docs: clarify immutable releases tag deletion (#60647)

joshjohanning · web-flow · commit 611263139e32 · 2026-04-09T12:20:12.000Z
diff --git a/content/code-security/concepts/supply-chain-security/immutable-releases.md b/content/code-security/concepts/supply-chain-security/immutable-releases.md
@@ -18,7 +18,7 @@ category:
 
 When you enable immutable releases, the following protections are enforced:
 
-* **Git tags cannot be moved or deleted**: Once an immutable release is published, its associated Git tag is locked to a specific commit and cannot be changed or removed.
+* **Git tags cannot be moved**: Once an immutable release is published, its associated Git tag is locked to a specific commit, cannot be changed, and cannot be deleted while the release exists. If you delete the immutable release, you can delete the tag, but you cannot reuse the same tag name.
 * **Release assets cannot be modified or deleted**: All files attached to the release (such as binaries and archives) are protected from modification or deletion.
 
 Additionally, creating an immutable release automatically generates a **release attestation**, which is a cryptographically verifiable record of a release containing the release tag, commit SHA, and release assets. Consumers can use this attestation to make sure the releases and artifacts they are using exactly match the published {% data variables.product.github %} releases.
diff --git a/data/release-notes/enterprise-server/3-20/0-rc1.yml b/data/release-notes/enterprise-server/3-20/0-rc1.yml
@@ -161,7 +161,7 @@ sections:
       notes:
         # https://github.com/github/releases/issues/6063
         - |
-          Releases support immutability, locking release assets from being added, modified, or deleted after publication and protecting the release tag from being moved or deleted. This helps protect distributed artifacts from supply chain attacks. Release attestations are not supported on GHES and are only available on GitHub.com.
+          Releases support immutability, locking release assets from being added, modified, or deleted after publication. The release tag cannot be moved, and cannot be deleted while the release exists. If the release is deleted, the tag can be removed but cannot be reused. This helps protect distributed artifacts from supply chain attacks. Release attestations are not supported on GHES and are only available on GitHub.com.
   
   changes:
     - |
diff --git a/data/release-notes/enterprise-server/3-20/0.yml b/data/release-notes/enterprise-server/3-20/0.yml
@@ -157,7 +157,7 @@ sections:
       notes:
         # https://github.com/github/releases/issues/6063
         - |
-          Releases support immutability, locking release assets from being added, modified, or deleted after publication and protecting the release tag from being moved or deleted. This helps protect distributed artifacts from supply chain attacks. Release attestations are not supported on GHES and are only available on GitHub.com.
+          Releases support immutability, locking release assets from being added, modified, or deleted after publication. The release tag cannot be moved, and cannot be deleted while the release exists. If the release is deleted, the tag can be removed but cannot be reused. This helps protect distributed artifacts from supply chain attacks. Release attestations are not supported on GHES and are only available on GitHub.com.
   
   changes:
     - |
