A Copilot-generated pull request adds a workflow that comments on pull requests when an agent boundary check fails. The run fails even though the validation script completes and detects the policy violation. Which option best explains the failure?
Workflow: agent-boundary-check
Event: pull_request
Actor: github-copilot[bot]
permissions:
contents: read
Step: Run guardrail validation
./scripts/check-agent-boundaries.sh
Result: boundary violation detected
exit code: 1
Step: Comment on pull request
gh pr comment 231 --body "Boundary violation detected. Human review required."
HTTP 403: Resource not accessible by integration
exit code: 1
Conclusion: failureChoose an answer
Tap an option to check your answer.
Correct answer: The workflow lacks pull-requests write permission.
Why this is the answer
The workflow failed because it lacked the necessary pull-requests: write permission to comment on the pull request. The gh pr comment command requires this permission to interact with pull request comments. The provided workflow only has contents: read permission, which is insufficient for writing comments. The other options are incorrect: workflowdispatch is for manually triggering workflows and is not relevant to the permission issue. Copilot can trigger pullrequest workflows; the issue isn't the trigger itself but the permissions granted to the workflow run. The validation script correctly exited with code 1 to indicate a boundary violation, which is the expected behavior for a failed check. Changing it to exit with code 0 would incorrectly signal success.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed