Protected tags

Protected tags:

  • Allow control over who has permission to create tags.
  • Prevent accidental update or deletion once created.

Each rule allows you to match either:

  • An individual tag name.
  • Wildcards to control multiple tags at once.

This feature evolved out of protected branches

Who can modify a protected tag

By default:

  • To create tags, you must have the Maintainer role.
  • No one can update or delete tags.

Configuring protected tags

To protect a tag, you need to have at least the Maintainer role.

  1. Go to the project’s Settings > Repository.

  2. From the Tag dropdown menu, select the tag you want to protect or type and click Create wildcard. In the screenshot below, we chose to protect all tags matching v*:

    Protected tags page

  3. From the Allowed to create dropdown, select users with permission to create matching tags, and click Protect:

    Allowed to create tags dropdown

  4. After done, the protected tag displays in the Protected tags list:

    Protected tags list

Wildcard protected tags

You can specify a wildcard protected tag, which protects all tags matching the wildcard. For example:

Wildcard Protected Tag Matching Tags
v* v1.0.0, version-9.1
*-deploy march-deploy, 1.0-deploy
*gitlab* gitlab, gitlab/v1
* v1.0.1rc2, accidental-tag

Two different wildcards can potentially match the same tag. For example, *-stable and production-* would both match a production-stable tag. In that case, if any of these protected tags have a setting like Allowed to create, then production-stable also inherit this setting.

If you click on a protected tag’s name, GitLab displays a list of all matching tags:

Protected tag matches

Prevent tag creation with the same name as branches

A tag and a branch with identical names can contain different commits. If your tags and branches use the same names, users running git checkout commands might check out the tag qa when they instead meant to check out the branch qa.

To prevent this problem:

  1. Identify the branch names you do not want used as tags.
  2. As described in Configuring protected tags, create a protected tag:

    • For the Name, provide a name, such as stable. You can also create a wildcard like stable-* to match multiple names, like stable-v1 and stable-v2.
    • For Allowed to Create, select No one.
    • Select Protect.

Users can still create branches, but not tags, with the protected names.