feat: create-git-tag safe output #75

@jamesadevine

Summary

Add a create-git-tag safe output that allows agents to create annotated git tags on commits in Azure DevOps repositories.

ADO API

POST /_apis/git/repositories/{repo}/refs?api-version=7.1

Request body:

[{
  "name": "refs/tags/v1.2.3",
  "oldObjectId": "0000000000000000000000000000000000000000",
  "newObjectId": "{commitSha}"
}]

For annotated tags, first create the tag object via:
POST /_apis/git/repositories/{repo}/annotatedtags?api-version=7.1

Agent Parameters

  • name (required) — Tag name (e.g., v1.2.3)
  • commit (optional) — Commit SHA to tag (default: HEAD of default branch)
  • message (optional) — Tag annotation message
  • repository (optional) — Repository alias (default: self)

Front Matter Configuration (safe-outputs.create-git-tag)

  • tag-pattern — Regex pattern tags must match (e.g., ^v\d+\.\d+\.\d+$ for semver)
  • allowed-repositories — Restrict which repos can be tagged
  • message-prefix — Prefix for tag messages (e.g., [Agent] )

Use Cases

  • Release agents creating version tags
  • Version bump agents marking milestones
  • CI/CD agents tagging successful builds

Security Considerations

  • Tag name regex validation prevents injection (no special chars, path traversal)
  • Repository allow-list (reuse checkout: list)
  • Commit SHA validation (must be valid hex)
  • Standard text sanitization on message
  • Overwriting existing tags should be rejected (create-only)

Priority

Tier 2 — Solid addition. Low-medium complexity.
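
The checks listed under Security Considerations, sketched as an added example (not code from this issue or from the project). The function name, the `Rejected` exception, the conservative tag-name character set and the control-character stripping used in place of "standard text sanitization" are assumptions of this sketch; the caller is assumed to have resolved `commit` to a full SHA when the agent omitted it.

```python
import re

ZERO_OID = "0" * 40  # all-zero oldObjectId, as in the issue's request body (create, not update)
SHA_RE = re.compile(r"[0-9a-fA-F]{40}")
# Conservative tag-name charset (assumption): no '/', whitespace or control characters.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")  # keeps tab and newline


class Rejected(ValueError):
    """Raised when an agent request fails a safe-output check (hypothetical name)."""


def build_tag_request(request, config):
    """Validate agent parameters against the front-matter config.

    Returns (refs_body, message): the refs POST body shown in the issue and
    the sanitized, prefixed annotation message.
    """
    name = request.get("name", "")
    repo = request.get("repository", "self")
    commit = request.get("commit", "")

    # Shape check first, so a permissive tag-pattern cannot admit traversal.
    if not SAFE_NAME_RE.fullmatch(name) or ".." in name or name.endswith((".", ".lock")):
        raise Rejected("tag name has a disallowed shape")
    pattern = config.get("tag-pattern")
    if pattern and not re.fullmatch(pattern, name):
        raise Rejected("tag name does not match tag-pattern")
    if repo not in config.get("allowed-repositories", ["self"]):
        raise Rejected("repository is not in the allow-list")
    if not SHA_RE.fullmatch(commit):
        raise Rejected("commit is not a 40-character hex SHA")

    message = CONTROL_RE.sub("", request.get("message", ""))
    message = config.get("message-prefix", "") + message
    refs_body = [{
        "name": "refs/tags/" + name,
        "oldObjectId": ZERO_OID,  # never substitute an existing tag's object id
        "newObjectId": commit.lower(),
    }]
    return refs_body, message
```
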

Labels: enhancement (New feature or request)