How to only allow releases to create tags in GitHub

How do I make sure only a GitHub release can create a tag on my repository?

In GitHub we use releases to create tags. I added a ruleset to my repository to protect my tag names and protect them from deletion and updating. However, if I protect them from being created, then my releases can no longer create a tag either.

I tried to add an additional ruleset with a bypass for releases, however I could not find such a bypass.

I also tried to add a GitHub Action to protect tag creation; however, the action only runs on tag push, and it does not run. The tag is probably only pushed if the rules are already met.

I’d be glad to help you with that. Here’s a comprehensive guide on how to restrict tag creation to releases in your GitHub repository:

1. Protect Your Branches:

  • Go to your repository’s Settings > Branches.
  • Click on the Manage branches dropdown.
  • Click on the Add branch protection rule button.
  • In the Branch name pattern field, enter .* to match all branches.
  • Enable the Require pull request reviews before merging option.
  • Enable the Require status checks to pass option and configure the required status checks.
  • Enable the Restrict who can push to this branch option and select the appropriate user groups or individuals.
  • Enable the Require approval from code owners option if desired.
  • Click on the Create protection rule button.

2. Use a GitHub Action to Validate Tag Creation:

  • Create a new GitHub Action workflow.
  • Define the workflow to trigger on push events to the refs/tags/* branch.
  • Inside the workflow, use the github.event.ref context to get the tag name.
  • Validate the tag name against your desired criteria (e.g., ensure it starts with a specific prefix like v).
  • If the validation fails, use the core.set-failed action to fail the workflow.

Example GitHub Action workflow:

```yaml
name: Validate Tag Creation

# Run on every pushed tag. The push trigger filters on `tags:` (and `branches:`),
# not on a `refs:` key.
on:
  push:
    tags:
      - '*'

jobs:
  validate-tag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Validate tag name
        run: |
          # GITHUB_REF_NAME is the default environment variable holding the
          # short ref name (the tag without the refs/tags/ prefix). Reading it
          # from the environment, rather than interpolating ${{ github.ref }}
          # into the script, keeps unusual tag names from being executed as shell.
          tag_name="$GITHUB_REF_NAME"
          if [[ ! "$tag_name" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Invalid tag name. It should start with 'v' and follow semantic versioning."
            exit 1
          fi
```

Explanation:

  • The branch protection rule ensures that only approved changes can be merged into protected branches, preventing unauthorized tag creation.
  • The GitHub Action validates the tag name to ensure it follows your desired format (e.g., semantic versioning).
  • If the tag name is invalid, the action fails, preventing the tag from being pushed.

Additional Considerations:

  • You can customize the branch protection rule and GitHub Action to fit your specific needs.
  • Consider using additional checks in your GitHub Action to validate other aspects of the tag, such as release notes or associated commit messages.
  • You can use other tools or services to further enhance tag management and security.

By following these steps and customizing them to your requirements, you can effectively restrict tag creation to releases in your GitHub repository, ensuring that only approved changes are tagged.
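As an added example that is not part of the answer above, the same validation can be done in a script that reads the push-event payload GitHub Actions exposes through GITHUB_EVENT_PATH, which avoids interpolating the tag name into shell and also lets the step cross-check the tag against the set of tags that have a release. The `release_tags` argument, the sample payloads and the file name `validate_tag.py` are assumptions for the example; the function goes slightly beyond the page by accepting pre-release suffixes such as `v1.2.3-rc.1`.

```python
"""Validate a pushed tag from the GitHub push-event payload (example code)."""
import json
import os
import re
import sys

# v1.2.3 with an optional pre-release suffix such as v1.2.3-rc.1
SEMVER_TAG = re.compile(
    r"^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-[0-9A-Za-z.-]+)?$"
)


def validate_push_event(event: dict, release_tags=None) -> tuple[bool, str]:
    """Return (ok, reason) for a push-event payload.

    release_tags, when given, is the set of tag names that already have a
    GitHub release (assumed to be fetched by the caller, e.g. from the
    releases API); a tag without a matching release is rejected.
    """
    ref = event.get("ref", "")
    if not ref.startswith("refs/tags/"):
        return False, f"not a tag ref: {ref!r}"
    tag = ref[len("refs/tags/"):]
    if not SEMVER_TAG.match(tag):
        return False, f"tag {tag!r} is not a v-prefixed semantic version"
    if release_tags is not None and tag not in release_tags:
        return False, f"tag {tag!r} has no matching GitHub release"
    return True, f"tag {tag!r} accepted"


# Constructed sample payloads carrying the `ref` field of a real push event
SAMPLE_OK = {"ref": "refs/tags/v1.4.0", "created": True}
SAMPLE_BAD = {"ref": "refs/tags/release-$(id)", "created": True}


if __name__ == "__main__":
    # In a workflow step: `run: python validate_tag.py`
    with open(os.environ["GITHUB_EVENT_PATH"], encoding="utf-8") as fh:
        ok, reason = validate_push_event(json.load(fh))
    print(reason)
    sys.exit(0 if ok else 1)
```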