Merge remote-tracking branch 'upstream/master' into 30634-protected-pipeline

* upstream/master: (25 commits)
  Remove unneeded asserts and add tests for inactive RequestStore
  Rename the methods to make it fit with current name
  Follow feedback on the merge request
  Make sure it checks against the tag only when it's a tag
  Renamed Gitaly services
  fix transient rspec failure due to Poll.js race condition
  Refactor variables initialization in dropzone_input.js
  cache the cache key...
  avoid #respond_to? in Cache.id_for
  cache DeclarativePolicy.class_for at the class level
  Update 9.3-to-9.4.md
  fix padding on filtered search dropdown. Styles should only apply to li in list
  Cache Note#notable for commits and fix tests
  Add changelog entry
  Update the comments for the new functionality
  Use RequestStoreWrap for Commit#author
  Skip dead jobs queue for web hooks and project services
  Add RequestStoreWrap to cache via RequestStore
  Don't track cached queries in Gitlab::PerformanceBar::PeekQueryTracker
  Add changelog entry
  ...

1 files changed, 7 insertions, 3 deletions

diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 129ed756477..00adb51e7de 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -1,9 +1,13 @@
 module Ci
   class BuildPolicy < CommitStatusPolicy
     condition(:user_cannot_update) do
-      !::Gitlab::UserAccess
-        .new(@user, project: @subject.project)
-        .can_push_or_merge_to_branch?(@subject.ref)
+      access = ::Gitlab::UserAccess.new(@user, project: @subject.project)
+
+      if @subject.tag?
+        !access.can_create_tag?(@subject.ref)
+      else
+        !access.can_push_or_merge_to_branch?(@subject.ref)
+      end
     end
 
     rule { user_cannot_update }.prevent :update_build