Add tag protection policy documentation to repository.readme.md #38

Merged: david3107 merged 4 commits into main from copilot/add-tag-settings-to-readme on Dec 23, 2025

Copilot AI commented Nov 21, 2025

The tag protection policy configuration was undocumented in repository.readme.md, despite being implemented in TagProtectionChecks.ts and present in repository.yml.

Changes

  • repository.readme.md: Added Tag Protection section documenting all configuration options

    • enforcement: active/disabled/evaluate modes
    • scope: include/exclude patterns with wildcard and ~ALL token support
    • operations: create/update/delete restrictions
    • naming: pattern matching operators (starts_with, ends_with, contains, regex)
    • bypass: actor configuration for org admins, teams, integrations, repository roles, deploy keys
  • repository.threats.md: Added threat model for unauthorized tag modification/deletion

    • Security controls for tag protection
    • SLSA.dev threat mappings: Submit unauthorized change, Upload modified package
    • MS DevOps threat matrix: Persistence, Privilege escalation

Example configuration:

```yaml
tags:
  enforcement: active
  scope:
    include:
      - "v*"
    exclude:
      - "v*-rc*"
      - "v*-beta*"
  operations:
    create: restricted
    update: restricted
    delete: restricted
  naming:
    enabled: true
    operator: regex
    pattern: "^v\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z.-]+)?$"
```

Documentation follows existing format used for branch protection, actions, and other policies.

Original prompt

This section details on the original issue you should resolve

<issue_title>Add Tag settings to repository.readme.md</issue_title>
<issue_description>Add the description of how to use the tag policy into repository.readme.md following the same format used in the file

```yaml
# define the protected tags for the repository
tags:
  enforcement: active           # disabled | active | evaluate
  target: tag                   # fixed for tag rules so we can also not specify it here but fix it in code

  scope:
    include:
      - "v*"                    # e.g., protect all version tags
      # - "~ALL"                # special token: all tags
    exclude: []                 # patterns to exclude, e.g., ["v0.*"]

  operations:                   # who can perform actions on matching tags
    create: restricted          # allowed | restricted (restricted = bypass-only)
    update: restricted
    delete: restricted

  naming:                       # optional: constrain tag names
    enabled: true
    operator: regex             # starts_with | ends_with | contains | regex
    pattern: "^v\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z.-]+)?$"
    negate: false               # true = pattern disallowed

  bypass:                       # actors allowed to bypass protections
    organization_admins: always # always | exempt
    teams:
      - id: 1234567             # example team id
        mode: always            # always | exempt
    integrations:
      - id: 987654              # GitHub App id
        mode: always
    repository_roles:
      - id: 3                   # e.g., Maintainer role id
        mode: always
    deploy_keys:
      allow: true               # DeployKeys can bypass when true
      mode: always
```
</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>

Custom agent used: Documentation Agent
Agent that is an expert in writing documentation related to the policies.
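
A coverage check for the example configuration in the PR description, added here as an illustration; it is not code from this PR or from TagProtectionChecks.ts. It assumes `*` matches any run of characters, `~ALL` matches every tag, an `exclude` match overrides `include`, and `naming` is evaluated only for in-scope tags; `classify` and the other function names are hypothetical.

```typescript
// Added illustration; matching semantics below are assumptions, not the project's code.
interface TagPolicy {
  scope: { include: string[]; exclude: string[] };
  naming: { enabled: boolean; pattern: string; negate?: boolean };
}

// Values copied from the example configuration in the PR description.
const examplePolicy: TagPolicy = {
  scope: { include: ["v*"], exclude: ["v*-rc*", "v*-beta*"] },
  naming: { enabled: true, pattern: "^v\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z.-]+)?$" },
};

// Translate a wildcard pattern into an anchored RegExp (assumed glob semantics).
function globToRegExp(glob: string): RegExp {
  if (glob === "~ALL") return /^.*$/;
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// A tag is in scope when it matches an include pattern and no exclude pattern.
function inScope(tag: string, p: TagPolicy): boolean {
  const hit = (globs: string[]) => globs.some((g) => globToRegExp(g).test(tag));
  return hit(p.scope.include) && !hit(p.scope.exclude);
}

// Apply the naming constraint (operator: regex), honouring negate.
function nameAllowed(tag: string, p: TagPolicy): boolean {
  if (!p.naming.enabled) return true;
  const matches = new RegExp(p.naming.pattern).test(tag);
  return p.naming.negate ? !matches : matches;
}

type Verdict = "unprotected" | "protected" | "protected, name rejected";

function classify(tag: string, p: TagPolicy = examplePolicy): Verdict {
  if (!inScope(tag, p)) return "unprotected";
  return nameAllowed(tag, p) ? "protected" : "protected, name rejected";
}

// Constructed sample tag names.
for (const tag of ["v1.2.3", "v1.2.3-rc1", "v2.0.0-alpha.1", "v1.2", "release-1.0"]) {
  console.log(`${tag}: ${classify(tag)}`);
}
```

Under these assumptions the `exclude` entries take `-rc` and `-beta` tags out of the policy altogether, so neither the `operations` restrictions nor the `naming` pattern applies to them.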


Copilot AI and others added 3 commits November 21, 2025 10:11
…ry.threats.md

Co-authored-by: david3107 <20040740+david3107@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add tag settings to repository readme" to "Add tag protection policy documentation to repository.readme.md" on Nov 21, 2025
Copilot AI requested a review from david3107 November 21, 2025 10:14
@david3107 david3107 marked this pull request as ready for review December 23, 2025 09:47
@david3107 david3107 requested a review from theztefan as a code owner December 23, 2025 09:47

@david3107 david3107 left a comment

it works

@david3107 david3107 merged commit ab18cbb into main Dec 23, 2025