A team allows Copilot coding agent to create pull requests, but wants automated validation before a human reviewer marks the PR ready. The workflow must run for pull requests targeting main, avoid broad write permissions, and upload SARIF results when static analysis produces a SARIF file. Which option completes the workflow?
name: agent-pr-guardrails
on:
(Missing value 1):
branches:
- main
permissions:
contents: read
(Missing value 2): write
jobs:
validate-agent-output:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run tests
run: npm test
- name: Run static analysis
run: npm run scan -- --sarif results.sarif
- name: Upload analysis results
(Missing value 3): github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarifChoose an answer
Tap an option to check your answer.
Correct answer: Missing value 1 = pull_request Missing value 2 = security-events Missing value 3 = uses.
Why this is the answer
The pullrequest event trigger ensures the workflow runs when a pull request is opened, synchronized, or reopened, which is necessary for validating agent-created PRs before human review. security-events: write permission is specifically required for uploading SARIF files to GitHub Code Scanning, aligning with the need to avoid broad write permissions while enabling SARIF uploads. The uses keyword correctly specifies the action to be executed, in this case, github/codeql-action/upload-sarif@v3, which is the standard way to invoke a GitHub Action. Incorrect options: workflowdispatch would require manual triggering, not automated validation. pull-requests is not a valid permission scope. run is used for shell commands, not for invoking actions. push triggers on pushes to branches, not pull requests. checks is not a standard permission scope for SARIF uploads. pullrequesttarget runs in the context of the base repository and can be a security risk if not carefully managed; pullrequest is safer for this scenario. contents: write is too broad for just uploading SARIF results. with is used to pass inputs to an action, not to specify the action itself.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed