic should allow non-protected tags to be deleted by developers, maintainers, and owners. Protected tags can be deleted by maintainers and owners but not developers.

The API should then return a forbidden (or unathorized) response instead of a 500