Make push rules that verify users apply to tags

Context

Push rules which verify users such as:

  • Reject unverified users
  • Reject inconsistent user name
  • Reject unsigned commits
  • Check whether the commit author is a GitLab user

only apply to commits and not tags (as documented here).

Problem to solve

Customers would like push rules to apply to tags (git push origin <tag>) in addition to commits (git push origin).

Current Behavior

With push rules which verify users enabled on a project, these push rules are not enforced when users push tags.

git clone https://gitlab.com/<group>/<project>.git
cd <project>
git config --local user.name "Imaginary User"
git config --local user.email "non-existent-email@example.com"
echo "test" > README.md
git add README.md
git commit -m "Fake commit by imaginary user"
git push
   ! [remote rejected] main -> main (pre-receive hook declined)
  error: failed to push some refs to 'gitlab.com/group/project.git'
git tag -a tag <commit-SHA>
git push origin tag tag
Enumerating objects: 6, done.
Counting objects: 100% (6/6), done.
Delta compression using up to 16 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (4/4), 1.04 KiB | 1.04 MiB/s, done.
Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
To gitlab.com/group/project.git
 * [new tag]         tag -> tag

Example: greg/reject-unverified-users-push-rule@478ef9f6

Desired Behavior

When push rules which verify users are enabled on a project, push rules are enforced and block users from pushing tags when the push rule requirements are not met.

git clone https://gitlab.com/<group>/<project>.git
cd <project>
git config --local user.name "Imaginary User"
git config --local user.email "non-existent-email@example.com"
echo "test" > README.md
git add README.md
git commit -m "Fake commit by imaginary user"
git tag -a tag <commit-SHA>
git push origin tag tag
   ! [remote rejected] main -> main (pre-receive hook declined)
  error: failed to push to 'gitlab.com/group/project.git'

Intended users

  • Amy (Application Security Engineer)
  • Alex (Security Operations Engineer)
  • Cameron (Compliance Manager)

Proposal

Make push rules that verify user identity apply to tags in addition to commits.

Documentation

This change would require updating the following documentation: https://gitlab.com/gitlab-org/gitlab/-/blob/22ee7dfe53c0afda4f32da2ee311500959dccf2b/doc/user/project/repository/push_rules.md#L65

Available Tier

  • Premium/Silver
  • Ultimate/Gold

Links / references

  • https://docs.gitlab.com/ee/user/project/repository/push_rules.html#verify-users
Edited Oct 08, 2024 by Greg Myers
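An added sketch, not part of the original issue and not GitLab's push rule code, of the check the proposal asks for: on a tag push, verify the tagger of an annotated tag as well as the author and committer of the commit it points at. The object store, the ids and the VERIFIED_EMAILS list are constructed assumptions, and only the tagged commit is checked rather than every commit new to the repository.

```ruby
# Added illustration; not GitLab's push rule code. Objects are constructed samples in
# the text form printed by `git cat-file -p`, keyed by made-up short ids.
VERIFIED_EMAILS = ["dev@example.com"].freeze # assumption: the pusher's confirmed addresses
FAKE = "Imaginary User <non-existent-email@example.com> 1700000000 +0000".freeze
GOOD = "Dev <dev@example.com> 1700000000 +0000".freeze
ZERO = ("0" * 40).freeze # all-zero id: the ref is being created or deleted

OBJECTS = {
  "c1" => ["commit", "tree x\nauthor #{FAKE}\ncommitter #{FAKE}\n\nFake commit by imaginary user\n"],
  "c2" => ["commit", "tree x\nauthor #{GOOD}\ncommitter #{GOOD}\n\nReal commit\n"],
  "t_fake"  => ["tag", "object c1\ntype commit\ntag tag\ntagger #{FAKE}\n\nrelease\n"],
  "t_mixed" => ["tag", "object c1\ntype commit\ntag tag\ntagger #{GOOD}\n\nrelease\n"],
  "t_good"  => ["tag", "object c2\ntype commit\ntag tag\ntagger #{GOOD}\n\nrelease\n"]
}.freeze

# E-mail addresses from the author/committer/tagger headers of one raw object.
# Headers end at the first blank line, so message text cannot spoof them.
def identity_emails(raw)
  raw.each_line.take_while { |l| !l.strip.empty? }
     .select { |l| l.start_with?("author ", "committer ", "tagger ") }
     .map { |l| l[/<([^>]*)>/, 1] }.compact
end

# Decide one pre-receive input line "<old-id> <new-id> <ref>"; returns [allowed, reasons].
def check_update(line, objects = OBJECTS, verified = VERIFIED_EMAILS)
  _old, id, ref = line.split
  return [true, []] if id == ZERO # deletion carries no identity to verify
  reasons = []
  loop do
    type, raw = objects.fetch(id)
    bad = identity_emails(raw).reject { |e| verified.include?(e) }.uniq
    reasons << "#{ref}: #{type} #{id} has unverified #{bad.join(', ')}" unless bad.empty?
    break unless type == "tag" # an annotated tag points at another object: follow it
    id = raw[/^object (\S+)/, 1]
  end
  [reasons.empty?, reasons]
end

["#{ZERO} t_fake refs/tags/tag", "#{ZERO} t_mixed refs/tags/tag",
 "#{ZERO} c1 refs/tags/light", "#{ZERO} t_good refs/tags/tag"].each do |line|
  ok, reasons = check_update(line)
  puts(ok ? "accept #{line.split.last}" : "reject #{reasons.join('; ')}")
end
```

The t_mixed case shows why checking the tag object alone is not enough: a verified tagger can still introduce a commit carrying an unverified identity.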