diff --git a/app/models/concerns/protected_ref.rb b/app/models/concerns/protected_ref.rb
index ab28eb19b64..7c0183952a0 100644
--- a/app/models/concerns/protected_ref.rb
+++ b/app/models/concerns/protected_ref.rb
@@ -8,7 +8,7 @@ module ProtectedRef
 
     delegate :matching, :matches?, :wildcard?, to: :ref_matcher
 
-    def self.protected_ref_accessible_to?(ref, user, action: :push)
+    def self.protected_ref_accessible_to?(ref, user, action:)
       access_levels_for_ref(ref, action: action).any? do |access_level|
         access_level.check_access(user)
       end
@@ -20,7 +20,7 @@ module ProtectedRef
       end
     end
 
-    def self.access_levels_for_ref(ref, action: :push)
+    def self.access_levels_for_ref(ref, action:)
       self.matching(ref).map(&:"#{action}_access_levels").flatten
     end
 
diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb
index 6af5de4dc08..54728e5ff0e 100644
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -32,7 +32,7 @@ module Gitlab
       return false unless can_access_git?
 
       if ProtectedTag.protected?(project, ref)
-        project.protected_tags.protected_ref_accessible_to?(ref, user)
+        project.protected_tags.protected_ref_accessible_to?(ref, user, action: :create)
       else
         user.can?(:push_code, project)
       end