slsa-framework · puerco · Aug 13, 2025 · Aug 13, 2025 · Aug 13, 2025
diff --git a/internal/cmd/setup.go b/internal/cmd/setup.go
@@ -448,6 +448,14 @@ a fork of the repository you want to protect.
 					fmt.Printf("\n   ℹ️  Controls already enabled on %s\n\n", opts.GetRepository().Path)
 					return nil
 				}
+
+				if errors.Is(err, models.ErrRepositoryAccessDenied) {
+					fmt.Printf("\n   🔐 %s sourcetool does not have access to %s\n\n", colorHiRed("Error:"), opts.GetRepository().Path)
+					fmt.Println()
+					fmt.Printf("Please run %s again and grant the app access\n", w("sourcetool auth login"))
+					fmt.Println("to the repository or organization.")
+					return nil
+				}
 				return fmt.Errorf("configuring controls: %w", err)
 			}
 

diff --git a/pkg/ghcontrol/checklevel.go b/pkg/ghcontrol/checklevel.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 	"log"
+	"net/http"
 	"slices"
 	"time"
 
@@ -249,7 +250,7 @@ func (ghc *GitHubConnection) EnableBranchRules(ctx context.Context) error {
 	}
 
 	// Create the SLSA ruleset
-	if _, _, err := ghc.Client().Repositories.CreateRuleset(ctx, ghc.Owner(), ghc.Repo(), github.RepositoryRuleset{
+	if _, resp, err := ghc.Client().Repositories.CreateRuleset(ctx, ghc.Owner(), ghc.Repo(), github.RepositoryRuleset{
 		Name:         "SLSA Branch Controls",
 		Target:       github.Ptr(github.RulesetTargetBranch),
 		Enforcement:  EnforcementActive,
@@ -265,6 +266,9 @@ func (ghc *GitHubConnection) EnableBranchRules(ctx context.Context) error {
 			NonFastForward: &github.EmptyRuleParameters{},
 		},
 	}); err != nil {
+		if resp.StatusCode == http.StatusNotFound {
+			return models.ErrRepositoryAccessDenied
+		}
 		return fmt.Errorf("creating branch protection ruleset: %w", err)
 	}
 
@@ -290,7 +294,7 @@ func (ghc *GitHubConnection) EnableTagRules(ctx context.Context) error {
 	}
 
 	// Create the SLSA ruleset
-	if _, _, err := ghc.Client().Repositories.CreateRuleset(ctx, ghc.Owner(), ghc.Repo(), github.RepositoryRuleset{
+	if _, resp, err := ghc.Client().Repositories.CreateRuleset(ctx, ghc.Owner(), ghc.Repo(), github.RepositoryRuleset{
 		Name:         "SLSA Tag Controls",
 		Target:       github.Ptr(github.RulesetTargetTag),
 		Enforcement:  EnforcementActive,
@@ -309,6 +313,9 @@ func (ghc *GitHubConnection) EnableTagRules(ctx context.Context) error {
 			},
 		},
 	}); err != nil {
+		if resp.StatusCode == http.StatusNotFound {
+			return models.ErrRepositoryAccessDenied
+		}
 		return fmt.Errorf("creating tag protection ruleset: %w", err)
 	}
 

diff --git a/pkg/sourcetool/models/models.go b/pkg/sourcetool/models/models.go
@@ -18,7 +18,10 @@ import (
 	"github.com/slsa-framework/source-tool/pkg/slsa"
 )
 
-var ErrProtectionAlreadyInPlace = errors.New("controls already in place in the repository")
+var (
+	ErrProtectionAlreadyInPlace = errors.New("controls already in place in the repository")
+	ErrRepositoryAccessDenied   = errors.New("access to repository denied")
+)
 
 // AttestationStorageReader abstracts an attestation storage system where
 // sourcetool can read VSAs and provenance attestations.