How to enable access only to push tags?

Our Jenkins CI build user (the user on all our jenkins build slaves/agents) has access to create and push tags to any repositories. The user does not have access to push any other refs, This is with repositories in Gitolite.

How can the same be done in GitLab?

Deploy Token seems to only support access to cloning repositories.

Do we need to create a user for Jenkins in GitLab? I have seen no option to restrict access only to push tags for a single user. He will then be a Developer role and can do much more.

Is it even possible?

I think I read somewhere that GitLab should support everything that is possible with Gitolite, but I do not see that. GitLab lacks the same low-level access control, specially to restrict push only to tags.