I'm planning on using this action to lower the risk associated with the GitHub Actions we are using in my company.
Basically, referencing an external action in our actions, such as: uses: rlespinasse/[email protected], might result in a fatal failure if the repository owner (rlespinasse in this case) deleted their repository from GitHub.
Also, referencing tags (e.g. v3.4) isn't actually safe, as a repository could be hacked, or an error could be made, and a git tag could be changed to point to another commit containing malicious code. Therefore, forking a repository is the safest way of protecting our own work, by not relying on something that might break at any time due to unforeseen and uncontrollable circumstances.
That's why I'm thinking of manually forking each action and using those forks instead of the real action. But then, keeping those forks up to date becomes a real pain.
That's where I'm thinking of using your work, tgymnich/fork-sync, to keep those forks up to date.
And I need to auto-update the fork based on the source's changes (which is supported), but I'd also need to auto-create new tags, while not allowing edits to existing tags (e.g. v4.3.1) unless they're allowed to be updated (e.g. v4.x, v3).
Is that something you might consider adding? I'm also interested to know a bit more about what your personal use case for this action is.
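The tag policy asked for in the request above, written out as an added example (this is not part of the issue, nor code from tgymnich/fork-sync): new upstream tags are created on the fork, only floating tags (assumed here to be a bare major such as v3 or a minor wildcard such as v4.x) may be moved, and an immutable tag such as v4.3.1 whose upstream commit changed is refused and reported instead of being rewritten. The `git ls-remote --tags` output and the commit ids are constructed sample data.

```python
import re

# Tags allowed to move on the fork: a bare major (v3) or a floating minor (v4.x).
# Anything else (v4.3.1) is treated as immutable once it exists on the fork.
FLOATING_TAG = re.compile(r"^v\d+(\.x)?$")

def parse_ls_remote(output: str) -> dict[str, str]:
    """Turn `git ls-remote --tags <remote>` output into {tag: commit}.
    Annotated tags appear twice: refs/tags/T (the tag object) and
    refs/tags/T^{} (the peeled commit). The peeled commit is what a workflow
    actually checks out, so it wins over the tag-object id."""
    tags: dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(maxsplit=1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha          # peeled commit overrides the tag object
        elif name not in tags:
            tags[name] = sha
    return tags

def plan_tag_sync(upstream: dict[str, str], fork: dict[str, str]) -> dict:
    """Classify upstream tags against the fork: create new ones, move only
    floating ones, and refuse to rewrite an immutable tag upstream changed."""
    create, update, blocked = {}, {}, {}
    for tag, sha in upstream.items():
        if tag not in fork:
            create[tag] = sha
        elif fork[tag] == sha:
            continue                        # already in sync
        elif FLOATING_TAG.match(tag):
            update[tag] = sha
        else:
            blocked[tag] = (fork[tag], sha) # retag upstream: keep the fork's commit, alert
    return {"create": create, "update": update, "blocked": blocked}

# Constructed sample `git ls-remote --tags` output; commit ids are placeholders.
UPSTREAM = """\
1111111 refs/tags/v3
2222222 refs/tags/v3.4
3333333 refs/tags/v3.4^{}
4444444 refs/tags/v4.3.1
5555555 refs/tags/v4.x
"""
FORK = """\
0000000 refs/tags/v3
3333333 refs/tags/v3.4
9999999 refs/tags/v4.3.1
"""
```

Running `plan_tag_sync(parse_ls_remote(UPSTREAM), parse_ls_remote(FORK))` on the sample yields v4.x to create, v3 to move, and v4.3.1 blocked because upstream now points it at a different commit than the fork holds.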
Vadorequest changed the title from "Does this action also auto-create tags?" to "Does this action also auto-create tags, while protecting from malicious tag override?" on Jan 24, 2021
I am using this action just to periodically merge changes from a forked repository into my fork. Creating tags would still fit into the scope of this action. The verification logic not so much, because it is quite a special use case. At the moment I personally don't have enough time on hand to work on those features.