- Type: Suggestion
- Resolution: Unresolved
- Component/s: Access Keys
As we start to support NIST's Secure Software Development Framework, source code provenance is a significant feature. Having a build account usually means more than one person knows the credentials, which means you don't have provenance to an individual who has committed code when a generic build account is used. Therefore, we'd like our build accounts to NOT be able to write commits to the repo, but we would like to be able to create a tag and push it as part of our build process. Generally, finer-grained (scoped) permissions would be appreciated.