return a descriptive error in case of a protected branch

api/server/handlers/environment/create.go

@@ -144,7 +144,20 @@ func (c *CreateEnvironmentHandler) ServeHTTP(w http.ResponseWriter, r *http.Requ
 func (c *CreateEnvironmentHandler) deleteEnvAndReportError(
 	w http.ResponseWriter, r *http.Request, env *models.Environment, err error,
 ) {
-	c.Repo().Environment().DeleteEnvironment(env)
+	_, delErr := c.Repo().Environment().DeleteEnvironment(env)
+
+	if delErr != nil {
+		c.HandleAPIError(w, r, apierrors.NewErrInternal(delErr))
+		return
+	}
+
+	if strings.Contains(err.Error(), "protected branch") {
+		c.HandleAPIError(w, r, apierrors.NewErrPassThroughToClient(
+			fmt.Errorf("Error creating preview environment workflow files on protected branch"), http.StatusConflict,
+		))
+		return
+	}
+
 	c.HandleAPIError(w, r, apierrors.NewErrInternal(err))
 }
 

api/server/handlers/release/create.go

@@ -2,6 +2,7 @@ package release
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"strings"
@@ -176,6 +177,14 @@ func (c *CreateReleaseHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 		)
 
 		if err != nil {
+			if errors.Is(err, actions.ErrProtectedBranch) {
+				c.HandleAPIError(w, r, apierrors.NewErrPassThroughToClient(
+					fmt.Errorf("Error creating github action workflows. Cannot write to protected branch: %s",
+						request.GitActionConfig.GitBranch), http.StatusConflict,
+				))
+				return
+			}
+
 			c.HandleAPIError(w, r, apierrors.NewErrInternal(err))
 			return
 		}
@@ -344,11 +353,11 @@ func createGitAction(
 		// need to call Setup() in order to get the workflow file before writing the
 		// action config, in the case of a dry run, since the dry run does not create
 		// a git action config.
-		workflowYAML, githubErr := gaRunner.Setup()
+		workflowYAML, gitErr = gaRunner.Setup()
 
 		if gaRunner.DryRun {
-			if githubErr != nil {
-				return nil, nil, githubErr
+			if gitErr != nil {
+				return nil, nil, gitErr
 			}
 
 			return nil, workflowYAML, nil

internal/integrations/ci/actions/actions.go

@@ -3,6 +3,7 @@ package actions
 import (
 	"context"
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"net/http"
 
@@ -20,6 +21,8 @@ import (
 	"gopkg.in/yaml.v2"
 )
 
+var ErrProtectedBranch = errors.New("protected branch")
+
 type GithubActions struct {
 	ServerURL    string
 	InstanceName string
@@ -77,6 +80,23 @@ func (g *GithubActions) Setup() ([]byte, error) {
 
 	g.defaultBranch = repo.GetDefaultBranch()
 
+	// check if the default branch is write-protected
+	branch, _, err := client.Repositories.GetBranch(
+		context.Background(),
+		g.GitRepoOwner,
+		g.GitRepoName,
+		g.defaultBranch,
+		true,
+	)
+
+	if err != nil {
+		return nil, err
+	}
+
+	if branch.GetProtected() {
+		return nil, ErrProtectedBranch
+	}
+
 	if !g.DryRun {
 		// create porter token secret
 		if err := createGithubSecret(client, g.getPorterTokenSecretName(), g.PorterToken, g.GitRepoOwner, g.GitRepoName); err != nil {